Threat behavior
TrojanDownloader:JS/Agent.GG is a JavaScript Trojan that downloads malicious programs. JS/Agent.GG uses obfuscation techniques, sometimes in multiple layers, in order to hide its functionality.
Payload
TrojanDownloader:JS/Agent.GG is typically found encoded into malicious Web pages. The downloader attempts to exploit several different vulnerabilities, if they are present on the user’s machine, in order to download and execute additional code. To accomplish this task, the downloader uses techniques encountered in the MPack Malware Kit:
- MDAC Exploit (MS06-014)
- WinZip ActiveX Overflow
- Internet Explorer "WebViewFolderIcon" ActiveX Exploit (MS06-057)
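As an added example (not part of this encyclopedia entry), the following Python triage script peels the kind of layered eval(unescape("...")) obfuscation described above from a constructed sample and reports whether the decoded script instantiates ActiveX controls associated with the vulnerabilities listed. The sample page and the ProgID list are assumptions made for illustration; the script is an analyst aid, not a detection signature.

```python
import re
import urllib.parse

# Constructed sample (not a real capture): a JS/Agent.GG-style page that
# wraps its real script in two layers of eval(unescape("...")). The innermost
# layer only instantiates an ActiveX control by ProgID; it contains no exploit.
INNER = 'var o = new ActiveXObject("RDS.DataSpace"); /* downloader stub */'
LAYER1 = 'eval(unescape("%s"));' % urllib.parse.quote(INNER)
SAMPLE = 'document.write("loading...");eval(unescape("%s"));' % urllib.parse.quote(LAYER1)

# ProgIDs tied to the vulnerabilities named in the entry. RDS.DataSpace is the
# MDAC control of MS06-014; WebViewFolderIcon is the shell control of MS06-057.
# The WinZip entry is an assumption to be confirmed against your own samples.
SUSPICIOUS_PROGIDS = ("RDS.DataSpace", "WebViewFolderIcon", "WZFILEVIEW")

# One obfuscation layer: eval(unescape("<%XX-encoded text>")). JS unescape()
# also accepts %uXXXX sequences; this simplified peeler only handles %XX.
EVAL_UNESCAPE = re.compile(
    r'eval\(\s*unescape\(\s*"((?:%[0-9A-Fa-f]{2}|[^"%])*)"\s*\)\s*\)')

def peel_layers(script, max_layers=10):
    """Return [original, layer1, ..., innermost] by decoding each eval(unescape()) wrapper."""
    layers = [script]
    for _ in range(max_layers):  # bounded so a hostile sample cannot loop forever
        m = EVAL_UNESCAPE.search(layers[-1])
        if not m:
            break
        layers.append(urllib.parse.unquote(m.group(1)))
    return layers

def analyze(script):
    """Summarise obfuscation depth and ActiveX indicators of the decoded script."""
    layers = peel_layers(script)
    innermost = layers[-1]
    return {
        "layers": len(layers) - 1,
        "activex": "ActiveXObject" in innermost,
        "progids": [p for p in SUSPICIOUS_PROGIDS if p in innermost],
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A real sample may mix other encoders (String.fromCharCode, custom XOR loops) between layers; each additional wrapper type needs its own decoder in the loop.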
Additional Information
Several methods that may be used to trick users into executing this code have been observed in the wild. One method is to display false and misleading messages when connecting to malicious Web sites, such as the following:
- “To view your foto, you need to have Microsoft Data Access installed on your computer To obtain a free copy of Microsoft Data Access, please <a href="/msdataaccess.exe">click here</a>”
- “Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can <a href="/ecard.exe">click here</a> to launch the download.”
An attacker may also distribute e-mail messages containing a link to malicious Web pages that host this code. See below for an example of one such e-mail message that was observed in the wild:
Subject: “Your ecard is waiting!”
Body: “Be the first to get your Psycho Cat Card. [malicious link]”
Prevention