Securing yourself from Download.Ject (a.k.a JS.Scob.Trojan, Scob, JS.Toofeer)

Hopefully you have heard of the new Download.Ject virus that is also known as JS.Scob.Trojan, Scob, JS.Toofeer and have taken the corrective steps to fix it. Like most other users, I primarily use IE ( about 85% of the time and FireFox the rest of the time) and need to be careful of this threat - especially on what it does.

If you have not done anything to prevent this I seriously recommend that you do ASAP. I have a brief description on how to fix this and what it does.

What is it?

It is a Trojan downloader written in JavaScript. It has been found from a number of web sites on June 24th, 2004. The Trojan has been found to be appended to existing files at those web servers, for example pictures such as jpeg files. According to reports, the script has not been appended by modifying the actual files on the server but using the so called footer feature from IIS. When executed, the Trojan attempts to use an invisible frame to connect to a page at a remote web site. At the time of writing, the page in the web site is not available. While the page is not currently available, there has been reports that this downloader has been used to install variants of Padodor backdoor.

Padodor backdoor was created by a Russian hacker group called HangUp Team. This backdoor steals users personal information including credit card numbers, logins and password that a user types and other sensitive information. The backdoor’s file is a PE executable 51712 bytes long. The backdoor’s file is encrypted and the decryption routine is polymorphic. Every time the backdoor installs itself, it changes its decryptor, so its file will look different after every installation.

What does this do on the Web Server (IIS):

1. Drops ads.vbs into the current folder/
2. Drops three files, named %System%\inetsrv\iisXXX.dll, where XXX are three hexadecimal digits.
3. Modifies the configuration of IIS Web sites on the infected computer to make one of the iisXXX.dll files the document footer.

What does this do on the client site (i.e. your Browser):

When the backdoor’s file is run, it installs itself to system. It copies its file to Windows System directory with a random name that can contain ‘32’ in the end. The name can be for example ‘amackg32.exe’. Also the backdoor extracts and writes a small DLL file to Windows System folder. That file also has a randomly generated name that can contain ‘32’ in the end, for example ‘bnldnl32.dll’. That DLL file is a starter for the dropped backdoor’s executable file. It already contains the name of the dropped backdoor file - it is inserted there before extraction.

1. The file is not accessed through HTTPS and the Trojan has not set a currently valid cookie on the computer, it launches a JavaScript file located at 217.107.218.147.
2. The Trojan then sets a cookie which expires in one week. The cookie begins with the characters “trk716”.
3. Created the following registry keys:

   • [HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32] @ = “%WinSysDir%\.dll” “ThreadingModel” = “Apartment”

   • [HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] “Web Event Logger” = “{79FEACFF-FFCE-815E-A900-316290B5B738}”

When the backdoor is active, one of its threads looks for certain text strings in open application windows:

• .paypal.com

• signin.ebay.

• .earthlink.

• .juno.com

• my.juno.com/s/

• webmail.juno.com

• .yahoo.com

• Sign In

• Log In

If such text strings are found, the backdoor tracks user’s login and password and saves it to a file

that will be sent to a hacker. The backdoor steals credit card information that a user inputs in

webforms and sends this data to a hacker. Once the Trojan is triggered, it will not be triggered

again until a week later.

How do I detect it?

To determine if the malicious code is on your computer, search for the following files:

• Kk32.dll
• Surf.dat

Steps for Windows XP users:

1. On the taskbar at the bottom of your screen, click Start, and then click Search.
2. Under What do you want to search for? click All files and folders.
3. Under All or part of the file name:
   type: Kk32.dll
   and then click the Search button.
4. Under All or part of the file name:
   type: Surf.dat
   and then click the Search button.

If either of these files is present, your computer may be infected.

How do I clean it?

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan, repair all the files detected as JS.Scob.Trojan!inf, and delete all files detected as JS.Scob.Trojan, JS.Scob.Trojan!inf or JS.Scob.Trojan!dr.
4. Reset the document footer setting of IIS web sites.

What if I am running Windows 2000 Server?

You can Check document footers on the IIS server:

1. Click Start, and then click Run.

2. In the Open box, type the following, and then click OK:

   %SystemRoot%\System32\inetsrv\iis.msc

3. In the IIS MMC, expand Computer_Name (local computer), and then expand Web Sites. Note Computer_Name is a placeholder for the name of your computer.

4. Right-click a Web site, and then click Properties.

5. Click the Documents tab, and then locate the Enable document footer check box. You may be infected with Download.Ject if the Enable document footer check box is selected and the path to the document footer file points to a file that has a name that is similar to %Systemroot%\Winnt\System32\Inetsrv\Iis<3 random digits>.dll

For more information check out he following links:

• http://tinyurl.com/2p9ns
• http://tinyurl.com/2tdrg
• http://tinyurl.com/2wy6e
• http://tinyurl.com/yutrx
• http://tinyurl.com/2hmlb
• http://tinyurl.com/2h8p3