
Trojan.Exploit.JS.Agent.AR


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.Exploit.JS.Agent.AR.

Explanation :

The attack begins when the victim visits an infected page, which runs the script.
The malware consists of a JavaScript that is obfuscated to conceal the actions and means of the attack.
After decryption, the script checks whether the victim has a vulnerable Flash Player and, according to its version and revision, tries to download one of the following files (caught as Exploit.SWF.Gen):

i115.swf
i64.swf
i47.swf
i45.swf
i28.swf
i16.swf

*Note that the names of the files may vary, but they are all *.swf.

The script only fires when it reaches a victim that has Flash Player 9 installed.
The numbers in the names of the *.swf files are the revision dates of the Flash Player (e.g. 9.0.124.0 has the revision number 124).
Once the appropriate .swf has been downloaded, the script tries to run it in the vulnerable Flash Player, causing the attack described in http://www.bitdefender.ro/VIRUS-1000301-ro--Exploit.SWF.Gen.html.
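
The script keys on the Flash Player major version and revision, so the same two fields let a defender list the hosts it would fire on. The following is an added example, not part of the BitDefender write-up: it parses version strings from a constructed inventory (hostnames and values are made up) and returns the Flash Player 9 installs ordered by revision. Accepting the comma-separated `WIN 9,0,124,0` form alongside the dotted form is an assumption about how the inventory was collected.

```python
import re

# Accepts "9.0.124.0", "9.0.16", "9,0,124,0" and a prefixed "WIN 9,0,124,0".
_VERSION_RE = re.compile(r"(?:^|\s)(\d+)[.,](\d+)[.,](\d+)(?:[.,](\d+))?\s*$")


def parse_flash_version(raw):
    """Return (major, minor, revision, build), or None if unparseable."""
    m = _VERSION_RE.search(raw.strip())
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def triage(inventory):
    """Split hosts into Flash Player 9 installs (the only major version the
    write-up says the script fires on), other versions, and unparseable rows.
    'other' means only "not targeted by this script", not "safe"."""
    targeted, other, unknown = [], [], []
    for host, raw in inventory:
        version = parse_flash_version(raw)
        if version is None:
            unknown.append(host)
        elif version[0] == 9:
            targeted.append((host, version[2]))  # keep revision, e.g. 124
        else:
            other.append(host)
    return sorted(targeted, key=lambda item: item[1]), other, unknown


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = [
    ("ws-01", "9.0.124.0"),
    ("ws-02", "WIN 9,0,47,0"),
    ("ws-03", "10.3.183.10"),
    ("ws-04", "not installed"),
    ("ws-05", "9.0.16"),
]

if __name__ == "__main__":
    targeted, other, unknown = triage(SAMPLE)
    for host, revision in targeted:
        print(f"{host}: Flash Player 9 revision {revision} -> upgrade or remove")
    print("not targeted by this script:", other)
    print("needs manual check:", unknown)
```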

Last update 21 November 2011

 
