Wednesday, May 16, 2012

Resurgence of Virut?

It seems like the infamous virus Virut is making a comeback. Over the past 10 days, one of our most popular ClamAV signatures has been HTML.Iframe-63:

HTML.IFrame-63 signature

Virut is a file infector that has been around for over 5 years. It typically connects to its C&C servers at brenz.pl or trenz.pl. It also adds an iFrame script to HTML files on your machine that looks like this:


Brenz.pl iframe


This iFrame will redirect anyone who opens that HTML page in a web browsers to brenz.pl/rc .
Do not navigate to that website.  Historically, it has been used to distribute malware. As of 5/16/2012, Google Safe Browsing warns that brenz.pl has been used in the past 90 days to infect several domains.

On the Snort side, SID 22940 will keep your web servers from serving infected HTML pages to your users.

No comments:

Post a Comment