Virus Profile: JS/Redirector

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/20/2009
Date Added: 1/20/2009
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Script
DAT Required: 5501
Description

This detection covers obfuscated JavaScript that redirects the browser window to exploit pages, which can download and execute malware on the user's computer.

Aliases -

  • Avast - JS:Redirector-SQ [Trj]
  • GData - JS:Redirector-SQ
  • Kaspersky - HEUR:Trojan.Script.Generic

Indication of Infection

--------------------- Updated on May 18, 2013 ----------------------------------------

Because this is a generic detection, there is no specific description of the activity undertaken by JavaScript detected under this name. Such activity can include malicious behaviour such as downloading and executing files or scripts.


------------------------------------Updated on Mar 28 2012-----------------------------------

Unexpected network connections to unknown websites.

--------------------------------------------------------------------------------------

Redirection of websites.

Methods of Infection

--------------------------------Updated on Mar 28 2012 --------------------------------------------

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

--------------------------------------------------------------------------------------------

This Trojan can be installed while browsing compromised websites.


Virus Characteristics

--------------------- Updated on June 27, 2013 ----------------------------------------

Aliases

  • Kaspersky - HEUR:Trojan.Script.Iframer

Characteristics


"JS/Redirector" is the detection for JavaScript contained within Web pages.

"JS/Redirector" is a JavaScript Trojan that redirects the browser to a malicious website. Whenever the user visits a compromised website containing this malicious JavaScript, it redirects the browser to a malicious site with the help of an iframe.

Below is the malicious iframe injected into the compromised web site.

  • hxxp://co[Removed]m.com/forum/news.php

--------------------- Updated on May 18, 2013 ----------------------------------------

Aliases –

  • Ikarus         - Trojan-PWS.HTML.Bankfraud
  • Microsoft - PWS:HTML/Bankfraud.F

"JS/Redirector" is the generic detection for the phishing page. The Trojan attempts to steal bank-related information and credit card information.

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details.

Phishing is typically carried out by e-mail spoofing or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Upon execution, the Trojan tries to send the collected information to the URL below.

  • hxxp://92.50.[Removed].218/finish.php

The above-mentioned URL was down at the time of analysis.

Below is the fake Barclays Bank web page, which asks the user to submit a form in order to steal sensitive information.


-------------------------------------Updated on Mar 28 2012------------------------------------

"JS/Redirector" is the detection for a specific JavaScript contained within web pages. This JavaScript Trojan may be present on a malicious web site or may be injected via SQL injection into the HTML page, and it redirects the browser to web sites other than the one expected. It is also possible for an attacker to craft HTML-based e-mail messages containing the JavaScript.

JS/Redirector will lead to redirection of the browser window to the following site.

  • an[Removed]me.ru

At the time of writing, the site was down and no other malicious activity was found.

--------------------------------------------------------------------------------------

JS/Redirector is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download malware or execute browser exploits.

Aliases

  • Avast  - JS:Redirector-MX [Trj]
  • Gdata  - JS:Redirector-MX
  • Sophos  - Troj/JSRedir-EJ
  • Symantec - Trojan.Webkit!html

When executed, the Trojan tries to connect to the following site, which was down at the time of analysis.

  • http://cms-wide[Removed]dns.com/main.php?page=68dfc2dfc10659c

------------------------------------------------------

--Updated on Dec 06, 2011-------

Aliases –

    • Norman - JS/Redir.GI
    • Sophos - Mal/JSRedir-H

"JS/Redirector" is the detection for JavaScript contained within Web pages.

JS/Redirector is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download malware or execute browser exploits.

The given file is a .htm file which contains links to the following malicious JavaScript files.

  • hxxp://bmd[removed].ro/ajaxam.js
  • hxxp://ambrogio[removed].ro/ajaxam.js
  • hxxp://gossip[removed].ro/ajaxam.js
  • hxxp://ajansku[removed].com/ajaxam.js
  • hxxp://www.kvickly[removed].dk/js.js
  • hxxp://michelles[removed].co.uk/js.js
  • hxxp://myescorts[removed].com/js.js
  • hxxp://nit[removed].net/js.js
  • hxxp://hit[removed].org/ajaxam.js
  • hxxp://jeanpaul[removed].zxq.net/ajaxam.js
  • hxxp://kunsthan[removed].nl/ajaxam.js
  • hxxp://kurkkul[removed].fi/ajaxam.js

This Trojan uses "ajaxam.js", a small JavaScript file that embeds Adobe Flash content. The attackers use this feature to redirect the user to malicious sites to download malware or execute browser exploits.
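The two delivery patterns this profile describes (the injected iframe in the June 2013 update and the remote ajaxam.js / js.js includes above) can be checked for in a page's HTML from the defender's side. The scanner below is an added example, not McAfee's detection logic; it flags external script includes whose file name matches the names listed in this profile (ajaxam.js, js.js, swfobject.js) and iframes that are hidden or that point at the main.php?page=<hex> landing pattern seen in the redirect URLs. The sample HTML and its hostnames (bmd-removed.example and similar) are constructed for the example.

```python
"""Scan HTML for injected <iframe> elements and remote script includes of the
kind described in the JS/Redirector profile.  Added example, not vendor code:
the script names and the main.php?page=<hex> pattern come from the profile,
the sample page and its hostnames are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Script file names listed in the profile's indicator lists.
SUSPICIOUS_SCRIPT_NAMES = {"ajaxam.js", "js.js", "swfobject.js"}
# Redirect landing pattern from the profile: .../main.php?page=<long hex id>
MAIN_PHP = re.compile(r"/main\.php$", re.IGNORECASE)
HEX_PAGE_ID = re.compile(r"^[0-9a-f]{12,}$", re.IGNORECASE)


class RedirectorScanner(HTMLParser):
    """Collects (kind, url, reasons) findings while parsing one HTML document."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()   # host the page legitimately lives on
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self._check_script(a["src"])
        elif tag == "iframe" and a.get("src"):
            self._check_iframe(a)

    def _is_external(self, url):
        host = urlparse(url).hostname
        return host is not None and host.lower() != self.page_host

    def _check_script(self, src):
        name = urlparse(src).path.rsplit("/", 1)[-1].lower()
        if self._is_external(src) and name in SUSPICIOUS_SCRIPT_NAMES:
            self.findings.append(("remote-script", src, "external"))

    def _check_iframe(self, a):
        src = a["src"]
        parsed = urlparse(src)
        reasons = []
        if self._is_external(src):
            reasons.append("external")
        page_ids = parse_qs(parsed.query).get("page", [])
        landing = bool(MAIN_PHP.search(parsed.path)) and any(
            HEX_PAGE_ID.match(p) for p in page_ids)
        if landing:
            reasons.append("main.php?page=<hex>")
        # Injected frames are typically made near-invisible: 1x1 or display:none.
        try:
            width, height = int(a.get("width", "100")), int(a.get("height", "100"))
        except ValueError:
            width = height = 100
        style = a.get("style", "").replace(" ", "").lower()
        hidden = width <= 1 or height <= 1 or "display:none" in style
        if hidden:
            reasons.append("hidden")
        # A visible external frame alone is normal embedding; only report when
        # the frame is hidden or matches the landing-page pattern.
        if landing or hidden:
            self.findings.append(("iframe", src, ",".join(reasons)))


def scan_html(html, page_host):
    """Return the list of (kind, url, reasons) findings for one page."""
    scanner = RedirectorScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate local script, one remote ajaxam.js
# include, a 1x1 injected iframe, a hidden main.php?page=<hex> iframe and a
# normal visible video embed that must not be flagged.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="http://bmd-removed.example/ajaxam.js"></script>
</head><body>
<iframe src="http://co-removed.example/forum/news.php" width="1" height="1"></iframe>
<iframe src="http://zaza-removed.example/main.php?page=abfd0d069b45c17e" style="display: none"></iframe>
<iframe src="https://video.partner.example/embed/x" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url, reasons in scan_html(SAMPLE_HTML, "www.victim.example"):
        print(f"{kind:14} {reasons:32} {url}")
```

The scanner deliberately does not flag every external iframe, since ordinary embeds are external too; it reports a frame only when it is hidden or carries the main.php?page=<hex> landing pattern, and lists "external" as an additional reason so an analyst can prioritise.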

Upon execution, the Trojan will lead to redirection of the browser window to the following sites.

    • hxxp://zaza[removed].in/main.php?page=abfd0d069b45c17e
    • hxxp://telem[removed].com/main.php?page=cfbeb202361a5131
    • hxxp://twist[removed].com/main.php?page=64078c3dc54bfa8a

At the time of writing, the above sites were not accessible.

---------

--Updated on May 13, 2011-------

Aliases

  • Avast         - JS:Illmsg-D
  • NOD32     - JS/TrojanDownloader.Pegel.CD
  • Kaspersky - Trojan-Downloader.JS.Pegel.g
  • Microsoft   - Trojan:JS/Redirector.DQ

JS/Redirector is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download malware or execute browser exploits.

The exploit arrives in an e-mail with an attachment; when the attachment is opened, it redirects users to a compromised web site. This compromised site further redirects visitors to a multitude of known-malicious sites where downloads may occur.

When executed, the Trojan redirects the user to the following sites, which were down at the time of analysis.

  • Govos-com-[Removed].1gb.ua
  • Dotti[Removed]ope.com

---------------------------------------------------------------------

-- Update July 15, 2010 --

A new JS/Redirector variant has been discovered that is being spammed in emails purporting to be sent from eBay. When opening the attachment, it redirects users to a compromised web site. This compromised site further redirects visitors to a multitude of known-malicious sites where downloads may occur.

The compromised web site was clean at the time of testing; however, this condition could change without warning.

----------------------------

JS/Redirector is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download malware or execute browser exploits.

This Trojan uses "swfobject.js", a small JavaScript file that embeds Adobe Flash content. The attackers use this feature to redirect the user to malicious sites to download malware or execute browser exploits.

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).