Virus Detail

JS/Gumblar!generic

Date Published:
6 Feb 2010

Last Updated:
6 Feb 2010

Threat Assessment

Overall Risk:   Medium
Wild:  Medium
Destructiveness:  Medium
Pervasiveness:  Medium

Characteristics

Type : Trojan

Category : JavaScript

Also known as:  Trojan:JS/Gamburl.C (MS OneCare), Trojan-Downloader.JS.Gumblar.x (Kaspersky)

Immediate Protection Info

 
Signature    Product                    Removal Instructions
35.1.7218    CA Antivirus 2007
35.1.7218    eTrust Antivirus v7/8*
7.x/7218     eTrust EZ Antivirus 7.x
35.1.7218    Vet 7
 
 
 

Description

JS/Gumblar!generic is a Trojan JavaScript embedded in compromised websites.


Method of Infection

JS/Gumblar!generic is malicious JavaScript embedded in compromised websites. When a user accesses one of these websites, the encoded malicious JavaScript redirects the user to a website where malicious JavaScript files are hosted.


These malicious JavaScript files try to use various known browser exploits against the user's browser. On successful exploitation, they download a malware binary and execute it to compromise the user's computer.



Method of Distribution

Via compromised websites.



Payload

When a user visits a compromised website with the embedded JS/Gumblar Trojan, it redirects the user to a malicious website to exploit the user's browser. The majority of JS/Gumblar variants try to download malicious PDF or Shockwave files to compromise the user's computer.


In general, JS/Gumblar variants redirect to gumblar.cn and martuz.cn, but are not limited to these domains. Websites accessed by JS/Gumblar may vary.
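
A defender-side check for the redirect described above, as an added example that is not part of the original advisory: it scans web-proxy log lines for requests to the two domains named on this page and reports which clients made them and from which referring page. The log format (time, client, method, URL, referer), the sample lines and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domains named on this page; variants are not limited to these.
GUMBLAR_DOMAINS = ("gumblar.cn", "martuz.cn")

# Constructed sample log, assumed format: time client method url referer
SAMPLE_LOG = """\
2010-02-06T09:12:01 10.0.0.21 GET http://www.example.org/index.html -
2010-02-06T09:12:02 10.0.0.21 GET http://gumblar.cn/path http://www.example.org/index.html
2010-02-06T09:15:40 10.0.0.35 GET http://cdn.martuz.cn/path http://shop.example.net/
2010-02-06T09:16:03 10.0.0.35 GET http://notgumblar.cn/a.js http://shop.example.net/
2010-02-06T09:17:10 10.0.0.21 GET http://GUMBLAR.CN./x http://www.example.org/index.html
malformed line
"""

def host_matches(host, domains=GUMBLAR_DOMAINS):
    """True if host is a listed domain or a subdomain of one (label-aware)."""
    host = host.lower().rstrip(".")  # normalise case and trailing root dot
    return any(host == d or host.endswith("." + d) for d in domains)

def find_hits(log_text):
    """Return one record per request whose URL host is a listed domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip lines that do not fit the format
            continue
        ts, client, _method, url, referer = parts
        host = urlsplit(url).hostname or ""
        if host_matches(host):
            hits.append({"time": ts, "client": client,
                         "host": host.rstrip("."), "referer": referer})
    return hits

def summarize(hits):
    """Map each client to the referring pages that led to a listed domain."""
    by_client = defaultdict(set)
    for h in hits:
        by_client[h["client"]].add(h["referer"])
    return {c: sorted(r) for c, r in by_client.items()}

if __name__ == "__main__":
    for client, referers in summarize(find_hits(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(referers))
```

The referer column points at the page that triggered the request, which is the candidate compromised site to inspect; clients listed should be checked for the downloaded binary.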


CA antivirus solutions detect these Gumblar infections as JS/Gumblar generic.


 


Analysis by Satyendra Kumar Teppalavalasa

