JS_COSMU.A

This JavaScript has received attention from independent media sources and/or other security firms.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites. It may be hosted on a website and run when a user accesses the said website.

It takes advantage of software vulnerabilities to allow a remote user or malware/grayware to download files.

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It may be unknowingly downloaded by a user while visiting the following malicious websites:

• http://{BLOCKED}istyle.com/wap/include/wj/ie.html?332

It may be hosted on a website and run when a user accesses the said website.

Download Routine

This Trojan takes advantage of the following software vulnerabilities to allow a remote user or malware/grayware to download files:

• Vulnerability in Internet Explorer Could Allow Remote Code Execution

After successfully exploiting the said vulnerability, this malware connects to the following URLs to possibly download other malicious files:

• http://{BLOCKED}istyle.com/wap/include/2929.exe

It saves the files it downloads using the following names:

• %User Profile%\Application Data\b.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Trend Micro detects the dowloaded file as:

• TROJ_DROPPR.FNZ