English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Trojan-Downloader.JS.Agent.gbj

Detected Jun 18 2011 11:59 GMT
Released Jun 18 2011 14:48 GMT
Published Sep 26 2011 14:35 GMT

Technical Details
Payload
Removal instructions

Technical Details

A trojan program that uses the vulnerabilities in Oracle Java and Adobe Reader/Acrobat products to download and launch other malware. It is a HTML document containing Java Script. 88200 bytes.


Payload

The trojan uses Java Script to decipher its body and collect system information, in particular:

  • Type of OS:
    Win
    Mac
    Linux
    FreeBSD
    iPhone
    iPod
    iPad
    Win.*CE
    Win.*Mobile
    Pocket *PC
    
  • Installed browser:
    MS Internet Explorer
    Mozilla Firefox
    Safari
    Chrome
    Opera
    
  • Plugins installed on the browser and ActiveX objects.
  • MIME types supported by the browser.
  • Versions of Java and AdobeReader installed.

The trojan then tries to exploit the vulnerabilities in Java, launching Java-applets located at the following links in the user's browser:

http://<domain_name_of the infected_server>/games/getJavaInfo.jar
http://<domain_name_of the infected_server>/games/worms.jar
Applet "worms.jar" is launched with the following parameters:
name='prm'
value='<encrypted_link>'
where the following class name is issued for the applet, as the main class:
tools.Commander.class
Furthermore, depending on the version installed in the Java system, the trojan tries to open the following web-resources in the hidden frames:
http://<domain_name_of the infected_server>/games/java_trust.php?f=16
http://<domain_name_of the infected_server>/games/java_skyline.php?f=16
To implement additional malicious scripts, the trojan activates the following ActiveX objects:

Msxml2.XMLHTTP Msxml2.DOMDocument Microsoft.XMLDOM ShockwaveFlash.ShockwaveFlash TDCCtl.TDCCtl Shell.UIHelper Scripting.Dictionary wmplayer.ocx Then, using the ActiveX object "MSXML2.XMLHTTP", the trojan downloads the file located at the following URL:

http://qeu***sdfg.cz.cc/k.php?f=16&e=4
using the ActiveX object "Adodb.Stream" it saves the file under the following name:
%Temporary Internet Files%\adobeupdate.exe
and launches it for execution.

The link did not work when creating the description.

To implement Java applications in the browser, the trojan determines the following MIME types:

application/x-java-applet
application/x-java-vm
application/x-java-bean
application/x-java-applet
application/npruntime-scriptable-plugin;deploymenttoolkit
application/java-deployment-toolkit
Using the vulnerability in the Java Deployment Toolkit (JDT), on account of the incorrect processing of the URL, the attacker is able to transfer arbitrary parameters in Java Web Start (JWS) (CVE-2010-0886). The attacker forms a special link and transfers this as a parameter of the vulnerable "launch()" function. This means that the trojan, disguised as a video file, launches the Java-applet:
\\89.***.149.214\pub\new.avi
downloading the file from the link transferred as a parameter:
http://qeu***sdfg.cz.cc/k.php?f=16&e=2
To implement the malicious script in MS Internet Explorer, the trojan uses ActiveX objects with the following unique identifiers:
{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}
{8AD9C840-044E-11D1-B3E9-00805F499D93}
The trojan then determines the plugins and ActiveX objects Adobe Reader and Adobe Acrobat installed in the browser. To run the malicious scripts in MS Internet Explorer, the trojan uses an ActiveX object with the following unique identifier:
{CA8A9780-280D-11CF-A24D-444553540000}
For implementation in Mozilla and in other NPAPI browsers, the trojan determines the following MIME types:
application/vnd.adobe.pdfxml
application/vnd.adobe.x-mars
Vulnerable versions of Adobe Reader include version 8.0.0 and earlier and all versions of Adobe Reader up to 9.3.1. Depending on the version of "PDF Reader" installed, it opens the malicious PDF document from one of the following links:
http://<domain_name_of the infected_server>/games/2fdp.php?f=16
http://<domain_name_of the infected_server>/games/1fdp.php?f=16
These links did not work when creating the description.

The trojan then checks for the Windows Media Player extension and, if it finds it, it tries to open the following web resource in the hidden frame:

http://<domain_name_of the infected_server>/games/pch.php?f=16


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Clear the Temporary Internet Files directory containing the infected files(How to delete infected files in the Temporary Internet Files folder?):
    %Temporary Internet Files%
  3. Clear the temporary file directory:
    %Temp%\
  4. Update JRE and JDK to the latest versions.
  5. Install the latest version of Adobe Reader and Adobe Acrobat.
  6. Disable the vulnerable ActiveX objects (How to stop launching the ActiveX control element in the Internet Explorer browser).
  7. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


MD5: E5F37EE7AFC96AFB837712ABCD5EFF08
SHA1: 75ADEB0165C0E6A8C251755E79E275B045B13834


Bookmark and Share
Share
Trojan-Downloader

Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.

Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).

This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.


Other versions