Trojan-Downloader.JS.Agent.fun

Technical Details

This Trojan downloads another program and launches it on the victim machine without the user's knowledge or consent. It is a Java Script scenario within an HTML document. It is 73 010 bytes in size.

Payload

Once launched, the Trojan attempts to launch a malicious Java-applet in the user's browser from the following link:

http:///games/plugins.jar

At the time of writing, this link was inactive.

The following class file is specified for this applet as the main class file:

powerColor.p3.class

The parameter called "blift" is sent to the applet as argument. It has the following value:

rOOSqtt_MfEkMEkkt_ESrSIWAf&U-An

This parameter is an encrypted link, which the malicious applet uses to download malware.

The Trojan then uses Java script scenarios to decrypt its malicious code. It exploits a vulnerability in Java Deployment Toolkit (JDT) that arises due to incorrect processing of URL. This allows the malicious user to send random parameters to Java Web Start (JWS) (CVE-2010-0886). The malicious user generates a special link and sends it as a parameter of the vulnerable "launch()" function. This way the Trojan is disguised as a file, located at the following network resource:

\\46.***.129.152\smb\news.avi

It downloads and launches the malicious file for execution from the following link:

http://dz2***z.cc/d.php?f=21&e=1

The Trojan uses ActiveX objects with unique identifiers to run its malicious script in MS Internet Explorer:

{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}
{8AD9C840-044E-11D1-B3E9-00805F499D93}
{CA8A9780-280D-11CF-A24D-444553540000}

To execute its script in Mozilla Firefox and other NPAPI browsers, the Trojan determines the following MIME types:

application/npruntime-scriptable-plugin;deploymenttoolkit
application/java-deployment-toolkit
application/vnd.adobe.pdfxml
application/vnd.adobe.x-mars

The Trojan then checks for the browser plugin named "Media Player" and if this plugin is available, then in a hidden frame it will try to open the malware, which will try to exploit a vulnerability in Microsoft Windows Help and Support Center (helpctr.exe) (MS10-042, CVE-2010-1885). The Trojan will open this resource from the following link:

http://dz2***z.cc/games/hcp_asx.php?f=21

At the time of writing, this link was inactive.

The malware then detects plugins, installed in the browser and Adobe Reader and Adobe Acrobat ActiveX objects. It then, depending on the PDF Reader version, opens malicious PDF documents from one of the following links:

http:///games/pdf.php?f=21
http:///games/pdf2.php?f=21

Adobe Reader 8.0.0 and earlier versions as well as all Adobe Reader versions up to 9.3.1 are vulnerable.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
2. Empty the Temporary Internet Files directory, which contains infected files (How to delete infected files from Temporary Internet Files folder?):

   %Temporary Internet Files%

3. Install the latest versions of Sun Java JRE and JDK.
4. Install the most recent version of Adobe Reader and Adobe Acrobat.
5. Empty the current user's temporary folder:

   %Temp %\

6. Disable the vulnerable ActiveX objects (see How to disable an ActiveX control in Internet Explorer).
7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

[MD5: 53c96271f4f2c4377a135100e52afd47]

[SHA1: 9da71be035fe637bc2f64acbc029e21b4a525dc6]