McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• JS.Scob.Trojan (Symantec)

• Scob (F-Secure)

Characteristics

-- Update June 24, 2004--
It has recently been made known that some IIS servers have been remotely hacked. Code containing this exploit gets appended to several files in the webfolder of the compromised IIS server (eg: .html, .txt, .gif) causing unsolicited files to be downloaded and executed. Users get infected by accessing these infected webpages through their web browser.

Certain downloaded files are detected as BackDoor-AXJ.dll , Exploit-MhtRedir.gen , and VBS/Psyme  with the current DAT files, while others are new variants of these threats and require the DAILY DAT files for detection to occur.

Please see the BackDoor-AXJ.gen description for a link to EXTRA.DAT packages.

For further details concerning this threat, and details of available Microsoft patches see:
http://www.microsoft.com/security/incident/download_ject.mspx

-- Update June 10, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Pop-up+toolbar+spreads+via+IE+flaws/2100-1002_3-5229707.html?tag=nefd.top

This detection covers exploit code that is similar to JS/Exploit-DialogArg , however the MS02-047 patch does not cover this exploit.  Additionally, this exploit is known to have been used to automatically install a potentially unwanted program without persmission.

Symptoms

Typically this exploit is used to execute other programs.  Those programs can be whatever the author chooses to run on the vulnerable system.  Therefore it is not possible to provide specific information as one attack can vary from the next.  This detection covers the underlying exploit code, rather than any one specific attack incident.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

This particular trojan is delivered upon visiting a malicious webpage or via mail. 

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• JS.Scob.Trojan (Symantec)

• Scob (F-Secure)

Characteristics

Characteristics -

-- Update June 24, 2004--
It has recently been made known that some IIS servers have been remotely hacked. Code containing this exploit gets appended to several files in the webfolder of the compromised IIS server (eg: .html, .txt, .gif) causing unsolicited files to be downloaded and executed. Users get infected by accessing these infected webpages through their web browser.

Certain downloaded files are detected as BackDoor-AXJ.dll , Exploit-MhtRedir.gen , and VBS/Psyme  with the current DAT files, while others are new variants of these threats and require the DAILY DAT files for detection to occur.

Please see the BackDoor-AXJ.gen description for a link to EXTRA.DAT packages.

For further details concerning this threat, and details of available Microsoft patches see:
http://www.microsoft.com/security/incident/download_ject.mspx

-- Update June 10, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Pop-up+toolbar+spreads+via+IE+flaws/2100-1002_3-5229707.html?tag=nefd.top

This detection covers exploit code that is similar to JS/Exploit-DialogArg , however the MS02-047 patch does not cover this exploit.  Additionally, this exploit is known to have been used to automatically install a potentially unwanted program without persmission.

Symptoms

Symptoms -

Typically this exploit is used to execute other programs.  Those programs can be whatever the author chooses to run on the vulnerable system.  Therefore it is not possible to provide specific information as one attack can vary from the next.  This detection covers the underlying exploit code, rather than any one specific attack incident.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

This particular trojan is delivered upon visiting a malicious webpage or via mail. 

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A