Trojan-Downloader.JS.Agent.gcv
| Detected | Jul 01 2011 18:09 GMT |
| Released | Jul 01 2011 20:44 GMT |
| Published | Sep 09 2011 13:22 GMT |
Technical Details
A trojan program that uses the vulnerabilities in Oracle Java and Adobe Reader/Acrobat products to download and launch other malware. It is a HTML document containing Java Script. 45082 bytes.
Payload
After opening the malicious HTML page in the browser, it displays the following message:
404 Not FoundThen, using Java Script, the trojan collects system information, in particular:
- The type of OS:
Win Mac Linux FreeBSD iPhone iPod iPad Win.*CE Win.*Mobile Pocket PC
- The installed browser:
MS Internet Explorer Mozilla Firefox Safari Chrome Opera
- Plugins installed on the browser and ActiveX objects.
- MIME types supported by the browser.
- Versions of Java and AdobeReader installed.
The trojan then tries to launch the Java-applet located at the following link in the user's browser:
http://<domain_name_of the infected_server>/games/getJavaInfo.jarIf the system has Java version 5, update 23 or below or version 6, update 18 or below installed, the trojan tries to launch the applet located at the following link in the user's browser:
http://<domain_name_of the infected_server>/games/worms.jarstarting it with the following parameters:
name=' prm' value='<encrypted_link>'The following class name is issued for the applet, as the main class:
xmlTools.XMLMaker.classTo implement additional malicious scripts, the trojan activates the following ActiveX objects:
Msxml2.XMLHTTP Msxml2.DOMDocument Microsoft.XMLDOM ShockwaveFlash.ShockwaveFlash TDCCtl.TDCCtl Shell.UIHelper Scripting.Dictionary wmplayer.ocxTo implement Java applications in the browser, the trojan determines the following MIME types:
application/x-java-applet application/x-java-vm application/x-java-bean application/x-java-applet application/npruntime-scriptable-plugin;deploymenttoolkit application/java-deployment-toolkitUsing the vulnerability in the Java Deployment Toolkit (JDT) on account of the incorrect URL processing which allows the attacker to transfer arbitrary parameters in Java Web Start (JWS) (CVE-2010-0886), the attacker forms a special link and transfers this as a parameter of the vulnerable "launch()" function. This means that the trojan, disguised as a media file, then launches the malicious Java-applet:
\\193.**.**.86\pub\new.aviwhich downloads and launches the malicious file located at the following link:
http://ktr***.cc/d.php?f=360&e=2To implement the malicious script in MS Internet Explorer, the trojan uses ActiveX objects with the following unique identifiers:
{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}
{8AD9C840-044E-11D1-B3E9-00805F499D93}
If you have installed Java version 6, update 23, the trojan tries to open the following web resource in the hidden frame:
http://<domain_name_of the infected_server>/games/java_trust.php?f=360It also searches for the plugin installed in the "Windows Media Player" browser and, if it finds it, tries to download the exploit located at the following link in the hidden frame:
http://<domain_name_of the infected_server>/games/pch.php?f=360The trojan then determines the plugins and ActiveX objects Adobe Reader and Adobe Acrobat installed in the browser. To run the malicious scripts in MS Internet Explorer, the trojan uses an ActiveX object with the following unique identifier:
{CA8A9780-280D-11CF-A24D-444553540000}
For implementation in Mozilla and in other NPAPI browsers, the trojan determines the following MIME types:
application/vnd.adobe.pdfxml application/vnd.adobe.x-marsVulnerable versions of Adobe Reader include version 8.0.0 and earlier and all versions of Adobe Reader up to 9.3.1. Depending on the version of "PDF Reader" installed, it opens the malicious PDF document from one of the following links:
http://<domain_name_of the infected_server>/games/1fdp.php?f=360 http://<domain_name_of the infected_server>/games/1fdp.php?f=360These links did not work when creating the description.
Removal instructions
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
- Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
- Clear the Temporary Internet Files directory containing the infected files (
): %Temporary Internet Files%
- Update JRE and JDK to the latest versions.
- Install the following updates:
- Install the latest version of Adobe Reader and Adobe Acrobat.
- Disable the vulnerable ActiveX objects (
). - Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (
).
[MD5: 268c0fde6d0559931657330fe803f44b]
[SHA1: 69b665549871da20343e857808efe08248e4dfc3]
НОВОЕ НА САЙТЕ
23 апреля 2024 года
В составе песочницы будет обновлена документация — описание работы обслуживания будет снова на... Антивирус Dr.Web
Бизнес-школа «БИЗНЕС ИНСАЙТ» и проект «ЭКСПЕРТЫ» приглашают на III Всероссийский онлайн-форум «БИЗНЕС. ВЕСНА 2024». Бизнес-форум — важнейшее событие в мире бизнеса. На одной площадке соберутся действующие предприниматели, эксперты-практики, чтобы поделиться […]
The post
17 апреля 2024 года
В 2023 году самыми всераспространенными Android-угрозами стали троянские программы, демонстрирующие рекламу. Шпионские троянские приложения по уподоблению с прошлым годом понизили свою энергичность таково словно стали вторыми по числу детектирований на защищаемых антивирусом Dr.Web устройствах. невзирая на то, словн... Вирусные новости
11 апреля 2024 года
Обновление ориентировано н... Антивирус Dr.Web
4 апреля 2024 года