Home / malwarePDF  

TrojanDownloader:Win32/Webpwnd.A


First posted on 04 March 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Webpwnd.A is also known as Win-Trojan/Agent.90112.PQ (AhnLab), TR/Dldr.meb.A.2 (Avira), Trojan-Downloader.MSIL.Agent.gc (Kaspersky), Downloader-BQL (McAfee).

Explanation :

TrojanDownloader:Win32/Webpwnd.A is a detection for specially crafted .NET assemblies used in an attack that exploits a vulnerability in Microsoft DirectShow (CVE-2009-1537).
Top

TrojanDownloader:Win32/Webpwnd.A is a detection for specially crafted .NET assemblies used in an attack that exploits a vulnerability in Microsoft DirectShow (CVE-2009-1537). InstallationTrojanDownloader:Win32/Webpwnd.A is installed on a compromised Web server by an attacker. A user could encounter the malicious code when navigating to the compromised site using Internet Explorer 6 or 7 with Windows XP and a vulnerable version of DirectX. The exploit attempts to fetch a malicious script (detected as Trojan:HTML/Redirector.I or Exploit:JS/Mult.BM). The malicious script loads multiple .NET assemblies located on the Web server that define custom Web controls that have no other purpose but to load a shellcode payload in string objects. The malicious .NET assemblies are detected as TrojanDownloader:Win32/Webpwnd.A, TrojanDownloader:Win32/Webpwnd.B or TrojanDownloader:Win32/Webpwnd.C with only minor differences among the malware. Payload Downloads and executes arbitrary filesUsing a heap spraying technique, the malicious script loads a specially crafted .AVI file that triggers the vulnerability (the malicious .AVI file is detected as Exploit:Win32/CVE-2009-1537). Upon successful exploitation, the executed shellcode downloads and executes additional malware. In the wild, this malware has been observed to download malicious files from the following domains:

  • dishconnect.us
  • b35.info
  • Additional InformationMicrosoft published Microsoft Security Bulletin MS09-028 to mitigate the vulnerability mentioned in Microsoft Security Advisory 971778.

    Analysis by Cristian Craioveanu

    Last update 04 March 2010

     

    TOP

    Malware :