TROJ_JUNKSURF.A
Overview

Malware type: Trojan

Aliases: Trojan-Downloader.Win32.Small.aq (Kaspersky), Downloader-ED (McAfee), Downloader.Aduent (Symantec), TR/Dldr.ED (Avira), Troj/JSurf-A (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: Medium

Distribution potential: Low

Description: 

TrendLabs has received several inquiries about this malware. Although it has no mechanism to propagate on its own, it has reportedly been sent via email to several target recipients and is now apparently circulating that way.

Some of the email samples which TrendLabs received are the following:

Sample 1

Subject: Whats Happening?
Message Body: Hey,
How have you been? What have you been doing lately?
Ive just been at home doing nothing :( bored at uni etc.
Anyway's lets catch up soon,
Luv,
You know who ;)
Attachment: None

Sample 2

Subject: Whats Happening?
Message Body: Why hello ;)
Whats been happening on your side of the woods?
We haven't been doing much at all really!
Anyways seeya tommorow.
Attachment: None

Sample 3

Subject: Hey
Message Body: Hello,
How have you been lately?
Our familys been fine, not a lot happening over here!
What are you doing this weekend?
Luv,
Your Pal!
Attachment: None

This Trojan program usually arrives as an embedded malicious script in a specially crafted HTML-based email or Web site. This script is detected as VBS_JUNKSURF.A.

It downloads, from a remote Web site, a library file intended for tracking Internet activity. It is similar to typical adware programs that modify browser settings to facilitate the recording of user Internet activities. Gathered data is usually sent to remote users or commercial establishments for possible use in future advertising campaigns.

It is usually not destructive, but because it downloads a remote file, which may be malicious or non-malicious, it is potentially dangerous.

It exploits a recently discovered vulnerability in Internet Explorer known as the Internet Explorer Object Data Remote Execution Vulnerability.
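A mail-triage check for the delivery pattern described above (HTML-based email, no attachment, embedded script), given here as an added example that is not TrendLabs code. It assumes the exploit is referenced from an `<object>` tag whose `data` attribute points to a remote URL, which this page does not spell out; the sample message, the `example.invalid` host, and the names `triage` and `ObjectDataFinder` are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, not one of the samples TrendLabs received.
# Assumption: the exploit page is referenced from an <object data=...> tag.
SAMPLE_EML = """\
From: someone@example.invalid
Subject: Hey
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>Hello,<br>How have you been lately?
<object data="http://example.invalid/page.php"></object>
</body></html>
"""

class ObjectDataFinder(HTMLParser):
    """Collect remote data= URLs on <object> tags and count <script> tags."""
    def __init__(self):
        super().__init__()
        self.remote_objects = []
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "object":
            data = (dict(attrs).get("data") or "").strip()
            if urlparse(data).scheme in ("http", "https", "ftp"):
                self.remote_objects.append(data)

def triage(raw_message):
    """Parse one RFC 822 message (str) and report what its HTML parts embed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    finder, attachments = ObjectDataFinder(), 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return {"subject": str(msg["Subject"]),
            "attachments": attachments,
            "remote_object_data": finder.remote_objects,
            "script_tags": finder.script_tags,
            "suspicious": bool(finder.remote_objects or finder.script_tags)}
```

A message with zero attachments that is still flagged `suspicious` matches the "Attachment: None" samples listed earlier, where the payload is in the HTML body rather than in a file.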

For more information on this particular exploit and to get hold of the critical patches, visit the following Microsoft page:

It runs on Windows 95, 98, NT, 2000, and XP systems.


Description created: Sep. 3, 2003 10:09:05 AM GMT -0800
Description updated: Sep. 4, 2003 12:00:00 AM GMT -0800
