Wednesday, July 07, 2004

Download.Ject Trojan - Threat Level: Severe

Overview: Zone Labs has identified a new delivery mechanism for a previously known malicious Trojan horse, referred to as Download.Ject, which is spreading rapidly across the Internet. The Download.Ject Trojan has been rated "High Risk." Computer users should apply the recommended actions listed below to protect their systems.

This exploit only works against computer systems that use Internet Explorer to browse the Internet; users of other web browsers are not affected. At this time, Microsoft has not provided an Internet Explorer patch to prevent compromise.

Date Published: June 25, 2004
Date Last Revised: June 25, 2004

Impact: Download.Ject attempts to:

o Install malicious software on computers
o Capture usernames, passwords, and credit card information
o Send the captured information to a server on the Internet

Description: Download.Ject compromises system integrity through a multi-step process:

1. A vulnerable IIS web server is compromised and malicious JavaScript code is appended to its web pages. IIS servers vulnerable to MS04-011 are the apparent target.
2. Vulnerable Internet Explorer web browsers that view the compromised website execute the malicious JavaScript code.
3. The JavaScript code installs several malicious files on the client system.

Upon execution, the Trojan horse creates the following files:

o [6_character_random_name]32.exe
o [8_character_random_name].exe
o Surf.dat

The Trojan horse also attempts to connect to the malicious server at:

o 217.107.218.147
Zone Labs Products

Zone Labs Integrity™

The firewall built into Integrity will proactively prevent the infection. "Program Control" will alert the computer user if the malicious application attempts to access the network; Program Events Reports can also be used to audit and identify Trojan horse activity.

Currently, Microsoft has not provided an Internet Explorer patch to prevent compromise.

To verify and assure endpoint protection, Integrity administrators can monitor the Program Events Report for processes named:

o [6_character_random_name]32.exe
o [8_character_random_name].exe
o Surf.dat

Recommended Actions for Zone Labs Integrity: Within Policy Studio | Classic Firewall Rules | Add Rule, add the following rule:

o Source Addresses: Any
o Destination Address: 217.107.218.147
o Destination port: TCP, Src: Any, Dest: Any

This rule will prevent infection of Integrity-protected endpoints and can be implemented to mitigate Trojan horse infection.

Monitor the Integrity Program Events Report for processes named:

o [6_character_random_name]32.exe
o [8_character_random_name].exe
o Surf.dat

Monitor events within the Integrity Firewall Events Report to identify infected hosts making connection attempts to:

o 217.107.218.147

Update antivirus products to provide the most up-to-date protection.

ZoneAlarm®, ZoneAlarm® Pro, ZoneAlarm® Security Suite

Customers using ZoneAlarm Security Suite are protected from this Trojan horse. The antivirus feature will identify the malicious application and prevent it from compromising the system.

The firewall built into all versions of ZoneAlarm will proactively prevent the infection. "Program Control" will alert the computer user if the malicious application attempts to access the network. When prompted, Zone Labs users can select "No" to deny the malicious application access and prevent further compromise by this Trojan horse.

Computer users will receive a "New Program Alert" if this Trojan horse infects their system and attempts to connect to the Internet. When prompted, Zone Labs users can select "No" to deny this application network access.

Recommended Actions:

Monitor Program Control alerts for processes named:

o [6_character_random_name]32.exe
o [8_character_random_name].exe
o Surf.dat

Do not allow processes to connect outbound to:

o 217.107.218.147

Update antivirus products to provide the most up-to-date protection.
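The process-name and address indicators given in both sets of recommended actions above (the Integrity report checks and the ZoneAlarm Program Control checks) can be screened mechanically once a report is exported. The following Python script is an added example for this advisory, not Zone Labs code and not a Zone Labs export format: it reads a constructed tab-separated event export (timestamp, report, process name, destination address), matches each line against the advisory's indicators, and rates the [8_character_random_name].exe pattern on its own as a weak indicator, because legitimate Windows binaries such as explorer.exe also have eight-character names. The alphanumeric character class assumed for the random names, the export layout, the benign-name allowlist and the sample lines are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicator value taken from the advisory above.
C2_ADDRESS = "217.107.218.147"

# The advisory only says the names are random; the alphanumeric character
# class used here is an assumption made for this example.
PATTERN_6_RANDOM_32 = re.compile(r"^[a-z0-9]{6}32\.exe$", re.IGNORECASE)
PATTERN_8_RANDOM = re.compile(r"^[a-z0-9]{8}\.exe$", re.IGNORECASE)
PATTERN_SURF_DAT = re.compile(r"^surf\.dat$", re.IGNORECASE)

# Legitimate Windows binaries whose names are eight characters plus .exe.
# Without an allowlist the [8_character_random_name].exe indicator fires on
# every host; extend this set for your own environment.
BENIGN_8CHAR_NAMES = {"explorer.exe", "services.exe", "winlogon.exe"}


@dataclass
class Event:
    timestamp: str
    report: str       # which report the line came from: PROGRAM or FIREWALL
    process: str      # executable name as reported, lower-cased, no path
    destination: str  # remote address the process tried to reach, or "-"


@dataclass
class Finding:
    event: Event
    severity: str     # "high" or "low"
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Optional[Event]:
    """Parse one line of the constructed tab-separated export format
    (timestamp, report, process, destination). Blank or malformed lines
    return None so one bad line never aborts the whole sweep."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 4 or not parts[0]:
        return None
    timestamp, report, process, destination = parts
    return Event(timestamp, report.strip().upper(),
                 process.strip().lower(), destination.strip())


def classify(event: Event) -> Optional[Finding]:
    """Match one event against the advisory's indicators. A connection
    attempt to the listed address or a name matching the strong patterns
    is rated high; an otherwise unknown eight-character .exe alone is low."""
    reasons: List[str] = []
    severity = "low"
    if event.destination == C2_ADDRESS:
        reasons.append(f"connection attempt to {C2_ADDRESS}")
        severity = "high"
    if PATTERN_6_RANDOM_32.match(event.process):
        reasons.append("name matches [6_character_random_name]32.exe")
        severity = "high"
    elif PATTERN_8_RANDOM.match(event.process) and event.process not in BENIGN_8CHAR_NAMES:
        reasons.append("name matches [8_character_random_name].exe (weak indicator)")
    if PATTERN_SURF_DAT.match(event.process):
        reasons.append("name matches Surf.dat")
        severity = "high"
    if not reasons:
        return None
    return Finding(event, severity, reasons)


def sweep(lines) -> List[Finding]:
    """Run every exported line through the parser and the classifier."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample export; these are not real Zone Labs report lines.
SAMPLE_EXPORT = """\
2004-06-25 09:14:02\tPROGRAM\texplorer.exe\t-
2004-06-25 09:14:05\tPROGRAM\tkqwpzx32.exe\t217.107.218.147
2004-06-25 09:14:06\tFIREWALL\tabcdefgh.exe\t217.107.218.147
2004-06-25 09:15:30\tPROGRAM\tservices.exe\t10.0.0.4
2004-06-25 09:16:11\tPROGRAM\tSurf.dat\t-
2004-06-25 09:17:44\tPROGRAM\toutlook.exe\t-
2004-06-25 09:18:09\tPROGRAM\tzyxwvuts.exe\t-
this line is malformed on purpose
"""

if __name__ == "__main__":
    for f in sweep(SAMPLE_EXPORT.splitlines()):
        print(f"{f.event.timestamp} {f.severity:4} {f.event.process}: {'; '.join(f.reasons)}")
```

On the sample export the sweep returns three high findings (the six-character name with the 32 suffix, an eight-character name that also contacted the listed address, and Surf.dat) and one low finding (an eight-character name with no corroborating connection), while explorer.exe, services.exe and outlook.exe produce nothing. To use it against a real report, replace parse_event with a parser for the actual export layout and grow the allowlist from a known-clean host before trusting the weak indicator.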

Related Resources:

What You Should Know About Download.Ject:
http://www.microsoft.com/security/incident/download_ject.mspx

Win32.Webber:
http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=35848

js.toofer:
http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=39438

Zone Labs Enterprise Documentation Center:
http://www.zonelabs.com/store/support/enterprise/documentation/index.jsp

Increase Your Browsing and E-Mail Safety:
http://www.microsoft.com/security/incident/settings.mspx

Computer Associates Threat Information Center:
http://www3.ca.com/threatinfo/