Yet another IFrame Exploit

I found another site that has been hacked, and several exploits have been injected into the page. The culprit is well known for hacking sites and forums that do not have their latest updates installed …



This is a 2-prong attack using 2 IFrame entries and a malicious JavaScript. The first IFrame is detected by NOD32 as “JS/TrojanDownloader.Agent.BI” and the second as “HTML/TrojanDownloader.Agent.AU”. To top it off, as you can see in the IE7 Info Bar, there is a “Microsoft Data Access exploit”, which comes from the JavaScript.


VirusTotal results on the page itself …


AntiVir = found nothing
Authentium = found nothing
Avast = found nothing
AVG = found nothing
BitDefender = found nothing
CAT-QuickHeal = found nothing
ClamAV = found nothing
DrWeb = found nothing
eTrust-InoculateIT = found nothing
eTrust-Vet = found nothing
Ewido = found [Not-A-Virus.Constructor.Perl.Msdds.b]
F-Prot = found nothing
F-Prot4 = found nothing
Fortinet = found nothing
Ikarus = found nothing
Kaspersky = found [Constructor.Perl.Msdds.b]
McAfee = found nothing
Microsoft = found nothing
NOD32v2 = found [probably a variant of HTML/TrojanDownloader.Agent.AU]
Norman = found nothing
Panda = found nothing
Prevx1 = found nothing
Sophos = found nothing
TheHacker = found nothing
UNA = found nothing
VBA32 = found [Trojan-Downloader.HTML.Agent.aq#6]
VirusBuster = found nothing


Note: the website owner was notified but no reply as yet … that’s why the URL was removed.


After placing the 2 malicious sites in the HOSTS file and revisiting the site there was no pop-up from NOD32 or a prompt from IE7 about the “Microsoft Data Access” … be safe out there folks! The next update will contain the needed entries to block this attack and hopefully the Antivirus community will update their databases soon.
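The check described above (find the outside hosts that a page's IFrame and script tags load from, then confirm the HOSTS file blocks each one) can be scripted. This is an added example, not code from the original post; the `.example` hostnames, the sample page and the sample HOSTS text are constructed placeholders, and treating 127.0.0.1, 0.0.0.0 and ::1 as "blocked" is an assumption about how the entries are written.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SINKS = {"127.0.0.1", "0.0.0.0", "::1"}  # assumed sink addresses for a blocking entry

class ExternalSources(HTMLParser):
    """Collect hosts referenced by <iframe src> and <script src> on a page."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        host = (urlparse(src).hostname or "") if src else ""  # relative URL -> no host
        if host and host != self.page_host:
            self.hosts.add(host)

def blocked_hosts(hosts_text):
    """Parse HOSTS-file text and return the names mapped to a sink address."""
    blocked = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in SINKS:
            blocked.update(name.lower() for name in fields[1:])
    return blocked

def audit(page_html, page_host, hosts_text):
    """Return {external_host: True if the HOSTS text blocks it}."""
    parser = ExternalSources(page_host)
    parser.feed(page_html)
    blocked = blocked_hosts(hosts_text)
    return {h: h in blocked for h in sorted(parser.hosts)}

# Constructed sample data; these are not the sites from the post.
SAMPLE_PAGE = """<html><body>
<iframe src="http://bad-one.example/x.htm"></iframe>
<IFRAME SRC="//Bad-Two.example/index.php"></IFRAME>
<script src="http://bad-one.example/md.js"></script>
<script src="/js/site.js"></script>
</body></html>"""
SAMPLE_HOSTS = """# constructed HOSTS entries
127.0.0.1  localhost
127.0.0.1  bad-one.example   # blocked
"""

if __name__ == "__main__":
    for host, ok in audit(SAMPLE_PAGE, "forum.example", SAMPLE_HOSTS).items():
        print(f"{host:20} {'blocked' if ok else 'NOT BLOCKED'}")
```

Any host reported as NOT BLOCKED is one the page still loads content from after the HOSTS edit, so it needs its own entry.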


