I thought you wanted to get rid of them, not write a thesis on them
JS/Exploit-BO.gen
Type: Trojan
SubType: Generic
Discovery Date: 01/05/2005
Length: Varies
Minimum DAT: 4417 (12/29/2004)
Updated DAT: 4811 (07/20/2006)
Minimum Engine: 4.4.00
Description Added: 12/29/2004
Description Modified: 04/01/2006 8:02 AM (PT)
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases: JS_WINDEXP.A (Trend), TrojanDownloader:Win32/Delf.DH (Microsoft)
Characteristics
-- Update March 31, 2006 --
Source code was released that produces more efficient exploit files. The 4732 DAT files contain enhanced Exploit-BO.gen detection to cover these exploits. Exploit-CreateTxtRng detection proactively covers these as well.
-- Update March 24, 2006 --
Exploit-CreateTxtRng detection was created for raw exploit code (this covers the pure DoS exploit that was previously not detected). Those exploits that attempt code execution will still be handled under JS/Exploit-BO.gen as noted below.
-- Update March 23, 2006 --
JS/Exploit-BO.gen detection is being updated to cover proof of concept code released today that exploits a recent 0-day vulnerability, Microsoft Internet Explorer "createTextRange()" Code Execution. This change will be represented in the 4726 DAT files and does not cover DoS versions of the exploit, only known code execution exploits.
Due to the fact that Internet Explorer (IE) executes scripts prior to writing them to disk (stored in IE's internal cache), McAfee VirusScan's ScriptScan (VSE8.0i feature) must be enabled to protect vulnerable clients that access an exploit from a malicious website. Files saved to disk prior to being opened by IE would be detected by the On Access Scanner. Email and gateway scanners would also protect by detecting recognized exploits prior to execution.
References:
http://www.cve.mitre...e=CVE-2006-1359
http://www.microsoft...ory/917077.mspx
http://www.kb.cert.org/vuls/id/876678
http://blogs.technet.../22/422849.aspx
-- Update December 1, 2005 --
The first known trojan to exploit the "Window()" remote code execution vulnerability was discovered recently (aka TrojanDownloader:Win32/Delf.DH). This threat was proactively detected as JS/Exploit-BO.gen with the 4633 DAT files or newer.
Microsoft has posted a security advisory on this vulnerability. For more information see: Microsoft Security Advisory (911302)
VirusScan Enterprise 8.0i / Managed VirusScan
Generic Buffer Overflow Protection protects against code execution that may result from exploiting this vulnerability.
Entercept's Generic Buffer Overflow Protection protects against code execution that may result from exploiting this vulnerability.
Updated signatures are available for Trimble release with http response support.
Updated signatures have been released.
-- Update November 21, 2005 --
This detection was modified to cover a 0-day "Window()" remote code execution exploit targeting Internet Explorer. The change is represented in the 4633 DAT release.
This is a non-specific, generic, detection of script code that intends to exploit various buffer overflow vulnerabilities (such as those that are known to exist in Microsoft Internet Explorer).
Due to the fact that Internet Explorer executes scripts prior to writing them to disk (stored in IE's internal cache), either McAfee VirusScan's ScriptScan must be enabled in order to block this exploit prior to execution or else Buffer Overflow protection must be enabled, which will also protect the system from the malicious effects of the script.
If both ScriptScan and Buffer Overflow Protection are disabled, the On Access Scanner will detect identifiable exploit code but not block execution.
This detection is generic enough to cover an unlimited number of threats that contain the exploit code, so it is not possible to describe specific symptoms or the system changes that a given sample may cause. Note also that seeing this detection does not mean any exploit code was actually run: the exploit code can only execute on a vulnerable system.
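The generic detection described above matches script code by its shape rather than by exact bytes. As an added example (not McAfee's DAT logic and not code from the original page), the following Python heuristic flags script text that combines a shellcode-like unescape("%u...") sled or a heap-spray growth loop with one of the two trigger calls this page names, createTextRange() and window(), and separates a trigger-only (crash/DoS) shape from a code-execution shape, which is the same split the page draws between the Exploit-CreateTxtRng and JS/Exploit-BO.gen detections. The regexes, the token threshold and the three sample inputs are constructed for illustration; the samples contain no working exploit.

```python
import re

# Heuristics assumed for this example; they are not McAfee's DAT logic.
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")
UNESCAPE_CALL = re.compile(r"\bunescape\s*\(", re.IGNORECASE)
# while (x.length < 0x40000) x += x;  -- the usual heap-spray growth loop
SPRAY_LOOP = re.compile(
    r"while\s*\(\s*\w+\.length\s*<\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)", re.IGNORECASE)
# The two trigger calls named on this page.
TRIGGERS = {
    "createTextRange": re.compile(r"\.createTextRange\s*\("),
    "window()": re.compile(r"\bwindow\s*\(\s*\)"),
}
MIN_SLED_TOKENS = 32  # assumed threshold: short %u runs occur in ordinary scripts


def scan_script(text: str) -> dict:
    """Classify script text by the shape of its content.

    exploit-code        payload (sled or spray) plus a known trigger call
    trigger-only        trigger call with no payload: the crash/DoS shape
    suspicious-payload  sled or spray with no recognised trigger
    clean               none of the above
    """
    escape_tokens = len(UNICODE_ESCAPE.findall(text))
    sled = escape_tokens >= MIN_SLED_TOKENS and bool(UNESCAPE_CALL.search(text))
    spray = bool(SPRAY_LOOP.search(text))
    triggers = [name for name, rx in TRIGGERS.items() if rx.search(text)]
    payload = sled or spray
    if payload and triggers:
        verdict = "exploit-code"
    elif triggers:
        verdict = "trigger-only"
    elif payload:
        verdict = "suspicious-payload"
    else:
        verdict = "clean"
    return {"verdict": verdict, "triggers": triggers,
            "escape_tokens": escape_tokens, "spray_loop": spray}


# Constructed samples (not real exploit code): each is only the *shape*
# a scanner would see, with no functioning shellcode.
SAMPLES = {
    # property test and a window.alert(): neither pattern is a call to a trigger
    "benign": ("<script>var ok = document.body.createTextRange ? 1 : 0;"
               " window.alert('hello');</script>"),
    # trigger call alone: the DoS shape
    "dos_shape": ("<input id=c>"
                  "<script>document.getElementById('c').createTextRange();</script>"),
    # %u sled, spray loop and trigger call together: the code-execution shape
    "rce_shape": ("<script>var sc = unescape(\"" + "%u0c0c" * 40 + "\");"
                  " var fill = unescape('%u0c0c');"
                  " while (fill.length < 0x40000) fill += fill;"
                  " document.getElementById('c').createTextRange();</script>"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} -> {scan_script(body)}")
```

The verdict names are arbitrary; what matters is that a crash-only page and a page carrying a payload end up in different buckets, since the page says the two were handled by different detections.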
Method of Infection
This threat could be delivered via an email message, or an infectious web page.
Removal Instructions
Use current engine and DAT files for detection. Delete any file which contains this detection.
Exploit-WMF
Type: Trojan
SubType: Exploit
Discovery Date: 12/27/2005
Length: Varies
Minimum DAT: 4661 (12/28/2005)
Updated DAT: 4770 (05/25/2006)
Minimum Engine: 4.4.00
Description Added: 12/27/2005
Description Modified: 01/05/2006 5:03 PM (PT)
Aliases: Bloodhound.Exploit.56 (Symantec), Exploit.WMF, PFV-Exploit
Characteristics
-- January 5, 2006 --
Microsoft has released a patch for the vulnerability attacked by Exploit-WMF, see: http://www.microsoft...n/MS06-001.mspx
-- January 3, 2006 --
Exploit-WMF detection was enhanced in today's DAT release, version 4666, to proactively protect against exploits that may use slightly different WMF properties. As always, McAfee AVERT urges customers to update to the latest DAT files.
To date, McAfee is aware of over 120,000 McAfee VirusScan Online customers who have reported detecting Exploit-WMF files attempting to execute on their systems.
A kit program was recently discovered which is believed to be responsible for the first wave of Exploit-WMF files. It is known as the WMFMaker trojan.
-- December 31, 2005 --
Source code for a tool that creates Exploit-WMF files has been posted to the web. This source creates malicious WMF files that exploit the vulnerability in a slightly different way than previous ones. While generic detection has existed since the discovery of Exploit-WMF, this new code requires the first adjustment to that detection in order to cover some exploits that may be created by this source code. The updated detection has been released in the 4664 DAT files.
-- Update 1 --
An email message containing an Exploit-WMF sample built from this new code has been spammed. The message appears as follows:
Subject: Happy New Year
Body: picture of 2006
Attachment: HappyNewYear.jpg (actually a WMF file with a .JPG extension)
The attachment causes a new BackDoor-CEP variant to be downloaded and run from www.ritztours.com.
-- Update 2 --
Due to the serious nature of the WMF vulnerability and recent discovery of new exploit code, the 4664 DAT files were released out of cycle to detect these new Exploit-WMF samples.
-- December 28, 2005 --
Microsoft has posted information on this vulnerability:
Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
http://www.microsoft...ory/912840.mspx
-- December 27, 2005 --
A 0-day vulnerability was discovered on December 27, 2005. Exploit-WMF files are currently being hosted on 2 known web sites. The exploit code attacks a vulnerability in the way Windows handles Windows Metafile (WMF) images, resulting in the execution of arbitrary code.
Known exploit files will be detected and blocked with the 4661 DAT files or newer.
The 2 known exploits download a trojan identified as Downloader-ASE with the 4660 DAT files, and Generic Downloader.q with the 4661 DAT files.
Symptoms
Vary. This detection covers WMF files attempting to exploit a Windows vulnerability. Successful exploitation results in arbitrary code execution, meaning that any number of events may subsequently take place on a compromised system.
Method of Infection
This threat is likely to be delivered when viewing a website hosting the malicious code.
Microsoft released a patch for the vulnerability targeted by this exploit. See: http://www.microsoft...n/MS06-001.mspx
McAfee DAT Files
The current DAT files contain detection of threats attempting to exploit this vulnerability.
McAfee Entercept blocks code execution as a result of the buffer overflow.
McAfee VirusScan Enterprise 8.0i / Managed VirusScan
McAfee VirusScan Enterprise 8.0i blocks code execution resulting from the buffer overflow if the malicious file is opened in Internet Explorer or Windows Explorer. Exploit files may instead be downloaded by Internet Explorer rather than rendered by it, and subsequently launched by other applications, bypassing VSE 8.0i/MVS buffer overflow protection in that scenario.