(Exploit.JS.ActiveX.r, Exploit:JS/Mult.AC, Virus found JS/Downloader.Agent, Downloader, VBS/TrojanDownloader.Psyme.NFJ trojan)
Symptoms
The following files appear in the %Temp% folder:
- GameeeEeee.pif
- Gameeeeeee.vbs
The Gameeeeeee.vbs file, a VBScript generated by the original malware, carries this comment on its first line:
'I LOVE gameee TEAM
Removal instructions:
Analyzed By
Daniel Chipiristeanu, virus researcher
Technical Description:
The Trojan uses obfuscated VBScript and JavaScript code to download other malware onto the user's computer.
It is part of a "drive-by exploit chain" which uses known security flaws to infect computers that have not been updated. It tries to instantiate a vulnerable Microsoft Data Access Components (MDAC) ActiveX object, RDS.DataSpace, through its CLSID (BD96C556-65A3-11D0-983A-00C04FC29E36). The flaw and its fix are described in Microsoft Security Bulletin MS06-014; a system with that update applied (which sets the kill bit for this CLSID) is not affected by this stage of the chain.
Using the mentioned exploit it downloads a file from hxxp://?.weixk.com/new/a1.css, detected as Rootkit.Agent.AIWN, and saves it in the %Temp% folder under the name "GameeeEeee.pif". The .css extension on the server is only a disguise: the downloaded file is a Windows executable, and .pif files are launched like .exe files. Afterward it generates another VBScript file with the following content:
'I LOVE gameee TEAM'I LOVE gameee TEAM
Set Love_gameee = CreateObject("Wscript.Shell")'I LOVE gameee TEAM
'I LOVE gomeee TEAM'i LOVE gomeee TEAM
Love_gameee.run ("%Temp%\GameeeEeee.pif")
'I LOVE gameee TEAM'I LOVE gameee TEAM
This is done in order to execute the first downloaded file through the generated VBScript, using the Run method of a WScript.Shell object. Because Run expands environment variables in its command string, "%Temp%\GameeeEeee.pif" resolves to the file dropped in the previous step.
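The symptom check and the indicators from the technical description above, turned into a small scanner. This is an added example, not code from the original analysis: the landing page it scans is constructed here (the real page is not reproduced), and the deobfuscation layers it peels (percent escapes, String.fromCharCode lists, split string literals) are an assumption about how such chains typically hide the CLSID and file names, not something the page documents. The dropped VBScript is copied from the page; the .pif placeholder stands in for the Rootkit.Agent.AIWN payload, which is not included.

```python
import re
import tempfile
import urllib.parse
from pathlib import Path

# Indicators taken from the description above (the CLSID is the MS06-014 object).
MDAC_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"
VBS_MARKER = "I LOVE gameee TEAM"
PIF_NAME = "GameeeEeee.pif"
VBS_NAME = "Gameeeeeee.vbs"

# The dropped VBScript, copied verbatim from the page.
DROPPED_VBS = r"""'I LOVE gameee TEAM'I LOVE gameee TEAM
Set Love_gameee = CreateObject("Wscript.Shell")'I LOVE gameee TEAM
'I LOVE gomeee TEAM'i LOVE gomeee TEAM
Love_gameee.run ("%Temp%\GameeeEeee.pif")
'I LOVE gameee TEAM'I LOVE gameee TEAM
"""

# Constructed landing page (an assumption, not the real one): the CLSID is split
# across two string literals and the drop name is built with String.fromCharCode,
# two cheap obfuscation layers such chains commonly use.
_CODES = ",".join(str(ord(ch)) for ch in PIF_NAME)
SAMPLE_PAGE = f"""<script>
var c = "{MDAC_CLSID[:13]}" + "{MDAC_CLSID[13:]}";
var o = document.createElement("object");
o.setAttribute("classid", "clsid:" + c);
var f = String.fromCharCode({_CODES});
</script>"""


def deobfuscate(text, rounds=3):
    """Peel common obfuscation layers: %XX / %uXXXX escapes,
    String.fromCharCode(...) lists and "a" + "b" string splitting.
    Repeats until a pass changes nothing, or `rounds` passes are done."""
    for _ in range(rounds):
        before = text
        text = urllib.parse.unquote(text)                      # %41 -> A
        text = re.sub(r"%u([0-9a-fA-F]{4})",                   # %u0041 -> A
                      lambda m: chr(int(m.group(1), 16)), text)
        text = re.sub(                                         # fromCharCode(71,97) -> "Ga"
            r"String\.fromCharCode\s*\(([\d\s,]+)\)",
            lambda m: '"' + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) + '"',
            text)
        text = re.sub(r'"\s*\+\s*"', "", text)                 # "ab" + "cd" -> "abcd"
        text = re.sub(r"'\s*\+\s*'", "", text)
        if text == before:
            break
    return text


def scan_script(text):
    """Return the sorted names of the indicators found in a page or script
    after deobfuscation."""
    cleaned = deobfuscate(text)
    lowered = cleaned.lower()
    hits = []
    if MDAC_CLSID.lower() in lowered:
        hits.append("mdac_clsid")        # vulnerable MDAC ActiveX object requested
    if re.search(r"\.pif\b", cleaned, re.I):
        hits.append("pif_dropper")       # .pif payload name (.pif runs like .exe)
    if VBS_MARKER.lower() in lowered:
        hits.append("gameee_marker")     # the dropper's signature comment
    if re.search(r"CreateObject\s*\(\s*['\"]WScript\.Shell['\"]\s*\)", cleaned, re.I):
        hits.append("wscript_shell")     # shell object used to launch the payload
    return sorted(hits)


def check_temp(temp_dir):
    """Symptom check: which of the two dropped files exist in a %Temp% directory,
    and whether the VBS carries the marker comment on its first line."""
    temp_dir = Path(temp_dir)
    present = sorted(n for n in (PIF_NAME, VBS_NAME) if (temp_dir / n).is_file())
    marker_on_line1 = False
    vbs = temp_dir / VBS_NAME
    if vbs.is_file():
        first = vbs.read_text(errors="replace").splitlines()[:1]
        marker_on_line1 = bool(first) and VBS_MARKER in first[0]
    return {"present": present, "vbs_marker_on_line1": marker_on_line1}


def demo(root=None):
    """Stage the constructed artifacts in a scratch directory and run both checks."""
    root = Path(root or tempfile.mkdtemp(prefix="gameee_demo_"))
    (root / PIF_NAME).write_bytes(b"MZ")   # placeholder, not the real payload
    (root / VBS_NAME).write_text(DROPPED_VBS)
    return {
        "page": scan_script(SAMPLE_PAGE),
        "vbs": scan_script(DROPPED_VBS),
        "temp": check_temp(root),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

The page scan finds the CLSID and the .pif name only after the concatenation and fromCharCode layers are undone, which is why a plain string match on raw page source misses this kind of chain; the temp-directory check is the one to run on a suspect host, where the first-line comment distinguishes this dropper from any other stray .vbs in %Temp%.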