JS/RenWish

Type
Virus
SubType
JavaScript
Discovery Date
08/25/2009
Length
Minimum DAT
5721 (08/26/2009)
Updated DAT
5721 (08/26/2009)
Minimum Engine
5.3.00
Description Added
08/25/2009
Description Modified
08/26/2009 7:33 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

The malicious JavaScript is executed when a user clicks a specially crafted Macromedia Flash file. This Flash file is detected as W32/RenWish.

The Macromedia Flash file is being circulated through the Chinese social networking site Renren.com. Propagation is occurring due to a cross-site scripting flaw within the web site that does not block script access from embedded Flash content. This is exhibited in the playswf function, which embeds the file with allowScriptAccess="always".
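The weak setting described above is a Flash Player embedding parameter, so the mitigation is a configuration change on the hosting page rather than in the Flash file. The following is an added example, not McAfee's advisory text and not Renren's playswf code: it builds a hardened SWF embed that never grants a user-contributed file script access to the hosting page, and it audits page HTML for embeds that still use allowScriptAccess="always". The function names buildSwfEmbed and auditSwfEmbeds, the sample origins, and the audit policy of requiring an explicit value are assumptions.

```javascript
// Added example (not McAfee's or Renren's code): a hardened SWF embed
// builder and an audit check for the allowScriptAccess setting the advisory
// describes. Function names, sample origins and the audit policy are
// assumptions.

// Escape the characters that matter inside an HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build <object>/<embed> markup for a SWF.
// allowScriptAccess="always" lets the SWF call JavaScript in the hosting page
// no matter where the SWF came from; "sameDomain" limits that to SWFs served
// from the page's own origin; "never" blocks it outright.
// User-contributed files (the Renren case) always get "never". Only a SWF the
// site hosts itself, on the page's own origin, may get "sameDomain", and
// "always" is never emitted at all.
function buildSwfEmbed(swfUrl, pageOrigin, { trusted = false } = {}) {
  let origin;
  try {
    origin = new URL(swfUrl, pageOrigin).origin;
  } catch (e) {
    throw new Error("invalid SWF URL");
  }
  const sameOrigin = origin === new URL(pageOrigin).origin;
  const access = trusted && sameOrigin ? "sameDomain" : "never";
  const src = escapeAttr(swfUrl);
  // allowNetworking="internal" additionally blocks the SWF from calling
  // browser navigation/interaction APIs such as navigateToURL.
  return (
    `<object type="application/x-shockwave-flash" data="${src}">` +
    `<param name="allowScriptAccess" value="${access}">` +
    `<param name="allowNetworking" value="internal">` +
    `<embed src="${src}" type="application/x-shockwave-flash" ` +
    `allowScriptAccess="${access}" allowNetworking="internal">` +
    `</object>`
  );
}

// Audit a fragment of page HTML for Flash embeds whose allowScriptAccess is
// "always", or (on <embed>) not stated at all; the audit policy assumed here
// is that every embed must carry an explicit, restrictive value.
// Assumes <param> tags list name= before value=.
function auditSwfEmbeds(html) {
  const findings = [];
  const paramRe =
    /<param\b[^>]*\bname=["']?allowScriptAccess["']?[^>]*\bvalue=["']?([^"'\s>]+)/gi;
  const embedRe = /<embed\b([^>]*)>/gi;
  let m;
  while ((m = paramRe.exec(html)) !== null) {
    if (m[1].toLowerCase() === "always") {
      findings.push({ tag: "param", value: m[1] });
    }
  }
  while ((m = embedRe.exec(html)) !== null) {
    const attr = /\ballowScriptAccess=["']?([^"'\s>]+)/i.exec(m[1]);
    if (!attr) {
      findings.push({ tag: "embed", value: "unspecified" });
    } else if (attr[1].toLowerCase() === "always") {
      findings.push({ tag: "embed", value: attr[1] });
    }
  }
  return findings;
}

// Constructed sample: a user-contributed SWF embedded on the site's page.
const sample = buildSwfEmbed(
  "https://usercontent.example/wish_you_were_here.swf",
  "https://social.example/"
);
console.log(sample);
console.log("findings:", auditSwfEmbeds(sample));
```

The origin comparison is deliberate: a `trusted` flag on its own is not enough to earn "sameDomain", because a SWF loaded from another host would then be able to script the page exactly as the advisory describes.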

Upon execution of the JavaScript file, the victim's 'friends' information is harvested and the same message is shared with them.

Communication may be made with the following domains:

  • [removed]img.cn
  • [removed]ou.com

Symptoms

  • Presence of the aforementioned files
  • Presence of unexpected network connections

Method of Infection

Users of the social network site renren.com receive messages on their profile that purport to be a Macromedia Flash video of Pink Floyd's "Wish You Were Here". Clicking the Macromedia Flash file will access this external JavaScript malware.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

-- Update August 26, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/08/25/pink_floyd_worm/

--

JS/RenWish is a detection for malicious JavaScript that is executed by clicking a crafted Macromedia Flash file. As the website being communicated with is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered, possibly with every user infection.