Home / malware Trojan:JS/Twitini.A
First posted on 26 May 2010.
Source: SecurityHomeAliases :
Trojan:JS/Twitini.A is also known as JS/Pakes.E (Authentium (Command)), Trojan.JS.Pakes.bh (Kaspersky), JS.Twetty.A (VirusBuster), JS/Twetti.A (CA), JS/Kryptik.G (ESET), Mal/ObfJS-AG (Sophos), Trojan-Downloader.JS.Twettir.a (Sunbelt Software).
Explanation :
Trojan:JS/Twitini.A is a detection for malicious JavaScript code that may be appended to pages on compromised web servers. When run, it may download and execute arbitrary files.
Top
Trojan:JS/Twitini.A is a detection for malicious JavaScript code that may be appended to pages on compromised web servers. When run, it may download and execute arbitrary files. Payload Downloads and executes arbitrary files Trojan:JS/Twitini.A is a detection for obfuscated JavaScript code that may be appended to pages on compromised Web servers. When an affected page is loaded, the malware contacts search.twitter.com and requests a list of the top trending topics on Twitter for the week. It then uses this information, along with the current date, as inputs to a formula to generate a domain name, such as jikygipfir.com or dcopxmpfir.com. The malware€™s authors register domains whose names they calculate using the same formula, and host arbitrary files on these sites for Trojan:JS/Twitini to download and execute. At the time of publication these files did not appear to be available. The malware creates a cookie for the affected Web site with a name of €œrf5f6ds€, and a lifetime of one week, which is used to ensure that for each user, the malware runs only once per week per infected domain.
Analysis by David WoodLast update 26 May 2010