[Malware Review] Trojan.JS.Agent.ELA

Trojan.JS.Agent.ELA looks for vulnerabilities and exploits them for uploading malware

Last week, Bitdefender labs released the malware distribution tops for the last quarter of 2011. And aside from by the now consecrated online menaces such as Autorun-based malware, Downadup or adware pertaining to Hotbar and Yabector families, the malware top for Germany revealed a surprise Trojan – Trojan.JS.Agent.ELA.

This e-threat, which occupies a worrying 10th position in the regional chart, is a JavaScript file that starts the system infection with a bit of local research:

First it determines which platform the local browser is installed on – Windows, Mac or Linux. Next, it verifies the browser type and version to see if it is  Internet Explorer, Gecko (Mozilla Firefox), Safari, Chrome or Opera. Afterward it focuses on determining what plug-ins are installed on the browser.

These plugins and their versions will be useful when choosing the exploits that will be used to download further malware. Exploits are known to be “customized” for particular plugin versions in order to be compatible to the targeted system.

Trojan.JS.Agent.ELA displays in the browser the following message: “Please wait page is loading…” to distract the user from the actual installation of the malware on his PC. Some samples would display a “404 not found” blank page while others would redirect the user toward legitimate clean web locations.

In the meantime, in background, the malware will load a page selected in accordance with the findings of the search made by the script on the user’s computer. The weapon of choice will be either an infected applet if it found a vulnerable Java version, an infected film, if a flash player version proved vulnerable, or an infected PDF if the Adobe Reader version was the “weak link”.

To cover its tracks, Agent.ELA wipes out the memory it needed to set the ground for further malware and this way it also avoids detection. These exploits will enable the Trojan to connect the browser to infected site where it downloads further malware, amongst which Zeus itself.

Bitdefender malware researcher, Doina Cosovan points out that Trojan.JS.Agent.ELA usually spreads via social engineering tricks on social networks or via JS injects in valid sites which have been previously laden with malware.

This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.