Content

JS/IllWill

Type
Trojan
SubType
JavaScript
Discovery Date
10/18/2001
Length
Varies
Minimum DAT
4167 (10/24/2001)
Updated DAT
4167 (10/24/2001)
Minimum Engine
5.1.00
Description Added
11/02/2001
Description Modified
09/01/2004 10:33 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update September 1st, 2004 --
This threat has been updated to Low-Profiled due to media attention at:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1003551,00.html
--

-- Update August 31, 2004 --
A new Bagle variant was discovered.  Messages received contain the following information:

Subject: foto
Body: foto
Attachment: foto.zip (containing foto.html and foto1.exe)

foto.html contains the JS/IllWill trojan, proactively detected with the 4260 DATs or higher.

foto1.exe contains the W32/Bagle.dll.dr trojan, proactively detected with the 4385 DATs or higher.

--

-- Update Aug 9, 2004 --
A new Bagle variant mails a zip file containing an HTML file that is detected as JS/IllWill.  For details on this variant, see:
W32/Bagle.aq@MM

JS/IllWill is a JavaScript trojan that uses the Windows Script Host Shell Object ActiveX component and exploits a Microsoft virtual machine vulnerability. The trojan also makes use of an Internet Explorer vulnerability in the handling of URLs with dotless IP addresses. Internet Explorer applies different security zones to Internet and Intranet browsing; by presenting a site's address in a dotless form, the trojan bypasses the zone security settings and tricks the browser into treating an Internet site as if it were located in the local intranet. This in turn allows a web site to download or execute malicious files under the less restrictive settings of that zone.
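The zone confusion described above depends on a host being written as a number that the browser did not recognise as an IP address. The following is an added example, not McAfee's code and not part of the original description: a small Python check that a proxy or log parser can run to recognise the non-dotted IPv4 host notations (plain decimal, hexadecimal and octal) and map each back to its canonical dotted-quad form, so that zone policy or an alert is applied to the real address. The sample URLs, function names and the `dotless-*` labels are all constructed for this illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example (not McAfee's code): recognise the "dotless" IPv4 host
# notations that the description says fooled IE's Internet/Intranet zone
# check, and map each back to a canonical dotted quad so a proxy or log
# parser can apply zone policy to the real address.

_DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_HEX = re.compile(r"^0x[0-9a-f]+$", re.IGNORECASE)
_OCTAL = re.compile(r"^0[0-7]+$")
_DECIMAL = re.compile(r"^[1-9]\d*$")


def classify_host(host):
    """Return (form, dotted_quad).

    form is 'dotted', 'dotless-hex', 'dotless-octal', 'dotless-decimal'
    or 'name'; dotted_quad is None when the host is not an IPv4 address.
    """
    host = host.lower()
    if _DOTTED.match(host):
        try:
            return "dotted", str(ipaddress.IPv4Address(host))
        except ipaddress.AddressValueError:
            return "name", None  # e.g. 999.1.1.1 is not an address
    for form, pattern, base in (
        ("dotless-hex", _HEX, 16),
        ("dotless-octal", _OCTAL, 8),
        ("dotless-decimal", _DECIMAL, 10),
    ):
        if pattern.match(host):
            value = int(host, base)
            if value < 2 ** 32:  # any 32-bit integer is a full IPv4 address
                return form, str(ipaddress.IPv4Address(value))
            return "name", None  # too large to be an address
    return "name", None


def check_url(url):
    """Describe a URL's host and flag it when an IP hides in dotless form."""
    host = urlsplit(url).hostname or ""
    form, quad = classify_host(host)
    return {
        "url": url,
        "host": host,
        "form": form,
        "canonical_ip": quad,
        "dotless_ip": form.startswith("dotless"),
    }


# Constructed sample URLs for the demonstration; not from any real incident.
SAMPLE_URLS = [
    "http://www.example.com/foto.html",
    "http://192.168.1.1/foto.html",
    "http://3232235777/foto.html",    # decimal form of 192.168.1.1
    "http://0xC0A80101/foto.html",    # hexadecimal form of 192.168.1.1
    "http://030052000401/foto.html",  # octal form of 192.168.1.1
]


def suspicious_urls(urls=SAMPLE_URLS):
    """Return the check_url() records whose host uses a dotless IP notation."""
    return [r for r in (check_url(u) for u in urls) if r["dotless_ip"]]


if __name__ == "__main__":
    for r in (check_url(u) for u in SAMPLE_URLS):
        print(f"{r['host']:>20} {r['form']:>16} -> {r['canonical_ip']}")
```

The three dotless forms in the sample list all resolve to the same private address, which is the point of the check: a filter that compares hosts as strings would treat them as three unrelated names, while comparing the canonical form catches all of them. Current browsers that follow the WHATWG URL specification normalise these notations themselves, so the check matters mainly for proxies, log pipelines and older clients.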

These malicious JavaScripts are created by a "kit" (a script generation program).

Symptoms

Varies. Unexplained files appearing on the hard drive after browsing a web site. (This is a symptom only and is not a full diagnosis.)

Method of Infection

Visiting a web site that contains this trojan JavaScript.

Removal

All Users:
Use current engine and DAT files for detection and removal. Delete any file which contains this detection.

Install any applicable Microsoft patches:
Microsoft virtual machine vulnerability patch
Malformed Dotless IP Address Can Cause Web Page to be Handled in Intranet Zone patch

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • IllWill.kit
