Analysis by: Alvin Bacani
Modified by: Jennifer Gumban

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware, Downloaded from the Internet

This malware may be installed remotely by a malicious user.

The actions it performs on the affected system depend on the parameters passed to it.

This Trojan may arrive bundled with malware packages as a malware component. It may be hosted on a website and run when a user accesses that website.

  TECHNICAL DETAILS

File Size: Varies
File Type: Java
Initial Samples Received Date: 05 Aug 2013
Payload: Connects to URLs/IPs, Steals information, Creates files, Deletes files, Executes files

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

It may be hosted on a website and run when a user accesses the said website.

This malware arrives via the following means:

  • This Trojan is a packed JSP shell that may arrive on the system as a WAR (Web Application Archive) file.

Information Theft

This Trojan accepts the following request parameters:

  • z0 - parameter
  • z1 - parameter that may hold a file name, a URL, or a database statement
  • z2 - parameter that may hold a file path or a file name
  • Z - command parameter; its name is encoded in the JSP file

The value of the command parameter selects the action performed:

  • A - prints requested data
  • B - prints a file list
  • C - reads a buffer
  • D - writes a buffer
  • E - deletes a file
  • F - writes to the client
  • G - creates a file with random data
  • H - lists files in the directory and its subdirectories; otherwise creates the file and directory
  • I - renames a file to the directory name
  • J - creates a folder from the file name
  • K - creates a file and sets its Last Modified time to a new value
  • L - connects to the URL passed in z1
  • M - executes the file passed in z1, then reads its output
  • N - gets the list of all databases on the SQL Server
  • O - gets the list of table names
  • P - gets the list of column names and column data types
  • Q - executes the SQL command passed as a parameter and gets the column values from the result
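The parameter protocol above gives defenders something concrete to hunt for: every command carries z0, the z1/z2 arguments follow the command, and the command itself is a single letter A to Q carried in a parameter whose name the attacker chooses. The following script is an added example, not Trend Micro's code or part of the analysed sample. It assumes a proxy or WAF log that retains the URL-encoded form body (a plain access log does not), and the request records it runs over are constructed for the example.

```python
"""Heuristic detector for requests matching the JSP shell parameter protocol
described above (z0/z1/z2 arguments plus a one-letter command A-Q).
Added illustration, not Trend Micro's code. The record shape and the
sample traffic below are constructed for this example."""
from urllib.parse import parse_qs, urlparse

# Command letters and their meaning, as listed in the analysis.
COMMANDS = {
    "A": "print requested data", "B": "list files", "C": "read buffer",
    "D": "write buffer", "E": "delete file", "F": "write to client",
    "G": "create file with random data",
    "H": "list directory tree / create file and directory",
    "I": "rename file", "J": "create folder",
    "K": "create file and set Last Modified time",
    "L": "connect to URL in z1", "M": "execute file in z1 and read output",
    "N": "list databases", "O": "list tables", "P": "list columns",
    "Q": "execute SQL statement",
}
ARG_PARAMS = ("z0", "z1", "z2")

# Constructed sample traffic: (method, path with query, POST body).
# Assumption: the log source keeps the form body, which an access log does not.
SAMPLE_REQUESTS = [
    ("POST", "/app/index.jsp", "pwd=M&z0=UTF-8&z1=cmd.exe&z2=/c%20whoami"),
    ("POST", "/app/index.jsp", "pwd=B&z0=UTF-8&z1=C:/inetpub/&z2="),
    ("POST", "/app/login.jsp", "user=alice&password=s3cret"),
    ("GET", "/app/index.jsp?pwd=A&z0=UTF-8", ""),
    ("POST", "/app/index.jsp", "pwd=Q&z0=UTF-8&z1=SELECT+name+FROM+users&z2="),
]


def _params(path, body):
    """Merge query-string and body parameters; the last value of a name wins."""
    merged = {}
    for src in (urlparse(path).query, body):
        for key, vals in parse_qs(src, keep_blank_values=True).items():
            merged[key] = vals[-1]
    return merged


def classify_request(method, path, body=""):
    """Return a finding dict if the request looks like a shell command, else None."""
    params = _params(path, body)
    # Every command carries z0; whether z1/z2 are present depends on the command.
    if "z0" not in params:
        return None
    # The command letter travels in a parameter whose name is set in the JSP
    # (and so is unknown to us), so match on the value rather than the name.
    candidates = [(k, v) for k, v in params.items()
                  if k not in ARG_PARAMS and v in COMMANDS]
    if len(candidates) != 1:
        return None
    name, letter = candidates[0]
    return {
        "method": method, "path": urlparse(path).path,
        "command_param": name, "command": letter, "action": COMMANDS[letter],
        "z1": params.get("z1", ""), "z2": params.get("z2", ""),
    }


def scan(requests):
    """Classify a batch of (method, path, body) records and keep the hits."""
    return [f for f in (classify_request(*r) for r in requests) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['method']} {f['path']} -> {f['command']} ({f['action']}) "
              f"z1={f['z1']!r} z2={f['z2']!r}")
```

The z0 parameter is the strongest single indicator; a legitimate application that happens to use a parameter named z0 together with a single-letter parameter value will produce false positives, so in practice restrict the rule to paths that serve JSP content and review the z1/z2 values (file paths, URLs, SQL) before escalating.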

Other Details

This Trojan does the following:

  • This malware allows remote Web-based file access and manipulation.
  • It runs on any JavaServer Pages (JSP) compatible Web server.
  • It performs one of the actions listed above depending on the value of the parameter passed to it.

  SOLUTION

Minimum Scan Engine: 9.800
VSAPI OPR PATTERN File: 10.205.00
VSAPI OPR PATTERN Date: 08 Aug 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Close all open browser windows.

Step 4

Scan your computer with your Trend Micro product to delete files detected as JS_SPRATS.SM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
