JS_DLOADER.SMGA

By LoneStar in Trojans

JS_DLOADER.SMGA is a JavaScript Trojan that exploits CVE-2012-1875, a vulnerability in Internet Explorer that is addressed in the MS12-037 bulletin, (MS12-037) Cumulative Security Update for Internet Explorer (2699988). The vulnerability is used to drop possibly infectious files: when JS_DLOADER.SMGA exploits it, it drops and runs infected files on the affected PC. JS_DLOADER.SMGA can spread via remote insecure websites, and it also invades particular websites in order to distribute malicious files. JS_DLOADER.SMGA can distribute another malware infection, a backdoor Trojan detected as BKDR_AGENT.BCSG.

Unlike exploit document files, JS_DLOADER.SMGA uses a simple script to collect the operating system version and language used on the targeted PC. When JS_DLOADER.SMGA exploits CVE-2012-1875, it uses the heap spray method to execute a specific shellcode. Even when JS_DLOADER.SMGA successfully exploits CVE-2012-1875, its code cannot jump to the sprayed heap because of Data Execution Prevention (DEP), which is found in affected programs such as IE8 and IE9. To evade DEP, the exploit uses the return-oriented programming (ROP) method, for which it checks the system environment, such as the operating system and language. JS_DLOADER.SMGA uses a specific script to recognize the modules loaded in memory, which sit at different addresses depending on the operating system and language information. Then, depending on the confirmed system information, JS_DLOADER.SMGA creates a specific ROP code.

File System Details

JS_DLOADER.SMGA may create the following file(s):
| # | File Name | MD5 | Detections |
|---|-----------|-----|------------|
| 1 | %User Temp%\log.gif | | |
| 2 | file.html | e05a487dd056046a345632d734737f5e | 0 |
| 3 | nav.html | d0f88e2cc744093fe25479a2c964e2fe | 0 |
| 4 | ver1.html | 085933ac6c62181a9fcbbc6e2a2f5bde | 0 |
