Attacks & vulnerabilities
McAfee: Several thousand Italian Web sites have become compromised  
June 2007   

Several thousand Italian Web sites have become compromised with a specially crafted IFRAME tag and subsequently are used in conjunction with a tool known as the Mpack kit for the spread of malware. This tool attempts to ’customize’ exploits depending upon the browser the victim is using. The sites that have been affected include popular legitimate Web sites. Patches for vulnerabilities used in these exploits have been available for some time.

JS/Downloader-AUD

Type: Trojan

SubType: Downloader

Discovery Date: 06/15/2006

Length: Varies

Minimum: DAT 4785 (06/15/2006)
Updated DAT 5057 (06/20/2007)

Minimum Engine 5.1.00

Description Added 06/15/2006

Description Modified 06/19/2007 4:37 AM (PT)

Field definitions

Type: Type of threat.

SubType: Additional type information.

Discovery Date: Date that AVERT discovered this threat.

Length: File size, in bytes, of the threat.

Minimum DAT: McAfee DAT files contain detection and repair information for threats. The Minimum DAT field specifies the lowest/oldest DAT version that is capable of detecting the first incarnation of a threat, together with its release date. The highest/newest DAT version should always be used for the most complete protection and is available on the Anti-Virus Updates page. Each description displays the minimum, fully tested DAT version that includes regular detection for a particular threat. These fully tested DATs are released on a daily basis. If necessary, they are also released when a Medium, Medium On Watch, or High risk threat is discovered. An EXTRA.DAT will also be posted for these more prevalent threats, if necessary. For each description listed, detection is always available. In the event that the DAT version specified is not yet available, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. Alternatively, minimally tested HOURLY BETA DAT files are available for download.

Updated DAT: McAfee DAT files are constantly being updated to enhance detection capabilities. The Updated DAT field specifies the released DAT version that contains the most up-to-date detection.

Minimum Engine: The scan engine uses the DAT files to detect threats. The Minimum Engine field specifies the lowest/oldest engine version that is capable of detecting this threat. The highest/newest engine version should always be used for the most complete protection and is available on the Anti-Virus Updates page.

Description Added: Date/time this description was published, in Pacific Time.

Description Modified: Date/time this description was last modified, in Pacific Time.

Risk Assessment

Corporate User: Low-Profiled
Home User: Low-Profiled


Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

* JS_DLOADER.NTJ (TrendMicro)

Characteristics

— Update June 19, 2007 —

The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.itpro.co.uk/news/115860/italian-websites-hit-by-mpack-malware.html

— Update June 19, 2007 —

Lately, JS/Downloader-AUD is being proactively detected through VirusScan (with script scanning) on a malicious website hosted using the MPack web attack toolkit. MPack is a PHP server-side toolkit used to host malicious web exploits. The malicious website hosted on http://58.65.blocked is reportedly linked from numerous hijacked legitimate websites via an IFRAME.
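The introduction and the paragraph above describe the same injection pattern: a hidden IFRAME planted in a legitimate page that pulls content from an exploit-kit host. The Python below is an added example, not McAfee's code; it scans a page's HTML for external iframes that are sized or styled to be invisible, which is what a site owner checking for this kind of compromise would look for. The sample HTML and the site hostname are constructed; the 58.65.blocked host is the one named in the description above.

```python
"""Flag hidden, off-site IFRAME tags in a page's HTML (defensive site check)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page standing in for a compromised legitimate site.
SAMPLE_HTML = """<html><body>
<h1>Benvenuti</h1>
<iframe src="/news/embed.html" width="400" height="300"></iframe>
<iframe src="http://58.65.blocked/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<iframe src="http://partner.example.test/widget" width="300" height="250"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height of 0 or 1 (a 1x1 frame is invisible to the user)."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False  # percentages, empty strings, etc. are not treated as tiny


def find_suspicious_iframes(html, site_host):
    """Return src values of iframes that point off-site and are hidden by size or CSS."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if not host or host == site_host:
            continue  # relative or same-host embeds are the site's own content
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))
        hidden = hidden or "visibility:hidden" in style or "display:none" in style
        if hidden:
            hits.append(src)
    return hits
```

Run it over the HTML of each page on a site you administer; a hit is a starting point for investigation, not proof of compromise, since some legitimate trackers also use 1x1 frames.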

At the time of writing, the following cocktail of Internet Explorer vulnerabilities is being targeted by the detected JS/Downloader-AUD webpage:

* Microsoft Data Access Components (MDAC) Code Execution Vulnerability (Exploit-MS06-014)

* Microsoft Windows Shell Remote Code Execution Vulnerability (Exploit-CVE2006-3730)

* Apple QuickTime RTSP buffer overflow (Exploit-QtRTSP)

* Sky Software FileView ActiveX control buffer overflow vulnerability (Exploit-CVE2006-5198)

* Microsoft Windows Animated Cursor Remote Code Execution Vulnerability (Exploit-AniFile.c)

When successfully penetrated, the Downloader-Icug trojan hosted on a website at http://64.38.blocked/ ftpcom/file.php is installed on the victim’s machine in the following path:

* C:\Sys4<random letters>.exe

Internet Explorer users using VirusScan with script scanning enabled have been protected against this threat since the 4859 DATs (09/25/2006) as JS/Exploit-BO.gen, and from the 5043 DATs (05/31/2007) as JS/Downloader-AUD. Additional detection for JS/Downloader-AUD in other products will be released in the 5056 DATs.

— -

Downloaders are designed to pull files from a remote website and execute the files that have been downloaded.

The JavaScript detected as JS/Downloader-AUD is encrypted and is responsible for downloading Generic Downloader.ab, exploiting MS06-014. Generic Downloader.ab is responsible for downloading other trojans like AdClicker-EO and Generic.b.

Symptoms

Upon execution, the trojan attempts to download files from www.dougansss.com.

Method of Infection

This trojan can get installed while browsing adult websites where it has been hosted.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

N/A

