TROJ_REALPLAY.BR
Overview

Malware type: Trojan

Aliases: Exploit.JS.RealPlr.im (Kaspersky), Downloader (Symantec), JS/Agent.ES (Avira)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000 and XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: Medium

Distribution potential: Low

Description: 

Trend Micro threat researchers post findings and analyses on various threats in real-time at the Malware Blog. Users can find more information about this specific threat here.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

TROJ_REALPLAY.BR Behavior Diagram

Malware Overview

This Trojan may be downloaded after a series of redirections triggered by JS_DLDR.AW.

It exploits a known vulnerability in several versions of the RealPlayer media player. Triggering the vulnerability causes a stack-based buffer overflow, which the Trojan uses to run its own code and download possibly malicious files onto the affected system.

More information on this vulnerability can be found here.

Before attempting the exploit, this Trojan first checks that the affected machine is running Windows 2000 or Windows XP with Internet Explorer 6 or 7. It then checks whether RealPlayer is installed and which version is present; the installed version determines the first few bytes of the shellcode it writes on the affected system.

It then calls a certain import function of the installed RealPlayer application with the shellcode as its argument, which triggers the overflow.

Once the exploit succeeds, this Trojan connects to a certain URL to download TROJ_AGENT.AKVP. As a result, the routines of that downloaded Trojan may also be exhibited on the system.
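The sequence above (fingerprint the OS and browser, probe the player version, build a version-dependent shellcode, pass it to a method on the player object) is also what an analyst looks for when triaging a captured landing page. The following scanner is an added example written for this page; it is not Trend Micro's detection logic and not the malware's code. It runs a set of heuristics over a constructed sample page that imitates the described behaviour with a benign NOP-filled payload; the object name "RealPlayer.Stub", the methods GetVersionInfo and ImportClip, and the version string "6.0.14" are made up for the example. It generalizes slightly beyond this one family: any page that instantiates a RealPlayer object, decodes a long %uXXXX string and hands it to a method call gets the same verdict.

```python
"""Heuristic scan of captured page content for the exploit pattern the
description attributes to TROJ_REALPLAY.BR: fingerprint OS and browser,
probe the RealPlayer version, build a unicode-escaped payload, and hand
that payload to a method call on the player object."""
import re
from dataclasses import dataclass

# Constructed sample landing page (an illustrative stand-in, not the real
# malware). The object name "RealPlayer.Stub", the methods GetVersionInfo
# and ImportClip, and the version string "6.0.14" are made up for this
# example. Windows 2000 and XP identify themselves as "Windows NT 5.0" and
# "Windows NT 5.1" in the Internet Explorer user-agent string.
SAMPLE_PAGE = r"""
<script>
var ua = navigator.userAgent;
if ((ua.indexOf("Windows NT 5.0") != -1 || ua.indexOf("Windows NT 5.1") != -1) &&
    (ua.indexOf("MSIE 6.0") != -1 || ua.indexOf("MSIE 7.0") != -1)) {
  var rp = new ActiveXObject("RealPlayer.Stub");
  var ver = rp.GetVersionInfo();
  var prefix = (ver.indexOf("6.0.14") == 0) ? unescape("%u4141%u4242") : unescape("%u4343%u4444");
  var sc = prefix + unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%uCCCC%uCCCC");
  rp.ImportClip(sc, 0, 0, 0, 0);
}
</script>
"""


@dataclass(frozen=True)
class Finding:
    indicator: str
    evidence: str


UA_OS = re.compile(r'Windows NT 5\.[01]')      # Windows 2000 / XP
UA_IE = re.compile(r'MSIE [67]\.0')            # Internet Explorer 6 / 7
REALPLAYER = re.compile(r'ActiveXObject\s*\(\s*["\']([^"\']*RealPlayer[^"\']*)["\']', re.I)
VERSION_LITERAL = re.compile(r'["\'](\d+(?:\.\d+){2,})["\']')
# Eight or more %uXXXX units is far longer than any legitimate unescape() of text.
ESCAPED = re.compile(r'unescape\s*\(\s*["\']((?:%u[0-9a-fA-F]{4}){8,})["\']')
PAYLOAD_VAR = re.compile(r'var\s+(\w+)\s*=[^;]*\bunescape\s*\(')
METHOD_CALL = re.compile(r'(\w+)\.(\w+)\s*\(\s*(\w+)')


def decode_unescape(s):
    """Bytes a %uXXXX string occupies in memory (each unit is little-endian)."""
    return b"".join(int(h, 16).to_bytes(2, "little")
                    for h in re.findall(r'%u([0-9a-fA-F]{4})', s))


def longest_run(buf, value):
    """Length of the longest run of `value` in buf (NOP-sled estimate for 0x90)."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def payloads(page):
    """Decoded long unescape() strings found in the page."""
    return [decode_unescape(m.group(1)) for m in ESCAPED.finditer(page)]


def scan(page):
    """Collect indicators of the fingerprint / probe / payload / call pattern."""
    findings = []
    for m in UA_OS.finditer(page):
        findings.append(Finding("os_fingerprint", m.group(0)))
    for m in UA_IE.finditer(page):
        findings.append(Finding("browser_fingerprint", m.group(0)))
    for m in REALPLAYER.finditer(page):
        findings.append(Finding("realplayer_instantiation", m.group(1)))
    for m in VERSION_LITERAL.finditer(page):
        findings.append(Finding("version_probe", m.group(1)))
    for m in ESCAPED.finditer(page):
        buf = decode_unescape(m.group(1))
        findings.append(Finding("escaped_payload",
                                f"{len(buf)} bytes, longest 0x90 run {longest_run(buf, 0x90)}"))
    # A variable built from unescape() that is then passed as the first
    # argument of a method call is the "shellcode handed to the player" step.
    payload_vars = {m.group(1) for m in PAYLOAD_VAR.finditer(page)}
    for obj, meth, arg in METHOD_CALL.findall(page):
        if arg in payload_vars:
            findings.append(Finding("payload_to_method_call", f"{obj}.{meth}({arg}, ...)"))
    return findings


def verdict(findings):
    have = {f.indicator for f in findings}
    if {"realplayer_instantiation", "escaped_payload", "payload_to_method_call"} <= have:
        return "likely RealPlayer exploit page"
    if "escaped_payload" in have:
        return "suspicious escaped payload"
    return "clean"


if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE):
        print(f"{f.indicator:26} {f.evidence}")
    print("verdict:", verdict(scan(SAMPLE_PAGE)))
```

The decoded payload length and the longest 0x90 run are worth reporting separately: a version-dependent prefix of a few bytes followed by a long NOP sled is exactly the shape the description gives, and the prefix length tells you how many bytes the exploit has to tailor per player version.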

For additional information about this threat, see:
Solution
Technical Details

Description created: May. 7, 2008 8:47:23 AM GMT -0800
