Microsoft security software detects and removes this threat.

You should also update your software to be fully protected.

This threat is a type of malware which tries to infect your computer with other malware, such as trojans and viruses.

It belongs to the Blacole family of malware, which together are known as the Blacole (or "Blackhole") exploit kit. 

See our page about exploits and learn how to update common software.

When you visit a malicious or compromised website, Blacole scans your computer for vulnerabilities or weaknesses in your software. It then uses those vulnerabilities to download malware onto your computer:

Typically, the Blacole exploit kit attempts to exploit vulnerabilities in applications such as Oracle Java, Sun Java, Adobe Acrobat and Adobe Reader.

What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

After you have scanned your computer, you should update all of your software.

The more up-to-date your software, the better your chances at preventing Blacole from infecting your computer with more malware.

You can read more about this vulnerability and download software updates from these links:

You should remove older versions of Java that are still present. Keeping old and unsupported versions of Java on your system presents a serious security risk. You can read more about why you should remove older versions of Java in the following article:

A detection for this exploit may be triggered from your Java cache if a previous attempt at exploit has been made. We recommend that you delete your temporary Java files to prevent a persistent detection of this exploit. For instructions on how to delete temporary Java files, please see the following article:

Threat behavior

Your antivirus software may detect Blacole when you visit a compromised or malicious webpage. A compromised webpage is one in which an attacker has inserted malicious JavaScript code without the webpage owner's knowledge.

When you visit the webpage, the JavaScript code - detected as BlacoleRef - is run.

The Blacole family is designed to load a hidden IFrame that contacts a malicious page that is stored on a web server. This page determines information about your browser, such as what browser it is (for example, Internet Explorer or Firefox), what version it is, and what plugins or extensions you have installed.

The page then redirects the hidden IFrame to another page (or multiple pages) that specifically uses or exploits only those vulnerabilities that your browser is susceptible to. These vulnerabilities are then used to download malware onto your computer.

In this way, Blacole forms part of a larger process, all of which is designed to have the greatest success of infecting your computer with malware.

For more details, see the BlacoleRef and Blacole family descriptions.

Further reading

Get gamed and rue the day...


There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Alert level: Severe
First detected by definition: 1.127.993.0
Latest detected by definition: 1.169.738.0 and higher
First detected on: May 29, 2012
This entry was first published on: May 29, 2012
This entry was updated on: Aug 14, 2013

This threat is also detected as:
No known aliases