[time 03/04/2007 10:08:22: ID 14: machine [munged]: response 03/04/2007 10:09:06] The Win32/MSA-935423!exploit was detected in C:\DOCUMENTS AND SE...\BMW3[1].PIG. Machine: [munged], User: System. File Status: Cure failed, file renamed.
It appears that the culprit is an IFRAME hidden on asus.com.tw pointing to http://www[dot]ipqwe[dot]com/app/helptop.do?id=ad003, which is hosted on 222.73.247.123 in China, along with the following websites (which are probably all malware related):
- Ipqwe.com
- Mumy8.com
- Ok8vs.com
- Okvs8.com
- P5ip.com
- Plmq.com
- Y8ne.com
- Yyc8.com
I wouldn't advise visiting any of those on a Windows-based PC by the way. I can't manage to deobfuscate the javascript on the other end, but blocking the above sites would be a good way of stopping this particular attack vector.
Symantec detects this as trojan.anicmoo.
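As an added example (not part of the original comment thread), the check a defender would run against a suspect page: parse the HTML, collect every IFRAME, and flag those that are sized to zero or one pixel or hidden with CSS while loading from a host outside the site being checked. The sample page, the `find_hidden_external_iframes` function and the `looks_hidden` heuristic are all constructed for this example.

```python
"""Scan an HTML document for hidden IFRAMEs that pull content from another host."""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collects the attribute dictionary of every <iframe> tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def looks_hidden(attrs):
    """Heuristic: zero/one-pixel size or a CSS rule that hides the frame."""
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (width in ("0", "1") or height in ("0", "1")
            or any(marker in style for marker in HIDDEN_STYLE_MARKERS))


def find_hidden_external_iframes(html, site_host):
    """Return (src, host) pairs for hidden iframes that load from another host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        on_site = host == site_host or host.endswith("." + site_host)
        if host and not on_site and looks_hidden(attrs):
            hits.append((src, host))
    return hits


# Constructed sample page: one benign on-site iframe plus an injected hidden one.
SAMPLE_HTML = """<html><body>
<iframe src="http://www.asus.com.tw/promo.html" width="300" height="200"></iframe>
<iframe src="http://www.ipqwe.com/app/helptop.do?id=ad003" width=0 height=0
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, host in find_hidden_external_iframes(SAMPLE_HTML, "asus.com.tw"):
        print("hidden off-site iframe:", src, "->", host)
```

The hosts this reports are the ones to block at the proxy or resolver; a visible, normally sized off-site frame is not flagged, since those are common in legitimate pages.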
I have contacted ASUS and they seem to be aware of this, though they are not returning any more calls or contacts.
I have also submitted the URL link that triggers this detection to Symantec Gold Support.
ASUS Taiwan has been infected before - see here:
http://msmvps.com/blogs/spywaresucks/archive/2006/12/16/425879.aspx
Well. Now that I visit the ASUS site again, Symantec no longer picks up a threat.
So either ASUS removed it or Symantec detected it falsely, as my defs were updated before I went back.