Malicious Website / Malicious Code Alert: ShangHai Huizhong Automotive Manufacturing

Websense® Security Labs has received reports that the website of the Chinese car manufacturer "ShangHai Huizhong Automotive Manufacturing (SHAC)" appears to have been compromised and attempts to download and run malicious code when users visit the site. SHAC is a joint venture between VW and a state-owned manufacturing company.

An IFRAME was added to the bottom of the front page. It tries to use a Microsoft® Internet Explorer CHM exploit that allows malicious code to be downloaded and run without user intervention. The website, which is hosted in Australia and was still up at the time of this alert, serves a file called "help.txt", which is not a text file but a CHM Windows® Help file. This malicious Windows Help file drops another file called fu**snow.exe, which is UPX-packed. That file in turn uses several built-in Windows APIs to connect to the internet, open a back door, and install a keylogger.
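As an added example (my own code, not Websense's and not taken from the incident), here is a defender-side triage that identifies a download by its header rather than its extension, so a CHM served as "help.txt" is flagged as a content mismatch and a PE is flagged when it carries the UPX0/UPX1 section names the UPX packer leaves behind. The sample bytes and the minimal PE skeleton are constructed for the example.

```python
import struct

# Constructed sample (not from the incident): a blob beginning with the ITSF magic of a .chm file.
CONSTRUCTED_CHM = b"ITSF" + struct.pack("<I", 3) + b"\0" * 56
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # section names the UPX packer leaves behind

def identify(data: bytes) -> str:
    # Classify by leading bytes, ignoring whatever extension the file was served under.
    if data.startswith(b"ITSF"):
        return "chm"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"

def pe_section_names(data: bytes) -> list:
    """Walk the PE section table and return its names; [] if the headers are malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    # Each header is 40 bytes and starts with an 8-byte, NUL-padded name.
    return [data[o:o + 8].rstrip(b"\0")
            for o in range(table, table + 40 * num_sections, 40) if o + 40 <= len(data)]

def is_upx_packed(data: bytes) -> bool:
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))

def triage(filename: str, data: bytes):
    # Return (detected kind, findings) for a downloaded file such as the page's "help.txt".
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if kind == "chm" and ext != "chm":
        findings.append(f"extension/content mismatch: CHM served as .{ext}")
    if kind == "pe" and is_upx_packed(data):
        findings.append("UPX-packed PE")
    return kind, findings

def build_fake_pe(section_names):
    # Minimal, non-executable PE skeleton (test data only) carrying the given section names.
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections
```

Real samples should be checked the same way before trusting the extension a web server or IFRAME hands out.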

Linked by shanmuga Tuesday, 29th November 2005 3:00AM