C�ch di?t Trojan-Downloader.JS.Multi.ca

Ng�y ph�t hi?n: 13 ? 05 ? 2008

Hi?m h?a: TrojanDownloader

N?n t?ng: JS

Trojan n�y download m?t ch??ng tr�nh kh�c th�ng qua Internet v� kh?i ch?y n� tr�n m�y t�nh n?n nh�n m� ng??i d�ng m�y kh�ng h? bi?t hay cho ph�p. N� m� h�a Java Script trong m?t t�i li?u HTML. Dung l??ng c?a n� l� 14147 byte.



Ho?t ??ng :

Khi trang b? nhi?m ??c ???c m? ra b?ng tr�nh duy?t web, ng??i d�ng s? nh?n ???c m?t th�ng b�o:


    Not Found
    The requested URL / was not found on this server.



Trojan sau ?� gi?i m� ch�nh b?n th�n n� v� kh?i ch?y k?ch b?n m� ??c ?? th?c thi. N� s? s? d?ng c�c l? h?ng ???c li?t k� sau ?�y:



1. l?i tr�n b? ??m trong ?i?u khi?n ActiveX Live Picture Corporation DXSurface.LivePicture.FlashPix.1 trong DXTLIPI.DLL khi x? l� "SourceUrl()" (CVE-2007-4336)



2. trong plug-in c?a Windows Media Player khi x? l� m?t tham s? ?src? qu� d�i trong th? "embed" (MS06-006). L? h?ng n�y hi?n di?n khi plug-in ???c kh?i ch?y trong c�c tr�nh duy?t kh�ng ph?i IE.



3. Trong ??i t??ng QuickTime.QuickTime" ActiveX (CVE-2004-0431);



?? download m?t file c� t�n "ldr.exe" t? URL sau:



    http://java62.com/load.php****



File download v? n�y c� dung l??ng 48640 byte. N� s? ???c ph�t hi?n b?i Kaspersky Anti-Virus nh? virus Backdoor.Win32.Agent.ich. File n�y s? ???c l?u v�o th? m?c h? th?ng Windows d??i t�n:


    %System%~.exe



File n�y sau ?� kh?i ch?y qu� tr�nh th?c thi. Trojan s? s? d?ng ??i t??ng ActiveX "Msxml2.XMLHTTP" v� c�c ??i t??ng c� ??nh danh duy nh?t trong h? th?ng:



    {BD96C556-65A3-11D0-983A-00C04FC29E30}
    {BD96C556-65A3-11D0-983A-00C04FC29E36}
    {AB9BCEDD-EC7E-47E1-9322-D4A210617116}
    {0006F033-0000-0000-C000-000000000046}
    {0006F03A-0000-0000-C000-000000000046}
    {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
    {6414512B-B978-451D-A0D8-FCFDF33E833C}
    {7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
    {06723E09-F4C2-43C8-8358-09FCD1DB0766}
    {639F725F-1B2D-4831-A9FD-874847682010}
    {BA018599-1DB3-44F9-83B4-461454C84BF8}
    {D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
    {E8CCCDDF-CA28-496B-B050-6C07C962476B}



?? download m?t file c� t�n g?i "ldr.exe" t? ???ng d?n sau:


    http://java62.com/load.php?MSIE



N� s? d?ng ??i t??ng ActiveX "ADODB.Stream" ?? l?u file n�y d??i t�n:



    c:sys.exe



v� b?n k� t? ??ng sau nh? v� d? sau:



    syskmtz.exe
    syskqoq.exe



File ???c download v? sau ?� s? kh?i ch?y qu� tr�nh th?c thi.


H??ng d?n g? b?



N?u m�y t�nh c?a b?n kh�ng c� m?t ch??ng tr�nh di?t virus t? ??ng c?p nh?t, ho?c kh�ng c� m?t gi?i ph�p di?t virus to�n v?n, h�y th?c hi?n theo c�c h??ng d?n sau ?? x�a b? m� ??c kh?i m�y t�nh:



1. X�a file g?c c?a Trojan (v? tr� file t�y thu?c v�o c�ch n� x�m nh?p ban ??u v�o m�y t�nh n?n nh�n).



2. X�a c�c file sau:



    %System%~.exe
    c:sys.exe


3. V� hi?u h�a c�c ??i t??ng ActiveX b? l? h?ng



4. C�i ??t c�c b?n v� b?o m?t sau:



    http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx



5. C�i ??t phi�n b?n m?i nh?t c?a QuickTime.



6. C?p nh?t c? s? d? li?u virus v� th?c hi?n qu�t to�n b? m�y t�nh.

Submit Article :- Digg + Technorati + del.icio.us + Stumbleupon + Reddit + BlinkList + Furl + Yahoo+ Blogmarks + Ekstreme Socializer

|