
Trojan.Downloader.JS.Psyme.SR

MEDIUM
MEDIUM
approx. 2 KB
(Exploit.JS.ActiveX.r, Exploit:JS/Mult.AC, Virus found JS/Downloader.Agent, Downloader, VBS/TrojanDownloader.Psyme.NFJ trojan)

Symptoms

The following files appear in the %Temp% folder:
  1. GameeeEeee.pif
  2. Gameeeeeee.vbs

The Gameeeeeee.vbs file, a VBScript generated by the original malware, carries this comment on its first line:
'I LOVE gameee TEAM .

Removal instructions:

Update your computer: http://www.microsoft.com/technet/security/bulletin/ms06-014.mspx
Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

The Trojan uses obfuscated VBScript and JavaScript code to download other malware onto the user's computer.
It is part of a "drive-by exploit chain" that uses known security flaws to infect computers which are not updated. It tries to use a vulnerable Microsoft Data Access Components (MDAC) ActiveX object through its CLSID (BD96C556-65A3-11D0-983A-00C04FC29E36). You can find more here (MS06-014).


Using the mentioned exploit, it downloads a file from hxxp://?.weixk.com/new/a1.css, which is detected as Rootkit.Agent.AIWN, into the %Temp% folder under the name "GameeeEeee.pif". Afterwards it generates another VBScript file with the following content:

'I LOVE gameee TEAM'I LOVE gameee TEAM
Set Love_gameee = CreateObject("Wscript.Shell")'I LOVE gameee TEAM
'I LOVE gomeee TEAM'i LOVE gomeee TEAM
Love_gameee.run ("%Temp%\GameeeEeee.pif")
'I LOVE gameee TEAM'I LOVE gameee TEAM

This is done in order to execute the first downloaded file through the generated VBScript using a "shell" object.
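As an added example (not BitDefender's own tooling or any code from the page), the script below turns the symptoms and the technical description above into a host-side indicator check: it looks for the two dropped file names in a given %Temp% directory, inspects the generated VBScript for the first-line comment marker, the WScript.Shell object and the run of the dropped PIF, and offers a helper that flags the MDAC CLSID in captured page content. The sample VBScript and the temp directory it scans are constructed inline from the text on this page, so it runs offline; the function and indicator names are assumptions of this example.

```python
"""Indicator check for the Trojan.Downloader.JS.Psyme.SR symptoms (constructed example)."""
import re
import tempfile
from pathlib import Path

# Indicators taken from the page: dropped file names, the first-line comment marker
# of the generated VBScript, and the MDAC ActiveX CLSID abused by the exploit chain (MS06-014).
DROPPED_FILES = ("GameeeEeee.pif", "Gameeeeeee.vbs")
VBS_MARKER = "'I LOVE gameee TEAM"
MDAC_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

# The generated VBScript creates a shell object and runs the downloaded PIF from %Temp%.
SHELL_OBJECT_RE = re.compile(r'CreateObject\(\s*"Wscript\.Shell"\s*\)', re.IGNORECASE)
RUN_PIF_RE = re.compile(r'\.run\s*\(\s*"%Temp%\\GameeeEeee\.pif"\s*\)', re.IGNORECASE)

# Constructed copy of the generated VBScript as printed on the page (used only as scan input).
SAMPLE_VBS = "\n".join([
    "'I LOVE gameee TEAM'I LOVE gameee TEAM",
    'Set Love_gameee = CreateObject("Wscript.Shell")\'I LOVE gameee TEAM',
    "'I LOVE gomeee TEAM'i LOVE gomeee TEAM",
    'Love_gameee.run ("%Temp%\\GameeeEeee.pif")',
    "'I LOVE gameee TEAM'I LOVE gameee TEAM",
])


def vbs_indicators(text: str) -> list[str]:
    """Return the indicator names found in a VBScript body."""
    found = []
    lines = text.splitlines()
    if lines and lines[0].startswith(VBS_MARKER):
        found.append("marker_comment_first_line")
    if SHELL_OBJECT_RE.search(text):
        found.append("wscript_shell_object")
    if RUN_PIF_RE.search(text):
        found.append("runs_dropped_pif")
    return found


def page_indicators(text: str) -> list[str]:
    """Flag captured page/script content that references the MDAC CLSID."""
    return ["mdac_clsid"] if MDAC_CLSID.lower() in text.lower() else []


def scan_temp_dir(temp_dir) -> dict[str, list[str]]:
    """Map each dropped file present in temp_dir to the indicators observed for it."""
    results = {}
    for name in DROPPED_FILES:
        path = Path(temp_dir) / name
        if not path.is_file():
            continue
        indicators = ["present"]
        if name.lower().endswith(".vbs"):
            indicators += vbs_indicators(path.read_text(errors="replace"))
        results[name] = indicators
    return results


def demo() -> dict[str, list[str]]:
    """Reproduce the symptoms in a throwaway directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        # Placeholder bytes stand in for the PIF; only its presence is checked.
        (Path(d) / "GameeeEeee.pif").write_bytes(b"placeholder (constructed, not the sample)")
        (Path(d) / "Gameeeeeee.vbs").write_text(SAMPLE_VBS)
        return scan_temp_dir(d)


if __name__ == "__main__":
    for filename, hits in demo().items():
        print(f"{filename}: {', '.join(hits)}")
```

On a real machine you would point scan_temp_dir at the expanded %Temp% path; a .vbs hit on the marker comment alone is already a strong match because the comment is the first line of every script this Trojan generates.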