Infected With Trojan-Installation Browser Hijack

Summary: Visitors to (not hyperlinked for obvious reasons) will have their browsers hijacked, and a series of prompts will download and attempt to install malicious software. This will happen ONLY on the first visit from an IP address. Subsequent visits to will not experience the browser hijack.

NOTE: I have only experienced this on the Vancouver Sun section of I'm currently out of different IP addresses to try. I'll try again from home to see if the rest of is infected.

How I found The Problem: I followed a link from to a Vancouver Sun story that Bynkii discussed. My browser was immediately hijacked. I visited the site again, and found no errors. I then tried from a laptop connected to our company's wireless network (completely separate from our internal network, and through a separate ISP) and saw the hijack again. That time I got screencaps. Visiting the site through the wireless again showed no problems, leading me to believe that this displays one time per IP address. Trying multiple browsers did not result in another browser hijack, and neither did clearing cookies, making me think it's recording IP address and attacking once per IP address.


The first time you visit, your browser will flash through a few redirects, and then the following popup will appear:


Note that hitting either Cancel or OK appears to have the same result -- you can't get out of there. Your browser will then appear to scan your hard drive for viruses. It's all theater; it's not actually doing anything at this point:


It will then pop up a message (in an Windows-style message box -- not sure how it did that):


If you're on a Macintosh, it will then offer to download an EXE file. I'm not sure if it will automatically download and run the file on a Windows machine, because I'm not about to try.


I uploaded the downloaded file to, and it found a variety of badness there, general consensus seems to be that this file isn't so bad by itself, but will once installed download and install an additional slew of malware and trojans of unknown potency. (I was unable to find really definitive information about this file; I'm open to suggestions for better places to look.)

I submitted this to the Internet Storm Center, along with a malware sample, and e-mailed with a warning.

Update November 15, 2007: Wired just wrote about the issue; apparently it affects a number of different sites, as the hijack script was distributed via the Doubleclick ad network.

Update November 16, 2007: Wired wrote about the issue again, quoting me this time.