JS_WATERHOLE.A
Platform: Windows
Threat Type: Spyware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This spyware executes when a user accesses certain websites where it is hosted.
It logs a user's keystrokes to steal information.
TECHNICAL DETAILS
Arrival Details
This spyware executes when a user accesses certain websites where it is hosted.
This malware arrives via the following means:
- loaded by the URL http://{BLOCKED}o.usa.cc/tance_script/i/?1
- accessing compromised websites
Information Theft
This spyware gathers the following data:
- IP address
- Referer
- User-Agent
- Location
- Cookie
- Webpage title
- Domain
- Character encoding
- Screen height and width
- System platform
- Default language
It logs a user's keystrokes to steal information.
Stolen Information
This spyware sends the gathered information via HTTP POST to the following URLs:
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/recv.php
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/s.php
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/p.php
- http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/k.php
Other Details
This spyware does the following:
- It accesses the following URLs to load additional component scripts (also detected as JS_WATERHOLE.A), which perform the information gathering:
  - http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?2
  - http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?3
  - http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?4
  - http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?5
  - http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?7
  - http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?9
  - http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?10
  - http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?12
  - http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?13
  - http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?14
  - http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?15
- It reports which of the following applications are installed on the system by checking whether the listed files are present:
  - avira - c:/WINDOWS/system32/drivers/avipbb.sys
  - bitdefender_2013 - c:/Program Files/Bitdefender/Bitdefender 2013 BETA/BdProvider.dll
  - bitdefender_2013 - c:/Program Files/Bitdefender/Bitdefender 2013 BETA/Active Virus Control/avc3_000_001/avcuf32.dll
  - mcafee_enterprise - c:/Program Files/McAfee/VirusScan Enterprise/RES0402/McShield.dll
  - mcafee_enterprise - c:/Program Files/Common Files/McAfee/SystemCore/mytilus3.dll
  - mcafee_enterprise - c:/Program Files/Common Files/McAfee/SystemCore/mytilus3_worker.dll
  - avg2012 - c:/Program Files/AVG Secure Search/13.2.0.4/AVG Secure Search_toolbar.dll
  - avg2012 - c:/Program Files/Common Files/AVG Secure Search/DNTInstaller/13.2.0/avgdttbx.dll
  - avg2012 - c:/WINDOWS/system32/drivers/avgtpx86.sys
  - eset_nod32 - c:/WINDOWS/system32/drivers/eamon.sys
  - Dr.Web - c:/Program Files/DrWeb/drwebsp.dll
  - Mse - c:/WINDOWS/system32/drivers/MpFilter.sys
  - sophos - c:/PROGRA~1/Sophos/SOPHOS~1/SOPHOS~1.DLL
  - f-secure2011 - c:/program files/f-secure/scanner-interface/fsgkiapi.dll
  - f-secure2011 - c:/Program Files/F-Secure/FSPS/program/FSLSP.DLL
  - f-secure2011 - c:/program files/f-secure/hips/fshook32.dll
  - Kaspersky_2012 - c:/Program Files/Kaspersky Lab/Kaspersky Anti-Virus 2012/klwtblc.dll
  - Kaspersky_2012 - c:/WINDOWS/system32/drivers/klif.sys
  - Kaspersky_2013 - c:/Program Files/Kaspersky Lab/Kaspersky Anti-Virus 2013/remote_eka_prague_loader.dll
  - Kaspersky_2013 - c:/Program Files/Kaspersky Lab/Kaspersky Anti-Virus 2013/klwtblc.dll
  - Kaspersky_2013 - c:/WINDOWS/system32/drivers/kneps.sys
  - Kaspersky_2013 - c:/WINDOWS/system32/drivers/klflt.sys
  - WinRAR - c:/Program Files/WinRAR/WinRAR.exe
  - iTunes - c:/Program Files (x86)/iTunes/iTunesHelper.exe
  - iTunes - c:/Program Files/iTunes/iTunesHelper.exe
  - SQLServer - c:/Program Files (x86)/Microsoft SQL Server/80/COM/sqlvdi.dll
  - SQLServer - c:/Program Files/Microsoft SQL Server/80/COM/sqlvdi.dll
  - SQLServer - c:/Program Files (x86)/Microsoft SQL Server/90/COM/instapi.dll
  - SQLServer - c:/Program Files/Microsoft SQL Server/90/COM/instapi.dll
  - winzip - c:/Program Files/WinZip/WZSHLSTB.DLL
  - winzip - c:/Program Files/WinZip/ZipSendB.dll
  - 7z - c:/Program Files (x86)/7-Zip/7z.exe
  - 7z - c:/Program Files/7-Zip/7z.exe
  - vmware-server - c:/WINDOWS/system32/drivers/vmx86.sys
  - vmware-server - c:/WINDOWS/system32/drivers/vmnet.sys
  - vmware-client - c:/WINDOWS/system32/drivers/vmxnet.sys
  - symantec-endpoint - c:/WINDOWS/system32/drivers/WpsHelper.sys
  - symantec-endpoint - c:/WINDOWS/system32/drivers/SYMEVENT.SYS
  - symantec-endpoint - c:/Program Files/Symantec/Symantec Endpoint Protection/wpsman.dll
  - F-Secure - C:/Program Files/F-Secure/ExploitShield/fsesgui.exe
  - antiyfx - C:/Program Files/agb7pro/agb.exe
  - ESTsoft - C:/Program Files/ESTsoft/ALYac/AYLaunch.exe
  - ESTsoft - C:/WINDOWS/system32/drivers/EstRtw.sys
  - Fortinet - C:/Program Files/Fortinet/FortiClient/FortiClient.exe
  - Fortinet - C:/WINDOWS/system32/drivers/FortiRdr.sys
  - ViRobot4 - C:/Program Files/ViRobotXP/Vrmonnt.exe
  - VirusBuster - C:/Program Files/VirusBuster/winpers.exe
  - VirusBuster - C:/WINDOWS/system32/drivers/vbengnt.sys
  - COMODO - C:/WINDOWS/system32/drivers/cmderd.sys
  - a-squared - C:/Program Files/a-squared Anti-Malware/a2cmd.exe
  - IKARUS - C:/Program Files/IKARUS/anti.virus/unGuardX.exe
  - sophos - C:/WINDOWS/system32/drivers/SophosBootDriver.sys
  - sophos - C:/Program Files/Sophos/Sophos Anti-Virus/SavMain.exe
  - Nprotect - C:/Program Files/INCAInternet/nProtect Anti-Virus Spyware 3.0/nsphsvr.exe
  - Trend2013 - C:/Program Files/Trend Micro/Titanium/UIFramework/uiWinMgr.exe
  - Trend2013 - C:/WINDOWS/system32/drivers/tmtdi.sys
  - Norton - C:/Program Files/Norton Internet Security/Branding/muis.dll
  - Norton - C:/WINDOWS/system32/drivers/SYMEVENT.SYS
  - Outpost - C:/Program Files/Agnitum/Outpost Security Suite Pro/acs.exe
  - Outpost - C:/WINDOWS/system32/drivers/afwcore.sys
  - AhnLab_V3 - C:/Program Files/AhnLab/V3IS80/V3Main.exe
  - F-PROT - C:/Program Files/FRISK Software/F-PROT Antivirus for Windows/FPWin.exe
  - F-PROT - C:/WINDOWS/system32/drivers/FStopW.sys
  - ESET-SMART - C:/Program Files/ESET/ESET Smart Security/egui.exe
  - ESET-SMART - C:/WINDOWS/system32/drivers/eamon.sys
  - Kaspersky_Endpoint_Security_8 - C:/Program Files/Kaspersky Lab/Kaspersky Endpoint Security 8 for Windows/avp.exe
  - Norman - C:/Program Files/Norman/Nse/Bin/nse.exe
  - Norman - C:/WINDOWS/system32/drivers/nvcw32mf.sys
  - Sunbelt - C:/Program Files/Sunbelt Software/Personal Firewall/cfgconv.exe
  - QuickHeal - C:/Program Files/Quick Heal/Quick Heal Total Security/ARKIT.EXE
  - QuickHeal - C:/WINDOWS/system32/drivers/catflt.sys
  - Immunet - C:/Program Files/Immunet/ips.exe
  - Immunet - C:/WINDOWS/system32/drivers/ImmunetProtect.sys
  - JiangMin - C:/Program Files/JiangMin/AntiVirus/KVPopup.exe
  - JiangMin - C:/WINDOWS/system32/drivers/SysGuard.sys
  - PC_Tools - C:/Program Files/PC Tools Antivirus Software/pctsGui.exe
  - Rising_firewall - C:/Program Files/Rising/RFW/RavMonD.exe
  - Rising_firewall - C:/WINDOWS/system32/drivers/protreg.sys
  - BkavHome - C:/Program Files/BkavHome/Bka.exe
  - BkavHome - C:/WINDOWS/system32/drivers/BkavAuto.sys
  - SUPERAntiSpyware - C:/Program Files/SUPERAntiSpyware/SUPERAntiSpyware.exe
  - Rising - C:/Program Files/Rising/RIS/LangSel.exe
  - Rising - C:/WINDOWS/system32/drivers/HookHelp.sys
  - Symantec_Endpoint12 - C:/Program Files/Symantec/Symantec Endpoint Protection/DoScan.exe
  - eScan - C:/Program Files/eScan/shortcut.exe
  - eScan - C:/WINDOWS/system32/drivers/econceal.sys
  - Bit9 - C:/Windows/System32/drivers/Parity.sys
  - emet4.1 - C:/Program Files (x86)/EMET 4.1/EMET.dll
  - emet4.1 - C:/Program Files/EMET 4.1/EMET.dll
  - emet4.1 - d:/Program Files/EMET 4.1/EMET.dll
  - emet4.1 - D:/Program Files (x86)/EMET 4.1/EMET.dll
  - emet5.0 - C:/Program Files (x86)/EMET 5.0/EMET.dll
  - emet5.0 - C:/Program Files/EMET 5.0/EMET.dll
  - emet5.0 - d:/Program Files (x86)/EMET 5.0/EMET.dll
  - emet5.0 - d:/Program Files/EMET 5.0/EMET.dll
  - 360 - C:/Program Files/360/360Safe/360Safe.exe
  - 360 - d:/Program Files/360/360Safe/360Safe.exe
- It also reports which of the following Windows updates are installed by checking whether the corresponding log files are present:
  - KB2378111 - c:/WINDOWS/KB2378111.log
  - KB954155 - c:/WINDOWS/KB954155.log
  - KB972187 - c:/WINDOWS/KB972187.log
  - KB975558 - c:/WINDOWS/KB975558.log
  - KB978695 - c:/WINDOWS/KB978695.log
  - KB2564958 - c:/WINDOWS/KB2564958.log
  - KB915865 - c:/WINDOWS/KB915865.log
  - KB2115168 - c:/WINDOWS/KB2115168.log
  - KB2229593 - c:/WINDOWS/KB2229593.log
  - KB2296011 - c:/WINDOWS/KB2296011.log
  - KB2345886 - c:/WINDOWS/KB2345886.log
  - KB2347290 - c:/WINDOWS/KB2347290.log
  - KB2360937 - c:/WINDOWS/KB2360937.log
  - KB2387149 - c:/WINDOWS/KB2387149.log
  - KB2419632 - c:/WINDOWS/KB2419632.log
  - KB2423089 - c:/WINDOWS/KB2423089.log
  - KB2440591 - c:/WINDOWS/KB2440591.log
  - KB2443105 - c:/WINDOWS/KB2443105.log
  - KB2476490 - c:/WINDOWS/KB2476490.log
  - KB2478960 - c:/WINDOWS/KB2478960.log
  - KB2478971 - c:/WINDOWS/KB2478971.log
  - KB2479943 - c:/WINDOWS/KB2479943.log
  - KB2481109 - c:/WINDOWS/KB2481109.log
  - KB2483185 - c:/WINDOWS/KB2483185.log
  - KB2485663 - c:/WINDOWS/KB2485663.log
  - KB2506212 - c:/WINDOWS/KB2506212.log
  - KB2507938 - c:/WINDOWS/KB2507938.log
  - KB2508429 - c:/WINDOWS/KB2508429.log
  - KB2509553 - c:/WINDOWS/KB2509553.log
  - KB2510581 - c:/WINDOWS/KB2510581.log
  - KB2535512 - c:/WINDOWS/KB2535512.log
  - KB2536276-v2 - c:/WINDOWS/KB2536276-v2.log
  - KB2544521 - c:/WINDOWS/KB2544521.log
  - KB2544893-v2 - c:/WINDOWS/KB2544893-v2.log
  - KB2566454 - c:/WINDOWS/KB2566454.log
  - KB2570947 - c:/WINDOWS/KB2570947.log
  - KB2584146 - c:/WINDOWS/KB2584146.log
  - KB2585542 - c:/WINDOWS/KB2585542.log
  - KB2592799 - c:/WINDOWS/KB2592799.log
  - KB2598479 - c:/WINDOWS/KB2598479.log
  - KB2603381 - c:/WINDOWS/KB2603381.log
  - KB2619339 - c:/WINDOWS/KB2619339.log
  - KB2620712 - c:/WINDOWS/KB2620712.log
  - KB2624667 - c:/WINDOWS/KB2624667.log
  - KB2631813 - c:/WINDOWS/KB2631813.log
  - KB2641690 - c:/WINDOWS/KB2641690.log
  - KB2646524 - c:/WINDOWS/KB2646524.log
  - KB2653956 - c:/WINDOWS/KB2653956.log
  - KB2655992 - c:/WINDOWS/KB2655992.log
  - KB2659262 - c:/WINDOWS/KB2659262.log
  - KB2660649 - c:/WINDOWS/KB2660649.log
  - KB2661637 - c:/WINDOWS/KB2661637.log
  - KB2676562 - c:/WINDOWS/KB2676562.log
  - KB2691442 - c:/WINDOWS/KB2691442.log
  - KB2698365 - c:/WINDOWS/KB2698365.log
  - KB2705219-v2 - c:/WINDOWS/KB2705219-v2.log
  - KB2712808 - c:/WINDOWS/KB2712808.log
  - KB2718704 - c:/WINDOWS/KB2718704.log
  - KB2719985 - c:/WINDOWS/KB2719985.log
  - KB2723135-v2 - c:/WINDOWS/KB2723135-v2.log
  - KB2724197 - c:/WINDOWS/KB2724197.log
  - KB2727528 - c:/WINDOWS/KB2727528.log
  - KB2736233 - c:/WINDOWS/KB2736233.log
  - KB2753842-v2 - c:/WINDOWS/KB2753842-v2.log
  - KB2757638 - c:/WINDOWS/KB2757638.log
  - KB2758857 - c:/WINDOWS/KB2758857.log
  - KB2761465 - c:/WINDOWS/KB2761465.log
  - KB2770660 - c:/WINDOWS/KB2770660.log
  - KB2779030 - c:/WINDOWS/KB2779030.log
  - KB923561 - c:/WINDOWS/KB923561.log
  - KB932716-v2 - c:/WINDOWS/KB932716-v2.log
  - KB943232-v2 - c:/WINDOWS/KB943232-v2.log
  - KB946648 - c:/WINDOWS/KB946648.log
  - KB950762 - c:/WINDOWS/KB950762.log
  - KB950974 - c:/WINDOWS/KB950974.log
  - KB951748 - c:/WINDOWS/KB951748.log
  - KB951830 - c:/WINDOWS/KB951830.log
  - KB951978 - c:/WINDOWS/KB951978.log
  - KB952004 - c:/WINDOWS/KB952004.log
  - KB952287 - c:/WINDOWS/KB952287.log
  - KB952954 - c:/WINDOWS/KB952954.log
  - KB953155 - c:/WINDOWS/KB953155.log
  - KB955535 - c:/WINDOWS/KB955535.log
  - KB956802 - c:/WINDOWS/KB956802.log
  - KB956844 - c:/WINDOWS/KB956844.log
  - KB958752 - c:/WINDOWS/KB958752.log
  - KB959426 - c:/WINDOWS/KB959426.log
  - KB960803 - c:/WINDOWS/KB960803.log
  - KB960859 - c:/WINDOWS/KB960859.log
  - KB967715 - c:/WINDOWS/KB967715.log
  - KB968389 - c:/WINDOWS/KB968389.log
  - KB969059 - c:/WINDOWS/KB969059.log
  - KB971029 - c:/WINDOWS/KB971029.log
  - KB971657 - c:/WINDOWS/KB971657.log
  - KB972270 - c:/WINDOWS/KB972270.log
  - KB973507 - c:/WINDOWS/KB973507.log
  - KB97381 - c:/WINDOWS/KB97381.log
- It reports the installed versions of the following applications:
  - Flash
  - MS Office
  - Java
- It reports whether any of the following files are present:
  - icbc - C:/Windows/SysWOW64/SubmitControl.dll
  - icbc - C:/Windows/system32/SubmitControl.dll
  - icbc - D:/Windows/SysWOW64/SubmitControl.dll
  - icbc - D:/Windows/system32/SubmitControl.dll
  - cmb - C:/Windows/system32/CMBEdit.dll
  - cmb - C:/Windows/SysWOW64/CMBEdit.dll
  - cmb - D:/Windows/system32/CMBEdit.dll
  - cmb - D:/Windows/SysWOW64/CMBEdit.dll
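The network indicators in this description (the initial loader URL under Arrival Details, the HTTP POST exfiltration endpoints under Stolen Information, and the d.php?N component loaders listed above) share one stable feature: the /tance_script/i/ path prefix, while the hosting hosts are masked as {BLOCKED}. The following Python script is an added example, not Trend Micro's code, showing how a defender can hunt for that chain in web proxy logs. It assumes a hypothetical Squid-style log line layout (timestamp, client IP, method, URL, status), uses constructed sample lines with documentation-only addresses, and matches on the URL path rather than the host so the masked hosts do not matter.

```python
"""Hunt for JS_WATERHOLE.A traffic in web proxy logs (added example).

Matches the three kinds of request described for JS_WATERHOLE.A:
  initial-loader    GET  .../tance_script/i/?<n>
  component-loader  GET  .../tance_script/i/d.php?<n>
  exfil             POST .../tance_script/i/{recv,s,p,k}.php
The host is deliberately ignored: the description masks it as {BLOCKED},
and the initial loader is served from a different host than the rest.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set
from urllib.parse import urlsplit

BASE_PATH = "/tance_script/i/"                    # path prefix from the description
EXFIL_SCRIPTS = {"recv.php", "s.php", "p.php", "k.php"}  # HTTP POST endpoints
ALL_KINDS = {"initial-loader", "component-loader", "exfil"}

# Hypothetical log layout: "<timestamp> <client> <METHOD> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


class Hit(NamedTuple):
    client: str
    method: str
    url: str
    kind: str


def classify(url: str) -> Optional[str]:
    """Return the JS_WATERHOLE.A request kind for a URL, or None if it does not match."""
    parts = urlsplit(url)
    if not parts.path.startswith(BASE_PATH):
        return None
    tail = parts.path[len(BASE_PATH):]
    if tail == "" and parts.query.isdigit():
        return "initial-loader"           # e.g. /tance_script/i/?1
    if tail == "d.php" and parts.query.isdigit():
        return "component-loader"         # e.g. /tance_script/i/d.php?2 ... ?15
    if tail in EXFIL_SCRIPTS:
        return "exfil"                    # recv.php, s.php, p.php, k.php
    return None


def scan(lines) -> List[Hit]:
    """Parse log lines and return every request matching a JS_WATERHOLE.A pattern."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip malformed or unrelated lines
        kind = classify(m["url"])
        if kind:
            hits.append(Hit(m["client"], m["method"], m["url"], kind))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Map each client to the set of request kinds it produced."""
    by_client: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        by_client[h.client].add(h.kind)
    return dict(by_client)


def full_chain(hits: List[Hit]) -> List[str]:
    """Clients that loaded the script, fetched components and posted data: likely infected."""
    return sorted(c for c, kinds in summarize(hits).items() if kinds == ALL_KINDS)


# Constructed sample log; hosts are documentation/reserved addresses, not real indicators.
CONSTRUCTED_LOG = """\
1418000001.101 10.0.0.5 GET http://loader.example.invalid/tance_script/i/?1 200
1418000001.402 10.0.0.5 GET http://203.0.113.138/tance_script/i/d.php?2 200
1418000001.655 10.0.0.5 GET http://203.0.113.138/tance_script/i/d.php?15 200
1418000002.011 10.0.0.5 POST http://203.0.113.138/tance_script/i/recv.php 200
1418000002.500 10.0.0.5 POST http://203.0.113.138/tance_script/i/k.php 200
1418000003.000 10.0.0.7 GET http://www.example.com/index.html 200
1418000003.100 10.0.0.7 GET http://www.example.com/scripts/d.php?2 200
1418000004.000 10.0.0.9 GET http://203.0.113.138/tance_script/i/other.php 404
"""

if __name__ == "__main__":
    found = scan(CONSTRUCTED_LOG.splitlines())
    for h in found:
        print(f"{h.client:10} {h.method:5} {h.kind:17} {h.url}")
    print("clients with full chain:", full_chain(found))
```

Matching on the path alone is a deliberate trade-off: it catches the same script served from a new host, but a benign site that happens to use the same path would also fire, so the full_chain check (loader, components and POSTs from one client) is the higher-confidence signal, and a single component-loader hit is a lead to pivot on rather than a verdict.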
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Close all open browser windows.
Step 3
Scan your computer with your Trend Micro product to delete files detected as JS_WATERHOLE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.