SANS ISC: Website with Malware - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Our reader, Micheal, has notified us a website which could cause users to download a malware.

http:// c n n w a r n e w s . c o m/

A lookup at the domain shown that it is a newly registered domain (registered date is 12 Oct 06).

The website will load a normal webpage from an australian news website (through using frame). It will also however attempt to open a malware from another site.

http:// z a g e v q s o i i .b i z /dl/l o a d a d v 4 3 3 . e x e

VirusTotal shows the result of this malware:

Antivirus    Version        Update        Result
AntiVir        7.2.0.30    10.13.2006    TR/Dldr.Small.dib.6
Authentium    4.93.8    10.13.2006    Possibly a new variant of W32/Downloader-Sml-based!Maximus
Avast        4.7.892.0    10.13.2006    Win32:Small-BSO
AVG        386    10.13.2006    Downloader.Harnig.AM
BitDefender    7.2    10.14.2006    DeepScan:Generic.Malware.dld!!g.07E540DB
CAT-QuickHeal    8.00    10.14.2006    no virus found
ClamAV        devel-20060426    10.13.2006    Trojan.Downloader.Small-2840
eTrust-InoculateIT    23.73.22    10.13.2006    Win32/SillyDL!Trojan
eTrust-Vet    30.3.3131    10.13.2006    Win32/Harnig!generic
DrWeb        4.33    10.14.2006    Trojan.DownLoader.13549
Ewido        4.0    10.13.2006    no virus found
Fortinet    2.82.0.0    10.14.2006    W32/Dowadv.CU!tr.dldr
F-Prot        3.16f    10.13.2006    Possibly a new variant of W32/Downloader-Sml-based!Maximus
F-Prot4        4.2.1.29    10.13.2006    W32/Downloader-Sml-based!Maximus
Ikarus        0.2.65.0    10.13.2006    no virus found
Kaspersky    4.0.2.24    10.14.2006    Trojan-Downloader.Win32.Harnig.cu
McAfee        4873    10.13.2006    no virus found
Microsoft    1.1603    10.14.2006    TrojanDownloader:Win32/Vxidl
NOD32v2        1.1803    10.13.2006    a variant of Win32/TrojanDownloader.Small.DIB
Norman        5.80.02    10.13.2006    W32/DLoader.gen2
Panda        9.0.0.4    10.14.2006    Suspicious file
Sophos        4.10.0    10.13.2006    no virus found
TheHacker    6.0.1.098    10.14.2006    Trojan/Downloader.Tibs.gen
UNA        1.83    10.13.2006    no virus found
VBA32        3.11.1    10.13.2006    suspected of Downloader.Small.3 (paranoid heuristics)
VirusBuster    4.3.7:9    10.13.2006    Trojan.DL.Harnig.Gen.3

It just shown that seemly harmless website may not be that harmless at all. You should be extremely vigilant when visiting unfamiliar websites. If in doubt, it is always good to tighten your browser configuration (e.g. disable Java/ Java script/ ActiveX) before making any attempts to visit the site. This is of course assuming you have the usual security measures in place (latest patch, virus definition etc.).