My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Trojan.JS.Downloader.BHK

LOW
LOW
1808 B
(JS/Agent.HZ (FProt) HTML:Iframe-inf (Avast) HTML/Iframe.cea (Avira))

Symptoms

No obvious symptoms.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This is a Downloader written in Java Script that exploits several vulnerabilities in ActiveX controls such as Storm Player, Snapshot Viewer or Real Player. The trojan uses other malware components located on the web-site http://jjj.[removed].com. 

The trojan first creates an invisible iframe control (height = 0) that contains a link to an infected web-site. The malware located on that page will dynamically create a JS inside the page that will be able to modify security policy for Shockwave Flash Player on the local computer, making it an "allowed control" (though, permiting further malware components to infiltrate into the system).
After creating this invisible iframe, Downloader.BHK will then detect the browser where it is ran. If it is not Internet Explorer 7, it will create another invisible iframe (width = 20, height = 0) that will contain a link to another infected web page.

It will then start creating various instances of ActiveX objects, able to exploit vulnerabilities in components enumerated above (the exploit for the Real Player will only work for versions older than 6.0.14.552). For every created object, it will make additional invisible iframe controls, that will lead to specific exploit code.

 Finally, it will create one more invisible iframe that will contain a link to a web page that contains a specially crafted XML document that may allow remote-code execution, and a malware Java Script that contains the actual exploit-code (the exploit code is encrypted and when it will be executed, it will first decrypt its own body and then will download a password stealer, already detected by BitDefender, on the victim's computer). Both of them are already detected by BitDefender.

 The trojan will also change the browsers status-bar title into a sequence of unprintable characters.