
Trojan:JS/Redirector.H


Microsoft security software detects and removes this threat.

This threat can redirect you to a malicious or hacked website, which may then use exploits to download malware onto your PC.

It can run when you visit a malicious or compromised web page, or click on a link in a spam email.

Find out ways that malware can get on your PC



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation
We have found this trojan inserted into numerous Web pages through a blanket SQL injection attack carried out with an automated tool.
Payload
IFrame Code Execution
Trojan:JS/Redirector.H may execute the following scripts within an IFrame:
  • am6.htm
  • am7.htm
  • hei.htm
  • a3a.htm
  • am2.htm
  • b11.htm
  • b19.htm
  • 3.html
  • index.html
  • set2.htm
  • set4.htm

When we downloaded the referenced script (detected as "Exploit:JS/Repl.B"), we saw that it can contain five or more exploits, each executed within its own IFrame:
The itemized IFrames use the following execution methods:
  1. This IFrame executes a Microsoft Data Access Components (MDAC) ADO ActiveX control known as "RDS.DataSpace". This control contains a vulnerability that could allow the execution of arbitrary code on systems that have not applied the update from Microsoft Security Bulletin MS06-014. The IFrame references an HTML script named "ax14.htm" (ActiveX MS06-014), which is identified as "TrojanDownloader:JS/Psyme.BA" or "TrojanDownloader:VBS/Psyme.gen!E".
  2. This IFrame executes an ActiveX control for "RealPlayer" known as "IERPCtl". This control contains a buffer overflow vulnerability that could allow the execution of arbitrary code on systems that have not applied the security patch from RealNetworks. Two IFrames are referenced, executing "re10.htm" (RealPlayer 10 exploit) and "re11.htm" (RealPlayer 11 exploit); both are identified as "Exploit:JS/Repl.C" or "Exploit:HTML/Repl.D".
  3. This IFrame executes an ActiveX control for "Ourgame GLWorld" known as "GLAvatar". This control contains an undisclosed (zero-day) vulnerability that could allow the execution of arbitrary code. This IFrame references an HTML script named "axlz.htm" (ActiveX Lianzong game platform) identified as "Exploit:JS/Gdow.A". See "GLAvatar Control" in "Additional Information" for more about this vulnerability.

    A variant of this IFrame executes an ActiveX control for "Ourgame GLWorld" known as "GLIEDown". This control contains a vulnerability that could allow the execution of arbitrary code. This variant also references an HTML script named "axlz.htm".
  4. This IFrame executes an ActiveX control for "Baofeng Storm StormPlayer" known as "MPS.StormPlayer". This ActiveX control contains multiple remote buffer overflow vulnerabilities that could allow the execution of arbitrary code on systems running Storm versions prior to 2.7.9.10, as discussed on various security forums and Web sites. This IFrame references an HTML script named "bb.htm", which is identified as "Exploit:Win32/Senglot.J".
  5. This IFrame executes an ActiveX control for "Xunlei Thunder DapPlayer" known as "DPClient.vod". This ActiveX control contains a buffer overflow vulnerability (CVE-2007-5064) that could allow the execution of arbitrary code. According to FrSIRT, there is no known update to mitigate this vulnerability. This IFrame references a file "xl.gif" (Xunlei); however, the file was unavailable at the time of this writing.
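The installation and payload sections above give a site owner two concrete things to look for: hidden or zero-sized IFrames whose target is one of the script names listed under "IFrame Code Execution", and landing pages that instantiate the ActiveX controls named in the itemized list. The following scanner is an added example written for this entry; it is not Microsoft's detection logic and not code from the threat. It assumes content is available as HTML text (for example, rows pulled from a CMS table after a suspected SQL injection), matches only the script names and ProgIDs that appear on this page, and treats the sample pages, the `example.invalid` host and the `ActiveXObject` pattern as constructed test input rather than observed indicators.

```python
import re
from html.parser import HTMLParser

# IFrame target script names listed in this entry for Trojan:JS/Redirector.H.
REDIRECTOR_TARGETS = {
    "am6.htm", "am7.htm", "hei.htm", "a3a.htm", "am2.htm", "b11.htm",
    "b19.htm", "3.html", "index.html", "set2.htm", "set4.htm",
}
# Names common enough that they only count when the IFrame is also hidden.
GENERIC_NAMES = {"index.html"}

# ActiveX controls named in the payload analysis (ProgID form only; the page
# gives no CLSIDs, so <object classid=...> instantiation is not covered here).
VULNERABLE_ACTIVEX = {
    "RDS.DataSpace", "IERPCtl", "GLAvatar", "GLIEDown",
    "MPS.StormPlayer", "DPClient.vod",
}
_ACTIVEX_BY_LOWER = {name.lower(): name for name in VULNERABLE_ACTIVEX}
_ACTIVEX_RE = re.compile(r"ActiveXObject\s*\(\s*[\"']([^\"']+)[\"']")


class IFrameCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v == "0"


def is_hidden(attrs):
    """Heuristic: zero-sized or CSS-hidden IFrames, the usual injection shape."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if _is_zero(attrs.get("width", "")) or _is_zero(attrs.get("height", "")):
        return True
    return re.search(r"(?:width|height):0(?:px)?(?:;|$)", style) is not None


def scan_html(html):
    """Return a list of (indicator, value) findings for one HTML document."""
    findings = []
    parser = IFrameCollector()
    parser.feed(html)
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        name = src.rsplit("/", 1)[-1].split("?")[0].lower()
        hidden = is_hidden(attrs)
        if name in REDIRECTOR_TARGETS and (name not in GENERIC_NAMES or hidden):
            findings.append(("redirector_iframe", src))
        elif hidden:
            findings.append(("hidden_iframe", src))
    seen = set()
    for match in _ACTIVEX_RE.finditer(html):
        canonical = _ACTIVEX_BY_LOWER.get(match.group(1).lower())
        if canonical and canonical not in seen:
            seen.add(canonical)
            findings.append(("vulnerable_activex", canonical))
    return findings


def sweep_stored_content(rows):
    """rows: iterable of (row_id, html_text), e.g. page bodies read from a
    database after a mass SQL injection. Returns {row_id: findings} for hits."""
    return {rid: f for rid, f in ((rid, scan_html(h)) for rid, h in rows) if f}


# Constructed sample input; the host and tag layout are illustrative only.
SAMPLE_INJECTED_PAGE = """<html><body><h1>Store</h1>
<iframe src="http://example.invalid/am6.htm" width="0" height="0"></iframe>
<iframe src="http://example.invalid/other.htm" style="display:none"></iframe>
<iframe src="http://example.invalid/embed/video" width="560" height="315"></iframe>
</body></html>"""

SAMPLE_LANDING_PAGE = """<script>var o = new ActiveXObject("RDS.DataSpace");</script>
<script>var p = new ActiveXObject('IERPCtl');</script>"""

if __name__ == "__main__":
    for label, doc in (("injected", SAMPLE_INJECTED_PAGE), ("landing", SAMPLE_LANDING_PAGE)):
        print(label, scan_html(doc))
    print(sweep_stored_content([(1, SAMPLE_INJECTED_PAGE), (2, "<p>clean</p>")]))
```

The generic-name rule keeps `index.html` from flooding results on a normal site while still catching it when it sits in a zero-sized frame, which is how the entry describes the injected references. A production sweep would also record the row and the surrounding bytes so that the injected fragment can be removed and the injection point in the application fixed.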
 
Additional Information
GLAvatar Control
This vulnerability is considered a zero-day exploit, and it joins three other known vulnerabilities in the GLWorld online game application:
  • CVE-2008-0647: Multiple Buffer Overflow Vulnerabilities within "HanGamePluginCn18.dll"
  • CVE-2007-5722: Stack-based Buffer Overflow Vulnerability within "GLChat.ocx"
  • Bugtraq ID 29118: Ourgame ActiveX Control Remote Code Execution Vulnerability within "GLIEDown2.dll"
 
Analysis by Cristian Craioveanu & Patrick Nolan

Symptoms

There are no common symptoms associated with this threat: links are activated within IFrames while viewing Web content on maliciously modified pages. Alert notifications from installed antivirus software may be the only symptom.

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.111.1301.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: May 27, 2008
This entry was updated on: May 18, 2015

This threat is also detected as:
  • JS/TrojanDownloader.Iframe.NAI (ESET)