JavaScript Trojan - JS_JECT.A

Discussion in 'malware problems & news' started by Randy_Bell, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    JS_JECT.A is a non-destructive Trojan script that typically arrives as an encrypted JavaScript file embedded in malicious Web pages. It exploits several vulnerabilities in Internet Explorer that allow it to download and execute malicious files on a computer system. This Trojan is currently spreading in the wild, and runs on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this Trojan script attempts to load a file called MD.HTM. It then replaces the contents of the MD.HTM file with the contents of a malicious file called SHELLSCRIPT_LOADER.JS, which is downloaded from a specific malicious Web site.

    Next, it creates an IFRAME named "myiframe" that, when accessed, runs and downloads another malicious file, SHELLSCRIPT.JS (also from the above-mentioned Web site). The downloaded file, SHELLSCRIPT.JS, exploits the ADODB.Stream vulnerability in Internet Explorer that allows the download and execution of the file MSITS.EXE from the Web site mentioned above. If the download is successful, this Trojan script renames MSITS.EXE to WMPLAYER.EXE and installs it in the following directory:

    C:\Program Files\Windows Media Player

    Finally, this script checks the infected system's local hard drive for the presence of the file, MAIN.MHT. If this file is not found, this Trojan script again attempts to access the above-mentioned Web site in order to download MAIN.CHM. The file, MAIN.CHM, contains another script, MAIN.HTM. This Trojan script also attempts to load a file named REDIR.PHP.

    If you would like to scan your computer for JS_JECT.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    JS_JECT.A is detected and cleaned by Trend Micro pattern file #919 and above.
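
Added example, not part of the original post or of any Trend Micro tooling: a triage pass over web proxy logs that groups requests for the file names listed in the post by client and flags clients that fetched both a script stage and MSITS.EXE. The log format, the host names and the assumption that these names (including REDIR.PHP) appear as the last path component of a request URL are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit
import posixpath

# File names the post says are fetched from the malicious Web site.
STAGES = ["SHELLSCRIPT_LOADER.JS", "SHELLSCRIPT.JS", "MSITS.EXE",
          "MAIN.CHM", "REDIR.PHP"]
SCRIPT_STAGES = {"SHELLSCRIPT_LOADER.JS", "SHELLSCRIPT.JS"}

# Constructed sample log: "<timestamp> <client> <method> <url>".
# All hosts are placeholders, not indicators from the post.
SAMPLE_LOG = """\
2004-07-02T10:00:01 10.0.0.5 GET http://malicious.example/shellscript_loader.js
2004-07-02T10:00:02 10.0.0.5 GET http://malicious.example/ShellScript.js?x=1
2004-07-02T10:00:04 10.0.0.5 GET http://malicious.example/msits.exe
2004-07-02T10:00:05 10.0.0.7 GET http://intranet.example/docs/main.chm
2004-07-02T10:00:06 10.0.0.9 GET http://news.example/index.html
malformed line
"""

def requested_file(url):
    """Upper-cased last path component, ignoring query string and case."""
    return posixpath.basename(urlsplit(url).path).upper()

def stages_by_client(log_text):
    """Map each client to the distinct stage files it requested, in order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip lines that do not parse
            continue
        _, client, _, url = parts
        name = requested_file(url)
        if name in STAGES and name not in hits[client]:
            hits[client].append(name)
    return dict(hits)

def triage(log_text):
    """HIGH: a script stage and MSITS.EXE from one client; else REVIEW.

    A single file name on its own (e.g. MAIN.CHM) is a weak signal, so it
    is only queued for review.
    """
    verdicts = {}
    for client, names in stages_by_client(log_text).items():
        chain = "MSITS.EXE" in names and SCRIPT_STAGES & set(names)
        verdicts[client] = "HIGH" if chain else "REVIEW"
    return verdicts

if __name__ == "__main__":
    for client, verdict in triage(SAMPLE_LOG).items():
        print(client, verdict, stages_by_client(SAMPLE_LOG)[client])
```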
     