JS_REDIR.MTF

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It may be hosted on a website and run when a user accesses the said website.

This is the Trend Micro detection for files that contain a malicious script. It inserts an IFRAME tag that redirects users to certain URLs.

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It may be hosted on a website and run when a user accesses the said website.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}k.{BLOCKED}ps.net/WebTracking/track.html

It saves the files it downloads using the following names:

• %User Temp%\tmp{random numbers}\Psupdate.exe - detected as TSPY_ZBOT.MTF

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other Details

This is the Trend Micro detection for files that contain a malicious script.

It inserts an IFRAME tag that redirects users to the following URLs:

• http://{BLOCKED}k.{BLOCKED}ps.net/WebTracking/track.html

NOTES:

It contains links which, when clicked, will make the browser visit the following sites:

• http://{BLOCKED}k.{BLOCKED}ps.net/WebTracking/
• http://{BLOCKED}k.{BLOCKED}ps.net/WebTracking/invoiceGI9OC55B6CKMNB6PJT.JPG.exe

The second link mentioned above will download the following file when visited:

• {user-defined download directory}\invoiceGI9OC55B6CKMNB6PJT.JPG.exe - also detected as TSPY_ZBOT.MTF

This malicious webpage poses as a United Parcel Service (UPS) delivery information to lure users in downloading other malware.