AegisLab discovered that many "mail.htm" pages have been trojanized with an embedded <iframe> used for drive-by download attacks. So far there are 311 victim websites, and the number is still increasing.
If you connect to a victim website without an HTTP Referer header, it redirects you to the Google website.
With a proper HTTP Referer, however, you are redirected to the following websites:
- (and more...)
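The two behaviours above (a hidden injected iframe, and a redirect that differs depending on the Referer header) can be checked for on a defender's side. The following is an added example, not code from AegisLab: it flags iframes that are sized or styled to be invisible, and compares the redirect target a page returns with and without a Referer. The sample page, host names and the `fake_fetch` client are constructed placeholders, not the real indicators.

```python
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""
    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag names
            self.iframes.append(dict(attrs))


def hidden_iframes(html: str) -> List[str]:
    """Return the src of each iframe sized to be invisible or hidden by CSS,
    the shape an injected drive-by iframe usually takes."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        style = (attrs.get("style") or "").replace(" ", "").lower()
        tiny = {attrs.get("width"), attrs.get("height")} & {"0", "1", "0px", "1px"}
        if tiny or "display:none" in style or "visibility:hidden" in style:
            hits.append(attrs.get("src") or "")
    return hits


# fetch(url, referer) -> Location header of the response, or None if no redirect.
Fetch = Callable[[str, Optional[str]], Optional[str]]


def referer_cloaked(fetch: Fetch, url: str, referer: str) -> bool:
    """True when the redirect target changes with the Referer header.
    The HTTP client is passed in so the check can run offline in tests."""
    return fetch(url, None) != fetch(url, referer)


# Constructed sample page (placeholder hosts, not the real indicators).
SAMPLE_MAIL_HTM = """<html><body><h1>Contact</h1>
<iframe src="http://bad.example/in.php" width="0" height="0" style="display: none"></iframe>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
</body></html>"""


def fake_fetch(url: str, referer: Optional[str]) -> Optional[str]:
    """Constructed stand-in for an HTTP client, mimicking the redirect behaviour described above."""
    return "https://www.google.com/" if referer is None else "http://bad.example/landing"


if __name__ == "__main__":
    print(hidden_iframes(SAMPLE_MAIL_HTM))
    print(referer_cloaked(fake_fetch, "http://victim.example/mail.htm", "http://www.google.com/"))
```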
Besides "mail.htm", we found that many "upload.htm" pages are also trojanized, because the software packages these sites use are vulnerable.
The software packages used by the victim websites are listed below:
- hxxp://www.r-toto.com.cn/mail.htm -> Metinfo 4.0
- hxxp://www.tiyidi.com/mail.htm -> Discuz X2
- hxxp://www.kshaoye.com/mail.htm -> WordPress 3.4.1
Finally, the program downloaded from the malicious websites is called "win32.exe"; its VirusTotal (VT) detection rate is shown below:
AegisLab WebGuard has blocked all of the malicious websites, and Antivirus can remove the malicious program.