we have observed some suspicious activity on the Chinese Yahoo astrology site, http://astrology.cn.yahoo.com. Upon investigation, we determined that the site in question contained an iframe that was linking to the domain luckty.com, an astrology-based match finding company. This page contained an embedded iframe that linked to a malicious site that was exploiting the Real Player ierpplug.dll ActiveX Control Buffer Overflow Vulnerability and the MSIE ADODB.Stream Object File Installation Weakness to download malicious code onto a compromised machine.
The downloaded malicious code samples are detected as Downloader with definitions version 03/22/2008 revision 2 and later.
