Trojan-Ransom.JS.Agent.v

From Total Malware Info

The description for Trojan-Ransom.JS.Agent.v was created during the beta test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.

It is a trojan designed to download other malicious programs. It is an HTML page containing JavaScript. Its size is 26,707 bytes.

Payload

To spread the malicious files, the attacker registered many domains.


On these domains, the attacker published a web page that looks like an online video service (with "adult" content), as suggested by the view counts and the pictures shown against the background of a standard player.

When one tries to watch any video, the trojan shows a window asking the user to download an update to Adobe Flash Player, supposedly necessary for viewing.

Following the link to the terms, one can read a user agreement, which describes how the program downloaded by the trojan works, as well as the conditions under which it completes its execution.

If one presses the "Cancel" button, the trojan shows another window; closing or cancelling it makes it reappear.

When one clicks the "OK" or "Download Update" button, the trojan downloads a file called "flash_player.exe", which is located on the same domain:

http://<domain name>/flash_player.exe

At the time of writing, the attacker's websites hosted malicious files, which are detected by Kaspersky Antivirus as modifications of Trojan-Ransom.Win32.XBlocker.
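The download pattern described above (a file named flash_player.exe fetched from the same domain as the lure page) can be hunted for in web proxy logs. The following is an added example, not part of the original description: the log layout, the sample hosts and the trusted-host list are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts accepted as legitimate sources of Flash Player installers.
TRUSTED_SUFFIXES = ("adobe.com", "macromedia.com")
LURE_NAME = "flash_player.exe"  # file name given in the description above

# Assumed log layout (constructed): "<client> <method> <url> <status> <referer>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Constructed sample input; none of these hosts come from the description.
SAMPLE_LOG = """\
10.0.0.5 GET http://video-site.example/index.html 200 -
10.0.0.5 GET http://video-site.example/flash_player.exe 200 http://video-site.example/index.html
10.0.0.7 GET http://download.adobe.com/flash_player.exe 200 -
10.0.0.9 GET http://clips.example/FLASH_PLAYER.EXE?x=1 200 http://clips.example/watch
10.0.0.9 GET http://clips.example/player.js 200 http://clips.example/watch
garbage line
"""

def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def find_lure_downloads(log_text):
    """Return requests for flash_player.exe served by untrusted hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        client, _method, url, _status, referer = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        name = parts.path.rsplit("/", 1)[-1].lower()  # ignore case and query
        if name != LURE_NAME or is_trusted(host):
            continue
        # The description says the file sits on the same domain as the page.
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        hits.append({"client": client, "host": host,
                     "same_site_referer": ref_host == host})
    return hits

if __name__ == "__main__":
    for hit in find_lure_downloads(SAMPLE_LOG):
        print(hit)
```

A hit with same_site_referer set to True matches the behaviour described here most closely; clients listed in the hits are candidates for the removal steps below.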

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

  1. Leave the attacker's website.
  2. Purge the Temporary Internet Files folder:
     %Temporary Internet Files%
  3. Perform a full system scan using an antivirus with updated antivirus databases (download a trial version).
