JS_WATERHOLE.A

November 15, 2014

PLATFORM:

Windows

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Spyware
Destructiveness: No
Encrypted: No
In the wild: Yes

OVERVIEW

Infection Channel:

Downloaded from the Internet

This spyware executes when a user accesses certain websites where it is hosted.

It logs a user's keystrokes to steal information.

TECHNICAL DETAILS

File Size:

Varies

File Type:

Script

Initial Samples Received Date:

14 Nov 2014

Payload:

Steals information

Arrival Details

This spyware executes when a user accesses certain websites where it is hosted.

This malware arrives via the following means:

loaded by the URL, http://{BLOCKED}o.usa.cc/tance_script/i/?1
accessing compromised websites

Information Theft

This spyware gathers the following data:

IP address
Referer
User-Agent
Location
Cookie
Webpage title
Domain
character encoding
Screen height and width
System Platform
Default Language

It logs a user's keystrokes to steal information.

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/recv.php
http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/s.php
http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/p.php
http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/k.php

Other Details

This spyware does the following:

It accesses the following URLs to load other component scripts (also detected as JS_WATERHOLE.A) which are used for information gathering:
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?2
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?3
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?4
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?5
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?7
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?9
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?10
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?12
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?13
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?14
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?15
It reports installed applications in the system by checking if any of the following files are present:
- avira - c:/WINDOWS/system32/drivers/avipbb.sys
- bitdefender_2013 - c:/Program Files/Bitdefender/Bitdefender 2013 BETA/BdProvider.dll
- bitdefender_2013 - c:/Program Files/Bitdefender/Bitdefender 2013 BETA/Active Virus Control/avc3_000_001/avcuf32.dll
- mcafee_enterprise - c:/Program Files/McAfee/VirusScan Enterprise/RES0402/McShield.dll
- mcafee_enterprise - c:/Program Files/Common Files/McAfee/SystemCore/mytilus3.dll
- mcafee_enterprise - c:/Program Files/Common Files/McAfee/SystemCore/mytilus3_worker.dll
- avg2012 - c:/Program Files/AVG Secure Search/13.2.0.4/AVG Secure Search_toolbar.dll
- avg2012 - c:/Program Files/Common Files/AVG Secure Search/DNTInstaller/13.2.0/avgdttbx.dll
- avg2012 - c:/WINDOWS/system32/drivers/avgtpx86.sys
- eset_nod32 - c:/WINDOWS/system32/drivers/eamon.sys
- Dr.Web - c:/Program Files/DrWeb/drwebsp.dll
- Mse - c:/WINDOWS/system32/drivers/MpFilter.sys
- sophos - c:/PROGRA~1/Sophos/SOPHOS~1/SOPHOS~1.DLL
- f-secure2011 - c:/program files/f-secure/scanner-interface/fsgkiapi.dll
- f-secure2011 - c:/Program Files/F-Secure/FSPS/program/FSLSP.DLL
- f-secure2011 - c:/program files/f-secure/hips/fshook32.dll
- Kaspersky_2012 - c:/Program Files/Kaspersky Lab/Kaspersky Anti-Virus 2012/klwtblc.dll
- Kaspersky_2012 - c:/WINDOWS/system32/drivers/klif.sys
- Kaspersky_2013 - c:/Program Files/Kaspersky Lab/Kaspersky Anti-Virus 2013/remote_eka_prague_loader.dll
- Kaspersky_2013 - c:/Program Files/Kaspersky Lab/Kaspersky Anti-Virus 2013/klwtblc.dll
- Kaspersky_2013 - c:/WINDOWS/system32/drivers/kneps.sys
- Kaspersky_2013 - c:/WINDOWS/system32/drivers/klflt.sys
- WinRAR - c:/Program Files/WinRAR/WinRAR.exe
- iTunes - c:/Program Files (x86)/iTunes/iTunesHelper.exe
- iTunes - c:/Program Files/iTunes/iTunesHelper.exe
- SQLServer - c:/Program Files (x86)/Microsoft SQL Server/80/COM/sqlvdi.dll
- SQLServer - c:/Program Files/Microsoft SQL Server/80/COM/sqlvdi.dll
- SQLServer - c:/Program Files (x86)/Microsoft SQL Server/90/COM/instapi.dll
- SQLServer - c:/Program Files/Microsoft SQL Server/90/COM/instapi.dll
- winzip - c:/Program Files/WinZip/WZSHLSTB.DLL
- winzip - c:/Program Files/WinZip/ZipSendB.dll
- 7z - c:/Program Files (x86)/7-Zip/7z.exe
- 7z - c:/Program Files/7-Zip/7z.exe
- vmware-server - c:/WINDOWS/system32/drivers/vmx86.sys
- vmware-server - c:/WINDOWS/system32/drivers/vmnet.sys
- vmware-client - c:/WINDOWS/system32/drivers/vmxnet.sys
- symantec-endpoint - c:/WINDOWS/system32/drivers/WpsHelper.sys
- symantec-endpoint - c:/WINDOWS/system32/drivers/SYMEVENT.SYS
- symantec-endpoint - c:/Program Files/Symantec/Symantec Endpoint Protection/wpsman.dll
- F-Secure - C:/Program Files/F-Secure/ExploitShield/fsesgui.exe
- antiyfx - C:/Program Files/agb7pro/agb.exe
- ESTsoft - C:/Program Files/ESTsoft/ALYac/AYLaunch.exe
- ESTsoft - C:/WINDOWS/system32/drivers/EstRtw.sys
- Fortinet - C:/Program Files/Fortinet/FortiClient/FortiClient.exe
- Fortinet - C:/WINDOWS/system32/drivers/FortiRdr.sys
- ViRobot4 - C:/Program Files/ViRobotXP/Vrmonnt.exe
- VirusBuster - C:/Program Files/VirusBuster/winpers.exe
- VirusBuster - C:/WINDOWS/system32/drivers/vbengnt.sys
- COMODO - C:/WINDOWS/system32/drivers/cmderd.sys
- a-squared - C:/Program Files/a-squared Anti-Malware/a2cmd.exe
- IKARUS - C:/Program Files/IKARUS/anti.virus/unGuardX.exe
- sophos - C:/WINDOWS/system32/drivers/SophosBootDriver.sys
- sophos - C:/Program Files/Sophos/Sophos Anti-Virus/SavMain.exe
- Nprotect - C:/Program Files/INCAInternet/nProtect Anti-Virus Spyware 3.0/nsphsvr.exe
- Trend2013 - C:/Program Files/Trend Micro/Titanium/UIFramework/uiWinMgr.exe
- Trend2013 - C:/WINDOWS/system32/drivers/tmtdi.sys
- Norton - C:/Program Files/Norton Internet Security/Branding/muis.dll
- Norton - C:/WINDOWS/system32/drivers/SYMEVENT.SYS
- Outpost - C:/Program Files/Agnitum/Outpost Security Suite Pro/acs.exe
- Outpost - C:/WINDOWS/system32/drivers/afwcore.sys
- AhnLab_V3 - C:/Program Files/AhnLab/V3IS80/V3Main.exe
- F-PROT - C:/Program Files/FRISK Software/F-PROT Antivirus for Windows/FPWin.exe
- F-PROT - C:/WINDOWS/system32/drivers/FStopW.sys
- ESET-SMART - C:/Program Files/ESET/ESET Smart Security/egui.exe
- ESET-SMART - C:/WINDOWS/system32/drivers/eamon.sys
- Kaspersky_Endpoint_Security_8 - C:/Program Files/Kaspersky Lab/Kaspersky Endpoint Security 8 for Windows/avp.exe
- Norman - C:/Program Files/Norman/Nse/Bin/nse.exe
- Norman - C:/WINDOWS/system32/drivers/nvcw32mf.sys
- Sunbelt - C:/Program Files/Sunbelt Software/Personal Firewall/cfgconv.exe
- QuickHeal - C:/Program Files/Quick Heal/Quick Heal Total Security/ARKIT.EXE
- QuickHeal - C:/WINDOWS/system32/drivers/catflt.sys
- Immunet - C:/Program Files/Immunet/ips.exe
- Immunet - C:/WINDOWS/system32/drivers/ImmunetProtect.sys
- JiangMin - C:/Program Files/JiangMin/AntiVirus/KVPopup.exe
- JiangMin - C:/WINDOWS/system32/drivers/SysGuard.sys
- PC_Tools - C:/Program Files/PC Tools Antivirus Software/pctsGui.exe
- Rising_firewall - C:/Program Files/Rising/RFW/RavMonD.exe
- Rising_firewall - C:/WINDOWS/system32/drivers/protreg.sys
- BkavHome - C:/Program Files/BkavHome/Bka.exe
- BkavHome - C:/WINDOWS/system32/drivers/BkavAuto.sys
- SUPERAntiSpyware - C:/Program Files/SUPERAntiSpyware/SUPERAntiSpyware.exe
- Rising - C:/Program Files/Rising/RIS/LangSel.exe
- Rising - C:/WINDOWS/system32/drivers/HookHelp.sys
- Symantec_Endpoint12 - C:/Program Files/Symantec/Symantec Endpoint Protection/DoScan.exe
- eScan - C:/Program Files/eScan/shortcut.exe
- eScan - C:/WINDOWS/system32/drivers/econceal.sys
- Bit9 - C:/Windows/System32/drivers/Parity.sys
- emet4.1 - C:/Program Files (x86)/EMET 4.1/EMET.dll
- emet4.1 - C:/Program Files/EMET 4.1/EMET.dll
- emet4.1 - d:/Program Files/EMET 4.1/EMET.dll
- emet4.1 - D:/Program Files (x86)/EMET 4.1/EMET.dll
- emet5.0 - C:/Program Files (x86)/EMET 5.0/EMET.dll
- emet5.0 - C:/Program Files/EMET 5.0/EMET.dll
- emet5.0 - d:/Program Files (x86)/EMET 5.0/EMET.dll
- emet5.0 - d:/Program Files/EMET 5.0/EMET.dll
- 360 - C:/Program Files/360/360Safe/360Safe.exe
- 360 - d:/Program Files/360/360Safe/360Safe.exe
It also reports all Windows Updates installed in the system by checking if any of the following files are present:
- KB2378111 - c:/WINDOWS/KB2378111.log
- KB954155 - c:/WINDOWS/KB954155.log
- KB972187 - c:/WINDOWS/KB972187.log
- KB975558 - c:/WINDOWS/KB975558.log
- KB978695 - c:/WINDOWS/KB978695.log
- KB2564958 - c:/WINDOWS/KB2564958.log
- KB915865 - c:/WINDOWS/KB915865.log
- KB2115168 - c:/WINDOWS/KB2115168.log
- KB2229593 - c:/WINDOWS/KB2229593.log
- KB2296011 - c:/WINDOWS/KB2296011.log
- KB2345886 - c:/WINDOWS/KB2345886.log
- KB2347290 - c:/WINDOWS/KB2347290.log
- KB2360937 - c:/WINDOWS/KB2360937.log
- KB2387149 - c:/WINDOWS/KB2387149.log
- KB2419632 - c:/WINDOWS/KB2419632.log
- KB2423089 - c:/WINDOWS/KB2423089.log
- KB2440591 - c:/WINDOWS/KB2440591.log
- KB2443105 - c:/WINDOWS/KB2443105.log
- KB2476490 - c:/WINDOWS/KB2476490.log
- KB2478960 - c:/WINDOWS/KB2478960.log
- KB2478971 - c:/WINDOWS/KB2478971.log
- KB2479943 - c:/WINDOWS/KB2479943.log
- KB2481109 - c:/WINDOWS/KB2481109.log
- KB2483185 - c:/WINDOWS/KB2483185.log
- KB2485663 - c:/WINDOWS/KB2485663.log
- KB2506212 - c:/WINDOWS/KB2506212.log
- KB2507938 - c:/WINDOWS/KB2507938.log
- KB2508429 - c:/WINDOWS/KB2508429.log
- KB2509553 - c:/WINDOWS/KB2509553.log
- KB2510581 - c:/WINDOWS/KB2510581.log
- KB2535512 - c:/WINDOWS/KB2535512.log
- KB2536276-v2 - c:/WINDOWS/KB2536276-v2.log
- KB2544521 - c:/WINDOWS/KB2544521.log
- KB2544893-v2 - c:/WINDOWS/KB2544893-v2.log
- KB2566454 - c:/WINDOWS/KB2566454.log
- KB2570947 - c:/WINDOWS/KB2570947.log
- KB2584146 - c:/WINDOWS/KB2584146.log
- KB2585542 - c:/WINDOWS/KB2585542.log
- KB2592799 - c:/WINDOWS/KB2592799.log
- KB2598479 - c:/WINDOWS/KB2598479.log
- KB2603381 - c:/WINDOWS/KB2603381.log
- KB2619339 - c:/WINDOWS/KB2619339.log
- KB2620712 - c:/WINDOWS/KB2620712.log
- KB2624667 - c:/WINDOWS/KB2624667.log
- KB2631813 - c:/WINDOWS/KB2631813.log
- KB2641690 - c:/WINDOWS/KB2641690.log
- KB2646524 - c:/WINDOWS/KB2646524.log
- KB2653956 - c:/WINDOWS/KB2653956.log
- KB2655992 - c:/WINDOWS/KB2655992.log
- KB2659262 - c:/WINDOWS/KB2659262.log
- KB2660649 - c:/WINDOWS/KB2660649.log
- KB2661637 - c:/WINDOWS/KB2661637.log
- KB2676562 - c:/WINDOWS/KB2676562.log
- KB2691442 - c:/WINDOWS/KB2691442.log
- KB2698365 - c:/WINDOWS/KB2698365.log
- KB2705219-v2 - c:/WINDOWS/KB2705219-v2.log
- KB2712808 - c:/WINDOWS/KB2712808.log
- KB2718704 - c:/WINDOWS/KB2718704.log
- KB2719985 - c:/WINDOWS/KB2719985.log
- KB2723135-v2 - c:/WINDOWS/KB2723135-v2.log
- KB2724197 - c:/WINDOWS/KB2724197.log
- KB2727528 - c:/WINDOWS/KB2727528.log
- KB2736233 - c:/WINDOWS/KB2736233.log
- KB2753842-v2 - c:/WINDOWS/KB2753842-v2.log
- KB2757638 - c:/WINDOWS/KB2757638.log
- KB2758857 - c:/WINDOWS/KB2758857.log
- KB2761465 - c:/WINDOWS/KB2761465.log
- KB2770660 - c:/WINDOWS/KB2770660.log
- KB2779030 - c:/WINDOWS/KB2779030.log
- KB923561 - c:/WINDOWS/KB923561.log
- KB932716-v2 - c:/WINDOWS/KB932716-v2.log
- KB943232-v2 - c:/WINDOWS/KB943232-v2.log
- KB946648 - c:/WINDOWS/KB946648.log
- KB950762 - c:/WINDOWS/KB950762.log
- KB950974 - c:/WINDOWS/KB950974.log
- KB951748 - c:/WINDOWS/KB951748.log
- KB951830 - c:/WINDOWS/KB951830.log
- KB951978 - c:/WINDOWS/KB951978.log
- KB952004 - c:/WINDOWS/KB952004.log
- KB952287 - c:/WINDOWS/KB952287.log
- KB952954 - c:/WINDOWS/KB952954.log
- KB953155 - c:/WINDOWS/KB953155.log
- KB955535 - c:/WINDOWS/KB955535.log
- KB956802 - c:/WINDOWS/KB956802.log
- KB956844 - c:/WINDOWS/KB956844.log
- KB958752 - c:/WINDOWS/KB958752.log
- KB959426 - c:/WINDOWS/KB959426.log
- KB960803 - c:/WINDOWS/KB960803.log
- KB960859 - c:/WINDOWS/KB960859.log
- KB967715 - c:/WINDOWS/KB967715.log
- KB968389 - c:/WINDOWS/KB968389.log
- KB969059 - c:/WINDOWS/KB969059.log
- KB971029 - c:/WINDOWS/KB971029.log
- KB971657 - c:/WINDOWS/KB971657.log
- KB972270 - c:/WINDOWS/KB972270.log
- KB973507 - c:/WINDOWS/KB973507.log
- KB97381 - c:/WINDOWS/KB97381.log
It reports installed versions of the following applications:
- Flash
- MS Office
- PDF
- Java
It reports if any of the following files are present:
- icbc - C:/Windows/SysWOW64/SubmitControl.dll
- icbc - C:/Windows/system32/SubmitControl.dll
- icbc - D:/Windows/SysWOW64/SubmitControl.dll
- icbc - D:/Windows/system32/SubmitControl.dll
- cmb - C:/Windows/system32/CMBEdit.dll
- cmb - C:/Windows/SysWOW64/CMBEdit.dll
- cmb - D:/Windows/system32/CMBEdit.dll
- cmb - D:/Windows/SysWOW64/CMBEdit.dll

SOLUTION

Minimum Scan Engine:

9.700

FIRST VSAPI PATTERN FILE:

11.276.04

FIRST VSAPI PATTERN DATE:

14 Nov 2014

VSAPI OPR PATTERN File:

11.277.00

VSAPI OPR PATTERN Date:

15 Nov 2014

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Close all opened browser windows

Step 3

Scan your computer with your Trend Micro product to delete files detected as JS_WATERHOLE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Did this description help? Tell us how we did.

JS_WATERHOLE.A

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

JS_WATERHOLE.A

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific