Look Ma, No Content
Feel free to donate
Chris @ MyITforum
Subscribe in a reader
Subscribe to Chris Mosby at myITforum.com by Email
ASUS.com web site, infected with .ANI exploit? I'm investigating a suspect file called BMW3.PIG which appears to have originated from the asus.com website, it's some sort of .ANI exploit. Can't quite see where it is on the site though. [time 03/04/2007 10:08:22: ID 14: machine [munged]: response 03/04/2007 10:09:06] The Win32/MSA-935423!exploit was detected in C:\DOCUMENTS AND SE...\BMW3[1].PIG. Machine: [munged], User: System. File Status: Cure failed, file renamed.It appears that the culprit is an IFRAME hidden on asus.com.tw pointing to http://www[dot]ipqwe[dot]com/app/helptop.do?id=ad003 which is hosted on 222.73.247.123 in China, along with the following websites (which are probably all malware related) Ipqwe.com Mumy8.com Ok8vs.com Okvs8.com P5ip.com Plmq.com Y8ne.com Yyc8.comI wouldn't advise visiting any of those on a Windows-based PC by the way. I can't manage to deobfuscate the javascript on the other end, but blocking the above sites would be a good way of stopping this particular attack vector. Labels: Viruses
I'm investigating a suspect file called BMW3.PIG which appears to have originated from the asus.com website, it's some sort of .ANI exploit. Can't quite see where it is on the site though.
[time 03/04/2007 10:08:22: ID 14: machine [munged]: response 03/04/2007 10:09:06] The Win32/MSA-935423!exploit was detected in C:\DOCUMENTS AND SE...\BMW3[1].PIG. Machine: [munged], User: System. File Status: Cure failed, file renamed.
Labels: Viruses
Source: Dynamoo's Blog
No Comments