Jun 17 | 10:29 am (UTC-7) | by Jasper Pimentel (Advanced Threats Researcher)
While browsing the Internet today, I came across a suspicious-looking URL (znewly[dot]hk). I call it suspicious-looking because when I visited the site, the page took (suspiciously, again) a long time to load, and after a few seconds the browser suddenly closed. Several seconds later I was staring at a Windows shutdown message: my machine was shutting down!
Now what just happened here?
It turns out that the page contains an obfuscated script that loads several more HTML pages carrying malicious code. These HTML documents contain known exploits, which are in turn loaded through IFRAME tags. It is worth mentioning that one of the exploits is similar to the one used by TROJ_ANICMOO, which targets a vulnerability in the handling of animated cursors. Eventually, a malicious executable file (fun.exe) is downloaded from “znewly[dot]hk/fun.exe”. Once the download has begun, the browser closes and the .EXE file attempts to shut down Windows. The shutdown does not succeed if the Windows XP group policy that restricts access to the Shut Down command is enabled.
Further inspection of the site’s HTML source also reveals that it uses a pinch of social engineering to trick unsuspecting users into downloading the malicious file. Much like the download sections of popular sites, it contains a statement telling the user that if the automatic download fails, the file can be obtained manually from this location: (znewly[dot]hk/fun.exe).
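As an added illustration (not code from the original post), the following scanner flags the traits described above in a page's HTML source: hidden IFRAMEs pulling in further pages, an `eval(unescape(...))` obfuscation hint, a link to an .EXE, and the "if the download does not start" lure text. The sample page it runs on is constructed here to mirror the description, using the defanged host from the post.

```python
import re
from html.parser import HTMLParser

# Constructed sample resembling the page described in the post:
# an obfuscated script, hidden IFRAMEs loading more HTML pages, and a
# "manual download" lure pointing at fun.exe (host kept defanged).
SAMPLE_HTML = """<html><body>
<script>eval(unescape("%3C%21%2D%2D%20constructed%20%2D%2D%3E"))</script>
<iframe src="http://znewly[dot]hk/1.htm" width="0" height="0"></iframe>
<iframe src="http://znewly[dot]hk/2.htm" style="display:none"></iframe>
<p>Download started. If the download does not start automatically,
<a href="http://znewly[dot]hk/fun.exe">click here</a>.</p>
</body></html>"""


class _Collector(HTMLParser):
    """Collect IFRAME attribute sets and anchor hrefs from the document."""

    def __init__(self):
        super().__init__()
        self.iframes, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _is_hidden(attrs):
    """True when the IFRAME is sized to zero or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = {"0", "0px"}
    return (attrs.get("width") in zero or attrs.get("height") in zero
            or "display:none" in style or "visibility:hidden" in style)


def scan_html(html):
    """Return (indicator, detail) pairs found in the HTML source."""
    parser = _Collector()
    parser.feed(html)
    findings = []
    if re.search(r"(eval|document\.write)\s*\(\s*unescape\s*\(", html):
        findings.append(("obfuscation_hint", "eval(unescape(...))"))
    for f in parser.iframes:
        if _is_hidden(f):
            findings.append(("hidden_iframe", f["src"]))
    for href in parser.links:
        path = re.split(r"[?#]", href, 1)[0]          # drop query/fragment
        if path.lower().endswith(".exe"):
            findings.append(("exe_link", href))
    if re.search(r"if\s+the\s+download\s+(does\s+not|doesn't)\s+start", html, re.I):
        findings.append(("download_lure", "manual download fallback text"))
    return findings
```

Any one finding is weak on its own; the combination of a hidden IFRAME chain and a direct .EXE link is what should raise the page for a closer look.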
Trend Micro detects the malicious web page as JS_DLOAD.AZ and the EXE file as the Trojan TROJ_TIBS.ABO.