Exploits, Trojans, and Questions Oh My!


#1 granoladude (Member, 25 posts)
Hey there everyone. I've got a bit of a problem, but luckily nothing is serious YET. One of the few times I use Internet Explorer was today, otherwise I use Mozilla Firefox as my main browser. Anyway, McAfee brings up their Trojan Alert window at the bottom right hand side of my screen alerting me to a trojan on my computer. I copied down the information on it so that I could go back later and investigate (you can't actually shrink these "More Information Windows", they tend to stay right on top of everything as I tried to get information on these files). Anyway, the two trojans were Exploit-WMF and JS/Exploit-BO.gen. I copied down their file names and locations so that I could attempt to find them later. Anyway, McAfee also alerted me to the fact that these files could not be deleted, cleaned, or quarantined due to the fact that there may be some user agreement or something and to try again. I did a search on my computer for the actual file names, but nothing turned up. I then proceeded to dump my cookies, temporary files (and the offline ones too), and cleared my history on Internet Explorer; wipe the slate clean hoping these files went with it.

A bit of good news though, McAfee was able to find two other trojans and was able to clean and delete them, so whatever is on my computer doesn't seem to be having a big effect. I feel like the eerie music in the horror movie is starting to play... The innocent computer user thinks that nothing is wrong, and then... AURORA AGAIN!!! :whistling: I just don't want something like the Aurora spyware program or a similar problem to arise out of this seemingly trivial trojan. Any help would be great about the seriousness of the problem and any way to rid my computer of these items. Thanks a bunch!

PS: I'm running Windows XP (Service Pack 1)

#2 Retired Tech (Retired Staff, 20,563 posts)
Please follow the procedures outlined here: Malware Removal Guide

You will need a PC which can connect to the internet

Run all the programmes as advised then post a current Hijack This Log in a new topic in the Malware Forum

For the purpose of accurate malware analysis, Hijack This Logs are only dealt with in the Malware Forum. Posting them anywhere else will result in a delayed response

If you are unable to run any of the programmes, please ask for advice in the Malware Forum

#3 granoladude (Topic Starter, Member, 25 posts)
before I download all of these programs though, I am just kind of looking for information on these two items... I just did an Ad-Aware scan which turned up nothing, so I'm thinking whatever these items were, are gone now... Anyone else know anything about these two trojans? Thanks!

#4 Retired Tech (Retired Staff, 20,563 posts)
I thought you wanted to get rid of them, not write a thesis on them :whistling:

JS/Exploit-BO.gen
Type: Trojan
SubType: Generic
Discovery Date: 01/05/2005
Length: Varies
Minimum DAT: 4417 (12/29/2004)
Updated DAT: 4811 (07/20/2006)
Minimum Engine: 4.4.00
Description Added: 12/29/2004
Description Modified: 04/01/2006 8:02 AM (PT)

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases
JS_WINDEXP.A (Trend)
TrojanDownloader:Win32/Delf.DH (Microsoft)

Characteristics
-- Update March 31, 2006 --
Source code was released that produces more efficient exploit files. The 4732 DAT files contain enhanced Exploit-BO.gen detection to cover these exploits. Exploit-CreateTxtRng detection proactively covers these.
--

-- Update March 24, 2006 --
Exploit-CreateTxtRng detection was created for raw exploit code (this covers the pure DoS exploit that was previously not detected). Those exploits that attempt code execution will still be handled under JS/Exploit-BO.gen as noted below.
--

-- Update March 23, 2006 --
JS/Exploit-BO.gen detection is being updated to cover proof of concept code released today that exploits a recent 0-day vulnerability, Microsoft Internet Explorer "createTextRange()" Code Execution. This change will be represented in the 4726 DAT files and does not cover DoS versions of the exploit, only known code execution exploits.

Due to the fact that Internet Explorer (IE) executes scripts prior to writing them to disk (stored in IE's internal cache), McAfee VirusScan's ScriptScan (VSE8.0i feature) must be enabled to protect vulnerable clients that access an exploit from a malicious website. Files saved to disk prior to being opened by IE would be detected by the On Access Scanner. Email and gateway scanners would also protect by detecting recognized exploits prior to execution.

References:
http://www.cve.mitre...e=CVE-2006-1359
http://www.microsoft...ory/917077.mspx
http://www.kb.cert.org/vuls/id/876678
http://blogs.technet.../22/422849.aspx
--

-- Update December 1, 2005 --
The first known trojan to exploit the "Window()" remote code execution vulnerability was discovered recently (aka TrojanDownloader:Win32/Delf.DH). This threat was proactively detected as JS/Exploit-BO.gen with the 4633 DAT files or newer.

Microsoft has posted a security advisory on this vulnerability. For more information see: Microsoft Security Advisory (911302)

VirusScan Enterprise 8.0i / Managed VirusScan
Generic Buffer Overflow Protection protects against code execution that may result from exploiting this vulnerability.

McAfee Entercept
Entercept's Generic Buffer Overflow Protection protects against code execution that may result from exploiting this vulnerability.

McAfee IntruShield
Updated signatures are available for Trimble release with http response support.

McAfee Foundstone
Updated signatures have been released.

-- Update November 21, 2005 --
This detection was modified to cover a 0-day "Window()" remote code execution exploit targeting Internet Explorer. The change is represented in the 4633 DAT release.

This is a non-specific, generic, detection of script code that intends to exploit various buffer overflow vulnerabilities (such as those that are known to exist in Microsoft Internet Explorer).

Due to the fact that Internet Explorer executes scripts prior to writing them to disk (stored in IE's internal cache), either McAfee VirusScan's ScriptScan must be enabled in order to block this exploit prior to execution or else Buffer Overflow protection must be enabled, which will also protect the system from the malicious effects of the script.

If both ScriptScan and Buffer Overflow Protection are disabled, the On Access Scanner will detect identifiable exploit code but not block execution.

Symptoms

This detection is sufficiently generic, such that it can cover an endless number of threats that contain the exploit code. Therefore, it is not possible to describe specific symptoms or details about system changes that can occur from this threat. However, simply seeing this detection does not mean that any exploit code was run at all, as such exploit code could only run on a vulnerable system.
Method of Infection
This threat could be delivered via an email message, or an infectious web page.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
N/A

Exploit-WMF
Type: Trojan
SubType: Exploit
Discovery Date: 12/27/2005
Length: Varies
Minimum DAT: 4661 (12/28/2005)
Updated DAT: 4770 (05/25/2006)
Minimum Engine: 4.4.00
Description Added: 12/27/2005
Description Modified: 01/05/2006 5:03 PM (PT)

Aliases
Bloodhound.Exploit.56 (Symantec)
Exploit.WMF
PFV-Exploit

Characteristics
-- January 5, 2006 --
Microsoft has released a patch for the vulnerability attacked by Exploit-WMF, see: http://www.microsoft...n/MS06-001.mspx

-- January 3, 2006 --
Exploit-WMF detection was enhanced in today's DAT release, version 4666, to proactively protect against exploits that may use slightly different WMF properties. As always, McAfee AVERT urges customers to update to the latest DAT files.

To date, McAfee is aware of over 120,000 McAfee VirusScan Online customers who have reported detecting Exploit-WMF files attempting to execute on their systems.

A kit program was recently discovered, which is believed to be responsible for the first wave of Exploit-WMF files. It's known as the WMFMaker trojan.

-- December 31, 2005 --
Source code for a tool that creates Exploit-WMF files has been posted to the web. This source creates malicious WMF files that exploit the vulnerability in a slightly different way than previous ones. While generic detection has existed since the discovery of Exploit-WMF, this new code requires the first adjustment to that detection in order to cover some exploits that may be created by this source code. The updated detection has been released in the 4664 DAT files.

-- Update 1 --
An email message containing an Exploit-WMF sample built from this new code has been spammed. The message appears as follows:

Subject: Happy New Year
Body: picture of 2006
Attachment: HappyNewYear.jpg (actually a WMF file with a .JPG extension)

The attachment causes a new BackDoor-CEP variant to be downloaded and run from www.ritztours.com.

-- Update 2 --
Due to the serious nature of the WMF vulnerability and recent discovery of new exploit code, the 4664 DAT files were released out of cycle to detect these new Exploit-WMF samples.

-- December 28, 2005 --
Microsoft has posted information on this vulnerability:

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

http://www.microsoft...ory/912840.mspx

-- December 27, 2005 --
A 0-day vulnerability was discovered on December 27, 2005. Exploit WMF files are currently being hosted on 2 known web sites. The exploit code attacks a vulnerability in the way in which Windows handles Windows Meta Files resulting in the execution of arbitrary code.

Known exploit files will be detected and blocked with the 4661 DAT files or newer.

The 2 known exploits download a trojan identified as Downloader-ASE with the 4660 DAT files, and Generic Downloader.q with the 4661 DAT files.

Symptoms
Vary. This detection covers WMF files attempting to exploit a Windows vulnerability. This can result in arbitrary code execution; meaning that any number of events may subsequently take place on a compromised system.

Method of Infection
This threat is likely to be delivered when viewing a website hosting the malicious code.

Removal
Microsoft released a patch for the vulnerability targeted by this exploit. See: http://www.microsoft...n/MS06-001.mspx

McAfee DAT Files
The current DAT files contain detection of threats attempting to exploit this vulnerability.

McAfee Entercept
McAfee Entercept blocks code execution as a result of the buffer overflow.

McAfee VirusScan Enterprise 8.0i / Managed VirusScan
McAfee VirusScan Enterprise 8.0i blocks code execution as a result of the buffer overflow if the malicious file is opened in Internet Explorer or Windows Explorer. Exploit files may be downloaded by Internet Explorer, rather than being rendered by IE, and subsequently launched by internal applications, thus bypassing VSE8.0i/MVS buffer overflow protection in this scenario.

Variants
N/A
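The spammed attachment described above is a WMF file renamed to .jpg, so the extension alone says nothing about what the bytes are. As an added example (not from this thread and not McAfee's code), here is the defender-side check a mail gateway or scanner can apply: classify the attachment by its leading bytes and flag any WMF content arriving under a non-WMF name. The sample headers are constructed for the demonstration; the placeable-WMF key and META_HEADER field layout follow the public WMF file format.

```python
import struct

# Constructed sample inputs (headers only, not real malware): a placeable WMF,
# a standard WMF and a JPEG, each padded so they look like tiny files.
SAMPLE_PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a" + bytes(18)
SAMPLE_STANDARD_WMF = b"\x01\x00\x09\x00\x00\x03" + bytes(12)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

JPEG_MAGIC = b"\xff\xd8\xff"
WMF_PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # key 0x9AC6CDD7 stored little-endian

# What each extension claims the content is; anything else counts as unknown.
CLAIMED_BY_EXTENSION = {"jpg": "jpeg", "jpeg": "jpeg", "wmf": "wmf"}


def sniff_image_type(data: bytes) -> str:
    """Classify by leading bytes only; the file name is deliberately ignored."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(WMF_PLACEABLE_MAGIC):
        return "wmf"
    if len(data) >= 6:
        # Standard META_HEADER: Type (1 = memory, 2 = disk), HeaderSize (9 words),
        # Version (0x0100 or 0x0300); all three are little-endian 16-bit fields.
        meta_type, header_size, version = struct.unpack("<HHH", data[:6])
        if meta_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def assess_attachment(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes actually are."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    claimed = CLAIMED_BY_EXTENSION.get(ext, "unknown")
    actual = sniff_image_type(data)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        # WMF content behind any non-.wmf name is exactly the disguise used above.
        "disguised_wmf": actual == "wmf" and claimed != "wmf",
    }


def flag_attachments(attachments) -> list:
    """Return the names of (name, bytes) pairs that hide WMF content under another extension."""
    return [name for name, data in attachments if assess_attachment(name, data)["disguised_wmf"]]


if __name__ == "__main__":
    mail = [("HappyNewYear.jpg", SAMPLE_PLACEABLE_WMF), ("photo.jpg", SAMPLE_JPEG),
            ("chart.wmf", SAMPLE_STANDARD_WMF)]
    print(flag_attachments(mail))  # ['HappyNewYear.jpg']
```

The check complements, rather than replaces, signature detection: it catches the renaming trick regardless of which exploit variant the WMF body carries, but says nothing about whether the WMF is malicious.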

#5 granoladude (Topic Starter, Member, 25 posts)

I thought you wanted to get rid of them, not write a thesis on them :)

:blink:

thanks a bunch for the info... now I can move ahead with removal and stuff :help: I just don't know if i need to though, for instance: if these files were on my computer, wouldn't they show up in a regular ol' computer search? This was the case with Aurora and the nail.exe. I mean, don't get me wrong, I am very thankful for all the resources you've researched for me, I just don't know if they are necessary. I guess the big thing is, are they even still on my computer anymore? :whistling:

thanks again

#6 Retired Tech (Retired Staff, 20,563 posts)
When some prawn with nothing better to do than turn other people's PCs sets about releasing something, an aim is to make it undetectable, so I wouldn't put too much store by freebies finding everything

Once you reach the part where you submit the HJT Log in the malware forum you get a reply to say, nothing found, or you have this on your PC

It is optional, as is the priority you place on it, however, even if you run through it in stages, the advice has to be, check for malware if you have any doubts

#7 granoladude (Topic Starter, Member, 25 posts)
alrighty - thanks for the tips... I went ahead and got a HiJackThis log and posted it in the Malware forum. Do you think anyone will be able to identify such a vague problem? :whistling:

#8 Retired Tech (Retired Staff, 20,563 posts)
If there is anything unwanted in the log, the Malware Team will find it

#9 granoladude (Topic Starter, Member, 25 posts)
okay excellent - thanks for your help... Now if no one responds for a bit, should I just sit tight and give it some time, or if there are no responses does that possibly mean everything is okay? Thanks again for all of your help Keith!

#10 Retired Tech (Retired Staff, 20,563 posts)
It can take a while, but you will get a reply

#11 granoladude (Topic Starter, Member, 25 posts)
excellent :whistling: Thanks so much!

#12 granoladude (Topic Starter, Member, 25 posts)
The patch which covers the WMF exploit was downloaded successfully, but it recommended that I back up my computer before installing the patch. Correct me if I'm wrong, but isn't the patch supposed to clean up my computer rather than force me to revert back to a now possibly corrupt system set!? :whistling: Do you guys regularly back up your files and if so, should I do so before installing this patch?

#13 Retired Tech (Retired Staff, 20,563 posts)
Where was the patch downloaded from?

#14 granoladude (Topic Starter, Member, 25 posts)
the official Microsoft website.. I'm still on pause waiting for an analysis of the HJT log, so all this may not be necessary, but it would still be useful to know about how to handle these patches. Thanks!

#15 Retired Tech (Retired Staff, 20,563 posts)
Does it say, close any programmes and back up data you are working with, not back up the computer?