Author Topic: New spawn of JS/Agent aka JSTrojanDownloader.HackLoad.AH trojan (Read 2282 times)

polonus · « **on:** May 07, 2012, 10:20:19 PM »

Various predecessors of this malware have been closed, this however was given to-day: htxp://zulu.zscaler.com/submission/show/dd0f84734642ce05094392411b2bbc74-1336420983
avast should detect this as JS:Redirector-RO [Trj]aka Blackhole aka JSTrojanDownloader.HackLoad.AH trojan
Suricata /w Emerging Threats
Timestamp   Source IP   Destination IP   Alert
2012-05-07 22:04:16   urlQuery Client   31.210.50.42   ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus index.html
the above according to IDS at: htxp://urlquery.net/report.php?id=52043

reported to virus AT avast dot com,

polonus

!Donovan · « **Reply #1 on:** May 07, 2012, 10:57:34 PM »

URLVoid 3/31: http://urlvoid.com/scan/sebatemlak.net/

I wish it stayed up a little longer. To see how the exploit looked like $:-\$

polonus · « **Reply #2 on:** May 07, 2012, 11:40:24 PM »

Hi !Donovan,

Here the analysis of an exemplar that is still alive and "kicking mischief": http://anubis.iseclab.org/?action=result&task_id=105cf5c44479650b4a59457f0df870487
Avast is detecting this malware as JS:Redirector-RO [Trj],

polonus

Author Topic: New spawn of JS/Agent aka JSTrojanDownloader.HackLoad.AH trojan (Read 2282 times)

polonus

New spawn of JS/Agent aka JSTrojanDownloader.HackLoad.AH trojan

!Donovan

Re: New spawn of JS/Agent aka JSTrojanDownloader.HackLoad.AH trojan

polonus

Re: New spawn of JS/Agent aka JSTrojanDownloader.HackLoad.AH trojan