JS_BLACOLE.ISH

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It may be hosted on a website and run when a user accesses the said website.

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It may be hosted on a website and run when a user accesses the said website.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}s.net/news/readers-sections.php?jnlp=8b81c0983a
• http://{BLOCKED}s.net/news/readers-sections.php?{variable URI}

It saves the files it downloads using the following names:

• %User Temp%\{random numbers}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

NOTES:

The {variable URI} depends on the browser plugin in the affected system.

Here are some examples of the {variable URI}:

• hvucuaz=abelzaj&ktaq=fsdcxzf
• gszjhwrs=uyk&;cekvyjcy=ambkahq
• wf=1f:33:1k:30:1f&ke=1n:2w:1n:1g:30:1f:1o:1n:1i:2v&a=1f&wr=c&oi=j&;jopa=8799859
• sf=1f:33:1k:30:1f&ee=1n:2w:1n:1g:30:1f:1o:1n:1i:2v&l=1f&zm=u&zi=p&jopa=2924946

After its download routine, it redirects the browser to the following site to trick users that they are visiting a legitimate website.

• http://google.com/search?q=bbb