Banner ads on a number of websites over the weekend could have infected people's machines with a variant of the Bofra worm.
Among the websites affected was IT news site The Register, which posted the message: "If you may have visited The Register between 6am and 12.30pm using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue."
The problem was the result of third-party ad serving company Falk, which later reported that one of its servers had been hacked and one in every 30 ads it served redirected someone's browser to a compromised website.
The website contained images that took advantage of an unpatched buffer overflow flaw in the way Internet Explorer 6 handles the IFrame tag. The hole works in Windows XP without SP2 and Windows 2000, according to SANS. The vulnerability allows attackers to gain complete control of a user's computer.
According to SANS, sites in Sweden and the Netherlands have also been affected by the malicious code. In the Netherlands, the country's biggest news site, NU.nl, with over 450,000 unique visitors per month, was infected through Falk's ad system. Other sites of Ilse Media, including one of the largest Dutch sites Startpagina, distributed the Trojan horse as well.
Adserver tags and link addresses were manipulated in order to install and execute the malware. User requests were redirected from Falk's servers to the URL "search.comedycentral.com" (188.8.131.52), from where the malicious code was delivered.
Falk's competitor Adtech has released its own statement saying that its adserving system Helios is not affected by the problem.
Microsoft has yet to issue a patch for the IE IFrame hole for users who have not installed SP2. However, some "unofficial" patches have however been released, including one from a German security researcher at the website, cherryware.de.