Sponsored by..

Tuesday 3 April 2007

ASUS.com web site, infected with .ANI exploit?

I'm investigating a suspect file called BMW3.PIG which appears to have originated from the asus.com website, it's some sort of .ANI exploit. Can't quite see where it is on the site though.

[time 03/04/2007 10:08:22: ID 14: machine [munged]: response 03/04/2007 10:09:06] The Win32/MSA-935423!exploit was detected in C:\DOCUMENTS AND SE...\BMW3[1].PIG. Machine: [munged], User: System. File Status: Cure failed, file renamed.


It appears that the culprit is an IFRAME hidden on asus.com.tw pointing to http://www[dot]ipqwe[dot]com/app/helptop.do?id=ad003 which is hosted on 222.73.247.123 in China, along with the following websites (which are probably all malware related)

  • Ipqwe.com
  • Mumy8.com
  • Ok8vs.com
  • Okvs8.com
  • P5ip.com
  • Plmq.com
  • Y8ne.com
  • Yyc8.com

I wouldn't advise visiting any of those on a Windows-based PC by the way. I can't manage to deobfuscate the javascript on the other end, but blocking the above sites would be a good way of stopping this particular attack vector.

3 comments:

OI Staff Support said...

Symantec detects this as trojan.anicmoo

I have contacted ASUS and they seem to be aware of this though they are not returning any more calls or contacts.

I have also submitted the url link that triggers this detection to symantec gold support.

Unknown said...

ASUS Taiwan has been infected before - see here:

http://msmvps.com/blogs/spywaresucks/archive/2006/12/16/425879.aspx

OI Staff Support said...

Well. Now that I visit the ASUS site again, Symantec no longer pics up a threat.

So either ASUS removed it or Symantec detected it falsely as my defs were updated before I went back.