I knew this was bound to happen, but I still got upset when I was confronted with it.
http://findmadeleine.com, the official website to find Madeleine McCann, has a page with links to news articles.
Several days ago, when I clicked on one of the news links, a new IE window opened showing the news article and, ultimately, downloading a trojan. Someone must have taken action, because as of this writing the trojan is not downloaded anymore. And just to be clear: the trojan was not hosted on or linked to from the findmadeleine.com site.
The official website to find Madeleine McCann links to news sites with articles about the search for Madeleine. One of these sites links to http://47z.nh5egc.gondar-my.info/htm/cc1.php?p=55, which in turn links to http://ww3.boz.com.my-expert-pop-block.biz/track3/sh.htm, which in turn downloads http://ww3.boz.com.my-expert-pop-block.biz/track3/%73%68%65%2e%6a%73.
%73%68%65%2e%6a%73 is simply she.js with every character percent-encoded (an obfuscation that keeps the .js filename out of plain sight in the page source). It is an encoded JavaScript trojan, detected as JS/IEstart.gen.c. Some of the things it does are:
- changing your IE start page
- installing a VB script to be executed each time your machine boots
- changing the hosts file
- …
The trojan is encoded with the Windows Script Encoder; I used the Windows Script Decoder to decode it.
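Two things in this chain can be checked mechanically before anything is executed: a filename whose percent-encoding hides characters that never needed encoding, and a script body wrapped in the Windows Script Encoder markers (#@~^ at the start, ^#~@ at the end, each next to an eight-character base64-style field). The following is an added example, not code from this post or from the Windows Script Decoder; it walks the three URLs quoted above, percent-decodes each filename and flags needless encoding, and locates encoded-script blobs by their markers without decoding them. The HTML snippet it scans is constructed for the example, and the eight-character header and trailer fields are an assumption about the marker layout rather than something the post states.

```python
"""Triage of the redirect chain and the encoded script (added example)."""
import re
from urllib.parse import urlsplit, unquote

# RFC 3986 unreserved characters never need percent-encoding in a path;
# finding them encoded is a sign the name was obfuscated on purpose.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

# Windows Script Encoder markers. The 8-character fields next to each marker
# are assumed here; the example only extracts the body between them.
SCRENC_RE = re.compile(
    r"#@~\^(?P<hdr>[A-Za-z0-9+/=]{8})(?P<body>.*?)(?P<trl>[A-Za-z0-9+/=]{8})\^#~@",
    re.S)

# The chain quoted in the post, in hop order.
CHAIN = [
    "http://47z.nh5egc.gondar-my.info/htm/cc1.php?p=55",
    "http://ww3.boz.com.my-expert-pop-block.biz/track3/sh.htm",
    "http://ww3.boz.com.my-expert-pop-block.biz/track3/%73%68%65%2e%6a%73",
]

def decode_filename(url):
    """Return (decoded last path segment, obfuscated?) for a URL."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    hidden = [chr(int(h, 16)) for h in re.findall(r"%([0-9A-Fa-f]{2})", segment)]
    obfuscated = any(c in UNRESERVED for c in hidden)
    return unquote(segment), obfuscated

def describe_chain(urls):
    """One record per hop: host, whether the hop left the previous host,
    the real filename and whether it was obfuscated."""
    report, prev_host = [], None
    for url in urls:
        host = urlsplit(url).hostname or ""
        name, obfuscated = decode_filename(url)
        report.append({
            "host": host,
            "cross_site": prev_host is not None and host != prev_host,
            "file": name,
            "obfuscated": obfuscated,
        })
        prev_host = host
    return report

def find_encoded_scripts(text):
    """Return the encoded body of every Windows Script Encoder blob in text.
    Decoding is left to a real decoder; this only tells you one is present."""
    return [m.group("body") for m in SCRENC_RE.finditer(text)]

# Constructed page fragment: the markers are real, the body is a placeholder.
SAMPLE_HTML = ('<html><script language="JScript.Encode">'
               '#@~^AAAAAA==ENCODEDBODY123456==^#~@</script></html>')

if __name__ == "__main__":
    for hop in describe_chain(CHAIN):
        print(hop)
    print("encoded scripts:", find_encoded_scripts(SAMPLE_HTML))
```

The last hop decodes to she.js and is flagged because letters and a dot were percent-encoded for no reason; the hop from gondar-my.info to my-expert-pop-block.biz shows up as a cross-site move. Either finding alone is enough to pull the page apart in a sandbox rather than in a browser.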
It’s a known tactic of scammers to exploit the curiosity of the general public whenever there’s an important news event. I don’t think I can do something to help find Madeleine, but I’ll keep an eye on the news section to try to stop these scammers.
Which (detection) software were you using that detected the trojan? It's sad to see the bad guys using these kinds of techniques. Nice blog, keep up the good work!
Comment by Security4all — Monday 28 May 2007 @ 12:02
The signature (JS/IEstart.gen.c) is for the McAfee scan engine, but several other AV products also detect it.
Comment by Didier Stevens — Monday 28 May 2007 @ 19:51
pls bring maddie home she needs her parents. she will be found xxx
Comment by niamhie — Wednesday 6 June 2007 @ 19:03