

4631 B
(EXP/XMLSPAN.B (Avira) JS:Shellcode-B [Expl] (Avast) Exploit:JS/Mult.AG (OneCare))


No obvious symptoms.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This is a downloader written in JavaScript, and it is part of a larger malware infection. The detection name refers to the actual exploit code that gets injected into the attacked process.
When executed, the exploit first decrypts its encrypted body. It then locates the addresses of several API functions that it needs for its operations. Before every API call, a routine checks whether that function is hooked (whether its first opcode is 0xE9, a jmp, or 0xE8, a call) and whether the attacked process is being debugged; in either case it simply refuses to continue execution, in order to avoid reverse engineering and detection.
It then downloads a further piece of malware which, once executed by the exploit, drops and executes two more malware files inside the %temp% folder (usually c:\documents and settings\user-name\local settings\temp).
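The prologue check described above (first opcode 0xE9 or 0xE8) is the same inspection a defender's memory-integrity scanner performs to find patched API entry points. The following is an added example, not code from the Bitdefender page or from the malware; it reads constructed 32-bit prologue bytes at constructed addresses, flags those starting with a jmp/call rel32, and decodes where the redirect lands.

```python
import struct

# First-byte opcodes that the exploit (and an integrity scanner) treat as a patched entry point.
PATCH_OPCODES = {0xE9: "jmp rel32", 0xE8: "call rel32"}


def inspect_prologue(func_addr, prologue):
    """Classify the first instruction of a function prologue.

    func_addr: virtual address the prologue bytes were read from.
    prologue:  leading bytes of the function (5 are needed to decode rel32).
    Returns (kind, target): kind is None for a clean prologue, otherwise the
    mnemonic, with target the absolute address the jmp/call redirects to.
    """
    if not prologue:
        raise ValueError("empty prologue")
    opcode = prologue[0]
    if opcode not in PATCH_OPCODES:
        return None, None
    if len(prologue) < 5:
        # Opcode matches but the displacement is truncated: flag without a target.
        return PATCH_OPCODES[opcode], None
    rel32 = struct.unpack_from("<i", prologue, 1)[0]
    # rel32 is relative to the address of the *next* instruction (5 bytes in).
    target = (func_addr + 5 + rel32) & 0xFFFFFFFF
    return PATCH_OPCODES[opcode], target


def scan_exports(entries):
    """entries: {name: (address, prologue_bytes)} -> {name: (kind, target)} for patched ones."""
    findings = {}
    for name, (addr, prologue) in entries.items():
        kind, target = inspect_prologue(addr, prologue)
        if kind is not None:
            findings[name] = (kind, target)
    return findings


# Constructed sample: addresses and bytes are made up for the example, not from a real dump.
SAMPLE_EXPORTS = {
    # clean hot-patchable prologue: mov edi,edi; push ebp; mov ebp,esp
    "CreateFileA": (0x10001000, bytes.fromhex("8BFF558BEC")),
    # patched: jmp rel32 landing 0x100 bytes past the function start
    "WriteProcessMemory": (0x10002000, bytes.fromhex("E9FB000000")),
    # patched: call rel32 with a negative displacement
    "VirtualAlloc": (0x10003000, bytes.fromhex("E8F6FFFFFF")),
}

if __name__ == "__main__":
    for name, (kind, target) in scan_exports(SAMPLE_EXPORTS).items():
        print(f"{name}: first opcode is {kind}, redirects to {target:#010x}")
```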