Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    For all you football fans out there, Superbowl XLI is just another few days away. So it may come as to no surprise that we’ve got certain individuals who are trying to ride off all the Superbowl hype.

    Earlier, we’ve had several reports come in about compromised superbowl websites that were hosting malicious code that takes advantage of the VML vulnerability. The embedded javascript was found initially on the website of the stadium that will be hosting this year’s Superbowl.

    The script redirects to a couple of iframes referencing to a special site.

    The webpage “ff.html” contains the actual VML epxloit.

    The downloaded trojan is a ZLOB variant which further download a malware related to the World of Warcraft account stealers that were circulating a couple of months back. The files are still undergoing analysis so we’ll have to wait for updates on this.

    After several Google searches, it appears that the Dolphin Stadium website isn’t the only one having a link pointing to this site in its code. Another thing about the compromised sites is that they are using IIS 5.0 or IIS 6.0. Most of the sites seem to be more on gaming-related side. Fortunately, I believe that most of, if not all, the compromised sites have already had the malicious code removed from their webpages.

    We’ve submitted all the files to the service team for urgent processing and we’ve received word that they will be detected as follows:

    • w1c.exe-1 (56,151 bytes) as TROJ_ZLOB.BZE
    • ff.htm-1 (11,636 bytes) as JS_DLOADER.KQZ
    • gg.htm-1 (9,380 bytes) as JS_DLOADER.KQZ
    • infected.html-1 (24,463 bytes) as JS_DLOADER.KQZ

    We’d like to thank Dan Hubbard and Websense for giving us a heads up on this. With the Superbowl just around the corner and the weekend drawing near, many football afficionados and internet junkies will be visiting these websites for news and updates. We’d best be prepared to receive more reports like this.

    Update (Jonell Baltazar, Sat, 03 Feb 2007 12:03:11 PM)

    The downloaded component of TROJ_ZLOB.BZE is detected as TSPY_WOWCRAFT.BL. Kindly update your pattern file to the latest CPR 4.244.01 to be protected from these malwares.

    Update (Miray Lozada, Sun, 04 Feb 2007 02:29:15 AM)

    The mentioned VML vulnerability is actually Microsoft Security Bulletin MS07-004. In addition, more information about the detected threats can be found here:


    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    Comments are closed.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice