JS/Downloader-AUD
- Type: Trojan
- SubType: Downloader
- Discovery Date: 06/15/2006
- Length: Varies
- Minimum DAT: 4785 (06/15/2006)
- Updated DAT: 5604 (05/03/2009)
- Minimum Engine: 5.1.00
- Description Added: 06/15/2006
- Description Modified: 05/08/2008 2:24 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update January 11, 2008 --
A new variant of this threat has been found referenced on a variety of legitimate websites as a result of a mass hacking. The following cocktail of vulnerabilities is being targeted:
-- Update June 19, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.itpro.co.uk/news/115860/italian-websites-hit-by-mpack-malware.html
-- Update June 19, 2007 --
Lately, JS/Downloader-AUD is being proactively detected through VirusScan (with script scanning) on a malicious website hosted using the MPack web attack toolkit. MPack is a PHP server-side toolkit used to host malicious web exploits. The malicious website hosted on http://58.65.{blocked} is reportedly linked from numerous hijacked legitimate websites via an IFRAME.
At the time of writing, the following cocktail of Internet Explorer vulnerabilities is being targeted by the detected JS/Downloader-AUD webpage:
- Microsoft Data Access Components (MDAC) Code Execution Vulnerability (Exploit-MS06-014)
- Microsoft Windows Shell Remote Code Execution Vulnerability (Exploit-CVE2006-3730)
- Apple QuickTime RTSP buffer overflow (Exploit-QtRTSP)
- Sky Software FileView ActiveX control buffer overflow vulnerability (Exploit-CVE2006-5198)
- Microsoft Windows Animated Cursor Remote Code Execution Vulnerability (Exploit-AniFile.c)
When exploitation succeeds, the Downloader-Icug trojan hosted on a website at http://64.38.{blocked}/~ftpcom/file.php is installed on the victim's machine at the following path:
- C:\Sys{4 random letters}.exe
Internet Explorer users using VirusScan with script scanning enabled will be protected against this threat since 4859 DATs (09/25/2006) as JS/Exploit-BO.gen, and from 5043 DATs (05/31/2007) as JS/Downloader-AUD. Additional detection for JS/Downloader-AUD in other products will be released in 5056 DATs.
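The two observables above that a web administrator or incident responder can check for directly are the injected IFRAME on a hijacked legitimate site and the dropped file name pattern on a victim machine. The following is an added example written for this page (not McAfee/AVERT code): it flags IFRAMEs that point off-site and are hidden or sized to 0/1 pixel, and matches file paths against the `C:\Sys{4 letters}.exe` pattern. The HTML sample and the hosts in it (198.51.100.x documentation addresses) are constructed for the example; `own_host` is a parameter the caller supplies for the site being checked.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with two injected IFRAMEs of the kind the
# advisory describes (off-site, hidden, tiny). Hosts are placeholders, not the
# blocked addresses from the advisory.
SAMPLE_HTML = """
<html><body>
<h1>Welcome to Example Shop</h1>
<iframe src="https://www.example.com/embed" width="400" height="300"></iframe>
<iframe src="http://198.51.100.7/index.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://198.51.100.9/in.cgi" width="1" height="1" style="display:none"></iframe>
</body></html>
"""


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (pixels or bare number)."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def _hidden_style(style):
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def find_suspicious_iframes(html, own_host):
    """Return [(src, reasons)] for IFRAMEs that are off-site AND hidden, tiny, or
    pointing at a bare IP literal. Same-origin embeds are never reported."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != own_host.lower():
            reasons.append("off-site")
        if _tiny(frame.get("width")) or _tiny(frame.get("height")):
            reasons.append("tiny")
        if _hidden_style(frame.get("style")):
            reasons.append("hidden")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("ip-literal")
        if "off-site" in reasons and len(reasons) > 1:
            findings.append((src, reasons))
    return findings


# Dropped-file artifact from the advisory: C:\Sys followed by exactly four letters.
DROPPED_FILE_RE = re.compile(r"^C:\\Sys[A-Za-z]{4}\.exe$", re.IGNORECASE)


def matches_dropped_file_pattern(path):
    """True for paths like C:\\SysAbQz.exe; false for C:\\System.exe or deeper paths."""
    return bool(DROPPED_FILE_RE.match(path))


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"suspicious iframe: {src} ({', '.join(reasons)})")
    for p in [r"C:\SysAbQz.exe", r"C:\System.exe", r"C:\Windows\System32\SysMain.exe"]:
        print(p, "->", matches_dropped_file_pattern(p))
```

The IFRAME check deliberately requires two signals (off-site plus hidden, tiny or IP-literal) so that ordinary third-party embeds such as video players are not reported; run it over the HTML as served to visitors, since injected content is often only in the rendered response and not in the site's source tree.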
---
Downloaders are designed to pull files from a remote website and execute the files that have been downloaded.
The JavaScript detected as JS/Downloader-AUD is encrypted and is responsible for downloading Generic Downloader.ab by exploiting MS06-014. Generic Downloader.ab in turn downloads other trojans such as AdClicker-EO and Generic.b.
Symptoms
Upon execution, the trojan attempts to download files from www.dougansss.com.
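Because the download host named above is the one network indicator in this description, a proxy-log search for it is the quickest way to find affected clients. The following is an added example (not McAfee/AVERT code) that scans Squid-style native access log lines for requests to that domain; the log lines and client addresses are constructed for the example. It assumes that subdomains of the apex `dougansss.com` should also count as hits (the advisory names only `www.dougansss.com`), and it shows why a naive substring match is wrong: a look-alike host that merely ends in the indicator string is not a hit.

```python
from urllib.parse import urlparse

# Domain the advisory names as the download source.
DOWNLOAD_DOMAIN = "www.dougansss.com"

# Constructed Squid native-format lines, not real traffic:
# timestamp elapsed client action/status bytes method url user hierarchy type
SAMPLE_PROXY_LOG = """\
1181234567.001    120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.1 text/html
1181234570.112     80 10.0.0.5 TCP_MISS/200 20480 GET http://www.dougansss.com/files/load.exe - DIRECT/203.0.113.2 application/octet-stream
1181234571.500     30 10.0.0.7 TCP_MISS/200 3072 GET http://cdn.dougansss.com/x.php?id=7 - DIRECT/203.0.113.2 text/html
1181234572.900     20 10.0.0.9 TCP_MISS/200 1024 GET http://www.dougansss.com.example.org/ - DIRECT/203.0.113.3 text/html
"""


def host_matches(host, indicator):
    """Exact match on the indicator's apex or any subdomain of it.
    The apex is inferred by stripping a leading 'www.' (assumption for this example)."""
    host = host.lower().rstrip(".")
    apex = indicator.lower()
    if apex.startswith("www."):
        apex = apex[4:]
    # Label-boundary match: 'x.dougansss.com' hits, 'dougansss.com.example.org' does not.
    return host == apex or host.endswith("." + apex)


def hunt_proxy_log(log_text, indicator=DOWNLOAD_DOMAIN):
    """Return [(client_ip, url)] for every request whose host matches the indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than guess
        client, url = fields[2], fields[6]
        host = urlparse(url).hostname or ""
        if host_matches(host, indicator):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} requested {url}")
```

Each client address returned is a host to pull off the network and check for the dropped file and the follow-on trojans the description lists.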
Method of Infection
This trojan can get installed while browsing adult websites where it has been hosted.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A
All Information
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- JS_DLOADER.NTJ (TrendMicro)
- Random JS (Finjan)