Up to 55k Compromised by Potent Backdoor/Data Theft Cocktail
A potent trojan cocktail consisting of backdoors, password stealers, and a downloader is being loaded by a malicious iframe on nearly 55,000 compromised website pages.
The iframe points to an intermediary exploit site, http://a0v.org/x.js, which in turn loads additional exploits and malware from up to seven different malware domains.
A Google search on the iframe script tag resulted in 54,900 hits. Victim sites include www.feedzilla.com, latindiscover.com, and a number of charitable and nursing facilities, including howellcarecenter.com, sweetgrassvillagealf.com, www.foodsresourcebank.org, and morningsideassistedliving.com.
The malware hosting domains were registered on or after August 3, 2009 and include: ahthja.info, gaehh.info, htsrh.info, car741.info, game163.info, car963.info, and game158.info. The most prolific observed by ScanSafe thus far has been ahthja.info.
The exploit and malware paths are consistent across the domains, as seen in the following examples:
Post-infection, additional malware may also be downloaded from 74.52.164.210/pk/axa0727.exe.
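As an added example (not ScanSafe's code or anything from the original post), the following Python flags the two observable stages described above in artifacts a site owner or network defender already has: an iframe or script src in a page's HTML that points at a0v.org or one of the malware domains, and proxy-log requests to those hosts or to the shared /oday/ path. The HTML snippet, the log lines and the four-field log format are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the post: the intermediary site a0v.org and the malware domains.
KNOWN_BAD_HOSTS = {"a0v.org", "ahthja.info", "gaehh.info", "htsrh.info",
                   "car741.info", "game163.info", "car963.info", "game158.info"}
BAD_PATH_PREFIX = "/oday/"  # path prefix shared by the exploit pages on those domains

def _host_of(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class _SrcCollector(HTMLParser):
    """Collect the src attribute of every <iframe> and <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def find_injected_srcs(html):
    """Return iframe/script src URLs in html that point at a known bad host."""
    parser = _SrcCollector()
    parser.feed(html)
    return [s for s in parser.srcs if _host_of(s) in KNOWN_BAD_HOSTS]

def flag_proxy_requests(log_lines):
    """Return (line_no, url) for requests to a bad host or to an /oday/ path.
    Assumes the (assumed) line format '<client> <method> <url> <status>'."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip
        url = parts[2]
        if _host_of(url) in KNOWN_BAD_HOSTS or urlparse(url).path.startswith(BAD_PATH_PREFIX):
            flagged.append((n, url))
    return flagged

# Constructed sample inputs, not captured from a real victim site or proxy.
SAMPLE_HTML = ('<html><body><p>Welcome</p>'
               '<iframe src="http://a0v.org/x.js" width="0" height="0"></iframe>'
               '<script src="https://cdn.example.com/site.js"></script></body></html>')
SAMPLE_LOG = ["10.0.0.5 GET http://www.example.com/index.html 200",
              "10.0.0.5 GET http://a0v.org/x.js 200",
              "10.0.0.5 GET http://ahthja.info/oday/ie.html 200",
              "10.0.0.7 GET http://cdn.example.com/site.js 200"]
```

The /oday/ path check is a lower-confidence heuristic than the host match, so treat a hit on an unlisted host as something to investigate rather than block outright.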
Sample WHOIS info:
Domain Name:AHTHJA.INFO
Created On:10-Aug-2009 15:21:48 UTC
Last Updated On:10-Aug-2009 15:25:54 UTC
Expiration Date:10-Aug-2010 15:21:48 UTC
Sponsoring Registrar:GoDaddy.com Inc.
ThreatExpert Report
VirusTotal Results (1)
VirusTotal Results (2)
Wepawet Analysis

Mary Landesman