JS/RenWish

26/08/2009 by: Anwar

Overview -

– Update August 26, 2009 –
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/08/25/pink_floyd_worm/

JS/RenWish is a detection for malicious JavaScript that is executed when a user clicks a crafted Macromedia Flash file. As the website the script communicates with is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered – possibly with every user infection.

Characteristics -

The malicious JavaScript is executed when the user clicks a specially crafted Macromedia Flash file. This Flash file is detected as W32/RenWish.

The Macromedia Flash file is being circulated through the Chinese social networking site Renren.com. Propagation is occurring due to a cross-site scripting flaw within the web site that does not allow script blocking. This is exhibited in playswf=function via allowScriptAccess="always".
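The flaw described above comes down to one embed parameter: allowScriptAccess decides whether a SWF may call JavaScript in the hosting page, and embedding a SWF served from a foreign host with the value "always" hands that host script execution in the site's origin. The following is an added example, not code from the advisory or from McAfee, of how a site could audit and harden that parameter before writing a Flash embed into a page. The helper names, the sample markup and the host cdn.attacker.invalid are constructed for this example; www.renren.com is used as the page origin only because the advisory names the site.

```javascript
// Added example (not from the advisory or McAfee): auditing and hardening the
// allowScriptAccess setting on a Flash <object>/<embed> before it is emitted.
// Helper names, sample markup and the host cdn.attacker.invalid are constructed.
//
// Flash Player reads allowScriptAccess from the embed:
//   "always"     - any SWF, whatever host served it, may script the page
//   "sameDomain" - only a SWF from the page's own domain may script the page
//                  (Flash Player's default when the parameter is omitted)
//   "never"      - no SWF-to-page scripting at all

const SCRIPT_ACCESS_VALUES = ["always", "sameDomain", "never"];

// Resolve the SWF URL against the page and compare origins (scheme + host + port).
function isSameOrigin(swfUrl, pageOrigin) {
  try {
    return new URL(swfUrl, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false; // unparsable URL: treat it as foreign
  }
}

// Policy: a cross-origin SWF never gets script access; a same-origin SWF keeps
// what the caller asked for, normalised to one of the three known values.
function chooseScriptAccess(swfUrl, pageOrigin, requested = "sameDomain") {
  const value =
    SCRIPT_ACCESS_VALUES.find((v) => v.toLowerCase() === String(requested).toLowerCase()) ||
    "sameDomain";
  return isSameOrigin(swfUrl, pageOrigin) ? value : "never";
}

// Pull the SWF location out of either <param name="movie"> or <embed src=...>.
function extractSwfUrl(markup) {
  const m =
    markup.match(/<param[^>]*name=["']movie["'][^>]*value=["']([^"']+)["']/i) ||
    markup.match(/\bsrc=["']([^"']+\.swf[^"']*)["']/i);
  return m ? m[1] : null;
}

// Pull allowScriptAccess from either form; "sameDomain" is the default if absent.
function extractScriptAccess(markup) {
  const m =
    markup.match(/<param[^>]*name=["']allowScriptAccess["'][^>]*value=["']([^"']+)["']/i) ||
    markup.match(/\ballowScriptAccess=["']?([A-Za-z]+)/i);
  return m ? m[1] : "sameDomain";
}

// Report whether an embed lets a foreign SWF script the page.
function auditEmbed(markup, pageOrigin) {
  const swfUrl = extractSwfUrl(markup);
  const scriptAccess = extractScriptAccess(markup);
  const crossOrigin = swfUrl === null || !isSameOrigin(swfUrl, pageOrigin);
  return {
    swfUrl,
    scriptAccess,
    crossOrigin,
    unsafe: crossOrigin && scriptAccess.toLowerCase() === "always",
  };
}

// Rewrite an unsafe embed so the SWF gets no script access; safe markup is returned untouched.
function hardenEmbed(markup, pageOrigin) {
  if (!auditEmbed(markup, pageOrigin).unsafe) return markup;
  return markup
    .replace(/(<param[^>]*name=["']allowScriptAccess["'][^>]*value=["'])[^"']+(["'])/i, "$1never$2")
    .replace(/(\ballowScriptAccess=["']?)[A-Za-z]+/i, "$1never");
}

// Constructed sample markup: a page on www.renren.com embedding a SWF from a
// foreign host with "always" (weak), and a same-origin player with "sameDomain" (fine).
const PAGE_ORIGIN = "http://www.renren.com/";
const WEAK_EMBED =
  '<object><param name="movie" value="http://cdn.attacker.invalid/wish.swf">' +
  '<param name="allowScriptAccess" value="always"></object>';
const SAFE_EMBED =
  '<embed src="http://www.renren.com/media/player.swf" allowScriptAccess="sameDomain">';

console.log(JSON.stringify(auditEmbed(WEAK_EMBED, PAGE_ORIGIN)));
console.log(hardenEmbed(WEAK_EMBED, PAGE_ORIGIN));
console.log(JSON.stringify(auditEmbed(SAFE_EMBED, PAGE_ORIGIN)));
```

The audit only flags the combination that matters: a SWF whose origin differs from the page and a parameter value of "always". A foreign SWF with "sameDomain" or no parameter at all is already blocked by Flash Player, so it passes, while the hardening step simply rewrites "always" to "never" rather than trusting the SWF host to behave.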

Upon execution of the JavaScript file, the victim's friends' information is harvested and the same message is shared with those friends.

Communication may be made with the following domains:

  • [removed]img.cn
  • [removed]ou.com

Symptoms -

  • Presence of the aforementioned files
  • Presence of unexpected network connections

Method of Infection -

Users of the social network site renren.com receive messages on their profile that purport to be a Macromedia Flash video of Pink Floyd's "Wish You Were Here". Clicking the Macromedia Flash file will access this external JavaScript malware.

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Source: http://vil.nai.com
