| Detected | Jun 11 2011 02:10 GMT |
| Released | Jun 11 2011 04:44 GMT |
| Published | Sep 19 2011 11:27 GMT |
When the infected site is opened in the user's browser, the trojan tries to load resources located at the following links in hidden frames:
http://la2z***g.ru/1.html
http://goldf***ters.com/2.html
http://la2gol***ub.com/ndex.html
http://URLT***FO.TK/trafgobn.php?i=16602
http://la2gol**/me.com/index.html
http://iptraf***q.co/trafgon.php?i=2
http://conccuba***ag.narod.ru
http://urlt.***dns.org/?inif=17308&tt=653879077.5
After these links are followed, it downloads other JS scripts, which in turn build a "chain" of hidden frames in which the above-mentioned malicious resources are loaded. These actions are carried out in order to "cheat" the counters on these sites and to increase traffic volume. For example, one of the "chains" of hidden frames links to the following resource:
TRAFFIC EXCHANGE, BUY AND SELL IFRAME TRAFFIC
located at the following address:
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete it:
%Temporary Internet Files%
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.
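For site owners checking their own pages for the hidden-frame behaviour described in this entry, the following added example (not part of the original description) scans served HTML for frames that are invisible or collapsed to 0-1 px and that load from another host. The function and class names, the hiding heuristics and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that makes a frame invisible or collapses it to 0-1 px.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
TINY = re.compile(r"[01](?:px)?", re.I)


class HiddenFrameFinder(HTMLParser):
    """Collects <iframe>/<frame> tags that are hidden and point off-site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = [f"{d}={a[d]}" for d in ("width", "height")
                   if TINY.fullmatch(a.get(d, "").strip())]
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("style")
        if "hidden" in a:
            reasons.append("hidden-attr")
        # Relative URLs have no host and are treated as same-site.
        if reasons and host and host != self.page_host:
            self.findings.append((src, reasons))


def find_hidden_offsite_frames(html, page_host):
    """Return (src, reasons) for every hidden frame loading from another host."""
    finder = HiddenFrameFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; hosts are reserved example names, not from this entry.
SAMPLE = """<html><body>
<iframe src="http://counter.example.net/1.html" width="0" height="0"></iframe>
<iframe src="http://ads.example.org/x.php?i=1" style="visibility:hidden"></iframe>
<iframe src="http://video.example.com/embed" width="640" height="360"></iframe>
<iframe src="/local/widget.html" width="1" height="1"></iframe>
</body></html>"""
```

This is a static check of the markup as served; frames that scripts build at load time, as in the chains described above, only appear in the rendered DOM.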