For all you football fans out there, Superbowl XLI is just another few days away. So it may come as to no surprise that we’ve got certain individuals who are trying to ride off all the Superbowl hype.
The script redirects to a couple of iframes referencing to a special site.
The webpage “ff.html” contains the actual VML epxloit.
The downloaded trojan is a ZLOB variant which further download a malware related to the World of Warcraft account stealers that were circulating a couple of months back. The files are still undergoing analysis so we’ll have to wait for updates on this.
After several Google searches, it appears that the Dolphin Stadium website isn’t the only one having a link pointing to this site in its code. Another thing about the compromised sites is that they are using IIS 5.0 or IIS 6.0. Most of the sites seem to be more on gaming-related side. Fortunately, I believe that most of, if not all, the compromised sites have already had the malicious code removed from their webpages.
We’ve submitted all the files to the service team for urgent processing and we’ve received word that they will be detected as follows:
- w1c.exe-1 (56,151 bytes) as TROJ_ZLOB.BZE
- ff.htm-1 (11,636 bytes) as JS_DLOADER.KQZ
- gg.htm-1 (9,380 bytes) as JS_DLOADER.KQZ
- infected.html-1 (24,463 bytes) as JS_DLOADER.KQZ
We’d like to thank Dan Hubbard and Websense for giving us a heads up on this. With the Superbowl just around the corner and the weekend drawing near, many football afficionados and internet junkies will be visiting these websites for news and updates. We’d best be prepared to receive more reports like this.
Update (Jonell Baltazar, Sat, 03 Feb 2007 12:03:11 PM)
The downloaded component of TROJ_ZLOB.BZE is detected as TSPY_WOWCRAFT.BL. Kindly update your pattern file to the latest CPR 4.244.01 to be protected from these malwares.
Update (Miray Lozada, Sun, 04 Feb 2007 02:29:15 AM)
The mentioned VML vulnerability is actually Microsoft Security Bulletin MS07-004. In addition, more information about the detected threats can be found here: