Initial verification shows that this malicious link has been introduced into a large number of sites, both through script injection in forms and in ways that look very much like web server compromise to us.
If you have a large installed base of Windows machines with browsing access, you may wish to review your proxy logs for requests for the following files. We removed the actual domain so as not to link directly to the actual malware.
The file downloaded upon successful execution is called 'install.exe' and has an MD5 checksum of f9fc3189d619462f6c939bfbf36c90ab. Once executed, it installs three files on the system, 'winboot.exe', 'winroot.bat' and '1.exe', of which the latter remains resident in memory. The software seems to be a keylogger at this point in time. Anti-virus detection for this malware was non-existent this morning, but AV vendors have been informed and are actively adding detection.
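As an added example (not ISC's own tooling), the following script shows one way to do the proxy-log review suggested above and to triage a suspect host against the indicators in this diary: it scans Squid-native-format access log lines for any request whose path ends in install.exe, regardless of host (since the hosting domain was withheld), checks a file's bytes against the published MD5, and picks the dropped file names out of a directory listing. The log lines are constructed, the Squid log layout is an assumption about your proxy, and 'malware-host.invalid' is a placeholder, not the real domain.

```python
"""Added example, not from the ISC diary: scan Squid-style proxy logs for
requests for the downloader named in the diary and check artifacts against
the published indicators. Sample log lines and the domain are constructed."""
import hashlib
import re
from urllib.parse import urlparse

# Indicators taken from the diary. The hosting domain was withheld, so we
# match on the file name regardless of host.
DOWNLOADER_NAME = "install.exe"
DOWNLOADER_MD5 = "f9fc3189d619462f6c939bfbf36c90ab"
DROPPED_FILES = {"winboot.exe", "winroot.bat", "1.exe"}

# Squid native access.log layout (assumed):
# time elapsed client action/status bytes method url ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_squid_line(line):
    """Return a dict of fields for one Squid native log line, or None if it does not parse."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None


def is_downloader_request(url):
    """True when the last path component is the downloader name (case-insensitive,
    query string ignored, any host)."""
    last = urlparse(url).path.rsplit("/", 1)[-1]
    return last.lower() == DOWNLOADER_NAME


def find_suspect_clients(log_lines):
    """Map client IP -> list of URLs for every request matching the downloader name."""
    hits = {}
    for line in log_lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the sweep
        if is_downloader_request(rec["url"]):
            hits.setdefault(rec["client"], []).append(rec["url"])
    return hits


def md5_matches_downloader(data):
    """Compare a file's bytes against the MD5 published in the diary."""
    return hashlib.md5(data).hexdigest() == DOWNLOADER_MD5


def classify_dropped(filenames):
    """Return the entries of a directory listing whose names match the dropped files."""
    return sorted(f for f in filenames if f.lower() in DROPPED_FILES)


# Constructed sample log; 'malware-host.invalid' stands in for the withheld domain.
SAMPLE_LOG = [
    "1173500000.123    150 10.0.0.5 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/192.0.2.1 text/html",
    "1173500001.456    320 10.0.0.5 TCP_MISS/200 51200 GET http://malware-host.invalid/path/install.exe - DIRECT/192.0.2.2 application/octet-stream",
    "1173500002.789     90 10.0.0.9 TCP_MISS/200 1024 GET http://www.example.com/Install.exe?v=1 - DIRECT/192.0.2.1 application/octet-stream",
    "1173500003.000     10 10.0.0.7 TCP_MISS/404 500 GET http://www.example.com/installer.html - DIRECT/192.0.2.1 text/html",
    "not a log line",
]

if __name__ == "__main__":
    for client, urls in find_suspect_clients(SAMPLE_LOG).items():
        print(client, urls)
```

Matching on the file name alone will produce some false positives (install.exe is a common name), so treat a hit as a host to examine rather than a confirmed infection: pull the file from the proxy cache or the host and compare it with md5_matches_downloader, and look for the three dropped file names on the client.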
We're very interested in hearing more about this from you. If you notice the existence of this link on one of your sites and can provide us with more information on how the compromise occurred in your instance, please let us know. This type of information could prove very helpful to other victims.
Mar 10th 2007