Alert update posted on our blog:
http://www.websense.com/securitylabs...php?BlogID=114

Websense Security Labs has received reports of new, malicious Web sites which are designed to install Trojan horses. The Web sites are hosted in Korea and Hong Kong. The sites attempt to exploit the Microsoft ADODB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction.

Users receive an email, written in German, requesting that they visit a Web site to verify their order number. Upon visiting the site, the malicious code is automatically downloaded and run if the user's system is not patched against the Microsoft vulnerability.

The original site, which is hosted in Korea, appears to have been compromised. An IFRAME pointing to the exploit code site is contained at the bottom of the original site. The site contains encoded JavaScript which, when decoded, runs the exploit code and downloads an .exe file, update.exe, from a server in Hong Kong (http:///cosmos/cmp/get.php?file=exe).

Email screenshot: [image not preserved]
Encoding example: [image not preserved]
Infected site screenshot: [image not preserved]
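The alert describes two artifacts a defender can check a page for without running anything: an injected IFRAME in the footer of a legitimate site, and an escaped script block that only reveals ActiveX object names and an .exe reference once decoded. The following scanner is an added example written for this post, not Websense code and not the compromised site's markup; the sample page, the hostnames (shop.example, exploit-host.invalid) and the ProgID list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not the compromised site from the alert): a shop page whose
# footer carries an injected IFRAME and an escaped script block. Hostnames are placeholders.
SAMPLE_HTML = """<html><body>
<h1>Bestellung</h1><p>Bitte pruefen Sie Ihre Bestellnummer.</p>
<script>
document.write(unescape("var%20o%20%3D%20new%20ActiveXObject%28%22ADODB.Stream%22%29%3B%20%2F%2F%20update.exe"));
</script>
<iframe src="http://exploit-host.invalid/cosmos/cmp/" width="0" height="0"></iframe>
</body></html>"""

PAGE_HOST = "shop.example"  # host the page was fetched from (assumed for the example)

# ActiveX ProgIDs that MS06-014-style drive-by downloaders instantiate; treat any hit
# in a decoded script as an indicator worth a closer look
SUSPICIOUS_OBJECTS = ("ADODB.Stream", "Microsoft.XMLHTTP", "Shell.Application", "WScript.Shell")


def js_unescape(text):
    """Decode %uXXXX and %XX sequences in a single pass, like JavaScript's legacy unescape()."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, text)


def scan_page(html, page_host):
    """Return a list of indicator strings found in the page, in document order."""
    findings = []
    # 1. IFRAMEs: flag ones that point off-site or are sized to be invisible
    for m in re.finditer(r"<iframe\b([^>]*)>", html, re.IGNORECASE):
        attrs = {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group(1))}
        src_host = urlparse(attrs.get("src", "")).hostname
        if src_host and src_host != page_host:
            findings.append("external-iframe:" + src_host)
        if attrs.get("width") == "0" or attrs.get("height") == "0":
            findings.append("hidden-iframe")
    # 2. Scripts: decode escapes first, then look for ActiveX objects and .exe references
    for script in re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.IGNORECASE | re.DOTALL):
        decoded = js_unescape(script)
        for obj in SUSPICIOUS_OBJECTS:
            if obj.lower() in decoded.lower():
                findings.append("activex:" + obj)
        for exe in re.findall(r"[\w.-]+\.exe\b", decoded, re.IGNORECASE):
            findings.append("exe-reference:" + exe)
    return findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, PAGE_HOST):
        print(finding)
```

Run against the sample, the scanner reports the off-site IFRAME, its zero-size dimensions, the ADODB.Stream object and the update.exe reference. The escape decoding is deliberately single-pass to mirror unescape(); a page that layers several encoders would need the decoder applied again to each script's output before matching.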