I'm not surprised when I see injection attempts against my servers anymore, but I am surprised that they're still going with the same domain. The domain used in this particular attack is one that I saw a couple of months or so ago (though I'm not surprised that the domain is still online, given where it's hosted).
The entry in my server log for this one is;
The hex we're interested in is the part that begins with 0x and ends with F72 (look just before %20AS%20CHAR; %20 is just the URL-encoded space character). If we decode the hex, we end up with;
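Decoding that sort of entry by hand gets old quickly, so here is an added example (my own, not from the original post) that pulls the CAST hex literal out of a log line, URL-decodes it, turns the hex back into text and reports any script hosts it finds. The log line, the payload text and the PLACEHOLDER.js path are all constructed for the example; only the domain comes from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample log line (Apache combined-style). The hex blob is the ASCII
# encoding of a constructed marker string; the .js path is a placeholder.
SAMPLE_PAYLOAD = "<script src=http://www0.douhunqn.cn/PLACEHOLDER.js></script>"
SAMPLE_HEX = SAMPLE_PAYLOAD.encode("ascii").hex().upper()
SAMPLE_LOG = (
    '203.0.113.7 - - [10/Oct/2008:03:14:07 +0000] "GET /news.asp?id=12;'
    f'CAST(0x{SAMPLE_HEX}%20AS%20CHAR(4000)) HTTP/1.1" 500 412 "-" "Mozilla/4.0"'
)

# A hex literal immediately followed by "AS CHAR" / "AS VARCHAR" (N-prefixed
# variants too): the hex-to-string CAST idiom seen in these log entries.
HEX_CAST_RE = re.compile(r"0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]+src\s*=\s*['\"]?(?:https?://)?([^/'\"\s>]+)", re.IGNORECASE
)


def decode_hex_blob(hex_digits: str) -> str:
    raw = bytes.fromhex(hex_digits)
    # NCHAR/NVARCHAR payloads are UTF-16LE; alternating NUL bytes give that away.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def analyse_log_line(line: str) -> dict:
    """Return the decoded CAST payload(s) found in one raw access-log line."""
    decoded_url = unquote(line)  # %20 -> space, and so on
    findings = []
    for match in HEX_CAST_RE.finditer(decoded_url):
        hex_digits = match.group(1)
        if len(hex_digits) % 2:  # an odd-length literal cannot be a byte string
            continue
        payload = decode_hex_blob(hex_digits)
        findings.append({
            "cast_type": match.group(2).upper(),
            "payload": payload,
            "script_hosts": SCRIPT_SRC_RE.findall(payload),
        })
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    print(analyse_log_line(SAMPLE_LOG))
```

Feed it your own log lines (one call per line) and the script_hosts list gives you the domains to block or look up.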
This tells us that it is an SQL exploit that injects the script from www0.douhunqn.cn. What does this script contain? The following of course;
This script is detected by AntiVir as JS/Dldr.IFrame.CR
You'll also notice that it grabs new.htm from the same domain, this is detected as HTML/IFrame.UX, and contains;
Oh dear, this is getting a little messy, isn't it? Let's see what this does, shall we.
This is a counter that, presumably, tells them how many times the script has been loaded.
This is the HTML/Rce.Gen infection, and gives us a lovely little executable called rondll32.exe (19.8KB), lovingly downloaded from ppexe.com (Ref: hpHosts Listing);
It's downloaded via XMLHTTP and installed via the FileSystemObject (part of the Microsoft Scripting Runtime). For some peculiar reason, my attempts to download rondll32.exe failed (the download kept timing out).
This is detected as HEUR/HTML.Malware and loads yet more iFrames;
i1.html, detected as JS/Dldr.Agent.CQ, shows it's loading several SWF (Flash) files; I've not checked these yet;
f2.html, detected as HS/Dldr.Agent.QI, seems to do the same;
This is a rather nice little file that, according to its title, is a Visual Studio 0day exploit;
Malzilla had this to say about the %u-escaped code;
Alas, they really want you to have the executable from ppexe.com, as shown by the following, detected as EXP/SnapshotViewe.B;
Yeesh, they really want to give us as much as possible, don't they?
This is detected as HTML/Shellcode.Gen and contains;
Once again, this downloads rondll32.exe.
All 3 of these seem to return what looks like a 404, but I can't read a bleedin' word of it, so I'm not 100% sure;