Trojan-Downloader.JS.Agent.gsv
Threat Scorecard
Threat Level: 90% (High)
Infected Computers: 3
First Seen: August 2, 2012
Last Seen: October 18, 2020
OS(es) Affected: Windows
JavaScript Trojans are usually designed to direct computer users to malware-laced websites. These websites use malicious components such as the BlackHole Exploit Kit to take advantage of vulnerabilities in the victim's computer in order to infect it with malware. While most of these JavaScript redirect Trojans inject an iFrame that takes the victim's browser to an attack website, the Trojan-Downloader.JS.Agent.gsv Trojan uses a different approach. Trojan-Downloader.JS.Agent.gsv generates a seemingly random domain name for the URL it redirects to, and it uses the current date to generate that name. Although ESG security analysts have observed this approach before, it is not common in browser redirect Trojans such as the many variants of JavaScript redirect scripts used in spam email.
The Trojan-Downloader.JS.Agent.gsv Infection
The kind of pseudo-random domain generation that Trojan-Downloader.JS.Agent.gsv uses has been observed in botnets and backdoor Trojans, which generate domains for their command and control servers. This approach is quite new in the case of JavaScript browser redirect scripts. Trojan-Downloader.JS.Agent.gsv itself is a Trojan downloader that uses a malicious iFrame attached to an HTML file. It generates a random domain name with sixteen characters and a .RU ending (the country-code top-level domain of the Russian Federation).
The Trojan-Downloader.JS.Agent.gsv HTML file is encrypted in its entirety: both the malicious iFrame and the harmless content. This is definitely a problem. While other malicious JavaScript redirect Trojans inject obfuscated code into an HTML file, which makes the difference between the malicious content and the harmless content apparent, Trojan-Downloader.JS.Agent.gsv obfuscates the whole HTML file as well. This means that this Trojan infection can be difficult to detect and to remove while leaving the affected website intact.
Why the Trojan-Downloader.JS.Agent.gsv Generates New Domains
The technique of randomly generating new domain names allows criminals to avoid blacklisting. Every day, Trojan-Downloader.JS.Agent.gsv generates a new domain name. This means that adding malicious URLs to a blacklist after they are seen can be pointless, because new ones are generated constantly. Fortunately, these domain names are not entirely random: they come from an algorithm that takes its seed from the current date. With this information, PC security researchers can predict future domain names and blacklist them preemptively. If you administer a website, it is important to update your website's software and to apply all available security patches. ESG security analysts also advise changing all sensitive passwords, especially for FTP, SFTP and SSH accounts.
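The preemptive blacklisting described above can be sketched as follows. This is an added example, not code from the Trojan or from ESG: standInDomainFor is a hypothetical date-seeded generator standing in for the real algorithm (which this page does not give), and the log format and sample log lines are constructed. Only the sixteen-character label and the .ru ending come from the description above.

```javascript
// HYPOTHETICAL stand-in generator: NOT the algorithm used by
// Trojan-Downloader.JS.Agent.gsv. A defender would replace it with the
// routine recovered from the deobfuscated script.
const LABEL_LEN = 16; // from the page: sixteen characters
const TLD = ".ru";    // from the page: .RU ending

function standInDomainFor(date) {
  // Seed depends only on the UTC calendar day, so the output is predictable.
  let state = (date.getUTCFullYear() * 10000 +
               (date.getUTCMonth() + 1) * 100 + date.getUTCDate()) >>> 0;
  let label = "";
  for (let i = 0; i < LABEL_LEN; i++) {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0; // 32-bit LCG step
    label += String.fromCharCode(97 + (state >>> 16) % 26); // a..z
  }
  return label + TLD;
}

// Precompute domains for a window around `start`: past days catch stale
// clocks and old logs, future days allow blocking before first use.
function buildBlocklist(start, daysBack, daysAhead, generator = standInDomainFor) {
  const list = new Map(); // domain -> ISO date the domain is valid for
  for (let d = -daysBack; d <= daysAhead; d++) {
    const day = new Date(Date.UTC(start.getUTCFullYear(),
                                  start.getUTCMonth(), start.getUTCDate() + d));
    list.set(generator(day), day.toISOString().slice(0, 10));
  }
  return list;
}

// Match "timestamp client qname" DNS log lines (assumed format) against the
// list, normalising case and the trailing root dot; subdomains also match.
function findHits(logLines, blocklist) {
  const hits = [];
  for (const line of logLines) {
    const [ts, client, qname = ""] = line.trim().split(/\s+/);
    const name = qname.toLowerCase().replace(/\.$/, "");
    for (const [domain, validFor] of blocklist) {
      if (name === domain || name.endsWith("." + domain)) {
        hits.push({ ts, client, name, validFor });
      }
    }
  }
  return hits;
}

// Constructed sample log: two benign lookups and one predicted domain.
const SAMPLE_LOG = [
  "2012-08-03T09:12:01Z 10.0.0.5 www.example.com.",
  `2012-08-03T09:12:44Z 10.0.0.7 ${standInDomainFor(new Date(Date.UTC(2012, 7, 3))).toUpperCase()}.`,
  "2012-08-03T09:13:10Z 10.0.0.9 mail.example.org.",
];
console.log(findHits(SAMPLE_LOG, buildBlocklist(new Date(Date.UTC(2012, 7, 2)), 1, 6)));
```

A hit also identifies the client that requested the page, which points back to the compromised site or spam message that served the redirect.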