
Exploit:JS/Neclu.C


Microsoft security software detects and removes this threat.

This threat is on a website that downloads malware onto your PC. You might be redirected to this website when you visit a hacked webpage.

It tries to use vulnerabilities in your software to infect your PC.

You might get an alert about this threat even if you're not using a vulnerable version of Java. This is because we detect when a website tries to use the vulnerability, even if it isn't successful.

See our page about exploits and learn how to update common software.

Find out ways that malware can get on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Update Java

Make sure you install all available Java updates.

You should remove older versions of Java, as keeping old and unsupported versions of Java on your PC is a serious security risk:

If you continue to get alerted about this threat, deleting your temporary Java files can help:

It's also important to keep your other software up to date:

Threat behavior

This threat is a component of the Nuclear exploit kit. It is malicious JavaScript code embedded in an HTML page.

Installation

The threat checks to see if your PC is running a vulnerable version of Java or Adobe Reader.

We have seen it try to use the following vulnerabilities:

  • CVE-2010-0188 (Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1)
  • CVE-2012-1723 (Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier)
  • CVE-2013-1493 (Oracle Java SE 7 update 15 and earlier, 6 update 41 and earlier, and 5.0 update 40 and earlier)
  • CVE-2013-2423 (Java SE 7 update 17 and earlier, and OpenJDK 7)
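As an added example (not Microsoft's code), the Java version ranges in the list above can be turned into a check for a software inventory. The function names, host names and sample versions are constructed for illustration, and CVE-2010-0188 (Adobe Reader and Acrobat) is not covered.

```python
import re

# Highest affected update per Java family, copied from the CVE list above.
AFFECTED = {
    "CVE-2012-1723": {"7": 4, "6": 32, "5": 35, "1.4.2": 37},
    "CVE-2013-1493": {"7": 15, "6": 41, "5": 40},
    "CVE-2013-2423": {"7": 17},
}
# Legacy java.version format, e.g. "1.7.0_15" or "1.7.0_15-b03".
_VERSION = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-b\d+)?$")


def parse_java_version(text):
    """Return (family, update), or None if the string is not a listed family."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    update = int(m.group(3) or 0)  # "1.7.0" with no suffix is update 0
    if (major, minor) == (4, 2):
        return "1.4.2", update
    if major in (5, 6, 7) and minor == 0:
        return str(major), update
    return None


def exposed_cves(version_text):
    """Return the listed CVEs covering this version, or None if it cannot be judged."""
    parsed = parse_java_version(version_text)
    if parsed is None:
        return None  # never report an unparsed string as clean
    family, update = parsed
    return sorted(cve for cve, limits in AFFECTED.items()
                  if family in limits and update <= limits[family])


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "ws-01": "1.7.0_04",
    "ws-02": "1.6.0_41",
    "ws-03": "1.7.0_21",
    "ws-04": "unknown",
}

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        print(host, version, exposed_cves(version))
```

An empty list only means the version is outside the ranges listed for these CVEs; the advice above to install all available Java updates still applies.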

We have seen the threat hosted on pages at the following URLs:

  • http://mqs3sbee.polarquarterback.pw/<removed>_3-c89dff037-ee-19See1C0-f/202/86293d224dad755bb9bd0f13d34119f0.html
  • http://exk8zn.wintercoach.pw/<removed>_a0ac04_8ac_a4-1Ncc8-c/187/33b2e12e14fbd7a7eaf380ef1437bc5d.html
  • http://j46ix0.slipperyjavelin.pw/<removed>-4LaMa4096c3c_f32Rc_2-0_0Z/145/3438ee91374eac5ad5146f1ca848e85b.html

The landing page might look like the following:

 

Payload

Downloads malware

If your PC has vulnerable software installed, this threat can download other malware, including:

Analysis by Shawn Wang


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.165.3520.0
Latest detected by definition: 1.169.260.0 and higher
First detected on: Feb 07, 2014
This entry was first published on: Feb 18, 2014
This entry was updated on: Jul 11, 2014

This threat is also detected as:
  • Nuclear (other)