Topic: This site not to be opened with IE6 or IE7

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33524
  • malware fighter
This site not to be opened with IE6 or IE7
« on: June 13, 2010, 05:46:18 PM »
Hi malware fighters,

This attack could pose a serious security threat and may damage your computer.

This signature detects a remote code execution vulnerability in the Microsoft Internet Explorer.

Microsoft Internet Explorer is a browser for the Windows operating system.

Internet Explorer is prone to a remote code-execution vulnerability. The issue occurs because an invalid pointer may attempt to access an object after it has been deleted. This may cause memory to become corrupted. This issue affects the 'iepeers.dll' library.

Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions.
Affected

    * Microsoft Internet Explorer 6.0, 7.0. The issue has not been patched as far as is known now.

Where? Status of site is dangerous:
There is also this: wXw.sejib.com.com/   ????
Drive-By Downloads  

Threats: 5

Threat Name:    HTTP IE Attribute Handler Code Exec
Location:    htxp://www.sejib.com/tupian/mingxingjiqing/

Threat Name:    HTTP IE Attribute Handler Code Exec
Location:    htxp://www.sejib.com/tupian/qingchunweimei/

Threat Name:    HTTP IE Attribute Handler Code Exec
Location:    htxp://www.sejib.com/xiaoshuo/qiangjianxilie/

Threat Name:    HTTP IE Attribute Handler Code Exec
Location:    htxp://www.sejib.com/xiaoshuo/xingaijiqiao/

Threat Name:    Direct link to HTTP IE Attribute Handler Code Exec
Location:    htx://www.sejib.com/

And a virus here:
Threat Name:      W32.Wapomi
Location:    htxp://www.sejib.com/%CE%D2%BA%CD%D0%A1%BD%E3%BF%AA%B7%BF%B9%FD%B3%CC.av.exe

See: htxp://jsunpack.jeek.org/dec/go?report=cb0539ace521cd698efd0768d1774a95ec5c1874

Also a suspicious link now here: bo.27rb.com (suspicious)

    * <A> 日韩影院 - htxp://bo.27rb.com
http://www.google.com/safebrowsing/diagnostic?site=bo.27rb.com

Then there is this suspicious link:
src=htxp://z.link88.be/zclick.js></script> But it says Server:[error]!

polonus


« Last Edit: June 13, 2010, 05:57:36 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline polonus
Re: This site not to be opened with IE6 or IE7
« Reply #2 on: June 13, 2010, 06:07:54 PM »
Hi Pondus,

Two instances of malcode well worth reporting.
Good that this is a Chinese site for local users only,
and adult content sites are always ridden with malware...
but they should be warned as well. Malicious website distribution map
zclicks is on many Chinese sites: htxp://jsunpack.jeek.org/dec/go?report=3e85949196f276ea821ecc33b6c995de0cbef424

polonus
« Last Edit: June 13, 2010, 06:18:24 PM by polonus »

Offline polonus
Re: This site not to be opened with IE6 or IE7
« Reply #3 on: June 13, 2010, 11:48:59 PM »
Hi Pondus,

Tried to analyze the javascript file at WepaWet: http://wepawet.iseclab.org/view.php?hash=32b1b9c6af108dcb1a7bdfc9ae480b82&type=js
See the remarks there:
jsunpack: http://jsunpack.jeek.org/dec/go?report=3e85949196f276ea821ecc33b6c995de0cbef424

Do think it is benign as it is not flagged online, but there are scamming issues involved, see my report here:

and here:
http://www.virustotal.com/nl/analisis/44379790e3cfc2ff2cae712b3af441df30ad93a0c630fd90a5ade0f88dce0fab-1276464623
link88.be is given as clean by URLVoid, but there was malcode there last on 2010-06-08.
Yes, this site has hosted malicious software. It infected 8 domain(s), including haokan123.info/, sebaidu.net/, 174.139.140.0/. http://www.webboar.com/net/174.139.140.0/ Krypt Technologies
http://www.trustedsource.org/query/174.139.140.0/22
Notorious for scammer support: http://report-online-scams.com/blog/2009/08/krypt-com-supports-scammers/
blacklisted spam site:

polonus