For Consumer

Virus Profile: JS/Exploit-Blacole.gc

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/9/2012
Date Added: 8/9/2012
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 6798
Removal Instructions
   
 
 
   

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Because this is a generic detection there is no specific description of the activity undertaken by JavaScript detected under this name, however these can include malicious activity such as downloading and executing files or scripts.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
   

Virus Characteristics

-------------------Updated on 8 Aug 2013---------------

Aliases-

  • Miscrosoft    -    Trojan:JS/BlacoleRef.DD
  • Fortinet    -    JS/Blacole.EUS!tr.dldr
  • Drweb        -    Exploit.BlackHole.12

Characteristics-

JS/Exploit-Blacole.gc” is the detection for obfuscated JavaScript contained within Web pages.

JS/Exploit-Blacole.gc” is a JavaScript Trojan that redirects the browser to a malicious website with the help of IFRAME.

 “JS/Exploit-Blacole.gc” is an obfuscated JavaScript that could be embedded into compromised websites. The Trojan will redirect the user to malicious websites and to download other malwares or execute browser exploits.

Whenever the user visits a compromised website containing this malicious JavaScript, it redirects the browser to malicious site.
The Trojan redirects to the below malicious URL with help of the following Iframe “hxxp://wtgylzokmsyd.myfw.us/ad/feed.php”

  • hxxp://do[Removed]ons.com/redir_not_found/redir_not_found.shtml?wtgylzokmsyd.myfw.us 

Below is the malicious script which is embedded in the compromised website and redirects to the malicious website.



-------------------Updated on 26 Feb 2013---------------

JS/Exploit-Blacole.gc” is a generic detection for malicious Java code that exploits a vulnerability that allows the execution of arbitrary code.
JS/Exploit-Blacole.gc ” is a generic detection for obfuscated JavaScript that points to a hidden iframe  which connect to malicious site.
JS/Exploit-Blacole.gc ” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other malwares or execute browser exploits.

The "Backhole" exploit kit may exploit vulnerabilities in certain software that may be installed in the victim computer. After the successful exploitation, it may lead to the download and execution of other malicious files.

Also this detection uses the following recent injection techniques in order to make a connection to randomly generated malicious domain.
<!--b5bee1-->
<!--/b5bee1-->

Upon execution, tries to load the java script and redirect the user to the following website with help of hidden iframe under the div class id “gvq”

  • http://harv[Removed]rican.org/dtd.php

-------------------Updated on 5 Feb 2013---------------

JS/Exploit-Blacole.gc” is a generic detection for malicious Java code that exploits a vulnerability that allows the execution of arbitrary code.

JS/Exploit-Blacole.gc ” is a generic detection for obfuscated JavaScript that points to a hidden iframe to a remote malicious site.

JS/Exploit-Blacole.gc ” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other malwares or execute browser exploits.

The "Backhole" exploit kit may exploit vulnerabilities in certain software that may be installed in the victim computer. After the successful exploitation, it may lead to the download and execution of other malicious files.

Upon execution, tries to load the java script and redirect the user to the following website with help of hidden iframe:

  •   hxxp://linuxevenp[Removed]centrals.org/ad/feed.php
  •   hxxp://www.[Removed].la/?3488079
  •   hxxp://web1.[Removed].la:82/go.asp?svid=4&id=3488079&tpages=2&ttimes=1&tzone=5.5&tcolor=24&sSize=1362,590&referrer=&vpage=file%3A///%URL%55810-17-8.html

--------------------Updated on 7 Jan 2013---------------

JS/Exploit-Blacole.gc” is a generic detection for malicious Java code that exploits a vulnerability that allows the execution of arbitrary code. Also it will check for the installed components such as flash plug-in and it looks for vulnerable version of flash.

JS/Exploit-Blacole.gc” is a generic detection for obfuscated JavaScript that points to an Iframe to a remote malicious site.

JS/Exploit-Blacole.gc” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other payload or executes browser exploits.

Upon execution, tries to load the java script and redirect the user to the following URL through remote port 8080:

•    hxxp://pana[Removed]ew.ru:8080/forum/links/column.php
•    hxxp://cont[Removed]mo.ru:8080/forum/links/column.php

------------------------------------------------------------

JS/Exploit-Blacole.gc” is a generic detection for malicious Java code that exploits a vulnerability that allows the execution of arbitrary code. Also it will check for the installed components such as flash plug-in and it looks for vulnerable version of flash.

JS/Exploit-Blacole.gc” is a generic detection for obfuscated JavaScript that points to an Iframe to a remote malicious site.

JS/Exploit-Blacole.gc” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other malwares or execute browser exploits.

Upon execution, Trojan tries to load the java script and redirect the user to the following URL

  •  hxxp://asha[Removed]9e5c2c
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).