In the weeks following the earthquake, the Symantec Security Response team based in Chengdu discovered that a legitimate Web site ([http://]www.85163.cn/q[REMOVED]), which is used for the expression of grief and condolences, had been compromised. The attackers had embedded a malicious IFRAME into the page.
The malicious code pointed to another URL, which in turn caused yet another page to be opened. The latter page contains JavaScript that will attempt to exploit a number of vulnerabilities, including the following:
(BID 25751) Xunlei Web Thunder ActiveX Control DownURL2 Method Remote Buffer Overflow Vulnerability
(BID 25121) Baidu Soba Search Bar BaiduBar.DLL ActiveX Control Remote Code Execution Vulnerability
(BID 26130) RealPlayer ierpplug.dll ActiveX Control Import Playlist Name Stack Buffer Overflow Vulnerability
(BID 28157) RealNetworks RealPlayer 'rmoc3260.dll' ActiveX Control Memory Corruption Vulnerability
(BID 17462) Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability
(BID 29118) Ourgame 'GLIEDown2.dll' ActiveX Control Remote Code Execution Vulnerability
Downloader: http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99
Backdoor.Trojan: http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99
Infostealer.Gampass: http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99