JS_OBFUSCAT.SMB

 Analysis by: Jasen Sumalapao

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This is the Trend Micro detection for Web pages that were compromised through the insertion of a certain malicious script. Once a user visits an affected Web page, this HTML script launches a hidden IFRAME that connects to a malicious URL. It redirects browsers to certain sites. However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

HTML, HTM, JS

Memory Resident:

No

Initial Samples Received Date:

28 Apr 2011

Payload:

Connects to URLs/IPs

Other Details

This is the Trend Micro detection for Web pages that were compromised through the insertion of a certain malicious script.

Once a user visits an affected Web page, this HTML script launches a hidden IFRAME that connects to a malicious URL.

It redirects browsers to the following sites:

  • http://{random domains}.{random characters}.dev.aero4.cn/main-hosting.cn

However, as of this writing, the said sites are inaccessible.

NOTES:
Examples of the redirected sites:

  • http://{BLOCKED}nte.com.fbc43b8a91103135.dev.aero4.cn/main-hosting.cn
  • http://{BLOCKED}flie.com.0496a2dcb73bf685.dev.aero4.cn/main-hosting.cn
  • http://{BLOCKED}nse.com.0299dddc87af57c5.dev.aero4.cn/main-hosting.cn
  • http://{BLOCKED}sila.com.3eed9f9255d85442.dev.aero4.cn/ ain-hosting.cn/