F-Secure Virus Descriptions : Scob

[Summary] | [Detection]

NAME:	Scob
ALIAS:	JS.Scob.Trojan, JS/Scob
ALIAS:	JS.Toofer, JS/Exploit-DialogArg.b, Download.Ject

Summary

Scob is a trojan downloader written in JavaScript. It has been found from a number of web sites on late June 24th, 2004.

The trojan has been found to be appended to existing files at those web servers, for example pictures such as jpeg and gif files. According to reports, the script has not been appended by modifying the actual files on the server but using the footer feature from Microsoft's Internet Information Server.

When executed, the trojan attempts to use an invisible frame to connect to a page at a remote web site. At the time of writing, the page in the web site is not available. While the page is not currently available, there has been reports that this downloader has been used to install variants of Padodor backdoor. Further information about Padodor is available at:

http://www.f-secure.com/v-descs/padodorw.shtml

The trojan also sets a cookie on the system, causing that it will attempt to connect the remote site no often than once every week.

Further information about this case is also available from Microsoft:

http://www.microsoft.com/security/incident/download_ject.mspx

In addition Microsoft has released a new KB (871277) on the Download.Ject Detection and Recovery Advisory:

http://support.microsoft.com/?kbid=871277

Detection

Detection in F-Secure Anti-Virus was published on June 25th, 2004 in update:

[FSAV_Database_Version]

Version=2004-06-25_02

Back to the Top

Description: Sami Rautiainen and Katrin Tocheva, June 24th-25th, 2004;

Description Updated:

Jarno Niemela, June 25th, 2004;

Katrin Tocheva, June 28th, 2004

F-Secure Corporation