McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This trojan drops a VBScript file named ads.vbs, which is an IIS web server utility script.  The trojan has been found to be used in a recent attack against multiple IIS servers, to configure those servers to add a footer to all documents severed.  This footer contains code that directs visitors to a remote web server that contained malicious JavaScript as described here:
http://vil.nai.com/vil/content/v_126241.htm

Symptoms

Presence of a file named iis###.dll in the %WinDir%\system32\inetsrv directory and web server configured to use this file as a footer.

Method of Infection

This trojan is believed to have been execute on system vulnerable to a MS04-011 vulnerability .

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This trojan drops a VBScript file named ads.vbs, which is an IIS web server utility script.  The trojan has been found to be used in a recent attack against multiple IIS servers, to configure those servers to add a footer to all documents severed.  This footer contains code that directs visitors to a remote web server that contained malicious JavaScript as described here:
http://vil.nai.com/vil/content/v_126241.htm

Symptoms

Symptoms -

Presence of a file named iis###.dll in the %WinDir%\system32\inetsrv directory and web server configured to use this file as a footer.

Method of Infection

Method of Infection -

This trojan is believed to have been execute on system vulnerable to a MS04-011 vulnerability .

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A