Wilders Security Forums  

Randy_Bell (Updates Team), March 9th, 2003, 06:39 AM
 
JS_WEBLOG.A

JS_WEBLOG.A is a JavaScript Trojan that retrieves all data entered in HTML Web forms on Internet Explorer. It then sends the retrieved data to a particular Web site or to a particular system on the same network. It affects systems running Internet Explorer on Windows 95, 98, ME, NT, 2000, and XP.

This JavaScript Trojan retrieves data entered in HTML forms on Internet Explorer and sends the data to a particular Web site or to a particular system on the same network. It does not have its own means of propagation and does not install itself. It is either installed manually or is dropped and installed by another malware.

This Trojan has two components. The first component retrieves any data entered in HTML forms that are accessed using the particular browser. It saves this gathered data in text files, which it generates under temporary names in the folder %Windows%TasksData

The text files contain the following information:

* Site/URL where the data is sent
* Date when the data is sent
* Values gathered from the HTML form/s

This malware's second component sends all of the data logged by the first component to a particular Web site or system. It sends data in a continuous loop and reads all files in the directory where the log files are generated.

It uses HTTP to send the logged data to a particular Web site. If this fails, it drops a text file containing the logged data to a particular network share. To send the stolen data using HTTP, it formats the data in XML and then sends it to a specific URL. To connect to the share, it uses a specific account and then drops a text file containing the logged data into the share.

If you would like to scan your computer for JS_WEBLOG.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

JS_WEBLOG.A is detected and cleaned by Trend Micro pattern file #478 and above.
 

All times are GMT -4.

