Websites related to pornography that appear to be compromised were found by Trend Micro engineers loading malicious JavaScript which redirects users onto malicious domains that ultimately lead to the download of an MBR rootkit (TROJ_SNOWAL.A)onto the affected system.

The malicious JavaScripts are now detected as the following:

• JS_IFRAME.APQ
• JS_IFRAME.ABG
• JS_IFRAME.QD
• JS_PSYME.CRT
• JS_IFRAME.APU
• JS_IFRAME.APW

The abovementioned malicious scripts all follow a similar routine: upon execution, it checks for the date on the target system then generates a URL based on the date obtained. It then creates an IFrame, which would redirect the user to the generated URL. The URL then leads to the download of a malicious file, which in turn downloads an MBR rootkit.

Steps on how to identify and fix files infected by TROJ_SNOWAL.A can be found in the Virus Encyclopedia.
On the other hand, the Smart Protection Network protects users by detecting the malicious JavaScript which leads to the download of the rootkit, therefore preventing the rootkit from being downloaded onto users’ systems in the first place.