This page shows the details and results of our analysis of the malware JS/Exploit-Blacole!heur.


Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Exploit
  • Protection Added: 2013-05-03

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases –

  • Microsoft: Exploit:JS/Blacole.GB
  • Drweb: Exploit.BlackHole.129
  • Avast: JS:Decode-AGV
  • Avira: JS/Blacole.GB.155 Java script

Malware Proliferation

“JS/Exploit-Blacole!heur” is a detection for malicious Java code that exploits vulnerabilities such as CVE-2012-1723 and CVE-2012-0507.

“JS/Exploit-Blacole!heur” is a generic detection for malicious Java code that exploits a vulnerability allowing the execution of arbitrary code. The script also checks the OS, the browser and installed components such as the Java, PDF and Flash plug-ins, and looks for a vulnerable version of Java.

“JS/Exploit-Blacole!heur” is a generic detection for obfuscated JavaScript that injects an iframe pointing to a remote malicious site.

JS/Exploit-Blacole!heur is an obfuscated JavaScript that can be embedded in compromised websites. This Trojan redirects the user to malicious websites and downloads other payloads or executes browser exploits.

The "Blackhole" exploit kit may exploit vulnerabilities in certain software installed on the victim's computer. Successful exploitation may lead to the download and execution of other malicious files.

Upon execution, it tries to load the JavaScript and redirect the user to the following website via a hidden iframe:
  • hxxp://129.121.[Removed].207/70b86e9a04cec710/70b86e9a04cec710/a.php?vf=2w:1l:2v:30:31&ke=1i:31:32:1g:1n:1h:1l:1l:1n:31&o=1f&md=k&pg=o&jopa=6809998
Upon successful exploitation it also tries to connect to the following URLs to download other payloads:
  • go[Removed]
  • hxxp://129.121.[Removed].207/70b86e9a04cec710/70b86e9a04cec710/a.php?jnlp=3de182668d
  • hxxp://129.121.[Removed].207/70b86e9a04cec710/a.php?nbbdfjz=iqaaty&pjoaxd=xtu
  • hxxp://74.125.[Removed].114/gate.php
The following are the payloads downloaded by the Trojan:
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\26\2418615a-1276e216
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\26\2418615a-1276e216.idx
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\28\440395dc-6d048d92
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\28\440395dc-6d048d92.idx
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\8\1f62e308-48c68e3e
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\8\1f62e308-48c68e3e.idx
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\8\1f62e308-6.0.lap
  • %USERPROFILE%\6809998.exe
Because this is a generic detection, there is no specific description of the activity undertaken by JavaScript detected under this name; however, it can include malicious activity such as downloading and executing files or scripts.
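The redirect pattern described above (an injected, hidden iframe pointing at a remote exploit-kit landing page) can be flagged on the defender's side with a simple page scan. The following is an added example, not McAfee's code; the sample HTML is constructed, and the off-site host in it is a documentation address (203.0.113.7) standing in for the removed indicator.

```python
"""Flag hidden iframes that load content from a host other than the site itself.
Added example; the sample page below is constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a compromised page with one injected 1x1 hidden iframe.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/embed" width="400" height="300"></iframe>
<iframe src="http://203.0.113.7/70b86e9a04cec710/a.php?vf=1"
        style="visibility:hidden" width="1" height="1"></iframe>
<iframe src="/local.html" width="0" height="0"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True when the frame is styled invisible or is at most 1x1 pixels."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def dim(value):
        m = re.match(r"\d+", value.strip())
        return int(m.group()) if m else None

    w, h = dim(attrs.get("width", "")), dim(attrs.get("height", ""))
    return w is not None and h is not None and w <= 1 and h <= 1


def find_suspicious_iframes(html, site_host):
    """Return src URLs of hidden iframes whose host differs from site_host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        if host is not None and host != site_host and _is_hidden(attrs):
            hits.append(src)
    return hits
```

The same-site 0x0 frame is deliberately not reported: hiding alone is common in legitimate pages, and the combination with an off-site host is what matches the behaviour described here.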

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.