Sunday 28 August 2011

AVAST Software: Superglue site stuck with malware

The infection was a Trojan JavaScript Redirector which takes visitors through a series of infected sites to the final location in Russia, most likely a distribution center for fake antivirus.

The malware was first reported to the AVAST Virus Lab through the CommunityIQ system of sensors. After receiving the initial report on August 5, 20.53 CET, the Lab confirmed the infection and flagged the site to avast! users.

“The script creates a URL (hXXp://cameoprincess.com/index.php?go=lastnews&rf=) and creates a script tag with it which basically activates the code on that URL,” said Alena Varkockova, Virus Lab analyst. The ‘cameoprincess’ page contains JavaScript code that redirects the visitor to ‘hXXp://papucky.eu/ext/’, which redirects the visitor to ‘hXXp://adeportes.es/images/info/js/js.php’ and then to ‘hXXp://labource.ru/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34’.




“This last address seems to be the page that contained the payload - and it is turned off for now. By using a combination of redirectors, it’s statistically difficult to uncover the precise payload,” she added. “The likely candidate is some sort of fake antivirus.”

While injected JavaScript downloaders or redirectors are fairly common, the specific AVF Trojan at the Superglue site is not. “It’s not in the top fifty malware rankings, but it has already been reported in over 500 sites today,” said Ms. Varkockova.
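
A multi-hop redirector chain like the one described above can be reconstructed on the defender's side from web proxy logs. The Python sketch below is an added example, not AVAST's code: the log records are constructed, `infected-site.example` and the client addresses are placeholders, and it assumes each request carries the previous hop as its Referer and that four distinct hosts is a useful alert threshold.

```python
from urllib.parse import urlsplit

# Constructed proxy records: (client, requested URL, Referer). Hosts after the
# first are the ones named in the article; everything else is a placeholder.
SAMPLE_LOG = [
    ("10.0.0.5", "hXXp://infected-site.example/", ""),
    ("10.0.0.5", "hXXp://cameoprincess.com/index.php?go=lastnews&rf=",
     "hXXp://infected-site.example/"),
    ("10.0.0.5", "hXXp://papucky.eu/ext/",
     "hXXp://cameoprincess.com/index.php?go=lastnews&rf="),
    ("10.0.0.5", "hXXp://adeportes.es/images/info/js/js.php", "hXXp://papucky.eu/ext/"),
    ("10.0.0.5", "hXXp://labource.ru/iframe.php",
     "hXXp://adeportes.es/images/info/js/js.php"),
    ("10.0.0.9", "hXXp://news.example/", ""),
    ("10.0.0.9", "hXXp://cdn.example/app.js", "hXXp://news.example/"),
]

def host(url):
    """Lower-cased host part of a (defanged or plain) URL."""
    return urlsplit(url).hostname or ""

def redirect_chains(records):
    """Return {client: [chain, ...]}; each chain lists hosts from first page to last hop."""
    parents, referers = {}, set()
    for client, url, referer in records:
        parents.setdefault((client, url), referer)   # request -> where it came from
        if referer:
            referers.add((client, referer))
    chains = {}
    for client, url in parents:
        if (client, url) in referers:
            continue                      # something followed it, so not a chain end
        chain, seen = [], set()
        while url and url not in seen:    # 'seen' guards against Referer loops
            seen.add(url)
            chain.append(host(url))
            url = parents.get((client, url), "")
        chains.setdefault(client, []).append(chain[::-1])
    return chains

def suspicious(records, min_hosts=4):
    """Chains that cross at least min_hosts distinct hosts (threshold is an assumption)."""
    return [(client, chain)
            for client, found in redirect_chains(records).items()
            for chain in found
            if len(set(chain)) >= min_hosts]

if __name__ == "__main__":
    for client, chain in suspicious(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

Comparing hosts rather than registered domains keeps the sketch short; a production rule would also normalise subdomains and allow-list known ad and CDN chains.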
