Content
JS/Wonka
- Type
- Trojan
- SubType
- Script
- Discovery Date
- 09/08/2005
- Length
- various
- Minimum DAT
- 4577 (09/08/2005)
- Updated DAT
- 6423 (07/30/2011)
- Minimum Engine
- 5.1.00
- Description Added
- 09/08/2005
- Description Modified
- 08/24/2007 8:01 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
-- Update August 24, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=4825
--
-- Update September 28, 2005 --
Several cases have been reported to AVERT as potential incorrect identifications of JS/Wonka, which turned out to be accurate hits. These observations were typically made upon visiting hacked web pages. These hacked pages have an IFRAME inserted that point to an external website containing malware such as Exploit-Codebase, Exploit-ANIFile, W32/Dumaru.gen, and Exploit-MhtRedir.gen.
This is a generic detection for highly obfuscated JavaScript. The signature is based on specfic characteristics of the encryption.
Because this is a generic detection there is no specific description of the activity undertaken by JavaScript detected under this name, however these can include malicious activity such as downloading and executing files.
Please submit samples that you think may be false alarms to virus_research@avertlabs.com.
Symptoms
Vary
Method of Infection
JS/Wonka may be used as a means to load other malicious scripts and exploit trojans.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
Variants
N/A
All Information
Overview -
-- Update August 24, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=4825
--
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
-- Update August 24, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=4825
--
-- Update September 28, 2005 --
Several cases have been reported to AVERT as potential incorrect identifications of JS/Wonka, which turned out to be accurate hits. These observations were typically made upon visiting hacked web pages. These hacked pages have an IFRAME inserted that point to an external website containing malware such as Exploit-Codebase, Exploit-ANIFile, W32/Dumaru.gen, and Exploit-MhtRedir.gen.
This is a generic detection for highly obfuscated JavaScript. The signature is based on specfic characteristics of the encryption.
Because this is a generic detection there is no specific description of the activity undertaken by JavaScript detected under this name, however these can include malicious activity such as downloading and executing files.
Please submit samples that you think may be false alarms to virus_research@avertlabs.com.
Symptoms
Symptoms -
Vary
Method of Infection
Method of Infection -
JS/Wonka may be used as a means to load other malicious scripts and exploit trojans.
Removal -
Removal -
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
Variants -
N/A