McAfee > Theat Center > Virus Detail Page

Overview

-- Update April 08, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/04/08/macca_malware_attack/
--

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Virus:JS/Xilos (Microsoft)

Characteristics

Downloaders are designed to pull files from a remote Website and execute the files that have been downloaded.

The JavaScript detected as JS/Downloader-BNL is encrypted and is responsible for downloading FakeAlert-BY.

When run, the script assembles more scripts from this IP:
hxxp://84.244.138.55/[infected]

Then it downloads FakeAlert-BY from
hxxp://91.212.65.12/[infected]

In addition, it tries to reach the following IPs, possibly to download other files and update itself:
hxxp://192.88.80.150/[infected]
hxxp://195.88.80.207/[infected]
hxxp://78.26.179.239/[infected]

Symptoms

• Presence of traffic to the IP addresses mentioned above
• Detection of FakeAlert-BY.

Method of Infection

This trojan can get installed while browsing Websites where it has been hosted.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

-- Update April 08, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/04/08/macca_malware_attack/
--

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Virus:JS/Xilos (Microsoft)

Characteristics

Characteristics -

Downloaders are designed to pull files from a remote Website and execute the files that have been downloaded.

The JavaScript detected as JS/Downloader-BNL is encrypted and is responsible for downloading FakeAlert-BY.

When run, the script assembles more scripts from this IP:
hxxp://84.244.138.55/[infected]

Then it downloads FakeAlert-BY from
hxxp://91.212.65.12/[infected]

In addition, it tries to reach the following IPs, possibly to download other files and update itself:
hxxp://192.88.80.150/[infected]
hxxp://195.88.80.207/[infected]
hxxp://78.26.179.239/[infected]

Symptoms

Symptoms -

• Presence of traffic to the IP addresses mentioned above
• Detection of FakeAlert-BY.

Method of Infection

Method of Infection -

This trojan can get installed while browsing Websites where it has been hosted.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A