[time 03/04/2007 10:08:22: ID 14: machine [munged]: response 03/04/2007 10:09:06] The Win32/MSA-935423!exploit was detected in C:\DOCUMENTS AND SE...\BMW3[1].PIG. Machine: [munged], User: System. File Status: Cure failed, file renamed.
It appears that the culprit is a hidden IFRAME on asus.com.tw pointing to http://www[dot]ipqwe[dot]com/app/helptop.do?id=ad003, which is hosted on 222.73.247.123 in China along with the following websites (which are probably all malware related):
- Ipqwe.com
- Mumy8.com
- Ok8vs.com
- Okvs8.com
- P5ip.com
- Plmq.com
- Y8ne.com
- Yyc8.com
I wouldn't advise visiting any of those on a Windows-based PC, by the way. I can't manage to deobfuscate the JavaScript on the other end, but blocking the above sites would be a good way of stopping this particular attack vector.
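As an added example (not code from the original post), here is a small Python check that flags IFRAMEs which are hidden (zero-sized or CSS-hidden) or whose host is one of the domains listed above, the kind of check a site owner or proxy could run over fetched HTML. The blocklist is the post's domain list; the sample page is constructed to mimic the described injection.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example (not the post's code). Blocklist = the domains the post lists.
BLOCKLIST = {"ipqwe.com", "mumy8.com", "ok8vs.com", "okvs8.com",
             "p5ip.com", "plmq.com", "y8ne.com", "yyc8.com"}
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _host_blocked(src):
    """True if the frame's host is a blocklisted domain or a subdomain of one."""
    host = (urlsplit(src).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)

def _is_hidden(attrs):
    """Zero-sized or CSS-hidden frames are the classic drive-by pattern."""
    zero = any(attrs.get(k, "").strip() in ("0", "0px") for k in ("width", "height"))
    return zero or bool(_HIDDEN_STYLE.search(attrs.get("style", "")))

class IframeAuditor(HTMLParser):
    """Records every <iframe> that is hidden or points at a blocklisted host."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs give None
        reasons = [r for ok, r in ((_host_blocked(a.get("src", "")), "blocklisted host"),
                                   (_is_hidden(a), "hidden frame")) if ok]
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def audit_html(html):
    """Return [(src, [reasons])] for each suspicious iframe in the document."""
    p = IframeAuditor()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample: one benign frame plus the kind of injected frame the post describes.
SAMPLE = """<html><body><h1>Product page</h1>
<iframe src="http://www.example.com/video" width="400" height="300"></iframe>
<iframe src="http://www.ipqwe.com/app/helptop.do?id=ad003" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_html(SAMPLE):
        print("SUSPICIOUS", src, "->", ", ".join(why))
```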
3 comments:
Symantec detects this as trojan.anicmoo
I have contacted ASUS and they seem to be aware of this though they are not returning any more calls or contacts.
I have also submitted the URL link that triggers this detection to Symantec Gold Support.
ASUS Taiwan has been infected before - see here:
http://msmvps.com/blogs/spywaresucks/archive/2006/12/16/425879.aspx
Well. Now that I visit the ASUS site again, Symantec no longer picks up a threat.
So either ASUS removed it or Symantec detected it falsely as my defs were updated before I went back.