from the whirlpool.net.au discussion forums
   New virus detected, web virus.
User #110660   380 posts
Forum Regular

Well, according to Neowin there is a new virus which spreads through browser exploits when viewed; their source is PCWorld.

"The Internet Storm Center, which tracks online threats, warned Wednesday that a worm is infecting vulnerable Web sites with a database attack. Though relatively small by Web attack standards with about 4,000 reported infected sites, the assault adds invisible code to a site that can force visitors to download malware onto their PC. Bad PR, to say the least.

IMPORTANT: DO NOT visit the domain named in the following test, or any sites that show up on a Web search as having this domain listed in their pages' code (including cached pages). Doing so could infect your PC with malware.

To see if your site has been hit, run the following Google search: "site:your company domain (ex. pcworld.com) winzipices.cn" -- or search for that domain within your Web site's HTML code. If you find anything, let your IT know immediately. When I ran a search just now I saw sites for everything from insurance companies to cemeteries to universities that all appear to have been infected.

The worm uses a SQL injection attack, according to the ISC, but it doesn't yet know just what vulnerability is targeted. The attack highlights the importance of keeping your site secure, something I wrote about last month. It's likewise critical to keep your own PC software up-to-date, as the ISC says visitors to infected sites can be hit via a known flaw in old Real Player software."

I found the following Australian websites infected.

www.drive.com.au
www.safoodcentre.com
www.cpe.sa.gov.au
www.penguinfoundation.org.au
www.skateaustralia.org.au
www.cheesesa.com.au
www.service.sa.gov.au
www.booksellerandpublisher.com.au
www.ocpe.sa.gov.au
www.australianinvestor.com.au
www.carwashwater.com.au
www.sunshinecomputers.com.au
www.v8central.com

EDIT: Heads up, don't visit the sites lol. They are infected LOL.

posted 2008-May-12, 12pm AEST
edited 2008-May-12, 10pm AEST
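The quoted article suggests checking your own site's HTML for the injected domain. The script below is an added example, not code from the thread or from PCWorld/ISC: it parses HTML and reports every script, iframe, object or embed tag whose source host is (or is a subdomain of) an indicator domain. Only the domain winzipices.cn comes from the thread; the sample page, the "/1.js" path and the tag-to-attribute table are constructed for illustration.

```python
"""Find remote references to indicator domains in HTML (added example, not from the thread)."""
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# The only indicator named in the thread; add more as they become known.
INDICATOR_DOMAINS = {"winzipices.cn"}

# Tags through which a page pulls in remote content, and the attribute carrying the URL.
# This mapping is an assumption of the example, not a reference list.
REMOTE_SRC_ATTRS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class InjectedRefFinder(HTMLParser):
    """Collect (line, tag, url) for every remote reference that resolves to an indicator domain."""

    def __init__(self, indicators):
        super().__init__()
        self.indicators = {d.lower() for d in indicators}
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr_name = REMOTE_SRC_ATTRS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value and self._matches(value):
                line, _col = self.getpos()  # line on which this start tag begins
                self.hits.append((line, tag, value))

    def _matches(self, url):
        # Scheme-relative URLs ("//host/x.js") and bare host paths need a leading "//"
        # so that urlparse treats the first component as the host, not as a path.
        candidate = url if ("://" in url or url.startswith("//")) else "//" + url
        host = urlparse(candidate).hostname
        if not host:
            return False  # purely local reference such as "/js/site.js"
        host = host.lower()
        # Exact match or subdomain match; "winzipices.cn.example.com" does not match.
        return any(host == d or host.endswith("." + d) for d in self.indicators)


def scan_html(text, indicators=INDICATOR_DOMAINS):
    """Return a list of (line, tag, url) hits for one HTML document."""
    parser = InjectedRefFinder(indicators)
    parser.feed(text)
    parser.close()
    return parser.hits


def scan_files(paths, indicators=INDICATOR_DOMAINS):
    """Return {path: hits} for every file that contains at least one indicator reference."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_html(fh.read(), indicators)
        if hits:
            report[path] = hits
    return report


# Constructed sample page: a normal local script, one injected tag on line 5, and a benign iframe.
SAMPLE_PAGE = """<html><head><title>Widgets Pty Ltd</title>
<script src="/js/site.js"></script>
</head><body>
<h1>Welcome</h1>
<script src=http://winzipices.cn/1.js></script>
<p>Contact us</p>
<iframe src="https://maps.example.com/embed"></iframe>
</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_files(sys.argv[1:]).items():
            for line, tag, url in hits:
                print(f"{path}:{line}: <{tag}> references {url}")
    else:
        for line, tag, url in scan_html(SAMPLE_PAGE):
            print(f"sample:{line}: <{tag}> references {url}")
```

Run it with no arguments to see the constructed sample flagged, or pass exported page templates and database-dumped content as files. Because the worm stores the tag in database fields, scanning the rendered output (or a dump of the affected columns) catches cases that a search of the static template files would miss.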
User #40942   18370 posts
Whirlpool Forums Addict

I was hit with it Saturday night from site unknown (was browsing Digg and such so went to a few different domains).

I ended up killing my Vista install by my own stupidity (forgot it's zealous about protecting itself...) but I found a few new and so far unique attributes.

It follows the usual "DLL in the system32 folder along with some other files" path. Runs under rundll32.exe, blah blah.

It also:
Disables task manager via a registry setting
Protects its DLL and other files if you change permissions (my usual clean method is to block SYSTEM access to the files, reboot and delete)
Re-instates its run commands in startup (usual)
Re-instates some of the files you can manually delete
Runs in safe mode
Doesn't run the primary stream, but the secondary (#1) stream of the DLL. This is an NTFS function to have streams.

Symptoms were a yellow exclamation in the taskbar area saying you have malware, click for removal tools (when clicked, opens a site with about 20 different referrers with paid-for tools).
It also has popups saying it's Windows Defender, or Windows Security Center, click for tools, opens the above.

As above, I tried blocking access to rundll32.exe to stop it running so I could clean it (NOD32 and Trend online scanners failed to find it). Vista then said I tried to hack the system, re-enter CD key blah blah.

posted 2008-May-12, 1pm AEST
User #150148   2777 posts
Whirlpool Forums Addict

Alliance1911 writes...

Though relatively small by Web attack standards with about 4,000 reported infected sites, the assault adds invisible code to a site that can force visitors to download malware onto their PC. Bad PR, to say the least.

Aah, Linux. =]

posted 2008-May-12, 5pm AEST
User #99667   881 posts
Whirlpool Enthusiast

☢Anonymous.☢ writes...

Aah, Linux. =]
+1
Funny you should mention linux, this is one of the above mentioned sites :)
www.penguinfoundation.org.au

Currently off line for server repairs.

posted 2008-May-12, 6pm AEST
User #88544   2150 posts
Whirlpool Forums Addict

Sounds scary.

Would AVG or spybot pick this up?

posted 2008-May-12, 6pm AEST
User #164131   474 posts
Forum Regular

Nasty.

Does it come up with a prompt to install the software on opening these sites, or does it just happen in the background?

I thought Vista's UAC etc. was supposed to prevent this?

posted 2008-May-12, 6pm AEST
User #196415   3184 posts
Whirlpool Forums Addict

Good old Sandboxie. Gotta love it.

Perfect for situations like this. Highly recommend it.

posted 2008-May-12, 7pm AEST
User #196415   3184 posts
Whirlpool Forums Addict

I'm just exploring this virus as I post. I should note it adds a file to C:\WINDOWS\ called "SbiePST.dat"

I'll post further updates when I can.

posted 2008-May-12, 7pm AEST
User #110660   380 posts
Forum Regular

I am just surprised drive.com.au is infected... pretty major site! Although this isn't as good as ransomware ;) reminds me of the news articles about computers being infected with PGP and the owners needing to pay to have the computer unlocked and data recovered :)

posted 2008-May-12, 10pm AEST
User #27614   235 posts
Forum Regular

I had a client tonight who was infected with this rubbish. System Restore did the trick in safe mode (XP).

I did a quick search in Google just now and got an amazing number of sites that include the bad html code on their pages.

**DO NOT OPEN ANY OF THESE SEARCH RESULTS UNDER ANY CIRCUMSTANCES**

www.google.com.au/search...eta=lr%3Dlang_en

**DO NOT OPEN ANY OF THESE SEARCH RESULTS UNDER ANY CIRCUMSTANCES**

posted 2008-May-12, 11pm AEST
User #110660   380 posts
Forum Regular

Pretty high-traffic sites are exploited as well :S

i.e. PETA
parts of AOL.com

I would think it would be nice if a WP programmer would code up a bot to take advantage of the exploit and simply remove the infected code from websites by having the bot search google for the code ;)

posted 2008-May-12, 11pm AEST
User #63325   604 posts
Whirlpool Enthusiast

Just had a look at some of the sites listed in the Google links provided earlier; some sites are down for maint, others are still infected, and some appear to have fixed the problem.
The latest free AVG detects the threat without a problem.
(note: I visited these sites using a virtual XP SP3 installation, and reverted back to an earlier snapshot afterwards so I couldn't get infected)

posted 2008-May-13, 12am AEST
User #54136   1424 posts
Whirlpool Enthusiast

darkknight145 writes...

The latest free AVG detects the threat without a problem.

Same here.. using the old ver 7 AVG Free too BTW.
It's good to be able to test your setup, throw it in the deep end... (yawn NOT using Linux either) and find it is working.. tried about 6 of the links... He he he, they sure are active little critters..

posted 2008-May-13, 12am AEST
User #164131   474 posts
Forum Regular

So does this virus infect your computer automatically in the background and there is no escape, or does it prompt the user to download/install something therefore anyone with common sense could avoid it...?

posted 2008-May-13, 12am AEST
User #102844   1568 posts
Whirlpool Enthusiast

Munka writes...

Funny you should mention linux, this is one of the above mentioned sites :)
www.penguinfoundation.org.au

Currently off line for server repairs.


I thought you were serious (no winking smiley)
till I googled
www.penguinfoundation.org.au

posted 2008-May-13, 12am AEST
User #55762   4500 posts
Whirlpool Forums Addict

Alliance1911 writes...

www.penguinfoundation.org.au

Well, now what am I meant to look at..

posted 2008-May-13, 2am AEST
User #155328   263 posts
Forum Regular

the penguin writes...

Well, now what am I meant to look at..

Oh ROFL from the penguin!!

posted 2008-May-13, 3am AEST
User #196415   3184 posts
Whirlpool Forums Addict

talkin to me? writes...

Oh ROFL from the penguin!!

LOL

posted 2008-May-15, 2pm AEST