
Saturday, 10 March 2012

Exploit.HTML.CVE-2010-1885.c


Technical Details

This exploit program uses a vulnerability in Microsoft Windows Help and Support Center to execute itself on the user's computer. It is an HTML page containing JavaScript. It is 15 140 bytes in size.

Payload

Once the document is opened in the user's browser, the malware decrypts the obfuscated code and launches malicious scripts. Every 5 seconds the malware attempts to redirect the user to a resource which, relative to the malicious document, is located at the following link:
http://<X>?showuser=29727214&view=MSIE&showforum=60595eb79c774b77025982e905faf5df.jar&showtopic=2&s=7.0
where X is the location of the original exploit file on the malicious user's server. It then executes the malicious script in a hidden frame to exploit a vulnerability in MS Windows Help and Support Center. The malicious program exploits a vulnerability that arises from the incorrect handling of URL escape sequences in the function MPC::HexToNum of the Microsoft Windows Help and Support Center application (helpctr.exe) (MS10-042, CVE-2010-1885). After exploiting the vulnerability, the malicious user can run commands sent via the special "hcp://" protocol. The Microsoft products MS Internet Explorer 8 and Windows Media Player 9 are vulnerable. The exploit creates and launches a JavaScript file named:
%Documents and Settings%\%Current User%\.js
The Trojan uses it to decrypt the remaining part of its code. The malware then uses the ActiveX object "MSXML.XMLHTTP" to download the file located at the following URL:
http://sal***hleb.ru/phpbb/04cf55378a0b333614c01a416d72c3c1.php?showtopic=12&showuser=29727214&showforum=60595eb79c774b77025982e905faf5df.jar&
and saves it under the name:
%Documents and Settings%\%Current User%\update.exe
The exploit uses the command line to launch the downloaded "update.exe" file and terminates the processes whose names start with:
help
As a result, the exploit terminates the Microsoft Windows Help and Support Center process:
helpctr.exe
The malware also deletes the file:
%Documents and Settings%\%Current User%\.js
At the time of writing, these links were inactive.
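As an added example (not part of the original write-up), the following Python heuristic flags a page source that shows the combination of indicators described above: an hcp:// URL carrying escape sequences, a hidden frame, the MSXML.XMLHTTP ActiveX object and the update.exe drop. The constructed sample page, the placeholder host and the assumption that the 5-second redirect is implemented with setInterval are not from the original.

```python
import re

# Indicator patterns derived from the behaviour described in the write-up
# (hidden frame, hcp:// URL with escape sequences, MSXML.XMLHTTP download,
# update.exe drop). The setInterval/5000 pattern is an ASSUMPTION about how
# the 5-second redirect is implemented; the others follow the text directly.
INDICATORS = {
    "hcp_protocol": re.compile(r"hcp://", re.I),
    # any percent-escape inside an hcp:// URL: the MPC::HexToNum weakness
    "hcp_escaped": re.compile(r"hcp://[^\s\"']*%", re.I),
    "hidden_frame": re.compile(
        r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden"
        r"|height\s*=\s*[\"']?0)", re.I),
    "xmlhttp_activex": re.compile(r"ActiveXObject\s*\(\s*[\"']MSXML2?\.XMLHTTP", re.I),
    "dropped_update_exe": re.compile(r"update\.exe", re.I),
    "redirect_every_5s": re.compile(r"setInterval\s*\(.*?,\s*5000\s*\)", re.I | re.S),
}

# An hcp:// URL carrying escapes inside a web page is the core of MS10-042
# abuse, so it dominates the score; the remaining indicators corroborate.
WEIGHTS = {"hcp_protocol": 3, "hcp_escaped": 4, "hidden_frame": 2,
           "xmlhttp_activex": 2, "dropped_update_exe": 1, "redirect_every_5s": 1}


def scan(html: str) -> list:
    """Return the names of the indicators present in the page source."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]


def score(html: str) -> int:
    return sum(WEIGHTS[name] for name in scan(html))


def is_suspicious(html: str, threshold: int = 6) -> bool:
    """True when corroborated hcp:// abuse is present; a lone link scores 3."""
    return score(html) >= threshold


# Constructed sample page (placeholder host, no real exploit content).
SAMPLE_PAGE = """<html><body><script>
setInterval(function(){ location.href =
  "http://EXAMPLE-HOST/index.php?showuser=1&view=MSIE"; }, 5000);
var dl = new ActiveXObject("MSXML.XMLHTTP"); var drop = "update.exe";
</script>
<iframe style="display:none" src="hcp://services/search?query=PLACEHOLDER%ZZ">
</iframe></body></html>"""
# Constructed benign page: a plain Help Center link, no escapes, no corroboration.
BENIGN_PAGE = '<a href="hcp://services/search?query=printer">Help</a>'

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, score(page), is_suspicious(page), scan(page))
```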

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following file:
    %Documents and Settings%\%Current User%\update.exe
  3. Install these updates:
    http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx
