Analysis by: Anthony Joe Melgarejo

ALIASES:

Exploit:JS/CVE-2013-3893.A (Microsoft), Exploit-CVE2013-3893 (McAfee), Exp/20133893-B (Sophos), HTML/Shellcode.Gen (Antivir), JS/CVE3893.gen (F-Prot), JS:Exploit.CVE-2013-3893.A (Bitdefender), Win32/Exploit.CVE-2013-3893.A trojan (ESET)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This Trojan executes when a user accesses certain websites where it is hosted.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

  TECHNICAL DETAILS

File Size: 20,547 bytes
File Type: JS
Memory Resident: No
Initial Samples Received Date: 04 Oct 2013
Payload: Downloads files

Arrival Details

This Trojan executes when a user accesses certain websites where it is hosted.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

    It saves the files it downloads using the following names:

      It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

      NOTES:
      This Trojan connects to the following website(s) to download and execute a malicious file:

      • http://{BLOCKED}.61.57/svchost.exe

      It saves the files it downloads using the following names:

      • %User Temp%\runrun.exe