JS_DLOADER.FIS

This JavaScript has received attention from independent media sources and/or other security firms.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites. It may be hosted on a website and run when a user accesses the said website.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It may be hosted on a website and run when a user accesses the said website.

Download Routine

This Trojan connects to the following malicious URLs:

• http://{BLOCKED}ftpaccess.cc/demo/ad.jpg

It takes advantage of the following software vulnerabilities to download possibly malicious files:

• Microsoft Security Bulletin MS10-002

It saves the files it downloads using the following names:

• %Application Data%\a.exe - detected as TROJ_HYDRAQ.SMA

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.