Description
JS.Toofer is a trojan that loads an external page in an iframe; that page in turn attempts to download a malicious program. The downloaded file(s) observed so far have been polymorphic variants of Win32.Webber. JS.Toofer is detected in content served by compromised IIS servers, where the malicious JavaScript is appended to every page as a document footer.
JS.Toofer is installed on compromised IIS servers by the executable agent.exe (detected as Win32.Toofer), which drops a copy of the Microsoft IIS administration utility adsutil.vbs as ads.vbs. For more information on this utility, please visit Microsoft:
http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/prog_use_adsutil.mspx
Win32.Toofer then executes "cscript.exe ads.vbs enum /p w3svc", writing the output to w3enum.txt; this output is then parsed to locate the IIS directory. If it is found, JS.Toofer is dropped into the inetsrv\ directory under a random filename such as:
iis750.dll
iis72c.dll
Win32.Toofer then uses ads.vbs to set
EnableDocFooter 1
DefaultDocFooter FILE <randomname.dll>
With these metabase properties set, IIS appends the footer file to all text content it serves, such as HTML and CSS files, so every page served by the compromised server carries the malicious JavaScript.
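As an added defender-side check, not part of this advisory: a small Python script that scans a saved dump of "adsutil.vbs enum /p w3svc" (the w3enum.txt-style output) for the two footer properties described above and flags a footer that points at a .dll or at a file under inetsrv\. The "Name : (TYPE) value" layout of the dump and the sample lines are assumed and constructed for this example.

```python
import re

# Constructed sample of `cscript adsutil.vbs enum /p w3svc` output. The
# "Name : (TYPE) value" layout is an assumption about adsutil's output
# format, not quoted from the advisory; the path is a made-up example.
SAMPLE_DUMP = """\
KeyType                         : (STRING) "IIsWebService"
EnableDocFooter                 : (BOOLEAN) True
DefaultDocFooter                : (STRING) "FILE:C:\\WINDOWS\\system32\\inetsrv\\iis750.dll"
DefaultDoc                      : (STRING) "Default.htm,Default.asp"
"""

LINE_RE = re.compile(r'^\s*(\w+)\s*:\s*\((\w+)\)\s*(.*?)\s*$')


def parse_metabase_dump(text):
    """Return {property: value} from an adsutil enum dump; quotes are stripped."""
    props = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, _typ, value = m.groups()
            props[name] = value.strip('"')
    return props


def footer_findings(props):
    """Flag the document-footer configuration the Toofer dropper leaves behind:
    EnableDocFooter turned on, and DefaultDocFooter pointing at a FILE that is
    a .dll or lives under inetsrv\\, neither of which is a plausible HTML footer."""
    findings = []
    if props.get('EnableDocFooter', '').lower() == 'true':
        findings.append('EnableDocFooter is set; document footer injection is active')
    footer = props.get('DefaultDocFooter', '')
    if footer.upper().startswith('FILE:'):
        path = footer[len('FILE:'):]
        low = path.lower()
        if low.endswith('.dll') or '\\inetsrv\\' in low:
            findings.append('suspicious footer file: ' + path)
    return findings


if __name__ == '__main__':
    for finding in footer_findings(parse_metabase_dump(SAMPLE_DUMP)):
        print(finding)
```

The same two properties can be inspected directly on the server with the adsutil.vbs "get" command instead of scanning a saved dump.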
JS.Toofer loads a page on a Russian website which attempts to download a file by exploiting various vulnerabilities in Internet Explorer, one of which, as of late June 2004, remains unpatched. The html which attempts to do this will be detected as:
JS.ModalDZoneBypass.exploit (Unpatched)
HTML.MHTMLRedir.exploit (MS04-013)
HTML.MHTMLRedir.exploit is a generic detection for web pages or e-mail messages that attempt to exploit the "MHTML URL Processing" vulnerability in Internet Explorer. For more information on this vulnerability, please visit our Vulnerability Information Center or the Microsoft bulletin:
http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx
Note: Microsoft have also published a bulletin regarding JS.Toofer here: http://www.microsoft.com/security/incident/download_ject.mspx
Analysis by Scott Molenkamp