Analysis by: Jasen Sumalapao

ALIASES:

Trojan-Downloader.JS.Agent.fxs, Trojan-Downloader.JS.Agent.fxs (Kaspersky), [00000c4d.js]:JS/Exploit-Blacole.cr (NAI), Mal/Iframe-W (Sophos), Trojan.JS.Obfuscator.aa (v) (Sunbelt), Exp/JS.ddd (Antivir), JS/Crypted.NW.gen (Authentium), JS/Iframe.W!tr (Fortinet), JS/Crypted.NW.gen (exact) (Fprot), Exploit.HTML.IframeRef (Ikarus)

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be hosted on a website and run when a user accesses the said website.

As of this writing, the said sites are inaccessible.

This is the Trend Micro detection for Web pages that were compromised through the insertion of a certain malicious script. Once a user visits an affected Web page, this HTML script launches a hidden IFRAME that connects to a malicious URL.

TECHNICAL DETAILS

File Size: 5,545 bytes
File Type: HTML, HTM, JS
Initial Samples Received Date: 13 Aug 2012

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be hosted on a website and run when a user accesses the said website.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

  • http://{BLOCKED}j.co.cc/count28.php

As of this writing, the said sites are inaccessible.

Other Details

This is the Trend Micro detection for Web pages that were compromised through the insertion of a certain malicious script.

Once a user visits an affected Web page, this HTML script launches a hidden IFRAME that connects to a malicious URL.
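The injection pattern described above (an IFRAME that is kept out of the visitor's view while it loads a remote URL) can be flagged statically when triaging a suspect page. The following is an added example written for this write-up, not Trend Micro's detection logic or code from the page. It uses only the Python standard library, and the sample page it scans is constructed inline; the iframe source domain in it is a placeholder standing in for the {BLOCKED} host named above, not a real indicator.

```python
"""Flag <iframe> elements that are hidden from the viewer, the pattern this
detection describes: tiny dimensions, hiding styles, a hidden attribute, or a
hidden ancestor element. Added example; not part of the original write-up."""
import re
from html.parser import HTMLParser

# Constructed sample: a benign embed plus two injected, hidden iframes.
# The domain below is a placeholder for the {BLOCKED} host in the write-up.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.org/embed/42" width="640" height="360"></iframe>
<iframe src="http://BLOCKED-DOMAIN.invalid/count28.php" width="1" height="1" style="visibility:hidden"></iframe>
<div style="position:absolute;left:-9999px"><iframe src="http://BLOCKED-DOMAIN.invalid/other.php"></iframe></div>
</body></html>"""

# Elements that never have a closing tag; they must not affect the open-tag stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

# Inline styles that take content out of view: display:none, visibility:hidden,
# or an off-screen absolute offset of three or more digits (e.g. left:-9999px).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


def _tiny(value, limit=2):
    """True when a width/height attribute is at most `limit` pixels/percent."""
    try:
        return float(str(value).rstrip("px%")) <= limit
    except ValueError:  # missing or non-numeric attribute
        return False


class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # one dict per suspicious iframe
        self._stack = []        # per open element: does it hide its contents?
        self._hidden_depth = 0  # number of open ancestors that hide content

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes (e.g. hidden) map to None
        style = (a.get("style") or "").strip()
        hides = bool(HIDING_STYLE.search(style))
        if tag == "iframe":
            reasons = []
            if hides:
                reasons.append("style:" + style)
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append(f"size:{a.get('width')}x{a.get('height')}")
            if "hidden" in a:
                reasons.append("hidden attr")
            if self._hidden_depth:
                reasons.append("hidden ancestor")
            if reasons:
                self.findings.append({"src": a.get("src", ""),
                                      "reasons": reasons,
                                      "line": self.getpos()[0]})
        if tag not in VOID_TAGS:
            self._stack.append(hides)
            if hides:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Tolerate malformed markup: only pop when something is open.
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1


def find_hidden_iframes(html):
    """Return a list of {src, reasons, line} for every hidden iframe in `html`."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(f"line {hit['line']}: {hit['src']} ({', '.join(hit['reasons'])})")
```

On the constructed sample this reports the 1x1 `visibility:hidden` frame and the frame inside the off-screen `<div>`, while the visible 640x360 embed is left alone. It only sees markup that is present in the static HTML; an IFRAME that an obfuscated script builds at runtime (the page lists obfuscator-style aliases for this detection) would need the script executed or deobfuscated first and then the resulting DOM fed to the same checks.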