My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


~5.5 kbytes
(Trojan.Webkit!html; JS/Dldr.Multi.CM)


There are no obvious symptoms until the malware manages to infiltrate the system.

Removal instructions:

Keep updated your products.

Please let BitDefender disinfect your files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

    This is a script written in Javascript that is part of a series of exploitation and redirection techniques. It is used to insert iframes into clean html pages. The injected iframes will lead to different exploits whose target is to download an executable file from http://www.hool[removed].cn/mssot1.exe (detected as Win32.Worm.Autorun.NY).
    A short description of the exploited vulnerabilities is given below:
    - http://www.mth[removed].cn/18/flash.html - this script is used to inject other iframes (it checks for UserAgent and if it is Internet Explorer it leads to http://mth[removed].cn/18/fl/ifl/html otherwise it leads to http://mth[removed].cn/18/fl/ffl.html - when this description was made these links weren't active anymore
    - http://www.mth[removed].cn/18/as.html - a vulnerability in the Snapshot Viewer ActiveX control for Microsoft Access(snapview.ocx) is exploited and will lead to the download of the above mentioned file (the file will be saved to the following path [c or d or e]:/Program Files/Outlook EXpress/WAB.EXE). More details about this vulnerability can be found here MS08-041

    - http://www.mth[removed].cn/18/14.htm - this script exploits a vulnerability in Microsoft Data Access Components (MDAC) when using Adosb.Stream. The downloaded file will be saved in %TEMP% folder under SVCHOST.pif or SVCHOST.vbs. More details about this vulnerability can be found here MS06-014

    - http://www.mth[removed].cn/18/lz.htm - exploits a vulnerability in the function IEStartNative() from Ourgame 'GLIEDown2.dll' ActiveX control that will allow the malware's code to be executed in the context of the currently logged-in user

    - http://www.mth[removed].cn/18/sina.htm - uses the vulnerability found in the  'DownloadAndInstall()' method of the DLoader class ActiveX control which fails to verify that the downloaded files are from a trusted source

    - http://www.mth[removed].cn/18/NCTAudioFile.htm - exploits a buffer overflow vulnerability in the Online Media Technologies NCTsoft NCTAudioFile2 ActiveX control

    - http://www.mth[removed].cn/18/re10.htm - this is an older RealPlayer exploit in ierpplug.dll. More details about this exploit can be found here Exploit.JS.RealPlr.C.

    - http://www.mth[removed].cn/18/re11.htm - exploits a vulnerability in the RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in some versions of RealPlayer

All the scripts presented above are packed using a Javascript packer in order to avoid detection.