
Trojan.Exploit.JS.Agent.AR

MEDIUM
MEDIUM
may vary

Symptoms

There are no obvious symptoms, apart from unusual running processes and the presence of .swf files named i<number>.swf (for example i115.swf) in the %TEMP% folder.
See the Technical Description below.

Removal instructions:

This file can't be disinfected. Just keep the shield up.
Please let BitDefender disinfect your files.

Analyzed By

Cristian Lungu, virus researcher

Technical Description:

The attack begins when the victim visits an infected page, which runs the script.
The malware is a JavaScript that is obfuscated to conceal the actions and the means of the attack.
After decryption, the script checks whether the victim has a vulnerable Flash Player and, according to its version and revision, tries to download one of the following files (detected as Exploit.SWF.Gen):

i115.swf
i64.swf
i47.swf
i45.swf
i28.swf
i16.swf

*Note that the names of the files may vary, but they are all *.swf files.

The script only fires when it reaches a victim that has Flash Player 9 installed.
The numbers in the names of the *.swf files are the revision numbers of the Flash Player (e.g. 9.0.124.0 has revision number 124).
Once the appropriate .swf has been downloaded, the script tries to run it in the vulnerable Flash Player, causing the attack described at http://www.bitdefender.ro/VIRUS-1000301-ro--Exploit.SWF.Gen.html.
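As an added defender-side example (not part of the BitDefender entry and not the kit's own code), the following Python script does the two things a responder would want after reading the description above: it parses a Flash Player version string into its revision number exactly as the text describes (9.0.124.0 gives revision 124) and checks it against the revision numbers in the file list above, and it scans a %TEMP%-like folder for files following the i<number>.swf naming convention given under Symptoms. The folder, file names and file contents in the demo are constructed, and the function names are my own.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Revision numbers taken from the payload names listed in the advisory
# (i115.swf, i64.swf, i47.swf, i45.swf, i28.swf, i16.swf).
KNOWN_REVISIONS = {115, 64, 47, 45, 28, 16}

# Naming convention of the dropped payloads: "i" + digits + ".swf" (e.g. i115.swf).
PAYLOAD_NAME = re.compile(r"^i(\d+)\.swf$", re.IGNORECASE)


def parse_flash_version(version: str) -> Tuple[int, int]:
    """Return (major, revision) from a Flash Player version string.

    Accepts the dotted form used in the advisory ("9.0.124.0") and the
    comma-separated form Flash itself reports ("WIN 9,0,124,0"); the third
    field is the revision number (9.0.124.0 -> 124, as the advisory explains).
    """
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", version)
    if not m:
        raise ValueError(f"not a Flash Player version string: {version!r}")
    major, _minor, revision, _build = (int(x) for x in m.groups())
    return major, revision


def expected_payload_name(version: str) -> Optional[str]:
    """Triage helper: the payload name a host with this Flash Player version
    would be served according to the advisory, or None if the version is not
    covered by the observed file list.

    The advisory states the script only fires on Flash Player 9 and selects
    i<revision>.swf; revisions outside the observed list return None.
    """
    major, revision = parse_flash_version(version)
    if major != 9 or revision not in KNOWN_REVISIONS:
        return None
    return f"i{revision}.swf"


def find_payload_files(directory: "os.PathLike[str] | str") -> List[Tuple[str, int]]:
    """Scan one directory (non-recursively, as one would scan %TEMP%) for files
    whose names follow the i<number>.swf convention; return (name, revision)."""
    hits = []
    for entry in sorted(Path(directory).iterdir()):
        m = PAYLOAD_NAME.match(entry.name)
        if entry.is_file() and m:
            hits.append((entry.name, int(m.group(1))))
    return hits


def demo() -> List[str]:
    """Build a constructed %TEMP%-like folder with sample files and return the
    names the scanner flags. File contents are placeholders, not SWF data."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("i115.swf", "i47.swf", "notes.txt", "image.swf", "i47.swf.bak"):
            (Path(tmp) / name).write_bytes(b"constructed placeholder")
        return [name for name, _rev in find_payload_files(tmp)]


if __name__ == "__main__":
    print("host with 9.0.115.0 would be served:", expected_payload_name("9.0.115.0"))
    print("host with 9.0.124.0 would be served:", expected_payload_name("9.0.124.0"))
    print("flagged in constructed temp folder:", demo())
```

Run `find_payload_files(os.environ["TEMP"])` on a Windows host to apply the Symptoms check to the real %TEMP% folder; a hit is only an indicator that warrants a scan, since the advisory notes the names may vary.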