AegisLab has found that the official website of 澎湖海鮮網 has been trojaned with a virus and malicious links. When unsuspecting visitors open these pages, they are forced to download the malware or are redirected to the malicious site to download the IE exploit.

The root page contains two zero-size iframes whose corresponding pages are x.htm and h.asp, as shown in Figure 1. However, h.asp is not available.

x.htm (Figure 2) includes a script file (log.js) and creates an invisible button whose onClick() callback function is called at the end of the file. The callback function calls Riaa('bo'+'dy'), which is defined in log.js. The statement is to call:





Figure 1: root page



Figure 2: x.htm

The created object is attached to the document, and the setAttribute method is invoked. This attack exploits CVE-2010-0806 (Microsoft Internet Explorer iepeers.dll use-after-free exploit).
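The two static traits described above, zero-size iframes in the root page and a split string literal such as 'bo'+'dy' in x.htm, can be checked for when triaging a suspect page. The following is an added example, not AegisLab's code: the function and class names are hypothetical, and the sample markup is constructed from the description in this post, not copied from the trojaned site.

```python
import re
from html.parser import HTMLParser

ZERO = re.compile(r"^0+(px|%)?$")
STYLE_ZERO = re.compile(r"\b(width|height)\s*:\s*0+(px|%)?\s*(;|$)", re.I)
# Two adjacent literals with the same quote joined by '+', e.g. 'bo'+'dy'
SPLIT = re.compile(r"""(['"])((?:(?!\1)[^\\\n])*)\1\s*\+\s*\1((?:(?!\1)[^\\\n])*)\1""")

class HiddenFrameFinder(HTMLParser):
    """Collects iframes given zero width or height, plus external script sources."""
    def __init__(self):
        super().__init__()
        self.hidden_iframes, self.script_srcs = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "iframe":
            zero_attr = any(ZERO.match(a.get(d, "")) for d in ("width", "height"))
            zero_style = bool(STYLE_ZERO.search(a.get("style", "")))
            if zero_attr or zero_style:
                self.hidden_iframes.append(a.get("src", ""))
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

def fold_literals(js):
    """Merge 'a'+'b' into 'ab' until stable, so signatures see the joined string."""
    prev = None
    while prev != js:
        prev = js
        js = SPLIT.sub(lambda m: f"{m[1]}{m[2]}{m[3]}{m[1]}", js)
    return js

def scan(html):
    """Return hidden iframe targets, script sources and the literal-folded text."""
    finder = HiddenFrameFinder()
    finder.feed(html)
    finder.close()
    return {"hidden_iframes": finder.hidden_iframes,
            "script_srcs": finder.script_srcs, "folded": fold_literals(html)}

# Constructed samples modelled on the root page and x.htm as described in the text.
SAMPLE_ROOT = ('<html><body><iframe src="x.htm" width="0" height="0"></iframe>\n'
               '<iframe src="h.asp" style="width:0px; height:0px"></iframe>\n'
               '<iframe src="banner.htm" width="300" height="100"></iframe></body></html>')
SAMPLE_X = ('<script src="log.js"></script>\n'
            '<button id="b" style="display:none" onclick="Riaa(\'bo\'+\'dy\')"></button>')

if __name__ == "__main__":
    print(scan(SAMPLE_ROOT)["hidden_iframes"], scan(SAMPLE_X)["script_srcs"])
```

A zero-size iframe is not proof of compromise on its own, so treat a hit as a reason to fetch and inspect the framed page and its scripts.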

After analyzing the log.js file (Figure 3), we can get the download site "hxxp://".



  Figure 3: log.js 

The attack path is listed below.



The detection rate of this virus is 66.7% (26/39) on VirusTotal.



 The detection rate of this malicious link is 9% (2/22) in 


Since 06/04/2011, AegisLab WebGuard has blocked these trojaned pages.

By AegisLab