-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

Not sure if anyone else has seen this but here it is again if so.

First seen discussed per SANS http://isc.sans.org/diary.php?date=2006-10-14

* h t t p://cnnwarnews(dot)com/

uses an iframe to go to

* h t t p://www.theaustralian.news.com.au/index/0,,5002460,00.html

which is a legit Australian news site but also uses another iframe to open

* h t t p://zagevqsoii(dot)biz/dl/adv433_.php

and this opens:

* h t t p://zagevqsoii(dot)biz/dl/loadadv433.exe

If you google for usage of the domain you can see that it has been seeding web forums with supposed "news" stories about North Korea that entice victims to get infected as above:

* h t t p://www.google.com/search?q=www(dot)cnnwarnews(dot)com
* h t t p://www.google.com/search?q=au(dot)cnnwarnews(dot)com

eg:

h t t p://sv.wikipedia.org/wiki/The_Forum
h t t p://www.kaigai-wedding.com/cgi-bin/wforum3/wforum.cgi?mode=new_sort
h t t p://www.depdiknas.go.id/RPP/modules.php?name=Forums&file=posting&mode=topicreview&t=1331

The articles being seeded or spammed around usually look like this:

  Subject: North Korea vs Australia - nuclear stress

  Prime minister of Australia John Govard claimed that "..nuclear tests of North Korea was confirmed by seismological data", Associated Press. In connection with increase of probability of nuclear attack from the direction of North Korea Minister of Defence of Australia along with Ministers of Defence of China, South Korea and Russia signed a memorandum on infliction?

  h t t p://au(dot)cnnwarnews(dot)com/topnews/

The infection process is/was the same as above.
Still accessible to the spammed material via:

wget --header="Host: au(dot)cnnwarnews(dot)com" h t t p://203.116.50.253/topnews/

The original infector file, loadadv433.exe, is detected as Harnig which grabs:

* h t t p://zbobivgcso(dot)biz/dl/loadadv455.exe

And this then grabs:

* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/ffkzyu
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/oswzvfcm
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/tkshrolhx.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/plgrx.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/rsamiscm
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/djrhd.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/gwrkgq.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/mhghnoxhnv.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/wipfrokuw.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/idlgmwf.php

We have submitted all of these binaries to AV and sent shutdown requests for the four key domains above.

We haven't seen much discussion of this but maybe the spam run hasn't really taken off yet. The subject of the upcoming spam run will probably look like "North Korea vs Australia - nuclear stress" and have the same text as the forum spams above.

Credit to F-Secure for some of their analysis on this.

Hope this is of some use.
Best regards,

- -- 
Matthew McGlashan -- Coordination Centre Team Leader | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team       | Direct: +61 7 3365 7924
(AusCERT)                                         | Fax: +61 7 3365 7031
The University of Queensland                      | WWW: www.auscert.org.au
Qld 4072 Australia                                | Email: auscert(a)auscert.org.au

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRTSTYCh9+71yA2DNAQIZDwP/SZQYu/hzHAutGUa+6pkQqCRAczlMoqYw
rjiCm71mfX++HCEup7IXo9NzW4rTPhCxNfM5q+qhukUZlWLd4QFah2eRk+fFtopT
Sf1POAOuWM0knjwBRWPG156bA4jytLIu+UU+M9P8hoFt4MovvQYqPljOsIpSBADe
eAgPsGrny8k=
=guYP
-----END PGP SIGNATURE-----
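An added example, not part of the original post or of AusCERT's own tooling: it refangs the advisory's "h t t p://...(dot)..." indicators into a host blocklist and then lists every off-site iframe found in a fetched page, which is the seeded-page-to-dropper chain described above. The sample HTML and the page URL it is checked against are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn the advisory's defanged notation ("h t t p://", "(dot)") back into a plain URL."""
    s = re.sub(r"\bh\s*t\s*t\s*p(s?)\s*:", r"http\1:", indicator.strip())
    return s.replace("(dot)", ".")


class _IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def offsite_iframes(html: str, page_url: str, blocklist=()):
    """Return (src, host, listed) for each iframe whose host differs from the page's host.
    listed is True when that host appears in the refanged blocklist."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    blocked = {urlsplit(refang(b)).hostname for b in blocklist}
    parser = _IframeCollector()
    parser.feed(html)
    found = []
    for src in parser.srcs:
        host = urlsplit(src).hostname
        if host and host.lower() != page_host:
            found.append((src, host, host in blocked))
    return found


# Constructed sample: a seeded page framing the legitimate news site plus a second
# iframe to the dropper host named in the advisory.
SAMPLE_HTML = """<html><body>
<iframe src="http://www.theaustralian.news.com.au/index/0,,5002460,00.html"></iframe>
<iframe src="http://zagevqsoii.biz/dl/adv433_.php"></iframe>
<iframe src="/local/ads.html"></iframe>
</body></html>"""

ADVISORY_INDICATORS = ["h t t p://zagevqsoii(dot)biz/dl/adv433_.php",
                       "h t t p://zbobivgcso(dot)biz/dl/loadadv455.exe"]

if __name__ == "__main__":
    for src, host, listed in offsite_iframes(SAMPLE_HTML, "http://cnnwarnews.com/", ADVISORY_INDICATORS):
        print(("BLOCKLISTED " if listed else "off-site    ") + host + "  <- " + src)
```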