French Security Incident Response Team

TROJ_REALPLAY.BR Information


Alert ID : FrSIRT/ALRT-2008-02771
Aliases : Exploit.JS.RealPlr.im (Kaspersky) - Downloader (Symantec) - JS/Agent.ES (Avira)
Size : 3877 bytes
Rated as : Low Risk 
Release Date : 2008-05-09
Last Update : 2008-05-19

Description

This Trojan may be downloaded after a series of redirections triggered by JS_DLDR.AW. It takes advantage of a known vulnerability in several versions of the RealPlayer media player. The vulnerability causes a stack overflow and allows possibly malicious files to be downloaded onto the affected system. More information on this vulnerability can be found here.

Before exploiting the above-mentioned vulnerability, this Trojan first checks whether the affected machine is running Windows 2000 or Windows XP with Internet Explorer 6 or 7. It also checks whether RealPlayer is installed and which version is present, and uses that version to determine the first few bytes of the shellcode it writes on the affected system. It then uses a certain import function to pass the shellcode to the installed RealPlayer application, triggering the exploit.

Once it has successfully exploited the vulnerability, this Trojan connects to a certain URL to download TROJ_AGENT.AKVP. As a result, the routines of the downloaded Trojan may be exhibited on the system.

Description created (Trend Micro): May 7, 2008 8:47:23 AM GMT -0800

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_REALPLAY.BR

Credits

Reported by Trend Micro

ChangeLog

2008-05-09 - Initial Release
2008-05-19 - Updated Aliases

Disclaimer

The information contained herein was obtained from third party sources and is solely based upon the data available at the time of publication.

Copyright 2003-2008 © FrSIRT.COM - Privacy Policy