i looked into it and the image used to propagate the trojan was likely posted without any intended malice, likely picked up from another forum/google images. anyway, it seemed fine to me but then i cracked it open with a hex editor and saw the trojan downloader appended at the end that likely exploits some parsing error in IE (6?). anyway, it creates an invisible (1px by 1px) iframe which downloads something from
http://www.ciudad.com.ar/ar/popunder/p_submit.asp?site=personales.ciudada.com.ar which is now a 404. so there is no longer a threat of any kind. it appears the image was uploaded in january of this year.
attached is a cleaned version of the image.
"the wisdom of the wise will perish, the intelligence of the intelligent will vanish."
Edited 1 time(s). Last edit at 05/14/2009 02:50PM by Gravis.
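The hex-editor check described in the post above can be automated. This is an added example, not code from the original post: it assumes the file is a PNG or JPEG (the post does not name the format), the list of markup tags is an assumption, and the sample bytes are constructed. It locates the real end of the image and reports whatever follows it.

```python
import re

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STUFFED = {0x00, *range(0xD0, 0xD8)}  # FF00 byte stuffing and RSTn inside scan data
# Markup that should never follow image data (assumed, non-exhaustive list).
ACTIVE = re.compile(rb"<\s*(iframe|script|object|embed|html)\b", re.I)

def png_end(data):
    """Walk PNG chunks and return the offset just past IEND."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length  # length field + type + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("PNG has no IEND chunk")

def jpeg_end(data):
    """Walk JPEG segments and scans and return the offset just past EOI."""
    pos = 2  # skip SOI
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a JPEG marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: the real end of the image
            return pos + 2
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2  # fill byte, or marker with no length
            continue
        # Length-prefixed segment: an EOI inside an APPn thumbnail is skipped whole.
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:  # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in STUFFED):
                pos += 1
    raise ValueError("JPEG has no EOI marker")

def trailing_data(data):
    """Return (end offset, trailer bytes, trailer contains active markup)."""
    if not data.startswith((PNG_SIG, b"\xff\xd8")):
        raise ValueError("only PNG and JPEG are handled here")
    end = png_end(data) if data.startswith(PNG_SIG) else jpeg_end(data)
    trailer = data[end:]
    return end, trailer, bool(ACTIVE.search(trailer))

# Constructed samples: a minimal JPEG skeleton, then the same bytes with markup appended.
CLEAN = b"\xff\xd8\xff\xe0\x00\x04AB\xff\xda\x00\x02\x12\xff\x00\x34\xff\xd0\x56\xff\xd9"
DIRTY = CLEAN + b'\n<iframe width=1 height=1 src="http://example.invalid/"></iframe>'
```

A non-empty trailer is worth a look even when the markup pattern does not match; truncating the file at the returned offset gives a cleaned copy.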