JS/Downloader-AUE

Type: Trojan
SubType: Downloader
Discovery Date: 05/07/2008
Length: varies
Minimum DAT: 5290 (05/07/2008)
Updated DAT: 5290 (05/07/2008)
Minimum Engine: 5.1.00
Description Added: 05/07/2008
Description Modified: 05/08/2008 5:47 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

--- Update May 08, 2008 ---
The risk assessment of this threat was updated to Low-Profiled due to media attention.

This is a detection for obfuscated malicious script files that exploit a vulnerability in the Microsoft Data Access Components (MDAC) functions. These files are most commonly hosted on a hacked or maliciously crafted web page, with the aim of exploiting vulnerable systems through the Internet Explorer web browser.

A recent exploit was discovered in a mass attack against a large number of websites. When successful, it may download and install W32/Autorun.worm.ck from

  • http://61.188.{blocked}/images/test.exe

and install it on the victim's machine at the following path:

  • %Windows%\Tasks\0x01xx8p.exe

W32/Autorun.worm.ck in turn downloads

  • http://winzipi{blocked}.cn/1.exe

which is detected as Generic Rootkit.dr.

Internet Explorer users running McAfee VirusScan with script scanning enabled are protected proactively against this threat as Exploit-Ms06-014. Additional detection for Exploit-Ms06-014 in other products is released in the 5290 DATs as JS/Downloader-AUE.

More details of this vulnerability at:

http://vil.nai.com/vil/content/v_vul23004.htm

Symptoms

Upon successful exploitation, the trojan attempts to download files from http://winzipi{blocked}.cn and http://61.188.{blocked}/images/.
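As an added detection example (not part of the advisory or of any McAfee product), the indicators above applied to a constructed proxy log and to a list of observed file paths. The redacted host parts are filled with obvious placeholders, and the stage labels are assumptions.

```python
import re

# Indicators taken from the advisory. The hosts are partially redacted there
# ({blocked}), so the patterns anchor only on the visible parts; substitute the
# full indicators from your own threat feed before deploying this.
IOC_URL_PATTERNS = {
    "stage1 W32/Autorun.worm.ck download": re.compile(
        r"^http://61\.188\.[0-9.]+/images/test\.exe$", re.IGNORECASE),
    "stage2 Generic Rootkit.dr download": re.compile(
        r"^http://winzipi[^/]*\.cn/1\.exe$", re.IGNORECASE),
}

# Dropped file path from the advisory; %Windows% expands differently per host,
# so only the tail of the path is matched.
DROPPED_FILE_RE = re.compile(r"\\Tasks\\0x01xx8p\.exe$", re.IGNORECASE)

# Constructed proxy log, not from the advisory: "client method url status".
# The redacted host parts are replaced with placeholders.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://example.com/index.html 200
10.0.0.7 GET http://61.188.0.0/images/test.exe 200
10.0.0.5 GET http://example.com/images/test.exe 200
10.0.0.9 GET http://winzipiPLACEHOLDER.cn/1.exe 200
10.0.0.9 GET http://winzipiPLACEHOLDER.cn/index.html 404
"""

def match_ioc_url(url: str):
    """Return the matching stage label, or None if the URL is not an indicator."""
    for label, pattern in IOC_URL_PATTERNS.items():
        if pattern.match(url):
            return label
    return None

def scan_proxy_log(log_text: str):
    """Return (client, url, label) for every request to an advisory indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of aborting the scan
        client, _method, url, _status = parts[:4]
        label = match_ioc_url(url)
        if label:
            hits.append((client, url, label))
    return hits

def find_dropped_file(observed_paths):
    """Filter file paths (e.g. from a host inventory) down to the dropped worm."""
    return [p for p in observed_paths if DROPPED_FILE_RE.search(p)]
```

A hit on the stage-2 URL without a preceding stage-1 hit from the same client suggests the first download went through a channel the proxy did not see.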


Method of Infection

This threat could be delivered via an infectious web page or an email message.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

    N/A
