Trojan.VBS.Psyme.UT

MEDIUM
MEDIUM
~1KB

Symptoms

Increased Internet activity.

Removal instructions:

Please let BitDefender delete your infected files.

Analyzed By

Marius TIVADAR, virus researcher

Technical Description:

This is a malicious JavaScript that was part of a major attack that took place in the first half of May 2008.

Visiting any compromised site is enough to get infected by this malicious script. It tests for several vulnerable components and inserts IFRAME tags that point to the attacker's other malicious scripts:

"http://err.www4[...]/614.gif"
"http://err.www4[...]/real10.gif"
"http://err.www4[...]/bf.gif"
"http://err.www4[...]/lz.gif"
"http://err.www4[...]/real11.gif"
"http://js.ton[...]hoo.com/621252/ystat.js"

Vulnerabilities exploited by those scripts are:
(CVE-2007-1765) MS06-14
(CVE-2007-4816) Baofeng Storm MPS.StormPlayer
(CVE-2007-5722) GLCHAT.GLChatCtrl.1 ActiveX
(CVE-2007-5601) RealPlayer IERPCtl.IERPCtl.1

All of those malicious scripts download and execute trojans on your computer.
At the time of analysis, those trojans were detected as:
Trojan.Downloader.Agent.YTX
Win32.Almanahe.D
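
For site owners checking saved copies of their own pages, the behaviour described above (probing for the listed ActiveX controls, then writing IFRAME tags whose targets carry image extensions) can be triaged with a short script. This is an added example, not BitDefender's detection logic; the image-extension heuristic, the function names, the sample pages and their host names are assumptions constructed for illustration.

```python
import re

# ProgIDs of the ActiveX controls named in the vulnerability list above.
PROBED_PROGIDS = ("MPS.StormPlayer", "GLCHAT.GLChatCtrl.1", "IERPCtl.IERPCtl.1")

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>'"]+))""")
# Assumed heuristic: an IFRAME has no normal reason to frame an image file.
IMAGE_EXT_RE = re.compile(r"\.(?:gif|jpe?g|png|bmp)(?:[?#].*)?$", re.IGNORECASE)


def iframe_attrs(tag):
    """Parse one <iframe ...> tag into a dict with lowercase attribute names."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag)}


def triage(page_source):
    """Return (kind, detail) findings for one saved page or script file."""
    # Tags written from script arrive with escaped quotes; undo that first.
    text = page_source.replace('\\"', '"').replace("\\'", "'")
    findings = []
    lowered = text.lower()
    for progid in PROBED_PROGIDS:
        if progid.lower() in lowered:
            findings.append(("activex-probe", progid))
    for tag in IFRAME_RE.findall(text):
        src = iframe_attrs(tag).get("src", "")
        if IMAGE_EXT_RE.search(src):
            findings.append(("iframe-image-src", src))
    return findings


# Constructed samples (not taken from the analysed script); hosts are placeholders.
SUSPECT = r'''<script>
try { new ActiveXObject("IERPCtl.IERPCtl.1");
  document.write("<iframe src=\"http://host.example/real.gif\"></iframe>");
} catch (e) {}
</script>'''
BENIGN = '<iframe src="https://video.example/embed/42"></iframe><img src="logo.gif">'

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(sample))
```

A page that yields both finding kinds is worth diffing against a known-good copy from version control or backup before it is served again.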