Nod32 just warned me about a trojan which is embedded into a favicon.

I've copied the content of the favicon.ico here: http://pastebin.com/BkD4tKNy

Unfortunately I'm not really experienced with JavaScript and the code looks very cryptic to me. Can anyone say what harm this code is doing?

Thanks & kind regards

TheLostOne

1 Answer

It looks cryptic because the code is intentionally obfuscated.

The actual name of the trojan is W32/Lipler.Gen. It downloads and executes malicious code, which is whatever the person infecting you wants to execute on your machine.

You can read more about it here: http://www.f-secure.com/v-descs/trojan-downloader_w32_lipler_gen.shtml

Tom Studee
  • How does it execute if it's in a .ico file though? Can an icon contain HTML? – Matthew Wilson Aug 01 '11 at 12:53
  • You can give any file any extension you want. It doesn't change the fact that the contents are HTML and JavaScript. The .ico is to throw you off by making it look harmless. – Tom Studee Aug 01 '11 at 14:20
  • OK, but let's say that the file is an .ico favicon on a website which contains HTML/JS. How does it actually get executed in that scenario? Presumably browsers won't execute JS in a file which they are trying to render as an icon. Is the assumption that the user will be tricked into navigating to the page because it looks like it's a "safe" page? – Matthew Wilson Aug 01 '11 at 14:41
  • I would presume one way would be to trick you into clicking on something which would execute it. I'm not really familiar with other techniques, or which technique may have been used in the above example. – Tom Studee Aug 01 '11 at 14:51
  • Thank you Tom! Shouldn't all browsers be safe from such attacks by simply ignoring any executable code? A favicon will probably never need to execute any code. – TheLostOne Aug 02 '11 at 19:14
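An added check for the situation Tom describes (a file named .ico whose bytes are really HTML/JavaScript); this is example code written for this page, not from the question, the answer or any scanner. It validates the ICO header and directory entries and flags HTML/script markers in the first bytes. The two sample files are constructed, not the pastebin content.

```python
import struct

# Constructed samples: a minimal valid ICO (one 16x16 entry) and a "favicon"
# that is really a web page, as in the question.
GOOD_ICO = (b"\x00\x00\x01\x00\x01\x00"
            + struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, 8, 22)
            + b"\x00" * 8)
FAKE_ICO = b"  <html><script>eval(unescape('%61'))</script></html>"

HTML_MARKERS = (b"<html", b"<script", b"<!doctype", b"<iframe", b"<body", b"<meta")


def classify_ico(data: bytes) -> str:
    """Return 'ico' for a structurally valid icon, 'html' when the bytes look
    like markup/script, and 'unknown' otherwise (truncated or some other type)."""
    head = data[:256].lstrip().lower()
    if any(head.startswith(m) for m in HTML_MARKERS) or b"<script" in data[:4096].lower():
        return "html"
    if len(data) < 6:
        return "unknown"
    # ICONDIR: reserved (0), type (1 = icon), image count
    reserved, img_type, count = struct.unpack("<HHH", data[:6])
    if reserved != 0 or img_type != 1 or count == 0:
        return "unknown"
    if len(data) < 6 + 16 * count:          # each ICONDIRENTRY is 16 bytes
        return "unknown"
    for i in range(count):
        off = 6 + 16 * i
        _w, _h, _colors, _rsv, _planes, _bpp, size, img_off = struct.unpack(
            "<BBBBHHII", data[off:off + 16])
        # every image must lie inside the file
        if size == 0 or img_off + size > len(data):
            return "unknown"
    return "ico"


if __name__ == "__main__":
    for name, blob in (("good.ico", GOOD_ICO), ("fake.ico", FAKE_ICO)):
        print(name, "->", classify_ico(blob))
```

Serving icons with `Content-Type: image/x-icon` and `X-Content-Type-Options: nosniff` reduces the chance that a browser sniffs such a file as HTML when someone navigates to it directly.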