
Spoofer:Win32/Arpspoof.A


First posted on 08 October 2010.
Source: SecurityHome

Aliases :

Spoofer:Win32/Arpspoof.A is also known as Win-AppCare/Agent.38400 (AhnLab), Application.Tool.847 (BitDefender), Tool.Hijack (Dr.Web), Win32/Spy.Agent.ALD (ESET), not-a-virus:NetTool.Win32.Agent.g (Kaspersky), Generic PUP.x (McAfee), Hack.Win32.Agent.vbn (Rising AV), NetTool.Win32.Agent.g (Sunbelt Software), HackTool.Agent.GBFY (VirusBuster), Virtool:Win32/Obfuscator.BX (other).

Explanation :

Spoofer:Win32/Arpspoof.A is a trojan that uses ARP poisoning attacks on the local network to divert HTTP traffic and inject malicious IFrames into hijacked web traffic.

Installation

Spoofer:Win32/Arpspoof.A may be installed by other malware and may be present as the following:

%windir%\system32\nvsvc.exe

The trojan may be bundled with a utility known as WinPcap.

Payload

Executes arbitrary code

Spoofer:Win32/Arpspoof.A uses functions from installed WinPcap library components to try to hijack web traffic and insert IFrames into requested webpages. The IFrame consists of a "script src" tag that defines a malicious domain and JavaScript:

<script src={domain}/{subfolder}/yahoo.js></script>

In the wild, the domains observed are "faloge.com" and "xzjiayuan.com" with a request to execute a JavaScript file named "yahoo.js".
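The following check is an added example, not part of the original analysis: it scans an HTTP response body for script tags that match the injection described above. The function names, the off-site "yahoo.js" heuristic and the sample HTML are assumptions constructed for illustration; only the two domains and the file name come from the write-up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators taken from the description above.
KNOWN_DOMAINS = ("faloge.com", "xzjiayuan.com")
SCRIPT_NAME = "yahoo.js"

class ScriptSrcCollector(HTMLParser):
    """Collects the src of every <script> tag, quoted or unquoted."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources += [v.strip() for k, v in attrs if k == "src" and v]

def is_known(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)

def split_src(src):
    """Return (host, path); host is '' for a same-site relative reference."""
    if "://" in src or src.startswith("//"):
        parts = urlsplit(src)
        return (parts.hostname or "").lower(), parts.path
    # Scheme-less form: the first segment is a host only if it is a known domain.
    host = src.partition("/")[0].lower()
    return (host, src[len(host):]) if is_known(host) else ("", "/" + src.lstrip("/"))

def find_injected_scripts(html, page_host):
    """Return [(src, reason)] for script tags matching the described injection."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        host, path = split_src(src)
        if is_known(host):
            hits.append((src, "known domain"))
        # Heuristic (assumption): the same file name served from another host.
        elif host and host != page_host.lower() and path.lower().endswith("/" + SCRIPT_NAME):
            hits.append((src, "off-site yahoo.js"))
    return hits

# Constructed sample response body (not captured traffic).
SAMPLE = """<html><head>
<script src="/static/yahoo.js"></script>
<script src=http://faloge.com/a/yahoo.js></script>
<script src="//cdn.example.net/x/YAHOO.JS"></script>
<script src="https://shop.example.org/js/app.js"></script>
</head><body>hello</body></html>"""
```

Calling find_injected_scripts(SAMPLE, "shop.example.org") reports the second and third tags; a hit on a page fetched over plain HTTP that does not reproduce from another network segment points at tampering in transit rather than at the web server.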

Analysis by Marian Radu

Last update 08 October 2010
