Peter B. Harvey wrote:

> An update: the virus is a HAXDOOR variant, which is a backdoor.
> Symantec and Trend also now detect it.

And most other "major" AV engines -- about an hour before you posted, I got this result from 22 virus scanners with different engines:

   Win32:Haxdoor-AE [Trj]
   BDS/Haxdoor.DW.1
   BackDoor.Generic.HKX
   Backdoor.Win32.Haxdoor.dw
   BackDoor.Haxdoor
   BackDoor-BAC.gen.b
   Backdoor.Win32.Haxdoor.DW
   Trojan Horse
   Win32/Haxdoor
   Bck/Haxdoor.DG
   BKDR_HAXDOOR.CI
   Troj/Haxdor-Gen
   Win32.Haxdoor.AF
   Win32/Banker.50353!Trojan
   Backdoor.Haxdoor.DM1

> The virus is spread by an iframe or link in an email asking to go to
> a compromised website. The latest site seen is:
> http://crbmarketing.[...]
>
> This opens up a two frame page with a Hotmail look-alike login screen
> which appears to be used to steal passport credentials to anyone
> foolish enough to enter them.
>
> The other frame is only a couple of pixels high at the top. This
> opens an IFRAME to
> http://crbmarketing.[...]
>
> This page looks like an advert for a Samsung phone but contains two
> objects
> http://crbmarketing.[...]
>
>
> http://crbmarketing.[...]
> JS_PSYME.AT
>
> These emails will get past most content scanners as they are just an
> HTML email. SPAM engines might catch them.
>
> A new variant just came in and it appears to be just using the
> javascript component
> http://mistysunshine.[...]
> IFRAME at the top points to
> http://besttraff.[...]
>
> Again have Javascript turned off before looking at the sites

All those sites are now returning "closed for maintenance" or "closed for ToS abuse" style pages...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
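
The delivery pattern described in the quoted message (a frame only a couple of pixels high, and an IFRAME at the top of the page) is something a mail or proxy content filter can flag on its own. The following is an added example, not part of the original thread: a Python check using only the standard library, where the 5-pixel threshold, the function names and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

MAX_PX = 5  # assumed threshold: a frame this small is effectively invisible

def _px(value):
    """Return an int for '2' or '2px'; None for '*', '50%' or a missing value."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return int(m.group(1)) if m else None

class TinyFrameFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, reason, src)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "frameset":
            # rows="2,*" makes the first frame two pixels high
            for dim in ("rows", "cols"):
                for i, part in enumerate(a.get(dim, "").split(",")):
                    px = _px(part)
                    if px is not None and px <= MAX_PX:
                        self.findings.append((tag, f"{dim}[{i}]={px}px", ""))
        elif tag in ("iframe", "frame"):
            sizes = {d: _px(a.get(d)) for d in ("width", "height")}
            # inline CSS can shrink the element as well as the attributes
            css = re.findall(r"(width|height)\s*:\s*(\d+)\s*px", a.get("style", ""), re.I)
            for d, v in css:
                sizes[d.lower()] = int(v)
            small = [f"{d}={v}px" for d, v in sizes.items()
                     if v is not None and v <= MAX_PX]
            if small:
                self.findings.append((tag, ",".join(small), a.get("src", "")))

def find_tiny_frames(html):
    parser = TinyFrameFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; the .invalid hosts are placeholders.
SAMPLE = """<frameset rows="2,*">
<frame src="http://ads.example.invalid/top.html">
<frame src="http://login.example.invalid/form.html"></frameset>
<iframe src="http://ads.example.invalid/x.html" width="1" height="1"></iframe>
<iframe src="http://video.example.invalid/player" width="560" height="315"></iframe>
<iframe src="http://ads.example.invalid/y.html" style="height: 0px; width:100%"></iframe>"""

if __name__ == "__main__":
    for finding in find_tiny_frames(SAMPLE):
        print(finding)
```

A hit is a reason to quarantine or inspect the message rather than proof of malice, since tracking pixels and some legitimate widgets use the same trick.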
