Secunia - Stay Secure
Gartner
Home Corporate Website Jobs Updated Mailing Lists RSS Blog  Online Shop Advertise
Software Inspectors
  Scan Online
  Personal (PSI)
  Network (NSI 2.0)

Solutions For
  Security Professionals
  Security Vendors

Free Solutions For
  Open Communities
  Journalists & Media

Secunia Advisories
  Search
  Historic Advisories
  Listed By Product
  Listed By Vendor
  Statistics / Graphs
  Secunia Research
  Report Vulnerability
  About Advisories

Virus Information
  Chronological List
  Last 10 Virus Alerts
  About Virus Information

Secunia Customers
  Customer Area


TROJ_REALPLAY.BR

First Report: 2008-05-08 04:46
Last Update: 2008-06-06 05:31
Aliases: Downloader
Exploit.JS.RealPlr.im
In
JS/Agent.ES
TROJ_REALPLAY.BR
Information From AntiVirus Vendors


Below you will find virus information from different antivirus vendors included in this Secunia Virus Profile. Information about the virus along with links to removal tools will be listed below when available.

The information provided is sorted by the date on which the information first became publicy available on the antivirus vendors' websites. The earliest available reports are displayed first. Please note timestamps are in GMT+1.



#1 - TREND MICRO

TROJ_REALPLAY.BR

 Severity:
- 		File Size:
-
Reported:
2008-05-08 04:46 		Last Update:
2008-06-06 05:31
Description:
This Trojan may be downloaded after a series of redirections triggered by JS_DLDR.AW. It takes advantage of a known vulnerability in several versions of the media player RealPlayer. The said vulnerability causes a stack overflow and allows the download of possibly malicious files on the affected system. More information on this vulnerability can be found on here. Before exploiting the above-mentioned vulnerability, this Trojan first checks if the affected machine is running on Windows 2000 or Windows XP with Internet Explorer 6 or 7. It also checks if RealPlayer is installed on the system and what version of the player is installed to determine the first few bytes of shell code that it writes on the affected system. It uses a certain import function to send the shell code to the installed RealPlayer application, thus triggering the said exploit. Once it successfully exploits the said vulnerability, this Trojan connects to a certain URL to download TROJ_AGENT.AKVP. As a result, the routines of the downloaded Trojan may be exhibited on the system.
Full Report From Vendor  View/Hide ChangeLog

ChangeLog:

Changes are listed in chronological order with the latest changes first.


2008-05-10 18:42 Name was changed.

New:
"TROJ_REALPLAY.BR"

Old:
"TROJAN"

2008-05-10 18:42 Description was changed.

New:
"This Trojan may be downloaded after a series
of redirections triggered by JS_DLDR.AW.
It takes advantage of a known vulnerability
in several versions of the media player
RealPlayer. The said vulnerability causes a
stack overflow and allows the download of
possibly malicious files on the affected
system. More information on this
vulnerability can be found on here. Before
exploiting the above-mentioned vulnerability,
this Trojan first checks if the affected
machine is running on Windows 2000 or Windows
XP with Internet Explorer 6 or 7. It also
checks if RealPlayer is installed on the
system and what version of the player is
installed to determine the first few bytes of
shell code that it writes on the affected
system. It uses a certain import function
to send the shell code to the installed
RealPlayer application, thus triggering the
said exploit. Once it successfully
exploits the said vulnerability, this Trojan
connects to a certain URL to download
TROJ_AGENT.AKVP. As a result, the routines of
the downloaded Trojan may be exhibited on the
system."

Old:
"N/A"

2008-05-10 17:46 Name was changed.

New:
"TROJAN"

Old:
"TROJ_REALPLAY.BR"

2008-05-10 17:46 Description was changed.

New:
"N/A"

Old:
"This Trojan may be downloaded after a series
of redirections triggered by JS_DLDR.AW.
It takes advantage of a known vulnerability
in several versions of the media player
RealPlayer. The said vulnerability causes a
stack overflow and allows the download of
possibly malicious files on the affected
system. More information on this
vulnerability can be found on here. Before
exploiting the above-mentioned vulnerability,
this Trojan first checks if the affected
machine is running on Windows 2000 or Windows
XP with Internet Explorer 6 or 7. It also
checks if RealPlayer is installed on the
system and what version of the player is
installed to determine the first few bytes of
shell code that it writes on the affected
system. It uses a certain import function
to send the shell code to the installed
RealPlayer application, thus triggering the
said exploit. Once it successfully
exploits the said vulnerability, this Trojan
connects to a certain URL to download
TROJ_AGENT.AKVP. As a result, the routines of
the downloaded Trojan may be exhibited on the
system."

2008-05-10 10:42 Name was changed.

New:
"TROJ_REALPLAY.BR"

Old:
"TROJAN"

2008-05-10 10:42 Description was changed.

New:
"This Trojan may be downloaded after a series
of redirections triggered by JS_DLDR.AW.
It takes advantage of a known vulnerability
in several versions of the media player
RealPlayer. The said vulnerability causes a
stack overflow and allows the download of
possibly malicious files on the affected
system. More information on this
vulnerability can be found on here. Before
exploiting the above-mentioned vulnerability,
this Trojan first checks if the affected
machine is running on Windows 2000 or Windows
XP with Internet Explorer 6 or 7. It also
checks if RealPlayer is installed on the
system and what version of the player is
installed to determine the first few bytes of
shell code that it writes on the affected
system. It uses a certain import function
to send the shell code to the installed
RealPlayer application, thus triggering the
said exploit. Once it successfully
exploits the said vulnerability, this Trojan
connects to a certain URL to download
TROJ_AGENT.AKVP. As a result, the routines of
the downloaded Trojan may be exhibited on the
system."

Old:
"N/A"

2008-05-10 09:46 Name was changed.

New:
"TROJAN"

Old:
"TROJ_REALPLAY.BR"

2008-05-10 09:46 Description was changed.

New:
"N/A"

Old:
"This Trojan may be downloaded after a series
of redirections triggered by JS_DLDR.AW.
It takes advantage of a known vulnerability
in several versions of the media player
RealPlayer. The said vulnerability causes a
stack overflow and allows the download of
possibly malicious files on the affected
system. More information on this
vulnerability can be found on here. Before
exploiting the above-mentioned vulnerability,
this Trojan first checks if the affected
machine is running on Windows 2000 or Windows
XP with Internet Explorer 6 or 7. It also
checks if RealPlayer is installed on the
system and what version of the player is
installed to determine the first few bytes of
shell code that it writes on the affected
system. It uses a certain import function
to send the shell code to the installed
RealPlayer application, thus triggering the
said exploit. Once it successfully
exploits the said vulnerability, this Trojan
connects to a certain URL to download
TROJ_AGENT.AKVP. As a result, the routines of
the downloaded Trojan may be exhibited on the
system."

2008-05-08 05:16 Description was changed.

New:
"This Trojan may be downloaded after a series
of redirections triggered by JS_DLDR.AW.
It takes advantage of a known vulnerability
in several versions of the media player
RealPlayer. The said vulnerability causes a
stack overflow and allows the download of
possibly malicious files on the affected
system. More information on this
vulnerability can be found on here. Before
exploiting the above-mentioned vulnerability,
this Trojan first checks if the affected
machine is running on Windows 2000 or Windows
XP with Internet Explorer 6 or 7. It also
checks if RealPlayer is installed on the
system and what version of the player is
installed to determine the first few bytes of
shell code that it writes on the affected
system. It uses a certain import function
to send the shell code to the installed
RealPlayer application, thus triggering the
said exploit. Once it successfully
exploits the said vulnerability, this Trojan
connects to a certain URL to download
TROJ_AGENT.AKVP. As a result, the routines of
the downloaded Trojan may be exhibited on the
system."

Old:
"N/A"



Please note: The information that this Secunia Virus Profile is based on comes from a third party unless stated otherwise.

The grouping process is done completely automatically, therefore minor inconsistencies may occur. For more information about Secunia Virus Information, please read: About Virus Information.







Secunia PSI
Scan | Patch | Track
Free Download

Secunia Poll

Do you think it's important to read Setup/User Guides for applications for use within your network?


See Results   


Most Popular Advisories

1.
OpenBSD BIND Query Port DNS Cache Poisoning
2.
Drupal Session Fixation Vulnerability
3.
Red Hat update for kernel
4.
Linux Kernel LDT Buffer Size Handling Vulnerability
5.
Debian update for clamav
6.
dnsmasq Denial of Service and DNS Cache Poisoning
7.
Ubuntu update for php
8.
Red Hat update for thunderbird
9.
Apple Safari Cross-Domain Cookie Injection Vulnerability
10.
YouTube Blog Multiple Vulnerabilities





Vulnerability Management - Terms & Conditions - Copyright 2002-2008 Secunia - Compliance - Contact Secunia