Saturday, March 10, 2012

Exploit.HTML.CVE-2010-1885.a


Technical Details

This exploit program uses a vulnerability in Microsoft Windows Help and Support Center to execute itself on the user's computer. It is an HTML page containing JavaScript. Depending on the variant, the file size ranges from 544 to 24 110 bytes.

Payload

The malicious program exploits a vulnerability that arises from the incorrect handling of URL escape sequences in the function MPC::HexToNum in the Microsoft Windows Help and Support Center application (helpctr.exe) (MS10-042, CVE-2010-1885). After exploiting the vulnerability, the malicious user can run commands sent to the special protocol "hcp://". The Microsoft products MS Internet Explorer 8 and Windows Media Player 9 are vulnerable. The malware uses the ActiveX object "MSXML2.XMLHTTP" to download the file located at the following URL:
http://www.go***guys.com/zan/hcp.php?type=3&b=ff&o=xp
and saves it in the current user's temporary directory under the name:
%Temp%\N.vbs
The file is 2919 bytes in size.
Using the command line, the exploit launches the downloaded file and terminates the Microsoft Windows Help and Support Center and Windows Media Player processes:
helpctr.exe
wmplayer.exe
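
For triage of saved HTML/JavaScript files, the traits described above can be turned into a small static check. This is an added example, not code from the original write-up or from any vendor: the rule names, the two-indicator threshold and the sample documents are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Indicator strings come from the description above; rule names are made up here.
INDICATORS = {
    "hcp_url": re.compile(r"hcp://", re.I),
    "xmlhttp_activex": re.compile(r"MSXML2\.XMLHTTP", re.I),
    "vbs_in_temp": re.compile(r"%temp%\\[^\s\"'<>]*\.vbs", re.I),
    "helper_process_names": re.compile(r"\b(?:helpctr|wmplayer)\.exe\b", re.I),
}

# Constructed, inert samples: they carry the indicator strings only.
SAMPLE_SUSPECT = r'''<script>var u = "hc" + "p%3A//placeholder";
var x = new ActiveXObject("MSXML2.XMLHTTP"); var f = "%TEMP%\\N.vbs";</script>'''
SAMPLE_BENIGN = '<a href="hcp://placeholder">Open help</a>'

def normalize(text, max_rounds=3):
    """Undo HTML entities, percent-encoding and simple JS string concatenation."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(text))
        decoded = re.sub(r"""["']\s*\+\s*["']""", "", decoded)
        if decoded == text:
            break
        text = decoded
    return text

def scan(text):
    """Return the sorted names of the indicators found in the document."""
    norm = normalize(text)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(norm))

def verdict(text):
    """Return (suspicious, hits) for one HTML/JS document."""
    hits = scan(text)
    # Assumption: an hcp:// link alone may be an ordinary help link, so a
    # second indicator is required before the file is flagged.
    return ("hcp_url" in hits and len(hits) >= 2), hits

if __name__ == "__main__":
    for label, doc in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, verdict(doc))
```

The normalization step matters because the indicator strings are often split or encoded in the page source; matching on the raw text alone would miss the first sample.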

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
  2. Empty the current user's temporary folder:
    %Temp%\
  3. Install these updates:
    http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx
