"This attack is similar to the Web threat attacks we are seeing worldwide: just visiting a compromised site leads to a series of redirections that causes the downloading of malware," said Trend Micro Advanced Threats Research Manager Ivan Macalintal.
Affected websites are injected with a malicious script (detected as JS_SMALL.QT) by way of an insecurely deployed phpBB (PHP Bulletin Board, a popular internet forum package) installation. When an affected site is visited, the visitor's system is infected with a variant of the ZLOB family (TROJ_ZLOB.CCW) that poses as a video codec installer. Users who download the "codec" are actually downloading several Trojan horse programs, the company explains.
These Trojans are known for changing an affected system's DNS server and web browser settings. Because every name lookup then goes through resolvers the attacker controls, the system can be silently redirected to further malicious sites, leaving it exposed to additional threats.
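The DNS-settings change described above is something a defender can check for directly. The following is an added example, not code from Trend Micro or from the article: it parses resolver configuration in resolv.conf style (`nameserver 10.0.0.53`) or in the form of a Windows `NameServer=` value (comma-separated), and flags any resolver not in an allow-list of expected resolvers. The allow-list and the sample configurations are constructed for illustration; the addresses come from the RFC 5737 documentation ranges and are not the resolvers used by any real ZLOB variant.

```python
import ipaddress
import re

# Constructed assumption: the resolvers this organisation expects on its hosts.
# A local stub resolver (e.g. 127.0.0.53) must be listed here if it is legitimate.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def parse_resolvers(config_text):
    """Return resolver address strings, in order, from resolv.conf-style text
    ('nameserver 10.0.0.53') or a Windows-style 'NameServer=a,b' value."""
    found = []
    for raw in config_text.splitlines():
        # Strip resolv.conf comments ('#' or ';') and surrounding whitespace.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line or not line.lower().startswith("nameserver"):
            continue
        rest = line[len("nameserver"):].lstrip(" \t=")
        for token in re.split(r"[,\s]+", rest):
            if token:
                found.append(token)
    return found


def find_rogue_resolvers(config_text, expected=EXPECTED_RESOLVERS):
    """Return the configured resolvers that are not in the expected set.
    Unparsable entries are also returned so a human reviews them."""
    rogue = []
    for addr in parse_resolvers(config_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            rogue.append(addr)
            continue
        if str(ip) not in expected:
            rogue.append(str(ip))
    return rogue


# Constructed sample configurations (RFC 5737 documentation addresses).
CLEAN_RESOLV_CONF = (
    "# generated by DHCP client\n"
    "nameserver 10.0.0.53\n"
    "nameserver 10.0.1.53\n"
)
HIJACKED_RESOLV_CONF = (
    "nameserver 192.0.2.1  ; attacker-controlled\n"
    "nameserver 198.51.100.7\n"
    "nameserver 10.0.0.53\n"
)
HIJACKED_WINDOWS_VALUE = "NameServer=192.0.2.1,192.0.2.2"

if __name__ == "__main__":
    for label, cfg in [("clean", CLEAN_RESOLV_CONF),
                       ("hijacked resolv.conf", HIJACKED_RESOLV_CONF),
                       ("hijacked Windows value", HIJACKED_WINDOWS_VALUE)]:
        print(f"{label}: rogue resolvers = {find_rogue_resolvers(cfg)}")
```

On a live host the text would come from `/etc/resolv.conf` or, on Windows, from the `NameServer` values under the TCP/IP interface keys in the registry; an exact allow-list is used deliberately, since a DNS-changer Trojan typically prepends its own resolver ahead of the legitimate ones rather than replacing them all.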
Many of the websites have already been compromised with fake pharmaceutical and pornographic spam. It appears that the first infection occurred in February 2008. The infections appear to have been carried out in forums and guest books. The original forum and guest book pages are now inaccessible as they redirect visitors to a porn site to download the fake video codec.
The malware is hosted on servers located in the US and Russia. This attack is potentially the work of a Russian/Ukrainian criminal gang that has initiated previous ZLOB attacks over the course of the past year, Trend Micro says.
See: http://blog.trendmicro.com