Home / malware Trojan.Exploit.ANOH
First posted on 21 November 2011.
Source: BitDefenderAliases :
There are no other names known for Trojan.Exploit.ANOH.
Explanation :
It downloads a code which will try to exploit a vulnerability of the SFWObject ActiveX Control add-on that runs in Explorer or Mozilla. The SWFObject is used to access Flash media content. System can be infected during visits on malicious sites hosting web pages with this malware inside (the access of those pages is usually forced; by example from http://www.wrmfwy.cn/[removed]/18.htm due to an injection of a linked Iframe component in the accessed page).
Once the script is launched it checks to see which of the two browsers is used an then it downloads another Javascript file which will continue the process of infection. In order to do so, it creates an invisible frame in accessed web page linked to a HTML file (resident on same site) that contains the Javascript code.(ilink.html, xlink.html (downloaded from IE), flink.html, mlink.html (from Mozilla) ). The HTML code is of this kind:
docume[nt.w]rite("[<] [iFra]me src ilink.html width=100 ...
. The newly downloaded scripts are also detected by BitDefender as Trojan.Exploit.ANOI and Trojan.Exploit.SSX. Those scripts download and run a fake media file according to the SWFObject add-on version installed on the victim's machine:
var so=new SWFObject("./i17.swf","mynmovie",...);
so.write("flashcontent").
The fake SWF (ShockWave Flash - animations or applets) files are detected as Exploit.SWF.Gen. Their code tries to download aditional malware (Trojan.Downloader.JLCQ) from www.oiuytr.net/[removed]/a264.css and then launch it.Last update 21 November 2011
