While researching on the Internet today, I came upon this URL: hxxp://www.sou[BLOCKED]xse.cn/arp.htm
The link looked suspicious, so I decided to take a closer look. My initial assumption about this URL was correct.
Here’s what actually happens when you visit that webpage.
1 - A web browser accesses the malicious URL hxxp://www.sou[BLOCKED]xse.cn/arp.htm.
2 - ARP.HTM loads in the browser and the user sees something resembling an error message claiming that the requested page cannot be displayed. However, something devious is happening in the background.
3 - Within ARP.HTM’s code is a SCRIPT tag that references a JScript file, S.JS. This script retrieves XUIK.EXE from the web server where the site is hosted and renames it to ~TMPXXXX.EXE (where XXXX is a random number). The script’s contents are obfuscated so that inexperienced users cannot easily work out what it is trying to do.
4 - The file ~TMPXXXX.EXE is downloaded to the Windows folder of the affected system. It is then executed automatically on the affected system via the ShellExecute API.
Both XUIK.EXE and ~TMPXXXX.EXE are detected as TROJ_AGENT.RGA, which is most likely a malware downloader. Copies of other malware such as TSPY_DELF.HAJ and WORM_AGENT.RGB have also been found hosted on the same URL.
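As an added example (not code from the original post), the following Python correlates constructed proxy and file-creation log lines to flag the four-step chain described above: an .HTM page, an external .JS from the same host, an .EXE fetched from that host, and a ~TMPXXXX.EXE written to the Windows folder shortly afterwards. The domain, client addresses and log format are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry (not real logs); the domain stands in for the blocked one.
PROXY_LOG = """\
2008-03-05T10:01:02 10.0.0.7 GET http://badsite.invalid/arp.htm text/html
2008-03-05T10:01:03 10.0.0.7 GET http://badsite.invalid/s.js text/javascript
2008-03-05T10:01:05 10.0.0.7 GET http://badsite.invalid/xuik.exe application/octet-stream
2008-03-05T10:02:00 10.0.0.9 GET http://news.example/index.htm text/html
2008-03-05T10:02:01 10.0.0.9 GET http://cdn.example/app.js text/javascript
"""
FILE_LOG = """\
2008-03-05T10:01:06 10.0.0.7 CREATE C:\\WINDOWS\\~TMP4821.EXE
2008-03-05T10:02:30 10.0.0.9 CREATE C:\\WINDOWS\\~TMP0001.EXE
"""

# ~TMPXXXX.EXE dropped in the Windows folder, as in step 4 of the post.
DROP_PATH = re.compile(r"^[A-Z]:\\WINDOWS\\~TMP\d{4}\.EXE$", re.IGNORECASE)

def parse(log):
    """Split 'timestamp client field...' lines into (datetime, client, rest)."""
    for line in log.splitlines():
        ts, client, *rest = line.split()
        yield datetime.fromisoformat(ts), client, rest

def detect_dropper_chain(proxy_log, file_log, window=timedelta(seconds=60)):
    """One finding per client whose activity matches steps 1-4 within `window`
    of the .htm hit; a lone ~TMPxxxx.EXE creation (client 10.0.0.9) is not enough."""
    drops = [(ts, c, rest[1]) for ts, c, rest in parse(file_log) if DROP_PATH.match(rest[1])]
    by_client = {}
    for ts, client, (method, url, mime) in parse(proxy_log):
        by_client.setdefault(client, []).append((ts, urlparse(url)))
    findings = []
    for client, hits in by_client.items():
        for t0, page in hits:
            if not page.path.lower().endswith((".htm", ".html")):
                continue
            same_host = [(t, u) for t, u in hits if u.netloc == page.netloc and t0 <= t <= t0 + window]
            js = [t for t, u in same_host if u.path.lower().endswith(".js")]
            exe = [(t, u) for t, u in same_host if u.path.lower().endswith(".exe")]
            drop = [p for t, c, p in drops if c == client and t0 <= t <= t0 + window]
            if js and exe and drop:
                findings.append({"client": client, "host": page.netloc,
                                 "exe_url": exe[0][1].geturl(), "dropped": drop[0]})
    return findings

if __name__ == "__main__":
    for f in detect_dropper_chain(PROXY_LOG, FILE_LOG):
        print(f"[ALERT] {f['client']} fetched {f['exe_url']} and wrote {f['dropped']}")
```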