Trojan.JS.PornPopUp.a

by Atlantis on March 29th, 2012 in Malware Descriptions.

Detect: Trojan.JS.PornPopUp.a

Platform: JS

Type: Trojan

Size: 1838 bytes

Language: Java Script

md5: D4C78EF9B5EC79A947D509B149B884FA

sha1: 54F2B99C60B1D77882FA2D724951FDAACB3A38A7

Summary

This is a Trojan program which opens various web pages in the browser. This Trojan is represented by the malicious JavaScript.

Technical Details

Payload

Once an infected HTML page is opened, the Trojan executes the malicious script.

The Trojan adds the “click” and “onclick” event handlers to the page. Thus, the Trojan keeps track of clicks performed by a user on the HTML page, and then opens the web resource in a new browser window. The site’s URL is as follows:

http://promo.aw***ire.com/tr/?id=99

The Trojan installs a cookie with the “popundr” name and the “1” value for the 24 hour period. Once the web resource is opened by clicking the link, it redirects a user to a porno web resource. Its URL is as follows:

http://creatives.live***min.com/

If a “popundr” cookie has been already installed, the Trojan finishes its execution upon opening an infected page.

Removal Recommendations

To delete a malicious program, proceed through the steps listed below:

  1. Delete an original Trojan file (its location on the infected PC depends on the way the program has been installed on the PC).
  2. Clean the Temporary Internet Files folder which contains infected files.
  3. Run a full scan of your computer using the Antivirus program with the updated definition database.