Hidden Iframe in MineCraftForum.Net

Users have reported to us another website infected by a hidden iframe:

hxxp://www.minecraftforum.net/

All web pages are affected!

Here is an image of the hidden iframe at the bottom of the HTML pages:

[Image: the hidden iframe at the bottom of the HTML pages]
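One way a site owner could check served pages for this kind of injection, as an added example that is not part of the original post: it flags iframes that are zero-sized, hidden by inline CSS, or placed after the closing `</body>`/`</html>` tags. The hiding heuristics, the `audit` helper and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns commonly used to hide an element (assumed heuristics).
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class IframeAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.closed = False          # True once </body> or </html> was seen
        self.findings = []

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        reasons = []
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("zero-size")
        if HIDING_CSS.search(a.get("style", "")):
            reasons.append("css-hidden")
        if self.closed:
            reasons.append("after-closing-tag")
        # An iframe is external when its host is neither the site nor a subdomain.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        external = bool(host) and host != self.site_host and not host.endswith("." + self.site_host)
        if reasons:
            self.findings.append({"src": a.get("src", ""), "external": external, "reasons": reasons})

def audit(html, site_host):
    """Return one finding per suspicious iframe in the given HTML text."""
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (hosts are placeholders, not taken from the incident).
SAMPLE = """<html><body>
<iframe src="http://forum.example.test/chat" width="600" height="400"></iframe>
</body></html>
<iframe src="http://injected.example.net/x" width="0" height="0" style="visibility:hidden"></iframe>
"""
```

Calling `audit(SAMPLE, "forum.example.test")` returns a single finding for the injected iframe; the visible same-site iframe is not reported.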

When I visited the infected website, NoVirusThanks EXE Radar Pro displayed an alert about an unknown executable that tried to run on the system:

C:\Documents and Settings\User\Local Settings\Temp\scvhost.exe

Report date: 2011-06-22 11:34:41 (GMT 1)
File name: scvhost-exe
File size: 18944 bytes
MD5 hash: 5e71723d34d10648ed880af8e564f63b
SHA1 hash: 1af3dcb235e0a16eb58cebdbc0b9fb6316dc2f3b
Detection rate: 0 on 5 (0%)
Status: CLEAN

Thanks to NoVirusThanks EXE Radar Pro, I was able to block and delete the unknown and malicious executable file, preventing the system from being infected.

Some ASCII strings extracted from the PE file:

Type: ASCII
RVA: 00006CE2
Offset: 000040E2
Size: 0000000D
Value: GuardCore.dll
 
Type: ASCII
RVA: 00006EBC
Offset: 000042BC
Size: 00000024
Value: hxxp://www.dashangu.com/new/getw.asp
 
Type: ASCII
RVA: 00006EFF
Offset: 000042FF
Size: 00000006
Value: server
 
Type: ASCII
RVA: 00006F14
Offset: 00004314
Size: 0000000E
Value: WTF\Config.wtf
 
Type: ASCII
RVA: 00006F24
Offset: 00004324
Size: 0000000A
Value: realmName 
 
Type: ASCII
RVA: 00006F35
Offset: 00004335
Size: 00000005
Value: Right
 
Type: ASCII
RVA: 00006F4C
Offset: 0000434C
Size: 00000024
Value: hxxp://www.dashangu.com/new/getr.asp
 
Type: ASCII
RVA: 00006F74
Offset: 00004374
Size: 00000011
Value: JAGEXLAUNCHER.EXE
 
Type: ASCII
RVA: 00006F88
Offset: 00004388
Size: 00000007
Value: WOW.EXn
 
Type: ASCII
RVA: 00006F90
Offset: 00004390
Size: 00000007
Value: WinInet

URLVoid domain analysis:

http://www.urlvoid.com/scan/minecraftforum.net

16:38PM UPDATE:

The website appears to be in maintenance now, so it will probably be fixed soon.