Exploit.JS.CVE-2010-1885.h
| Detected | Mar 16 2011 12:54 GMT |
| Released | Mar 16 2011 17:48 GMT |
| Published | Apr 05 2011 12:14 GMT |
This exploit program uses a vulnerability in Microsoft Windows Help and Support Center (together with the other vulnerabilities described below) to execute malicious code on the user's computer. It is an HTML document containing JavaScript. It is 103 972 bytes in size.
Once launched, the malware attempts to load a malicious Java applet in the user's browser from the following link:
http://<domain_name_of_infected_server>/games/plugins.jar
At the time of writing, this link was inactive.
The following class file is specified as the applet's main class:
powerColor.p3.class
A parameter called "biint" is passed to the applet as an argument. It has the following value:
rOOSqttzS1eEk-E3zt?ESrSIWA&nU-An
This parameter is an encrypted link from which the malicious applet downloads the malware.
The malware uses JavaScript routines to decrypt its obfuscated code. The exploit program then uses ActiveX objects with the following CLSIDs:
{BD96C556-65A3-11D0-983A-00C04FC29E30}
{BD96C556-65A3-11D0-983A-00C04FC29E36}
{AB9BCEDD-EC7E-47E1-9322-D4A210617116}
{0006F033-0000-0000-C000-000000000046}
{0006F03A-0000-0000-C000-000000000046}
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
{6414512B-B978-451D-A0D8-FCFDF33E833C}
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
{06723E09-F4C2-43C8-8358-09FCD1DB0766}
{639F725F-1B2D-4831-A9FD-874847682010}
{BA018599-1DB3-44F9-83B4-461454C84BF8}
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
{E8CCCDDF-CA28-496B-B050-6C07C962476B}
It also exploits a vulnerability in the MDAC "RDS.DataSpace" ActiveX control (CVE-2006-0003, MS06-014), which lets it instantiate the "MSXML2.XMLHTTP", "Microsoft.XMLHTTP" and "MSXML2.ServerXMLHTTP" components and attempt to download a file from the following link:
http://gzn***o.cc/d.php?f=19&e=0
It uses the "ADODB.Stream" ActiveX object to save this file under the following name:
%Temp%\mxmt.exe
This file is 537 600 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Zbot.bfxb.
The downloaded file is then launched. At the time of writing, this link was inactive.
The Trojan exploits a vulnerability in the Java Deployment Toolkit (JDT) that arises from incorrect handling of URLs (CVE-2010-0886). This allows the malicious user to pass arbitrary parameters to Java Web Start (JWS). The malicious user generates a specially crafted link and passes it as the parameter of the vulnerable "launch()" method. In this way the malware, disguised as a video file on the following network share:
\\91.217.162.19\pub\new.avi
is loaded by Java Web Start; it then downloads and launches the malicious file from the following link:
http://gzn***o.cc/d.php?f=19&e=1
The Trojan uses ActiveX objects with the following CLSIDs to run its malicious script in MS Internet Explorer:
{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}
{8AD9C840-044E-11D1-B3E9-00805F499D93}
To execute its script in Mozilla Firefox and other NPAPI browsers, the Trojan checks for the following MIME types:
application/npruntime-scriptable-plugin;deploymenttoolkit
application/java-deployment-toolkit
The malware then executes, in a hidden frame, a script that exploits a vulnerability in MS Windows Help and Support Center. The vulnerability arises from incorrect handling of URL escape sequences in the function "MPC::HexToNum" of the Windows Help and Support Center application (helpctr.exe) (MS10-042, CVE-2010-1885). By exploiting it, the malicious user can execute commands delivered through a specially crafted "hcp://" URL. Systems with MS Internet Explorer 8 and Windows Media Player 9 are affected. With a specially crafted request the malware then creates a VBS script:
%Temp%\l.vbs
It then launches this script. The exploit program uses the command line to terminate the Windows Help and Support Center process:
helpctr.exe
Once launched, the VBS script uses the "MSXML2.XMLHTTP" ActiveX object to download a file from the following link:
http://gzn***o.cc/games/hcp_vbs.php?f=19
and saves it in the current user's temporary files directory under the name:
%Temp%\l.vbs
At the time of writing, this link was inactive.
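As an added illustration (not code from the original description, and not the helpctr.exe routine itself), the following Node.js snippet shows the class of bug named above: a hex-digit helper that reports failure by returning -1, and an unescape routine that folds that return value into its output instead of rejecting the malformed sequence. The whitelist logic of Help and Support Center is not reproduced; the two decoders, the sample inputs and the function names are constructed for the demonstration.

```javascript
// Added illustration of the bug class (an unchecked hex-digit conversion during
// URL unescaping). This is NOT helpctr.exe's MPC::HexToNum or its caller.

// Converts one character to its hex value; returns -1 for a non-hex character.
function hexToNum(ch) {
  const c = ch.charCodeAt(0);
  if (c >= 0x30 && c <= 0x39) return c - 0x30;        // '0'..'9'
  if (c >= 0x41 && c <= 0x46) return c - 0x41 + 10;   // 'A'..'F'
  if (c >= 0x61 && c <= 0x66) return c - 0x61 + 10;   // 'a'..'f'
  return -1;
}

// Flawed decoder: consumes '%' plus the next two characters and combines the
// two conversions without checking for -1. A malformed escape such as "%A%"
// therefore yields 10 * 16 + (-1) = 159, a byte no validator reasoned about.
function unescapeLenient(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] === '%' && i + 2 < s.length) {
      const code = hexToNum(s[i + 1]) * 16 + hexToNum(s[i + 2]);
      out += String.fromCharCode(code);
      i += 2;
    } else {
      out += s[i];
    }
  }
  return out;
}

// Hardened decoder: every '%' must be followed by exactly two hex digits.
// Anything else is a malformed URL and is rejected outright (null) rather than
// "repaired" into bytes that a later whitelist or path check never saw.
function unescapeStrict(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== '%') { out += s[i]; continue; }
    if (i + 2 >= s.length) return null;
    const hi = hexToNum(s[i + 1]);
    const lo = hexToNum(s[i + 2]);
    if (hi < 0 || lo < 0) return null;
    out += String.fromCharCode(hi * 16 + lo);
    i += 2;
  }
  return out;
}

// Runs both decoders on one input and returns the char codes each produced,
// so the divergence on malformed escapes is visible.
function compareDecoders(input) {
  const lenient = unescapeLenient(input);
  const strict = unescapeStrict(input);
  return {
    lenient: Array.from(lenient, (ch) => ch.charCodeAt(0)),
    strict: strict === null ? null : Array.from(strict, (ch) => ch.charCodeAt(0)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed inputs: a canonical escape and the malformed "%A%" pattern.
  console.log(compareDecoders('%41'));      // both decoders agree: [65]
  console.log(compareDecoders('a%A%%A%b')); // lenient: [97,159,159,98], strict: null
}
```

The point for a validator is the second call: the lenient decoder and a strict consumer disagree about what the URL contains, so any whitelist applied to one form does not constrain the other. Rejecting malformed escapes before any comparison removes that gap.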
The malware then enumerates the plugins installed in the browser and checks for the Adobe Reader and Adobe Acrobat ActiveX objects. To run its malicious script in MS Internet Explorer, the Trojan uses the ActiveX object with the following CLSID:
{CA8A9780-280D-11CF-A24D-444553540000}
To execute its script in Mozilla Firefox and other NPAPI browsers, the Trojan checks for the following MIME types:
application/vnd.adobe.pdfxml
application/vnd.adobe.x-mars
Then, depending on the PDF reader version, it opens malicious PDF documents from one of the following links:
http://<domain_name_of_infected_server>/games/pdf.php?f=19
http://<domain_name_of_infected_server>/games/pdf2.php?f=16
Adobe Reader 8.0.0 and earlier, as well as all Adobe Reader versions up to 9.3.1, are vulnerable.
This malware also exploits a vulnerability in Microsoft Internet Explorer caused by a use-after-free error in the "Peer Objects" component (iepeers.dll) during processing of the PersistUserData::setAttribute() method (CVE-2010-0806, MS10-018). The exploit tries to download a file from the following link:
http://gzn***o.cc/d.php?f=19&e=5
and save it in the browser's temporary files directory under the name:
%Temporary Internet Files%\d<tmp>.php
where <tmp> is the serial number of the temporary file. The downloaded file is then launched. The Trojan then opens the following page in the browser:
http://pillrx***orechains.net/?cid=ntinst
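The CLSIDs, ActiveX object names, MIME-type probes and "hcp://" scheme listed in this description are usable as static indicators. As an added example that is not part of the Kaspersky description, the Node.js scanner below flags them in a decoded HTML/JavaScript document and gives a rough triage verdict. The indicator table is built only from values named on this page; the sample document, the verdict thresholds and the function names are constructed for the demonstration.

```javascript
// Added example, not code from the description: a scanner for the static
// indicators this page lists. Run it on the decoded layer of a suspected kit.
const INDICATORS = [
  { name: 'MDAC RDS.DataSpace CLSID (CVE-2006-0003)',
    re: /BD96C556-65A3-11D0-983A-00C04FC29E3[06]/i },
  { name: 'Java Deployment Toolkit CLSID',
    re: /CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA/i },
  { name: 'Java Plug-in CLSID',
    re: /8AD9C840-044E-11D1-B3E9-00805F499D93/i },
  { name: 'Adobe Reader/Acrobat CLSID',
    re: /CA8A9780-280D-11CF-A24D-444553540000/i },
  { name: 'Java Deployment Toolkit MIME-type probe',
    re: /application\/(?:npruntime-scriptable-plugin;deploymenttoolkit|java-deployment-toolkit)/i },
  { name: 'Adobe Reader MIME-type probe',
    re: /application\/vnd\.adobe\.(?:pdfxml|x-mars)/i },
  { name: 'XMLHTTP download object',
    re: /(?:MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP)/i },
  { name: 'ADODB.Stream file write',
    re: /ADODB\.Stream/i },
  { name: 'hcp:// URL (CVE-2010-1885)',
    re: /hcp:\/\//i },
];

// Returns the names of all indicators present in `text`, in table order.
function scanDocument(text) {
  return INDICATORS.filter((ind) => ind.re.test(text)).map((ind) => ind.name);
}

// Constructed triage rule: a single indicator is common on legitimate pages
// (sites do probe for the Java plug-in), so a verdict needs either the
// download-and-write pair or an exploit-specific marker.
function classify(text) {
  const hits = new Set(scanDocument(text));
  const loader = hits.has('XMLHTTP download object') && hits.has('ADODB.Stream file write');
  const exploitMarker = hits.has('MDAC RDS.DataSpace CLSID (CVE-2006-0003)')
    || hits.has('hcp:// URL (CVE-2010-1885)');
  if (loader && exploitMarker) return 'malicious';
  if (loader || exploitMarker || hits.size >= 2) return 'suspicious';
  return 'clean';
}

// Constructed sample imitating the decoded layer of a kit like the one
// described; it is not the real exploit's code.
const SAMPLE_KIT_FRAGMENT = [
  '<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" id="rds"></object>',
  '<script>',
  '  var dl = rds.CreateObject("MSXML2.XMLHTTP", "");',
  '  var st = rds.CreateObject("ADODB.Stream", "");',
  '  if (navigator.mimeTypes["application/java-deployment-toolkit"]) { jdt = true; }',
  '</script>',
  '<iframe src="hcp://services/search?query=x" style="display:none"></iframe>',
].join('\n');

const SAMPLE_BENIGN =
  '<html><body><p>Hello</p><script>document.title = "Hello";</script></body></html>';

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node scan.js [file]; without a file the constructed sample is scanned.
  const target = process.argv[2];
  const text = target ? require('fs').readFileSync(target, 'utf8') : SAMPLE_KIT_FRAGMENT;
  console.log(scanDocument(text), classify(text));
}
```

Because the description says the kit decrypts its obfuscated code with JavaScript at run time, the raw file as served will not contain these strings in the clear; run the scanner on a deobfuscated dump or on the DOM captured from an instrumented browser after the decryption stage has executed.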
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
Delete the following files:
%Temp%\mxmt.exe
%Temp%\l.vbs
Clear the browser's temporary files directory:
%Temporary Internet Files%
[MD5: 9010667cc79db8557e04c90c337c2c0d]
[SHA1: 7d3801de560f4200383632eab1c5dd1327d1fa7a]
Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.
Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.
Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.