Windows Security Tutorials - Herong's Tutorial Examples - v3.01, by Dr. Herong Yang
JS/Downloader.gen - JavaScript Downloader Malware
This section describes a real case where a JavaScript downloader malware was only partially detected by McAfee VirusScan on a Windows XP system. The Trojan downloader still succeeded in downloading and executing a PWS Trojan installer program.
A couple of weeks ago, my computer got infected by a Trojan after I visited a .cn Web site. Since I have McAfee VirusScan running on my Windows XP system, I reviewed the McAfee OnAccessScanLog.txt log file as the first step to find out how this Trojan infected my computer.
In OnAccessScanLog.txt, I found a section of records indicating that a PWS Trojan infection had happened on my computer. The infection started with malicious JavaScript code, as shown by these log records:
...
10/26/2008 5:58:21 PM Deleted hyang C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\hyang\Local Settings\Temporary Internet Files\Content.IE5\UVQLMT01\ilink[1].htm\000000a0.js JS/Downloader.gen (Trojan)
10/26/2008 6:58:24 PM Script execution blocked hyang IEXPLORE.EXE (http://x.x.cn/swf/fx.htm) Script executed by IEXPLORE.EXE JS/Downloader.gen (Trojan)
10/26/2008 6:01:07 PM Deleted hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\SYSTEM32\PCAXYOQRXA.EXE PWS-Mmorpg.gen (Trojan)
...
I did a search on Google for JS/TrojanDownloader.gen, and learned that JS/TrojanDownloader.gen is a family of Trojan scripts written in JavaScript. When executed, a JS/TrojanDownloader.gen script connects to the Internet, then downloads and executes another malware program on the computer.
According to the log file, McAfee VirusScan seems to have deleted the JavaScript file and blocked the script execution initiated by the IE browser. But somehow, the PWS Trojan installer program, heb.exe, was still downloaded and executed on my computer.
There are only two scenarios for what happened: (1) McAfee VirusScan did not really delete the Trojan downloader and did not really block its execution; (2) the malicious Web page from .cn contained multiple Trojan downloaders, some of which were too new for McAfee VirusScan to detect and delete. I have no way to confirm which scenario really happened.
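One way to check a scan log for this pattern mechanically, as an added example that is not part of the original tutorial: the Python script below parses the records quoted above (the field layout is assumed from those records, not taken from McAfee documentation) and pairs each downloader detection with any later detection raised by a different acting process. In this log that pairing surfaces heb.exe, which appears as the running process in the third record even though it is never itself listed as a detected file.

```python
import re
import ntpath
from collections import namedtuple
from datetime import datetime

# Constructed sample: the three OnAccessScanLog.txt records quoted above,
# one record per line.
SAMPLE_LOG = r"""
10/26/2008 5:58:21 PM Deleted hyang C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\hyang\Local Settings\Temporary Internet Files\Content.IE5\UVQLMT01\ilink[1].htm\000000a0.js JS/Downloader.gen (Trojan)
10/26/2008 6:58:24 PM Script execution blocked hyang IEXPLORE.EXE (http://x.x.cn/swf/fx.htm) Script executed by IEXPLORE.EXE JS/Downloader.gen (Trojan)
10/26/2008 6:01:07 PM Deleted hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\SYSTEM32\PCAXYOQRXA.EXE PWS-Mmorpg.gen (Trojan)
"""

# Field layout as assumed from the quoted records: timestamp, action, user,
# acting process, file acted on (or script description), detection, kind.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<action>Deleted|Script execution blocked)\s+(?P<user>\S+)\s+"
    r"(?P<process>[A-Za-z]:\\\S.*?\.exe|\S+\.exe)\s+(?P<target>.+?)\s+"
    r"(?P<detection>\S+)\s+\((?P<kind>[^)]+)\)$", re.IGNORECASE)

# 'process' is the program that touched the file, i.e. what was actually
# running on the host; 'target' is the file VirusScan acted on.
ScanRecord = namedtuple("ScanRecord", "ts action user process target detection kind")

def parse_log(text):
    """Parse log lines into ScanRecords ordered by time (the file is not)."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            records.append(ScanRecord(ts, m["action"], m["user"], m["process"],
                                      m["target"], m["detection"], m["kind"]))
    return sorted(records, key=lambda r: r.ts)

def followon_after_downloader(records):
    """Pair each downloader detection with later non-downloader detections
    raised by a different acting process: evidence a dropped payload ran."""
    pairs = []
    for d in records:
        if "downloader" not in d.detection.lower():
            continue
        for later in records:
            if (later.ts > d.ts and "downloader" not in later.detection.lower()
                    and ntpath.basename(later.process).lower()
                    != ntpath.basename(d.process).lower()):
                pairs.append((d, later))
    return pairs
```

Run it on a full OnAccessScanLog.txt and every pair it prints names a process that was executing on the host after a downloader was supposedly stopped; those process names are the starting point for the manual cleanup described in the following sections.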
In conclusion, VirusScan did not do a good job of fully protecting this computer against this JavaScript Trojan downloader. Read the sections below to see what the PWS Trojan installer, heb.exe, did on this computer.