News | Forum | Free Software | Online Scanners | Tutorials - HowTo
Been infected with spyware? Tell us about your problem.
For fast automatic spyware removal, try CounterSpy, SUPERAntiSpyware

BHO malware used IE vulnerability for install

BHO malware used IE vulnerability for install. Sans reported

There are several sites that have been compromised and now contain the exploit code. These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it. It is calc.exe that we want to focus on briefly.

This malware installs a dll that is used as a Browser Helper Object (BHO) and also runscopies itself to directory you see below as nm32.exe and runs as a process. The malware creates the following on install:

C:\WINNT\fyt\mn32.dll
C:\WINNT\fyt\nm32.exe
C:\WINNT\fyt\~ipcfg636
C:\WINNT\fyt\~start636
C:\WINNT\fyt\~tmp636
C:\WINNT\fyt\~view636

It also creates one called sub.txt when you surf the internet and records everything that it can about where you surf and do and any information.

Anyway, please keep your eyes and ears open for any new sites exploiting this vulnerability!

Don`t forget, you can block vulnerability, only disable Active Scripting support.

March 26, 2006 on 10:57 am | In Exploits & Vulnerabilities | |
Submit to: Digg | SlashDot | Del.icio.us

No Comments yet »

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

This is a captcha-picture. It is used to prevent mass-access by robots. (see: www.captcha.net)

You must read and type the 4 chars within 0..9 and A..F, and submit the form.

  

Oh no, I cannot read this. Please, generate a


MY ANTI SPYWARE Powered by WordPress with Pool theme design by Borja Fernandez.
Entries and comments feeds. Valid XHTML and CSS. ^Top^