[Dshield] js.jjblack

Richard Roy RoyR at justicetrax.com
Thu Jun 12 14:28:12 GMT 2003


A quick search on Google got me this link.

http://www3.ca.com/virusinfo/virus.aspx?ID=35404

JS.JJBlack 
Alias: Java.JJBlack  
Category: Java Script  
Type: Trojan, Worm  
Last Modified: 6/6/2003  

CHARACTERISTICS 
JS.JJBlack (Java.JJBlack) is a worm which spreads through a hidden link
at the bottom of e-mail messages created with Outlook Express.

The link appears in an HTML IFRAME tag, and points to a particular web
site. This web site contains a Java applet that attempts to exploit a
vulnerability in Microsoft's Java virtual machine to gain unauthorised
access to the affected machine. Information on the vulnerability can be
found here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp

The applet exploits this vulnerability to modify the registry and create
files on the system. It creates several files, overwriting existing
files if necessary:

%windows%\s.htm
%windows%\hosts
%windows%\system32\drivers\etc\hosts
%favorites%\Nude Nurses.url
%favorites%\Search You Trust.url
%favorites%\Your Favorite Porn Links.url

Where %windows% is the Windows directory, and %favorites% is the
Internet Explorer favorites folder, read from this registry value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites

The first file, "s.htm", is an HTML file that contains the link to the
worm's web site. The worm modifies the registry to make this the
signature file for the current user of Outlook Express. From this point
on, any messages sent by Outlook Express will contain the hidden link to
the worm's web site.

The three .url files are shortcuts to harmless web pages. There are two
copies of the "hosts" file made, the first in the default location for
Win9x/ME, the second for WinNT/2000/XP. The "hosts" file causes many
Internet host names to be redirected to one IP address, probably owned
by the worm author.

These are some of the host names which are redirected by the worm:
auto.search.msn.com
search.msn.com
srd.yahoo.com
www.n69.com
www.pillscash.com
cart.penispill.com
www.pillsmoney.com
www.pillmedics.com
www.big-penis.com
www.pluspills1.com
www.morepenis.com
www.1shoppingcart.com
www.herbalo.com
www.penilesecrets.com
www.penispill.com
penismedical.net
www.penismedical.net
www.herbalbucks.com
www.tv69.com
the.sextracker.com
lobby.sexlist.com
in.paycounter.com
adv.sexcounter.com
rd1.hitbox.com
refer.ccbill.com
www.ccbill.com
select.2000charge.com
secure.2000charge.com
www.signup.globill-systems.com
www.rsac.org
www.netnanny.com
www.cyberpatrol.com
www.safesurf.com
www.spyglass.com
www.asacp.org
www.icra.org
www.cybersitter.com
www.surfwatch.com

The worm also creates registry values to hide the "Security" and
"Advanced" tabs in the Internet Options window:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab="1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab="1"

These values can be deleted to make the tabs reappear.

JJBlack makes additional registry changes which seem to be intended to
create more hits on the worm author's web site:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchAssistant
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchAssistant
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

Analysis by Hamish O'Dea

MINIMUM SIGNATURE/ENGINE INFORMATION

Product/Engine                                   Minimum Signature/Engine Information *
eTrust Antivirus 7.0                             23.61.42
eTrust EZ Antivirus 5.x                          5.x/2483
eTrust EZ Antivirus 6.x                          6.x/4669
eTrust InoculateIT 6.0 / eTrust Antivirus 6.0    23.61.42
InoculateIT 4.x                                  43.42
Vet 10.5x                                        10.5x/4669

Virus Removal Instructions (given for every product above except Vet 10.5x,
for which none are listed): Update your Antivirus software with the latest
signature files and scan all affected machines with the cure option
activated.

* Protection provided with these signatures and later releases. If the
signature files currently available for download are earlier versions
than the ones listed here, the required signature has not yet passed QA
testing but will be available shortly.

-----Original Message-----
From: Graham K. Dodd [mailto:g.dodd at falk-ross.de] 
Sent: Thursday, June 12, 2003 7:15 AM
To: General DShield Discussion List
Subject: [Dshield] js.jjblack


Has anyone out there run across js.jjblack?

Our Sales Manager in Spain keeps getting pop-up windows with jjblack,
the path points to the temp internet files which we have removed.

Sometimes the message window appears when he moves his cursor over an
email in Outlook Express; these emails have been deleted and removed
from the trash........ but this *@@!%! window keeps popping up.

Searches on all the AV sites have not come up with anything.

Any ideas would be greatly appreciated.

thanks,

Graham

~~~~~~~~~~~~~~~~~~~~~
Graham K. Dodd
Director of Operation
Falk & Ross GmbH
Tel. +49(6301)717-0
Fax. +49(6301)717-270


_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
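Added example, not from the CA write-up or from either message in this thread: a small Python triage script for the "hosts" file symptom the write-up describes. It parses a Windows hosts file, reports any of the write-up's listed host names (search engines, billing processors, content-rating and parental-control vendors) that no longer resolve to loopback, and, more generally than the write-up, flags any single non-loopback IP that has many names pointed at it, which catches a variant that uses a different name list. The sample hosts text is constructed, and 192.0.2.10 is a TEST-NET placeholder; the write-up does not give the address the worm actually used. The registry values the write-up lists (search page keys, the policy values hiding the Security and Advanced tabs, and the Outlook Express signature file) are not covered here and are best checked on the host itself.

```python
"""Triage a Windows 'hosts' file for JJBlack-style mass redirection.

Added example (not the CA write-up's or the DShield thread's own code).
The sample hosts text below is constructed; 192.0.2.10 is a TEST-NET
placeholder, not the worm author's real address (the write-up gives none).
"""
import ipaddress
from collections import defaultdict

# Locations the write-up says the worm overwrites (Win9x/ME, then NT/2000/XP).
HOSTS_PATHS = [r"%windows%\hosts", r"%windows%\system32\drivers\etc\hosts"]

# Subset of the host names the write-up lists as redirected by the worm.
WATCHLIST = {
    "auto.search.msn.com", "search.msn.com", "srd.yahoo.com",
    "refer.ccbill.com", "www.ccbill.com", "secure.2000charge.com",
    "www.rsac.org", "www.netnanny.com", "www.cyberpatrol.com",
    "www.safesurf.com", "www.icra.org", "www.cybersitter.com",
    "www.surfwatch.com",
}


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname on each line.

    '#' comments and blank lines are skipped.  A line whose first token is
    not a valid IP address is ignored instead of raising, so a damaged or
    hand-edited file can still be triaged.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def hijacked_names(entries, watchlist=WATCHLIST):
    """Watch-listed names mapped to anything other than a loopback address."""
    return [(name, ip) for ip, name in entries
            if name in watchlist and not ipaddress.ip_address(ip).is_loopback]


def fanout(entries, threshold=5):
    """Non-loopback IPs with at least `threshold` distinct names pointed at them.

    Loopback is excluded on purpose: legitimate ad-blocking hosts files map
    hundreds of names to 127.0.0.1, which is not what this worm does.
    """
    names_by_ip = defaultdict(set)
    for ip, name in entries:
        if not ipaddress.ip_address(ip).is_loopback:
            names_by_ip[ip].add(name)
    return {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) >= threshold}


def triage(text):
    """Run both checks over the text of one hosts file."""
    entries = parse_hosts(text)
    return {"hijacked": hijacked_names(entries), "fanout": fanout(entries)}


# Constructed sample: a normal header, two benign entries, a JJBlack-like
# block pointing several names at one outside address, and one garbage line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
10.0.0.5        intranet.example    # constructed benign entry
192.0.2.10 auto.search.msn.com
192.0.2.10 search.msn.com srd.yahoo.com
192.0.2.10 refer.ccbill.com
192.0.2.10 www.netnanny.com
192.0.2.10 www.cyberpatrol.com
192.0.2.10 www.cybersitter.com
not-an-ip   garbage.example
"""

if __name__ == "__main__":
    report = triage(SAMPLE_HOSTS)
    for name, ip in report["hijacked"]:
        print(f"watch-listed name {name} -> {ip}")
    for ip, names in report["fanout"].items():
        print(f"{ip} has {len(names)} names pointed at it")
```

To run it against a real machine, read each path in HOSTS_PATHS (with %windows% expanded) and pass the contents to triage(). The fan-out threshold of 5 is a starting point: a clean default hosts file has one non-comment line, so any outside IP collecting several names deserves a look even below that number.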
