Trojan:JS/Iframe.AQ

Trojan:JS/Iframe.AQ is a malicious JavaScript file that is embedded, via an IFrame, into malicious or compromised webpages, usually via SQL injection or through Blackhat search engine optimization (SEO) poisoning. The purpose of the file is to redirect your browser to other sites that may download malware onto your computer.

To avoid detection, the IFrame may be only one pixel in size.

Installation

When you visit a website that contains Trojan:JS/Iframe.AQ, your browser is redirected to another website that may download malware onto your computer.

Payload

Redirects webpages

In the wild, a webpage that contains Trojan:JS/Iframe.AQ may redirect to any of the following malicious URLs:

• antigest.ru/red.php
• asprout.in/wb65a/05.php
• awnlc.net/styles/counter.php
• baalite.in/wb65a/05.php
• cabaniaseleden.com.ar/stats.php
• cahnite.in/wb65a/05.php
• couchtarts.com/media.php
• counterdevelopment.in/wb65a/05.php
• draymen.in/wb65a/05.php
• glamorous-models-girls.net
• heartofpole.net/xml.php
• kildee.in/wb65a/05.php
• localwebgeek.com/wp-feeds.php
• misguiding.in/index.php?r=3f8a86e
• mytresca.com/counter.php
• natbushing.com/counter.php
• newstops.ru/red.php
• planwood.com/modules/counter.php
• poowabah.info/counter.php
• progenitive.in/wb65a/05.php
• pukers.ru/red.php
• reredatas.co.cc/red.php
• sessioweb.in/images.php?t=42442948
• setriner.co.cc/red.php
• speckdose.com/helpfiles/main.php
• ssl.imagecloud.in/release.php?image=178ed687bcbc8d3c
• start.clearlighthealing.ch/demo/single/counter.php?sid=1
• superololo.net/demo/single/counter.php?sid=1
• sushi.hideko-sushi.com.ar/demo/single/counter.php?sid=1

Analysis by Ric Robielos