JS_SPRATS.SM

This malware may be installed remotely by a malicious user.

It may perform certain actions on the affected system.

This Trojan may arrive bundled with malware packages as a malware component. It may be hosted on a website and run when a user accesses the said website.

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

It may be hosted on a website and run when a user accesses the said website.

This malware arrives via the following means:

• This Trojan is a packed JSP Shell that may arrive in the system as a WAR (Web ARchive) file.

Information Theft

This Trojan accepts the following parameters:

• z0 - parameter
• z1 - parameter that can be filename, URL, or DB statement
• z2 - parameter that can be filepath or filename
• Z - parameter encoded in the jsp file
• A - prints requested data
• B - prints file list
• C - read buffer
• D - write buffer
• E - delete file
• F - write to client
• G - creates file with random data
• H - lists files in directory and subdirectories otherwise it creates file and directory
• I - renames file to directory name
• J - creates folder from filename
• K - creates file and sets Last Modified to new time
• L - connects to URL passed in z1
• M - executes file passed in z1 then reads output
• N - gets the list of all databases on the SQL Server
• O - gets the list of Table Names
• P - gets the list of Column Names and Column Data Type
• Q - executes SQL command from parameter and get column values from the result

Other Details

This Trojan does the following:

• This malware allows remote Web-based file access and manipulation.
• It runs on any JavaServer Pages (JSP) compatible Web server.
• It may perform the certain actions on the affected system depending on the value of parameter passed on to it.