This trojan has been found inserted into numerous Web pages via a blanket SQL injection attack, using an automated tool.
IFrame Code Execution
The trojan may execute another script within an IFrame named "am6.htm" or "am7.htm". The referenced script (detected as "Exploit:JS/Repl.B") may contain five or more exploits executed within IFrames:
These IFrames use the following execution methods:
This IFrame executes a Microsoft Data Access Components (MDAC) ADO ActiveX control known as "RDS.DataSpace". This control contains a vulnerability that could allow the execution of arbitrary code on systems that have not applied the update from Microsoft Security Bulletin MS06-014. The IFrame references an HTML script named "ax14.htm" (ActiveX, MS06-014), which is identified as "TrojanDownloader:JS/Psyme.BA" or "TrojanDownloader:VBS/Psyme.gen!E".
This IFrame executes an ActiveX control for "RealPlayer" known as "IERPCtl". This control contains a buffer overflow vulnerability that could allow the execution of arbitrary code on systems that have not applied the security patch from RealNetworks. Two IFrames are referenced, executing "re10.htm" (RealPlayer 10 exploit) and "re11.htm" (RealPlayer 11 exploit); both are identified as "Exploit:JS/Repl.C" or "Exploit:HTML/Repl.D".
This IFrame executes an ActiveX control for "Ourgame GLWorld" known as "GLAvatar". This control contains an undisclosed (0-day) vulnerability that could allow the execution of arbitrary code. The IFrame references an HTML script named "axlz.htm" (ActiveX, Lianzong game platform), identified as "Exploit:JS/Gdow.A". See "GLAvatar Control" in "Additional Information" for more about this vulnerability.
A variant of this IFrame executes an ActiveX control for "Ourgame GLWorld" known as "GLIEDown". This control contains a vulnerability that could allow the execution of arbitrary code. This variant also references an HTML script named "axlz.htm".
This vulnerability is considered a 0-day exploit, and it joins three other known vulnerabilities in the GLWorld online game application:
Multiple Buffer Overflow Vulnerabilities within "HanGamePluginCn18.dll"
Stack-based Buffer Overflow Vulnerability within "GLChat.ocx"
Bugtraq ID 29118: Ourgame ActiveX Control Remote Code Execution Vulnerability within "GLIEDown2.dll"
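The IFrame chain and ActiveX controls described above give a responder concrete things to look for in pages pulled from a suspected compromised site. The following scanner is an added example written for this page, not code from the original analysis or from Microsoft: it parses an HTML document, flags IFrames whose source file name matches one of the exploit pages named above ("am6.htm", "am7.htm", "ax14.htm", "re10.htm", "re11.htm", "axlz.htm") or that are sized or styled to be invisible, and flags script code that instantiates an ActiveX control whose ProgID contains one of the control names above. The exact ProgIDs and CLSIDs of the IERPCtl, GLAvatar and GLIEDown controls are not given on the page, so matching on the control name as a substring is an assumption; the sample HTML and its host name are constructed for the demonstration.

```python
"""Scan HTML for the hidden-IFrame / ActiveX pattern described in the analysis above.

Added example, not part of the original malware description.
"""
import re
from html.parser import HTMLParser

# Exploit page file names taken from the analysis above.
EXPLOIT_PAGES = {"am6.htm", "am7.htm", "ax14.htm", "re10.htm", "re11.htm", "axlz.htm"}

# ActiveX control names from the analysis. They are matched as substrings of the
# ProgID passed to ActiveXObject(); the real ProgIDs/CLSIDs are an assumption here.
ACTIVEX_NAMES = ("RDS.DataSpace", "IERPCtl", "GLAvatar", "GLIEDown")

ACTIVEX_RE = re.compile(r'new\s+ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.I)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_zero(value):
    """True for width/height values such as "0" or "0px"."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v == "0"


def _is_hidden(attrs):
    """An IFrame with zero width/height or a hiding style is not meant to be seen."""
    if _is_zero(attrs.get("width", "")) or _is_zero(attrs.get("height", "")):
        return True
    return bool(HIDDEN_STYLE_RE.search(attrs.get("style", "")))


class IframeScanner(HTMLParser):
    """Collects (kind, value, reasons) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            # Compare only the file name, ignoring path and query string.
            name = src.rsplit("/", 1)[-1].split("?", 1)[0].lower()
            reasons = []
            if name in EXPLOIT_PAGES:
                reasons.append("src matches known exploit page")
            if _is_hidden(a):
                reasons.append("hidden iframe")
            if reasons:
                self.findings.append(("iframe", src, reasons))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if not self._in_script:
            return
        for m in ACTIVEX_RE.finditer(data):
            progid = m.group(1)
            hits = [n for n in ACTIVEX_NAMES if n.lower() in progid.lower()]
            if hits:
                self.findings.append(("activex", progid, hits))


def scan_html(html):
    """Return a list of findings for the given HTML document text."""
    scanner = IframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one injected hidden IFrame, one legitimate IFrame,
# and a script that instantiates the MDAC control. The host name is made up.
SAMPLE_HTML = """<html><body><p>Welcome to our store</p>
<iframe src="http://example.invalid/am6.htm" width="0" height="0"></iframe>
<iframe src="/partners/news.htm" width="300" height="200"></iframe>
<script>var o = new ActiveXObject("RDS.DataSpace");</script>
</body></html>"""


if __name__ == "__main__":
    for kind, value, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {value} -> {detail}")
```

Run against a crawl of the affected site, a hit on a known exploit page name is a strong indicator; a hidden IFrame alone is only a lead, since legitimate pages also use zero-sized frames, so pair it with a check of the IFrame target and of the database rows the page is rendered from.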
Analysis by Cristian Craioveanu & Patrick Nolan
There are no common symptoms associated with this threat: the links are activated within IFrames while viewing Web content on maliciously modified pages, so alert notifications from installed antivirus software may be the only symptom.