Last Updated: 2007-04-17 18:10:04 UTC
by George Bakos (Version: 1)
What a shocker - malware authors are playing cat 'n' mouse with antivirus signatures.
Roger Chiu of Malware-Test Lab submitted a .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site:
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx.xxx/mcs2001/chat/css.js)"></DIV>
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx/customer/image/css.js)"></DIV>
This latest variant was submitted to the A/V community for inclusion and the site owners contacted.