This Trojan will download a file indicated in the Trojan?s code to the victim machine. It uses a vulnerability in the ADODB.Stream ActiveX component to save the file to disk. The malicious code may be included in html pages. The Trojan is approximately 500 bytes in size.
1. Disable the ADODB.Stream object in Internet Explorer (see here for further details).
2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
I am hoping to find some direction. I am running a Microsoft 2003 webserver IIS 6.0. All of a sudden on my website the site tries to connect to http://colehost.cn and then the virus detection kicks on and tells me it detects js/pyne trojan. It will try to access this site over and over so I figured I have an IFRAME Exploit. Normally the IFRAME is placed in the code of the page. I ran a search in the source code of the site and I have no IFRAMES.
Has anyone seen this before or have a solution. I have run an antivirus on the server and have had no results.