Threat Descriptions

Exploit:JS/Agent.IHL

Classification

Category :

Malware

Type :

Exploit

Platform :

JS

Aliases :

Exploit:JS/Agent.IHL

Summary

Exploit:JS/Agent.IHL is JavaScript, usually found on malicious or compromised websites.

It is used to silently install malicious software onto the website visitor's system.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Exploit

Exploit:JS/Agent.IHL is JavaScript code that exploits a vulnerability found in versions of Microsoft Internet Explorer.

This exploit targets Internet Explorer 7 in and works on the Windows XP and Windows Server 2003 operating systems.

Note: It appears that this exploit may also work on Vista SP0 and SP1.

The exploit can be recognized as shown in the picture below:

If the exploit successfully executes, it will download a malicious file from the following URL address:

  • https://www.steoo.com/[...]/win.exe

We detect the downloaded file as Trojan:W32/Agent.IHN.

Vulnerability

Please see the following report for additional information on the vulnerability used:

Note: To be clear, scripts used by this particular exploit target IE7 while the vulnerability itself affects all versions of IE.

Network Connections

Attempts to connect with HTTP to:

  • https://www.steoo.com/[...]/win.exe