Users have reported to us another website infected by a hidden iframe:
hxxp://www.minecraftforum.net/
All web pages are affected!
Here is an image of the hidden iframe at the bottom of the HTML pages:
When I visited the infected website, NoVirusThanks EXE Radar Pro displayed an alert about an unknown executable that tried to run on the system:
C:\Documents and Settings\User\Local Settings\Temp\scvhost.exe
Report date: 2011-06-22 11:34:41 (GMT 1)
File name: scvhost-exe
File size: 18944 bytes
MD5 hash: 5e71723d34d10648ed880af8e564f63b
SHA1 hash: 1af3dcb235e0a16eb58cebdbc0b9fb6316dc2f3b
Detection rate: 0 on 5 (0%)
Status: CLEAN
Thanks to NoVirusThanks EXE Radar Pro, I was able to block and delete the unknown and malicious executable file, preventing the system from being infected.
Some ASCII strings extracted from the PE file:
Type: ASCII RVA: 00006CE2 Offset: 000040E2 Size: 0000000D Value: GuardCore.dll
Type: ASCII RVA: 00006EBC Offset: 000042BC Size: 00000024 Value: hxxp://www.dashangu.com/new/getw.asp
Type: ASCII RVA: 00006EFF Offset: 000042FF Size: 00000006 Value: server
Type: ASCII RVA: 00006F14 Offset: 00004314 Size: 0000000E Value: WTF\Config.wtf
Type: ASCII RVA: 00006F24 Offset: 00004324 Size: 0000000A Value: realmName
Type: ASCII RVA: 00006F35 Offset: 00004335 Size: 00000005 Value: Right
Type: ASCII RVA: 00006F4C Offset: 0000434C Size: 00000024 Value: hxxp://www.dashangu.com/new/getr.asp
Type: ASCII RVA: 00006F74 Offset: 00004374 Size: 00000011 Value: JAGEXLAUNCHER.EXE
Type: ASCII RVA: 00006F88 Offset: 00004388 Size: 00000007 Value: WOW.EXn
Type: ASCII RVA: 00006F90 Offset: 00004390 Size: 00000007 Value: WinInet
URLVoid domain analysis:
http://www.urlvoid.com/scan/minecraftforum.net
16:38PM UPDATE:
The website appears to be in maintenance now, so it will probably be fixed soon.
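
A defender-side check for the kind of injection described in this post, added here as an example and not taken from the original post or from any NoVirusThanks tool: it parses a page and flags iframes that are both visually hidden and loaded from a host outside the site's own domain. The hiding heuristics, the function and class names, and the sample markup (forum.example, injected.example) are assumptions.

```python
# Added example: flag iframes that are hidden from the visitor AND load from another host.
# Heuristics and sample markup are assumptions, not data from the infected site.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}", re.I)

class IframeAudit(HTMLParser):
    def __init__(self, site_domain):
        super().__init__()
        self.site = site_domain.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):  # 0 or 1 pixel frames are invisible in practice
            if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("style hides frame")
        if "hidden" in a:
            reasons.append("hidden attribute")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Relative URLs have no host; same-site hidden frames (keepalives etc.) are not reported.
        external = bool(host) and host != self.site and not host.endswith("." + self.site)
        if reasons and external:
            self.findings.append({"src": a["src"], "host": host,
                                  "line": self.getpos()[0], "reasons": reasons})

def find_hidden_iframes(html, site_domain):
    audit = IframeAudit(site_domain)
    audit.feed(html)
    return audit.findings

# Constructed sample page: three legitimate frames and one injected near the bottom.
SAMPLE = """<html><body>
<iframe src="/widgets/news.html" width="300" height="200"></iframe>
<iframe src="http://video.forum.example/embed/1" width="560" height="315"></iframe>
<iframe src="//forum.example/keepalive" style="display:none"></iframe>
<p>footer</p>
<iframe src="http://injected.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""
```

Run against saved copies of a site's pages, a finding that appears on every page at the same position is a strong sign of a template-level or server-level injection rather than a single compromised post.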