It seems like the infamous virus Virut is making a comeback. Over the past 10 days, one of our most popular ClamAV signatures has been HTML.Iframe-63:

HTML.IFrame-63 signature

Virut is a file infector that has been around for over 5 years. It typically connects to its C&C servers at or It also adds an iFrame script to HTML files on your machine that looks like this: iframe

This iFrame will redirect anyone who opens that HTML page in a web browsers to .
Do not navigate to that website.  Historically, it has been used to distribute malware. As of 5/16/2012, Google Safe Browsing warns that has been used in the past 90 days to infect several domains.

On the Snort side, SID 22940 will keep your web servers from serving infected HTML pages to your users.