Threat Encyclopedia

JS_DLOADER.NTJ

Malware type: JavaScript

Aliases: Trojan-Downloader.JS.Psyme.jf (Kaspersky), JS/Downloader-AUD (McAfee), Downloader.Trojan (Symantec), HTML/Crypt.Script.X (Avira), Mal/ObfJS-M (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: Medium

Distribution potential: Medium

Description: 

This malicious JavaScript is hosted at the IP address http://{BLOCKED}.38.xxx.13. A user lands on this page through browser redirections initiated by another malicious script, detected by Trend Micro as HTML_IFRAME.CU.

It exploits a certain vulnerability in a system's Internet browser to enable it to download a Trojan detected as TROJ_SMALL.HCK. As a result, routines of the downloaded malware may be exhibited on the affected system.


Description created: Jun. 16, 2007 4:42:30 PM GMT -0800


TECHNICAL DETAILS


File type: Script

Size of malware: 10,403 bytes

Initial samples received on: Jun 16, 2007

Related to: HTML_IFRAME.CU, TROJ_SMALL.HCK

Payload 1: Downloads files

Details:

This malicious JavaScript is hosted at the IP address http://{BLOCKED}.38.xxx.13. A user lands on this page through browser redirections initiated by another malicious script, detected by Trend Micro as HTML_IFRAME.CU.

It exploits a certain vulnerability in a system's Internet browser to enable it to connect to the URL http://{BLOCKED}.38.xxx.13/~ftpcom//file.php and download a Trojan detected as TROJ_SMALL.HCK. It saves the downloaded file in the hard-coded path C:\ as SYS{Random strings}.EXE and executes it. As a result, routines of the downloaded malware may be exhibited on the affected system.

This malicious JavaScript runs on Windows 98, ME, NT, 2000, XP, Server 2003.

Analysis By: Julius Caezar R. Dizon

Revision History:

First pattern file version: 4.539.00
First pattern file release date: Jun 16, 2007

SOLUTION


Minimum scan engine version needed: 8.000

Pattern file needed: 4.539.00

Pattern release date: Jun 16, 2007


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Note: Close all Internet browser windows before proceeding with the solution below. To fully remove all associated malware, perform the clean solution for the following:

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as JS_DLOADER.NTJ. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Applying Patch

Ensure that the Internet browser you are using carries the latest patch and updates to prevent this malware from finding any vulnerabilities it can exploit.



