This Trojan may be downloaded unknowingly by a user when visiting malicious Web sites.
This malicious JavaScript may be hosted on a Web site and run when a user accesses the said Web site.
It takes advantage of a known vulnerability in several versions of the media player RealPlayer that causes a stack overflow and allows the download of possibly malicious files on the affected system.
More information on this vulnerability can be found on the following Web site:

• http://service.real.com/realplayer/s...007_player/en/

Before exploiting the abovementioned vulnerability, this JavaScript first checks if the affected machine is running Windows 2000 or Windows XP with Internet Explorer 6 or 7. It also checks if RealPlayer is installed on the system and what version of the player is installed to determine the first few bytes of shell code that it writes on the affected system.
It uses an import function to send the shell code to the installed RealPlayer, thus triggering the said exploit.
Once it successfully exploits the said vulnerability, this JavaScript connects to a certain URL to download possibly malicious files. The said file will then be saved in Windows system folder. As a result, malicious routines of the downloaded files may be exhibited on the affected system.


More...