Obfuscated Script.f!58

Type: Trojan
SubType: Script
Discovery Date: 05/20/2009
Length: 853 bytes
Minimum DAT: 5621 (05/20/2009)
Updated DAT: 5664 (07/02/2009)
Minimum Engine: 5.2.00
Description Added: 05/20/2009
Description Modified: 05/21/2009 12:30 PM (PT)
Risk Assessment:
    Corporate User: Low-Profiled
    Home User: Low-Profiled

Characteristics

Obfuscated Script.f!58 is a detection for Web pages that are crafted to contain references to malicious content. Obfuscated JavaScript is injected into a hijacked Web page and attempts to redirect the user to another domain hosting a malicious payload.

Variants may download and exploit PDF and Flash-related vulnerabilities. These exploits are often hosted on hijacked Web sites which are normally legitimate. When script scanning is enabled, this detection blocks execution of the potential exploits.

Symptoms

Malicious Web scripts execute and often link to malicious servers to download further malware. Sometimes the Web browser crashes when an exploit targeting a buffer overflow vulnerability is used and fails.

Method of Infection

These obfuscated scripts are often hosted on hijacked Web sites which are normally legitimate.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

-- Update May 21, 2009 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.theregister.co.uk/2009/05/19/gumblar_google_poisoning_update/

Obfuscated Script.f!58 is a detection for Web pages that are crafted to contain references to some malicious content.

Aliases

  • Gumblar (ScanSafe)
