JS_AGENT.APSS

This Trojan arrives as a component bundled with malware/grayware packages. It may be hosted on a website and run when a user accesses the said website.

It requires its main component to successfully perform its intended routine. However, as of this writing, the said sites are inaccessible.

Arrival Details

This Trojan arrives as a component bundled with malware/grayware packages.

It may be hosted on a website and run when a user accesses the said website.

Other Details

This Trojan requires its main component to successfully perform its intended routine.

It requires the existence of the following files to properly run:

• lspinq/2f12b8b.js

However, as of this writing, the said sites are inaccessible.

NOTES:

This malware is hosted on the following sites:

• http://{BLOCKED}l8r1bihsjwuj1n4zf.casaeclectica.com.mx/kafecodes/kholdq/zwen.php

It creates an iframe or redirects to certain URLs depending on the parameter it receives.

It may redirect to the following URL:

• {malware’s host}/{malware’s URL path}/blondonn.php

The iframe consists of any of the following URL that is appended to the current URL:

• {malware’s host}/{malware’s URL path}/xescapingc.php
• {malware’s host}/{malware’s URL path}/mheret.php
• {malware’s host}/{malware’s URL path}/psuperiorg.php - also detected as JS_AGENT.APSS
• {malware’s host}/{malware’s URL path}/dperilsi.php
• {malware’s host}/{malware’s URL path}/rcommittede.php
• {malware’s host}/{malware’s URL path}/mhinderb.php
• {malware’s host}/{malware’s URL path}/egovernmentc.php
• {malware’s host}/{malware’s URL path}/rhandclaspk.php
• {malware’s host}/{malware’s URL path}/abulgingq.php

{malware’s host URL}/{malware’s URL path}/psuperiorg.php inserts the .SWF file {malware’s host URL}/{malware’s URL path}/lspinq/30734a.swf with the following parameter:

FlashVars ="urli=http://{BLOCKED}l8r1bihsjwuj1n4zf.{BLOCKED}lectica.com.mx/kafecodes/kholdq/lodlwithr.php?id=4"