AegisLab has found that the official website of A-Fish.com.tw (澎湖海鮮網) has been trojaned with a virus and malicious links. When unsuspecting visitors open these pages, the malware is forcibly downloaded to their machines, or they are redirected to the malicious site to download the IE exploit.

The root page contains two zero-size iframes whose corresponding pages are x.htm and h.asp, as shown in Figure 1. However, h.asp is not available.

x.htm (Figure 2) includes a script file (log.js) and creates an invisible button whose onClick() callback function is called at the end of the file. The callback function calls Riaa('bo'+'dy'), which is defined in log.js. The effect of this statement is to call:

   document.createElement('body')

 

 

Figure 1: root page

Figure 2: x.htm

The created object is attached to the document, and its setAttribute method is then invoked. This attack exploits CVE-2010-0806 (Microsoft Internet Explorer iepeers.dll use-after-free exploit).
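A static triage check for the two indicators described above, zero-size iframes in the root page and split string literals such as 'bo'+'dy' in the script. This is an added example, not AegisLab's code or the original page source; the sample markup, the function names and the regex heuristics are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the description above; not the original page source.
SAMPLE_ROOT = """<html><body>
<iframe src="x.htm" width="0" height="0"></iframe>
<iframe src="h.asp" style="width:0px; height:0px"></iframe>
<iframe src="banner.htm" width="468" height="60"></iframe>
<script src="log.js"></script>
</body></html>"""

_ZERO = re.compile(r"^0+(\.0+)?(px|%|em|pt)?$")
# width/height declarations inside an inline style attribute
_STYLE_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*([^;]+)", re.I)
# Two quoted literals joined by '+'. Regex heuristic for triage, not a JS parser.
_CONCAT = re.compile(r"""(['"])([^'"\\\n]*)\1\s*\+\s*(['"])([^'"\\\n]*)\3""")

def _is_zero(value):
    return value is not None and bool(_ZERO.match(value.strip().lower()))

class FrameScanner(HTMLParser):
    """Collects iframes whose width and height are both zero, plus script sources."""
    def __init__(self):
        super().__init__()
        self.zero_iframes, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe":
            dims = {"width": a.get("width"), "height": a.get("height")}
            # inline CSS wins over the presentational attributes
            dims.update((k.lower(), v) for k, v in _STYLE_DIM.findall(a.get("style") or ""))
            if _is_zero(dims["width"]) and _is_zero(dims["height"]):
                self.zero_iframes.append(a.get("src"))

def scan(html):
    """Return (sources of zero-size iframes, external script sources)."""
    scanner = FrameScanner()
    scanner.feed(html)
    return scanner.zero_iframes, scanner.scripts

def fold_literals(js):
    """Merge adjacent string literals until stable: 'bo'+'dy' -> 'body'."""
    prev = None
    while prev != js:
        prev, js = js, _CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", js)
    return js
```

Folding the literals first lets a plain keyword search see strings such as 'body' that the split form hides.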

After analyzing the log.js file (Figure 3), we obtained the download site "hxxp://www.a-fish.com.tw/gif/3.exe".

 

Figure 3: log.js

The attack path is listed below.

[root]hxxp://www.a-fish.com.tw/gif/
    [exp]hxxp://www.a-fish.com.tw/gif/x.htm(Exploit.Ie0dayCVE0806.a)
        [script]hxxp://www.a-fish.com.tw/gif/log.Js
        [virus]hxxp://www.a-fish.com.tw/gif/3.exe 

 

The detection rate of this virus is 66.7% (26/39) on VirusTotal.

 

 

The detection rate of this malicious link is 9% (2/22) on URLVoid.com.

 


Since 06/04/2011, AegisLab WebGuard has blocked these trojaned pages.

By AegisLab