
MyAntiSpyware


100 confirmed sites now using the IE vulnerability

Myantispyware team March 24, 2006    

100 confirmed sites now using the IE vulnerability, as reported on security lists by Dan Hubbard (alert) at WebSense and Joe Stewart at Lurhq.

These can be very nasty. SunBelt analysed one site – www(dot)textrum(dot)se (since shut down):
The exploit calls a file, updater.exe. The file is W32/Spybot (W32/Backdoor, Adware.NaviPromo.M).
Norman sandbox report:

Found Sandbox: W32/Backdoor;

[ General information ]

* Anti debug/emulation code present.
* Creating several executable files on hard-drive.
* File length: 46644 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.

[ Changes to registry ]
* Creates value “Windsupdate”=”Updater.exe” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”.
* Creates value “Windsupdate”=”Updater.exe” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.
* Modifies value “Dir0”=”012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles\” in key “HKCU\Software\Kazaa\LocalContent”.

[ Network services ]
* Connects to “kronkrak.servequake.com” on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser7.
* IRC: Uses username CurrentUser7.

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I’ll be back…).
* Attemps to open C:\WINDOWS\SYSTEM32\Updater.exe NULL.
* Enumerates running processes several parses….
* Creates a mutex coolbot1.c4.
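
As an added example (not part of the original post and not Norman's own tooling), the Python below turns lines copied from the report above into structured indicators and picks out the Run/RunOnce writes that let the sample survive a reboot. The function names and regular expressions are assumptions based only on the line format visible in this report.

```python
import re

# Normalise the typographic quotes used in the published report (and the
# double-prime some scraped copies contain) to plain ASCII quotes.
QUOTES = str.maketrans({"“": '"', "”": '"', "″": '"'})
PATTERNS = {
    "files": re.compile(r'^\* Creates (?:file|directory) (.+?)\.$'),
    "registry": re.compile(
        r'^\* (?:Creates|Modifies) value "([^"]+)"="([^"]*)" in key "([^"]+)"\.$'),
    "network": re.compile(r'^\* Connects to "([^"]+)" on port (\d+)'),
    "mutexes": re.compile(r'^\* Creates a mutex (.+?)\.$'),
}

def parse_report(text):
    """Return {category: [indicator, ...]} for the indicator lines in a report."""
    iocs = {name: [] for name in PATTERNS}
    for line in text.translate(QUOTES).splitlines():
        line = line.strip()
        for name, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                groups = m.groups()
                iocs[name].append(groups[0] if len(groups) == 1 else groups)
    return iocs

def autostart_entries(iocs):
    """Registry writes under Run / RunOnce keys, as (key, value, data)."""
    return [(key, value, data) for value, data, key in iocs["registry"]
            if key.lower().endswith(("\\run", "\\runonce"))]

# Lines copied from the report on this page.
REPORT = r"""
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.
* Creates value “Windsupdate”=”Updater.exe” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”.
* Creates value “Windsupdate”=”Updater.exe” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.
* Modifies value “Dir0”=”012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles\” in key “HKCU\Software\Kazaa\LocalContent”.
* Connects to “kronkrak.servequake.com” on port 6667 (IP).
* Connects to IRC server.
* Creates a mutex coolbot1.c4.
"""

if __name__ == "__main__":
    found = parse_report(REPORT)
    for key, value, data in autostart_entries(found):
        print(f"persistence: {key} -> {value}={data}")
    print("network:", found["network"], "mutexes:", found["mutexes"])
```

The Kazaa `Dir0` write is parsed as a registry indicator but is not an autostart entry, so it is excluded from `autostart_entries`.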

There is no patch available for this exploit. The only ways to avoid it are:
– turn off Active Scripting
– use a non-IE browser (although the latest version of IE 7, the March 20 beta 2 preview, is not affected).
Your standard protections should be in place — antivirus, firewall, antispyware.
