ASUS.com web site, infected with .ANI exploit?
I'm investigating a suspect file called BMW3.PIG which appears to have originated from the asus.com website; it's some sort of .ANI exploit. I can't quite see where it is on the site though.
[time 03/04/2007 10:08:22: ID 14: machine [munged]: response 03/04/2007 10:09:06] The Win32/MSA-935423!exploit was detected in C:\DOCUMENTS AND SE...\BMW3[1].PIG. Machine: [munged], User: System. File Status: Cure failed, file renamed.
It appears that the culprit is an IFRAME hidden on asus.com.tw pointing to http://www[dot]ipqwe[dot]com/app/helptop.do?id=ad003, which is hosted on 222.73.247.123 in China, along with the following websites (which are probably all malware-related):
- Ipqwe.com
- Mumy8.com
- Ok8vs.com
- Okvs8.com
- P5ip.com
- Plmq.com
- Y8ne.com
- Yyc8.com
I wouldn't advise visiting any of those on a Windows-based PC, by the way. I can't manage to deobfuscate the JavaScript on the other end, but blocking the above sites would be a good way of stopping this particular attack vector.
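As an added defender-side example (not code from the original post), the following Python scans a page's HTML for IFRAMEs that are hidden (zero/one-pixel or styled invisible) or whose src points at one of the domains listed above; the blocklist is built from those domains and the sample HTML is constructed here.

```python
import re
from urllib.parse import urlparse

# Blocklist built from the domains listed in the post (constructed for this example).
BLOCKED_DOMAINS = {
    "ipqwe.com", "mumy8.com", "ok8vs.com", "okvs8.com",
    "p5ip.com", "plmq.com", "y8ne.com", "yyc8.com",
}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)

# Constructed sample: one hidden IFRAME to a listed domain, one legitimate visible IFRAME.
SAMPLE_HTML = """<html><body>
<h1>Product page</h1>
<iframe src="http://www.ipqwe.com/app/helptop.do?id=ad003" width="0" height="0"></iframe>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
</body></html>"""

def parse_attrs(attr_text):
    """Return a lower-cased name -> value dict for the attributes of one tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def is_blocked(host):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def _tiny(value):
    v = value.strip().lower()
    v = v[:-2] if v.endswith("px") else v
    return v in {"0", "1"}

def looks_hidden(attrs):
    """Zero/one-pixel frames or display:none / visibility:hidden styles."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_tiny(attrs.get("width", "")) or _tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)

def find_suspicious_iframes(html):
    """Return IFRAMEs that are hidden or point at a blocklisted domain."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        rec = {"src": src, "host": host, "blocked": is_blocked(host), "hidden": looks_hidden(attrs)}
        if rec["blocked"] or rec["hidden"]:
            hits.append(rec)
    return hits
```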
Labels: Viruses

4 Comments:
Symantec detects this as trojan.anicmoo
I have contacted ASUS and they seem to be aware of this though they are not returning any more calls or contacts.
I have also submitted the url link that triggers this detection to symantec gold support.
03 April 2007 19:26
ASUS Taiwan has been infected before - see here:
http://msmvps.com/blogs/spywaresucks/archive/2006/12/16/425879.aspx
03 April 2007 22:18
Well. Now that I visit the ASUS site again, Symantec no longer picks up a threat.
So either ASUS removed it or Symantec detected it falsely as my defs were updated before I went back.
04 April 2007 02:33
This post has been removed by the author.
06 April 2007 18:40