JS/Downloader.gen - JavaScript Downloader Malware

This section describes a real case where a JavaScript download malware was partially detected by McAfee VirusScan on a Windows XP system. The Trojan downloader successfully downloaded and executed a PWS Trojan installer program.

A couple of weeks ago, my computer got infected by a Trojan after visiting a .cn Website. Since I have McAfee VirusScan running on my Windows XP system. So I reviewed the McAfee OnAccessScanLog.txt log file as the first step to find out how this Trojan infected by computer.

In the OnAccessScanLog.txt, I found a section of records indicating a PWS Trojan infection happened on my computer. The infection started with a malicious JavaScript code as shown by these log record:

...
10/26/2008 5:58:21 PM Deleted hyang C:\Program Files\Internet Explorer
   \IEXPLORE.EXE C:\Documents and Settings\hyang\Local Settings
   \Temporary Internet Files\Content.IE5\UVQLMT01\ilink[1].htm
   \000000a0.js JS/Downloader.gen (Trojan)

10/26/2008 6:58:24 PM Script execution blocked hyang IEXPLORE.EXE
   (http://x.x.cn/swf/fx.htm) Script executed by IEXPLORE.EXE
   JS/Downloader.gen (Trojan)

10/26/2008 6:01:07 PM Deleted hyang C:\WINDOWS\system32\heb.exe
   C:\WINDOWS\SYSTEM32\PCAXYOQRXA.EXE PWS-Mmorpg.gen (Trojan)
...

I did a search on Google with JS/TrojanDownloader.gen, and learned that JS/TrojanDownloader.gen is a family of Trojan scripts written in JavaScript language. When executed, a JS/TrojanDownloader.gen script will connect to the Internet, download and execute another malware program on my computer.

According to the log file, McAfee VirusScan seems to deleted the JavaScript file and blocked the script execution initiated by the IE browser. But somehow, the PWS Trojan installer program, heb.exe, was downloaded and executed on my computer.

There are only two scenarios for what happened: (1). McAfee VirusScan did not really delete the Trojan downloader and did not really block the execution of the Trojan downloader; (2). The malicious Web page from .cn contains multiple Trojan downloaders. Some of them were too new for McAfee VirusScan to detect and delete. I have no way to confirm which scenario was really happened.

Conclusion, VirusScan did not a good job to fully protecting this computer against this Trojan JavaScript downloader. Read sections below to see what the PWS Trojan installer, heb.exe, did on this computer.

Table of Contents

 About This Windows Security Book

 Windows 8: System Security Review

 Windows 8: System Security Protection

 Windows 8 System Recovery

 Windows 8 Defender for Real-Time Protection

 Windows 7: System Security Review

 Windows 7: System Security Protection

 Windows 7 System Recovery

 Windows 7 Forefront Client Security

 Norton Power Eraser - Anti-Virus Scan Tool

 McAfee Virus and Malware Protection Tools

 Spybot - Spyware Blocker, Detection and Removal

 Keeping Firefox Secure

 Keeping IE (Internet Explorer) Secure

 Malware (Adware, Spyware, Trojan, Worm, and Virus)

 HijackThis - Browser Hijacker Diagnosis Tool

 IE Add-on Program Listing and Removal

 "Conduit Search" - Malware Detection and Removal

 "Tube Dimmer", "Scorpion Saver" or "Adpeak" Malware

 Malware Manual Removal Experience

 Vundo (VirtuMonde/VirtuMundo) - vtsts.dll Removal

 Trojan and Malware "Puper" Description and Removal

 VSToolbar (VSAdd-in.dll) - Description and Removal

PWS (Password Stealer) Trojan Infection Removal

 What Is PWS (Password Stealer) Trojan?

JS/Downloader.gen - JavaScript Downloader Malware

 PWS-Mmorpg.gen - A Password Stealer Trojan

 heb.exe - The Trojan Installer Program

 .exe and .dll Files Installed by the Trojan

 my.exe - A Second PWS Trojan Infection

 .exe and .dll Files of the Second Trojan

 Explorer.EXE Trying to Install a Trojan

 AccessProtectionLog.txt Log File Records

 ATF-Cleaner.exe - Temporary File Remover

 Trajon Files Left in the System Folder

 Removing PWS Trojan Files

 Removing PWS Trojan Startup Entries

 Command Processor AutoRun - Registry Value

 UserInit - Winlogon Registry Key

 js.users.51.la - hosts File Entries

 Image File Execution Options - Registry Key

 regedit.exe Not Working

 MS08-001 Vulnerability on Windows Systems

 Antivirus System PRO

 References

 Full Version in PDF/ePUB