For Home

Virus Profile: JS/Exploit-Blacole.eg

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/4/2012
Date Added: 7/4/2012
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 6762
Removal Instructions
   
 
 
   

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Kaspersky - Trojan-Downloader.JS.Expack.vu
  • Ikarus - Exploit.JS.Blacole
  • Fortinet - JS/Expack.VT!tr
  • BitDefender - Trojan.JS.Redirector.APJ

Indication of Infection

Because this is a generic detection there is no specific description of the activity undertaken by JavaScript detected under this name, however these can include malicious activity such as downloading and executing files or scripts.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
   

Virus Characteristics

JS/Exploit-Blacole.eg” is a generic detection for malicious Java code that exploits a vulnerability that allows the execution of arbitrary code. Also it will check for the installed components such as flash plug-in and it looks for vulnerable version of flash.

JS/Exploit-Blacole.eg” is a generic detection for obfuscated JavaScript that points to an Iframe to a remote malicious site.

JS/Exploit-Blacole.eg” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other malwares or execute browser exploits.

Upon execution, it open Iexplore.exe and tries to load the java script and checking the browser plug-in /components such as Shockwave flash player version in a compromised system and redirect to the malicious URL with the help of script available in below site.

  • hxxps://d3lvr[Removed]ui.cloudfront.net/items/loaders/loader_1036.js?aoi=1311798366&pid=1036&zoneid=12768

Also this detection uses the following latest injection techniques in order to make a connection to randomly generated malicious domain.

  • / * km0ae9gr6m * /
  •  / * qhk6sa6g1c * /

The above injection techniques redirects to the following malicious URL with the help of iframe

  • hxxp://loh[Removed]dfl.ru/runforestrun?sid=botnet2
   

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.