According to a handler's diary entry at SANS ISC, a number of compromised sites host a script tag linking to malicious JavaScript on a Chinese web server.
I took a look at this incident. Googling parts of the script tag gave quite a good result: there were a couple of compromised sites that hosted this script tag. Downloading the file pointed to by the script tag, I found out that it redirects you to a malicious HTML file that has malicious script code. This HTML file in turn downloads an executable. This HTML file has code in it for MS06-014. Both files were already submitted for pattern creation; the HTML file will be detected as VBS_PSYCHME.ACU and the executable file being downloaded will be detected as TSPY_WOW.YO.
Virus reports are also being created and will be available in a few moments.
Please be careful when surfing the web. It's a dangerous world.
SANS has a list of the couple of sites that were compromised, with the use of Google cache.
Note: We do not guarantee that the sites are already safe for viewing, but admins were already contacted by SANS.


