
Monday, 12 March 2012

Exploit.JS.ADODB.Stream.aw


Technical Details

This exploit uses vulnerabilities in Microsoft Data Access Components (MDAC) and in MS Internet Explorer 7 (uninitialized memory corruption) to run code on the user's computer. It is an HTML document containing malicious JavaScript. The malicious script is 13 073 bytes in size.

Payload

Once launched, the malware decrypts its obfuscated code and executes it. It then instantiates a number of ActiveX objects by their CLSIDs.
It uses vulnerabilities in the following ActiveX components: "MSXML2.XMLHTTP", "Microsoft.XMLHTTP" and "MSXML2.ServerXMLHTTP" (CVE-2006-0003), as well as a vulnerability in MS Internet Explorer 7 (uninitialized memory corruption; CVE-2009-0075, MS09-002), to attempt to download a file from the following link:
http://<XXX>/zcv.gif
It uses the ActiveX object "ADODB.Stream" to save this file under the following name:
%Temp%:\sys<rnd>.exe
where:
<rnd> is 4 random letters, for example "gmde" or "ipns";
<XXX> is the malicious user's server from which the exploit file was launched.
The saved file is then launched for execution. At the time of writing, this link was inactive.
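The download-and-execute behaviour described above (an XMLHTTP fetch, ADODB.Stream used to write a sys<rnd>.exe dropper under %Temp%) can be checked for in a captured HTML page. The scanner below is an added example, not part of the original description; it undoes only the simplest string-splitting and percent-encoding tricks before matching, and the sample page it scans is constructed here for illustration.

```python
import re
from html import unescape
from urllib.parse import unquote

# ProgIDs named in the description above (MSXML/MDAC bugs plus the ADODB.Stream writer)
SUSPICIOUS_PROGIDS = (
    "MSXML2.XMLHTTP",
    "Microsoft.XMLHTTP",
    "MSXML2.ServerXMLHTTP",
    "ADODB.Stream",
)

# Drop file name from the description: sys followed by 4 random letters, .exe
DROP_PATH_RE = re.compile(r"sys[A-Za-z]{4}\.exe", re.IGNORECASE)


def normalise(script: str) -> str:
    """Undo simple obfuscations before matching: HTML entities, %xx and %uXXXX
    escapes, and JS string concatenation such as "ADO"+"DB.Stream"."""
    text = unescape(script)
    text = unquote(text)  # %41 -> A ; "%Temp%" is not valid hex and is left alone
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"[\"']\s*\+\s*[\"']", "", text)  # "MSX"+"ML2" -> "MSXML2"
    return text


def scan_html(doc: str) -> dict:
    """Report which suspicious ProgIDs appear and whether the fetch + stream
    write + sys<rnd>.exe drop pattern from the description is present."""
    text = normalise(doc)
    lowered = text.lower()
    progids = [p for p in SUSPICIOUS_PROGIDS if p.lower() in lowered]
    drop_paths = DROP_PATH_RE.findall(text)
    # The dropper pattern needs an HTTP fetch object, ADODB.Stream and the .exe name
    fetch = any(p != "ADODB.Stream" for p in progids)
    dropper = fetch and "ADODB.Stream" in progids and bool(drop_paths)
    return {"progids": progids, "drop_paths": drop_paths, "dropper_pattern": dropper}


# Constructed sample page mimicking the described dropper (not real malware)
SAMPLE = """<html><script>
var x = new ActiveXObject("MSX" + "ML2.XMLHTTP");
var s = new ActiveXObject("ADO"+"DB.Stream");
var name = "%Temp%\\\\sysgmde.exe";
</script></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

Real samples are packed far more heavily than this normaliser handles, so treat a clean result as inconclusive and a hit as a reason to look closer.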

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following file:
    c:\sys.exe
  3. Empty the current user's temporary folder:
    %Temp%\
  4. Install these updates:
    http://www.microsoft.com/technet/security/bulletin/ms06-057.mspx
    http://www.microsoft.com/technet/security/Bulletin/MS09-002.mspx
