



Trojan-Downloader:JS/Psyme.CK

Name: Trojan-Downloader:JS/Psyme.CK
Category: Malware
Type: Trojan-Downloader
Platform: JS

Summary

Trojan-Downloader:JS/Psyme.CK exploits vulnerabilities found in the affected system and also redirects to other sites.

It then attempts to download and execute a binary from a specific URL.

Additional Details

Trojan-Downloader:JS/Psyme.CK exploits vulnerabilities in Microsoft Data Access Components (MDAC) (MS06-014), the Baofeng Storm MPS.StormPlayer.1 ActiveX control, the PPStream PowerPlayer ActiveX control, and the Baidu Soba ActiveX control. It uses these vulnerabilities to redirect to other sites.

Psyme.CK redirects to the following URLs:

  • http://9gg.biz/0614.js
  • http://9gg.biz/MPS.js
  • http://9gg.biz/PowerPlayerCtrl.js

A function from the Baidu Soba ActiveX control is exploited to download the following CAB file to the Windows Internet Explorer temporary directory:

  • http://9gg.biz/4.CAB

It then extracts and executes the file bd.exe, which is contained within the CAB file.

Note: The URLs were offline during our investigations.
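
The following is an added example, not part of the original description: a web-proxy log triage that matches the URLs listed above by exact host and records, per client, whether the 4.CAB download was actually served. The log layout, the sample lines, and the names classify and triage are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the description above; matching is exact-host only.
HOST = "9gg.biz"
STAGES = {
    "/0614.js": "redirect-script",
    "/mps.js": "redirect-script",
    "/powerplayerctrl.js": "redirect-script",
    "/4.cab": "payload-cab",
}

# Assumed log layout (constructed): timestamp client method url status
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines; client addresses are documentation-range IPs.
SAMPLE_LOG = """\
2000-01-01T00:00:01Z 192.0.2.10 GET http://9gg.biz/0614.js 200
2000-01-01T00:00:02Z 192.0.2.10 GET http://9gg.biz/4.CAB 200
2000-01-01T00:00:03Z 192.0.2.22 GET http://9GG.biz/MPS.js 200
2000-01-01T00:00:04Z 192.0.2.22 GET http://9gg.biz/4.CAB 404
2000-01-01T00:00:05Z 192.0.2.31 GET http://9gg.biz.example.net/4.CAB 200
2000-01-01T00:00:06Z 192.0.2.31 GET http://example.org/index.html 200
"""

def classify(url):
    """Return the stage for a listed URL (path compared case-insensitively), else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if host != HOST:
        return None  # look-alike hosts such as 9gg.biz.example.net do not match
    return STAGES.get(parts.path.lower())

def triage(log_text):
    """Map each client to the stages it requested and whether the CAB was served."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, client, _method, url, status = m.groups()
        stage = classify(url)
        if stage is None:
            continue
        entry = hits.setdefault(client, {"stages": set(), "payload_served": False})
        entry["stages"].add(stage)
        if stage == "payload-cab" and status == "200":
            entry["payload_served"] = True  # check this host first for bd.exe
    return hits
```

Clients with payload_served set are the ones to examine first for bd.exe; a client that only requested the scripts, or received an error for the CAB, was exposed but did not receive the file through the proxy.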