
Trojan:JS/Pagins.gen!A


First posted on 11 April 2012.
Source: Microsoft

Aliases:

Trojan:JS/Pagins.gen!A is also known as JS/Agent.NEZ (ESET), MalJSAppLd-A (Sophos).

Explanation:

Trojan:JS/Pagin.gen!A is an obfuscated JavaScript trojan that can be injected into a legitimate webpage; the JavaScript may quietly direct the affected user to a specified URL, from which it attempts to load a Java class file. Such Java class files can have virtually any purpose.



In the wild, we have observed the trojan attempting to connect to the following URLs to load the Java class files:

  • "over.tetono.in/0267" to load "cltrcslhvbea.jtkjqshyqcu.class"
  • "of.towyb.in/0577" to load "jmennvlywkscqdbp.acjalqklkfvfltadas.class"
  • "what.qecuqe.in/0103" to load "seyvrnwkujkvhfperjc.jatcuajstlkdeb.class"
  • "they.lazuc.in/0752" to load "jmennvlywkscqdbp.acjalqklkfvfltadas.class"
  • "think.lazuc.in/0824" to load "jmennvlywkscqdbp.acjalqklkfvfltadas.class"
  • "go.loanxs.in/0348" to load "edmkrbvtkvusjbqh.njfrdtcatahhtruydb.class"
  • "stat.qytul.in/0731" to load "jmennvlywkscqdbp.acjalqklkfvfltadas.class"


Note: The above list is not exhaustive, and at the time of writing, these sites were no longer available.
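Because the list is not exhaustive, matching on the listed hosts alone misses other instances. The following is an added example, not part of the original entry: it searches web proxy records for the sequence described above, a request shaped like the listed URLs followed shortly by a `.class` fetch from the same host by the same client. The log format, the 60-second window, the class request path layout and the function name `find_class_loads` are assumptions; the URL shape is a heuristic inferred from the seven listed entries.

```python
import re
from urllib.parse import urlsplit

# Landing shape inferred from the URLs listed above: two labels under .in,
# then a four-digit path (for example over.tetono.in/0267). Heuristic only.
LANDING_HOST = re.compile(r"^[a-z]+\.[a-z]+\.in$")
LANDING_PATH = re.compile(r"^/\d{4}/?$")

# Constructed sample proxy log: "<epoch> <client> <url>" (format is an assumption,
# and so is the path layout of the .class requests).
SAMPLE_LOG = """\
1334100000 10.0.0.5 http://news.example.org/index.html
1334100002 10.0.0.5 http://over.tetono.in/0267
1334100003 10.0.0.5 http://over.tetono.in/0267/cltrcslhvbea/jtkjqshyqcu.class
1334100010 10.0.0.7 http://intranet.example.org/applets/Chart.class
1334100020 10.0.0.9 http://over.tetono.in/0267
1334100900 10.0.0.9 http://over.tetono.in/0267/cltrcslhvbea/jtkjqshyqcu.class
"""

def find_class_loads(log_text, window=60):
    """Return (client, host, landing_path, class_path) for each .class fetch
    that follows a landing-shaped request by the same client to the same host
    within `window` seconds."""
    landings = {}  # (client, host) -> (timestamp, landing path)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed records
        ts, client, url = int(parts[0]), parts[1], parts[2]
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        if not LANDING_HOST.match(host):
            continue  # host does not have the observed shape
        key = (client, host)
        if LANDING_PATH.match(u.path):
            landings[key] = (ts, u.path)  # remember the most recent landing
        elif u.path.endswith(".class") and key in landings:
            seen, landing = landings[key]
            if 0 <= ts - seen <= window:
                hits.append((client, host, landing, u.path))
    return hits

if __name__ == "__main__":
    for hit in find_class_loads(SAMPLE_LOG):
        print(hit)
```

A hit identifies a client that likely rendered an injected page and went on to request Java code, so it is a starting point for triage of that host and of the referring page.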



Analysis by Hong Jia

Last update 11 April 2012

 
