
Trojan.Exploit.JS.F


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.Exploit.JS.F.

Explanation :

The HTML part is a decoy: a page with the title "The page cannot be found" and the body text "The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.". The SCRIPT section that follows is where the exploitation attempts happen.

The script begins by trying to create an ADODB.Stream object. If that fails, it injects an iframe pointing to ms06014.js into the document (detected as Trojan.Exploit.JS.H); that file is an ADODB.Stream exploit which downloads back.css (Trojan.PWS.OnLineGames.SSL). If the object is created, the script reads the installed Flash Player version and writes an EMBED tag into the document, choosing the file by version:
* flash.swf for 9.x.115.x
* flash1.swf for 9.x.47.x
It then tries to instantiate the following ActiveX controls; for each one that is created successfully, an iframe is injected into the document (listed as ActiveX ProgID - injected iframe - detection name):
* GLIEDown.IEDown.1 - lz.htm - Trojan.Exploit.JS.G
* MPS.StormPlayer.1 - bf.htm - Trojan.Exploit.JS.G
* DPClient.Vod - xl.htm - Trojan.Exploit.JS.G
If none of the above ActiveX objects could be created, the browser is redirected to about:blank.
At the very end, after the SCRIPT tag closes, an OBJECT tag pointing to flash.swf is embedded.

The script carries an "infection marker" so that a client is not infected more than once (and so that a firewall or AV the user installs after infection, and possible disinfection, is not triggered again). The marker is a cookie named silentwm, valid for 24 hours.

The SWF files exploit a Flash Player vulnerability to download and execute a password stealer on the victim's computer.

The filenames listed here might differ, but the overall functionality is the same.
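The indicators above (the decoy title, the ADODB.Stream / ms06014.js path, the three ActiveX ProgIDs, the flash.swf / flash1.swf selection, the about:blank redirect and the silentwm cookie) are enough for a first-pass triage of a captured landing page or a proxy cookie log. The following is an added example, not code from the BitDefender write-up: a small Node.js scanner that flags those indicators in saved HTML, extracts the ProgIDs passed to ActiveXObject, and checks a Cookie header for the infection marker. The sample page embedded in it is constructed to mirror the structure described above and carries no exploit payload; the regexes and the "profile" rule are assumptions made for this example.

```javascript
// Added triage example (not part of the BitDefender write-up): static indicator
// scan for a captured landing page, plus a cookie-jar check for the silentwm
// marker. All indicator strings come from the description above; the sample
// page below is constructed to mirror the described structure and carries no
// exploit payload.

const SAMPLE_PAGE = [
  '<html><head><title>The page cannot be found</title></head><body>',
  '<p>The page you are looking for might have been removed, had its name changed,',
  'or is temporarily unavailable.</p>',
  '<script>',
  'if (document.cookie.indexOf("silentwm=") == -1) {',
  '  document.cookie = "silentwm=1; expires=" + new Date(Date.now() + 86400000).toUTCString();',
  '  try { new ActiveXObject("ADODB.Stream"); } catch (e) {',
  '    document.write(\'<iframe src="ms06014.js" width=0 height=0></iframe>\');',
  '  }',
  '  try { new ActiveXObject("GLIEDown.IEDown.1"); } catch (e) {}',
  '  try { new ActiveXObject("MPS.StormPlayer.1"); } catch (e) {}',
  '  try { new ActiveXObject("DPClient.Vod"); } catch (e) {}',
  '  location.href = "about:blank";',
  '}',
  '</script>',
  '<object data="flash.swf"></object>',
  '</body></html>',
].join('\n');

// Indicator table. No /g flag: RegExp.test() with /g keeps lastIndex state
// between calls, which would make repeated scans flaky.
const INDICATORS = [
  { name: 'ADODB.Stream instantiation',    re: /ADODB\.Stream/i,        tag: 'mdac' },
  { name: 'MS06-014 iframe (ms06014.js)',  re: /ms06014\.js/i,          tag: 'mdac' },
  { name: 'GLIEDown.IEDown.1 ActiveX',     re: /GLIEDown\.IEDown\.1/i,  tag: 'activex' },
  { name: 'MPS.StormPlayer.1 ActiveX',     re: /MPS\.StormPlayer\.1/i,  tag: 'activex' },
  { name: 'DPClient.Vod ActiveX',          re: /DPClient\.Vod/i,        tag: 'activex' },
  { name: 'flash.swf / flash1.swf loader', re: /flash1?\.swf/i,         tag: 'flash' },
  { name: 'silentwm cookie marker',        re: /silentwm/i,             tag: 'marker' },
  { name: 'about:blank redirect',          re: /about:blank/i,          tag: 'redirect' },
];

// Pull every ProgID handed to new ActiveXObject("...") out of the page.
function extractActiveXProgIds(html) {
  const re = /new\s+ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)/gi;
  const ids = new Set();
  for (const m of html.matchAll(re)) ids.add(m[1]);
  return [...ids];
}

// Scan a saved page and decide whether it fits the profile described above:
// a "page cannot be found" decoy wrapping a script that goes for the MDAC
// (ADODB.Stream) path and at least one of the listed ActiveX controls.
function scanPage(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html));
  const tags = new Set(hits.map((i) => i.tag));
  const decoy = /page cannot be found/i.test(html) && /<script[\s>]/i.test(html);
  return {
    hits: hits.map((i) => i.name),
    progIds: extractActiveXProgIds(html),
    decoy,
    matchesProfile: decoy && tags.has('mdac') && tags.has('activex'),
  };
}

// Parse a Cookie header (or document.cookie string) into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// A client carrying the silentwm cookie has already been through the script
// once; in a proxy log this is a useful pivot to find affected hosts.
function hasInfectionMarker(header) {
  return Object.prototype.hasOwnProperty.call(parseCookies(header), 'silentwm');
}

const report = scanPage(SAMPLE_PAGE);
console.log(JSON.stringify(report, null, 2));
console.log('cookie marker present:', hasInfectionMarker('sid=abc; silentwm=1'));
```

Because the marker cookie only lives 24 hours, a host that visited the page more than a day earlier will no longer carry it; for those, the ProgID list and the iframe filenames (lz.htm, bf.htm, xl.htm, ms06014.js) in proxy or web-server logs are the more durable indicators.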

Last update 21 November 2011

 
