JS_SPRATS.SM
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This malware may be installed remotely by a malicious user.
It may perform certain actions on the affected system.
This Trojan may arrive bundled with malware packages as a malware component. It may be hosted on a website and run when a user accesses the said website.
TECHNICAL DETAILS
Arrival Details
This Trojan may arrive bundled with malware packages as a malware component.
It may be hosted on a website and run when a user accesses the said website.
This malware arrives via the following means:
- This Trojan is a packed JSP Shell that may arrive in the system as a WAR (Web ARchive) file.
Information Theft
This Trojan accepts the following parameters:
- z0 - parameter
- z1 - parameter that can be filename, URL, or DB statement
- z2 - parameter that can be filepath or filename
- Z - parameter encoded in the jsp file
- A - prints requested data
- B - prints file list
- C - read buffer
- D - write buffer
- E - delete file
- F - write to client
- G - creates file with random data
- H - lists files in directory and subdirectories otherwise it creates file and directory
- I - renames file to directory name
- J - creates folder from filename
- K - creates file and sets Last Modified to new time
- L - connects to URL passed in z1
- M - executes file passed in z1 then reads output
- N - gets the list of all databases on the SQL Server
- O - gets the list of Table Names
- P - gets the list of Column Names and Column Data Type
- Q - executes SQL command from parameter and get column values from the result
Other Details
This Trojan does the following:
- This malware allows remote Web-based file access and manipulation.
- It runs on any JavaServer Pages (JSP) compatible Web server.
- It may perform the certain actions on the affected system depending on the value of parameter passed on to it.
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Close all opened browser windows
Step 4
Scan your computer with your Trend Micro product to delete files detected as JS_SPRATS.SM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.