F-Secure Malware Information Pages: Trojan-Downloader:JS/Psyme.CK

Name: Trojan-Downloader:JS/Psyme.CK
Alias: Trojan-Downloader.JS.Psyme.ck
Type: Trojan-Downloader
Category: Malware
Platform: JS

Summary
Trojan-Downloader:JS/Psyme.CK exploits vulnerabilities found in the affected system and also redirects to other sites.

It then attempts to download and execute a binary from a specific URL.

Detailed Description
Trojan-Downloader:JS/Psyme.CK exploits vulnerabilities in Microsoft Data Access Components (MDAC) (MS06-014), the Baofeng Storm MPS.StormPlayer.1 ActiveX control, the PPStream PowerPlayer ActiveX control, and the Baidu Soba ActiveX control. It uses these vulnerabilities to redirect to other sites.

Psyme.CK redirects to the following URLs:

  • http://9gg.biz/0614.js
  • http://9gg.biz/MPS.js
  • http://9gg.biz/PowerPlayerCtrl.js

A function from the Baidu Soba ActiveX control is exploited to download the following CAB file to the Windows Internet Explorer temporary directory:

  • http://9gg.biz/4.CAB

It then extracts and executes the file bd.exe, which is contained within the CAB file.

Note: The URLs were offline during our investigations.
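
For triage, the stages described above can be told apart in web proxy logs: a client that only requested one of the redirect scripts, versus one for which the CAB file was requested or actually delivered. The Python sketch below is an added example, not F-Secure code; the log format, the sample lines, and the function and stage names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators copied from the description above (compared case-insensitively).
HOST = "9gg.biz"
SCRIPTS = {"/0614.js", "/mps.js", "/powerplayerctrl.js"}
CAB = "/4.cab"
STAGES = ["redirected", "cab-requested", "cab-delivered"]  # ascending severity

# Constructed sample lines in an assumed format: "<time> <client> <status> <url>"
SAMPLE_LOG = """\
2008-04-28T09:14:02 10.0.0.21 200 http://9gg.biz/0614.js
2008-04-28T09:14:03 10.0.0.21 200 http://9gg.biz/MPS.js
2008-04-28T09:14:05 10.0.0.21 200 http://9gg.biz/4.CAB
2008-04-28T09:20:11 10.0.0.34 200 http://9gg.biz/PowerPlayerCtrl.js
2008-04-28T09:20:12 10.0.0.34 403 http://9GG.biz/4.cab?x=1
2008-04-28T09:25:40 10.0.0.47 200 http://9gg.biz/0614.js
2008-04-28T09:31:40 10.0.0.55 200 http://example.org/4.CAB
malformed line
"""

def classify(status, url):
    """Map one request to a stage name, or None if it matches no indicator."""
    parts = urlsplit(url)
    if (parts.hostname or "") != HOST:   # urlsplit lower-cases the hostname
        return None
    path = parts.path.lower()            # query string is already excluded
    if path in SCRIPTS:
        return "redirected"
    if path == CAB:
        # A 200 means the proxy let the archive through; anything else
        # means the download was attempted but not served.
        return "cab-delivered" if status == 200 else "cab-requested"
    return None

def triage(log_text):
    """Return {client: most severe stage seen} for clients that hit the indicators."""
    result = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[2].isdigit():
            continue                     # skip lines not in the assumed format
        _time, client, status, url = fields
        stage = classify(int(status), url)
        if stage and STAGES.index(stage) >= STAGES.index(result.get(client, STAGES[0])):
            result[client] = stage
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Clients reported as cab-delivered are the ones to check first for bd.exe, since the archive reached the machine.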



F-Secure Corporation

Last Modified: April 29, 2008