The reason why this virus comes is only because of the either of the following : 1) You have a weak 7 vulnerable code on your website which is exploited by a hacker. 2) Your ftp password is weak and generally a dictionary word which is cracked by brute force attempts. The hackers behind this have not actually “hacked” into servers, but are using the Webs OWN programming errors to inject this code into search results pages created by the Web sites OWN internal search engines! The hacker searches for popular keywords, like “bank” on the equity Web site using its internal search engine. But instead of running a normal search, the (hacker?) adds on an HTML command to the end of his search string. HTML = hyper text markup Language…the stuff we write websites with mainly. This command then opens up an invisible “iframe” window in the victims browser which then redirects to a malicious Web site, which then (if successful) installs fake antispyware or a version of the “Zlob Trojan Horse” - a malware on the victims (meaning YOU) PC. And hear this! These (hackers) actually have great Google rankings!! In order to boost their Google rankings, Web sites often save a copy of these search results and submit them to Google. When a victim searches Google for the keyword, these cached search results then pop up, with the malicious code now inside them. How the hack is done? Client side PC infected with virus. Virus gets FTP username/password from the FTP clients. Using the username/password, the virus downloads the index files, add iframe code it and re-uploads it. The iframe code points to the same virus. So, anyone accessing this website gets infected with the same virus, and it uses the FTP username/password to spread again!!!! Solutions # 1) Ensure that your code is free from such kind of vulnerabilities. 2) Change all the ftp passwords and keep them safe & a combination of alpha + numbers + special characters like ^%$@^#% 3) Before updating the new password in their FTP clients, advise them to do a full system Virus scan with a reliable virus scanner updated with the latest virus definition files. 4) Advise the clients not to save ( remember ) the FTP username/password on FTP clients. On 4/23/09, saich <saiched@gmail.com> wrote:

Dear all Does anyone know how to prevent a website from being infected with an iframe virus _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks Other services @ http://my.co.ke Other lists ------------- Skunkworks announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science - http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi - http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general

-- Name : Michael Wambua Location : Kigali Rwanda. Cell : +254 721415372. +250 03629258.