Trojan:HTML/Redirector.CF

Installation

Trojan:HTML/Redirector.CF is obfuscated JavaScript contained within a webpage.

Payload

Opens other websites

If you visit a webpage containing Trojan:HTML/Redirector.CF, the script runs and automatically redirects to, or opens, another website, which may open another website, which may open another website, and so on.

At any point during the redirection, any of the opened websites may have other malware or perform other actions.

One such redirection routine is as follows:

1. You visit "www.googleadsl.com/<removed>/cp.js"
2. Which opens "www.want2free.com/<removed>/notepad/include/sizer.js"
3. Which opens "www.joinin.com.cn/en/flash/<removed>/adk.asp"
4. Which opens "www.want2free.com/<removed>/notepad/include/resed.js"
5. Which opens "www.want2free.com/PHONYGuard/<removed>/sct.html"
6. Which opens "www.esph.com.cn/<removed>/<removed>.html?id=http://www.wedsfcreqqerty.com/"

The last website may look like the following:

Opens pop-ups

Trojan:HTML/Redirector.CF may open pop-ups, which may appear similar to the following:

Analysis by Patrik Vicol