
JS/Cripac


First posted on 10 April 2012.
Source: Microsoft

Aliases:

There are no other names known for JS/Cripac.

Explanation:

JS/Cripac is a detection for JavaScript malware that attempts to exploit numerous vulnerabilities that allow the malware to execute arbitrary code.


Installation

This exploit is encountered when a user visits a web page that contains the malicious JavaScript. When the script executes, it attempts to run exploit code targeting several applications, including versions of Adobe Reader, Adobe Acrobat and Microsoft Internet Explorer 7.



Payload

Downloads other malware

If JS/Cripac is successful in exploiting a vulnerable system, it could result in downloading and executing other malware. The following are examples of the exploits used by JS/Cripac to compromise vulnerable computers, with the vendor update that mitigates each one.

CVE             Vulnerability                                              Mitigation
CVE-2006-0003   Microsoft Data Access Components (MDAC) Function           MS06-014
CVE-2007-5659   Adobe Reader and Adobe Acrobat                             APSB08-13
CVE-2007-6250   Stack-based buffer overflow in AOLMediaPlaybackControl     AOL update
CVE-2008-0015   Microsoft Active Template Library (ATL)                    MS09-037
CVE-2008-2992   Adobe Reader and Adobe Acrobat                             APSB08-19
CVE-2009-0075   Microsoft Internet Explorer 7                              MS09-002
CVE-2009-0927   Adobe Reader and Adobe Acrobat                             APSB09-04
CVE-2010-0094   JRE component of multiple Oracle Java versions             Java update
CVE-2010-0840   JRE component of multiple Oracle Java versions             Java update
CVE-2010-0886   Java Toolkit component of multiple Oracle Java versions    Java update
CVE-2010-1885   Microsoft Windows Help and Support Center                  MS10-042

We observed JS/Cripac to download variants of the following malware families:

  • Win32/Nayrabot
  • Win32/Bredolab
  • Win32/Bucriv


Redirects web browser

JS/Cripac may redirect the web browser to the landing page of a compromised website. In the wild, we observed this malware redirecting browsers to domains such as the following:

  • rokantop.comeze.<removed>
  • sickpuppies.<removed>.cc
  • cswilliamsburg.<removed>




Analysis by Shawn Wang

Last update 10 April 2012
