Was doing some digging in Google a couple of days back and found an iframe which led to a site distributing a downloader:

hxxp://w.mh8888.cn/ad.htm?a

This page in turn loads almost 10 pages and scripts from different servers, including one that uses a vulnerability in Internet Explorer to download and install a downloader (it hooks it into Internet Explorer as a BHO). If I did not use a vulnerable browser, nothing happened. Many links inside the scripts relate to the domain “cnzz.com”. Anyone have more info about these guys?

Anyhow, the dropper file’s name was “get.exe” and that in turn downloaded another file called “det.exe” which was placed in C:\Program files\Internet Explorer\det.exe.

When this file was run by get.exe (btw, it would not run in my sandbox:/ ), it started downloading and installing a driver called pcihdd.sys, placing it in c:\windows\system32\drivers\ and making the required system modifications to run. It also modified the file c:\windows\system32\userinit.exe. At the time of detection I only got a handful of “related to”, “modification of” or “suspicious file” responses from http://www.virustotal.com.

The .js files responsible for the infection were obfuscated by simple encoding routines and then run through eval() statements. The binaries themselves had obfuscated only some of their internal strings, but some were left unchanged. One of those strings was a link to an Asian site (hxxp://ilove.com/ttt.cer) disguised as a dating site.

All files collected, including the scripts, have been reported to the AV vendors and should be included by now.
