VID 24074
Severity 40
Port 80, ...
Protocol TCP
Class BackDoor
Detailed Description The Download.Ject Trojan has been detected on the system.
Download.Ject is a simple Trojan written in JavaScript that infects Microsoft IIS servers (Download.Ject is also known as JS.Scob.Trojan, Scob, and JS.Toofeer). It was found on a number of web sites on June 24th, 2004. According to reports, the script is not appended by modifying the actual files on the server but by using the document footer feature of Microsoft's Internet Information Server. The Trojan's dropper sets it as the document footer for all pages served by IIS Web sites on the infected computer. As a result, the Trojan has been found appended to existing files served by those web servers, for example pictures such as JPEG files.

When it is executed, the dropper performs the following actions on the IIS Web server:
1. Drops ads.vbs into the current folder.
2. Drops three files, named %System%\inetsrv\iisXXX.dll, where XXX are three hexadecimal digits.
3. Modifies the configuration of IIS Web sites on the infected computer to set one of the iisXXX.dll files as the document footer. This causes IIS to append JS.Scob.Trojan to pages served by the Web server, such as .html, .jpeg, and .gif files.

The JavaScript components, JS.Scob.Trojan and JS.Scob.Trojan!inf, do the following on the client side:
1. If the file is not accessed through HTTPS and the Trojan has not set a currently valid cookie on the computer, it launches a JavaScript file located at 217.107.218.147.
2. The Trojan then sets a cookie which expires in one week. The cookie begins with the characters "trk716".
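A server owner can check served responses for the footer behaviour and the cookie prefix described above. The following is an added example, not part of the original advisory: the function names and the sample bodies are constructed for illustration, and the footer text is an inert placeholder rather than the Trojan's script.

```python
import re

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
COOKIE_PREFIX = b"trk716"  # cookie prefix given in this advisory

def trailing_bytes(body: bytes) -> bytes:
    """Bytes served after the logical end of a JPEG or HTML document."""
    if body.startswith(JPEG_SOI):
        end = body.rfind(JPEG_EOI)  # last end-of-image marker
        return body[end + 2:] if end != -1 else b""
    closes = list(re.finditer(rb"</html\s*>", body, re.I))
    return body[closes[-1].end():] if closes else b""

def footer_findings(body: bytes) -> list:
    """Return indicator names for one HTTP response body."""
    findings = []
    tail = trailing_bytes(body).strip()  # ignore a trailing newline after </html>
    if tail:
        findings.append("trailing-data")
        if re.search(rb"<\s*script\b", tail, re.I):
            findings.append("script-in-trailer")
    if COOKIE_PREFIX in body:
        findings.append("trk716-reference")
    return findings

# Constructed sample bodies (not captured traffic); the footer is an inert placeholder.
FOOTER = b"<script>/* placeholder footer; names cookie trk716 */</script>"
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
CLEAN_HTML = b"<html><body>ok</body></html>\r\n"
SAMPLES = {
    "clean.jpg": CLEAN_JPEG,
    "footer.jpg": CLEAN_JPEG + FOOTER,
    "clean.html": CLEAN_HTML,
    "footer.html": CLEAN_HTML + FOOTER,
}

def scan(samples: dict) -> dict:
    """Map each sample name to its list of findings."""
    return {name: footer_findings(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name}: {hits or 'no findings'}")
```

A "trailing-data" finding on its own is not conclusive, since some tools leave benign bytes after the end-of-image marker; script markup after the marker in an image response is the stronger signal.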

* References:
http://www.microsoft.com/security/incident/download_ject.mspx
http://www.symantec.com/avcenter/venc/data/js.scob.trojan.html
http://www.f-secure.com/v-descs/scob.shtml

* Platforms Affected:
Microsoft Windows Any version
Recommendation Remove it from the infected computer using an anti-virus program (vaccine program), following these steps:

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan, repair or delete all files detected as JS.Scob.Trojan, JS.Scob.Trojan!inf or JS.Scob.Trojan!dr.
4. Reset the document footer setting of IIS web sites.
a. In the Internet Services Manager, right click on each Web site and go to Properties.
b. To restore the settings to their original values, delete the dll path in the text box and uncheck the "Enable Document Footer" check box. If you use a custom document footer in IIS, browse to the file's location and select it as your document footer.

More detailed removal instructions are available from Microsoft at http://www.microsoft.com/security/incident/download_ject.mspx

-- AND --

Apply the appropriate patch for your system, as listed in the Microsoft Security Bulletin MS04-011 at http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx