
Exploit.JS.CVE-2010-1885.h

Detected Mar 16 2011 12:54 GMT
Released Mar 16 2011 17:48 GMT
Published Apr 05 2011 12:14 GMT


Technical Details

This exploit uses a vulnerability in Microsoft Windows Help and Support Center to execute itself on the user's computer. It is an HTML document containing JavaScript. It is 103 972 bytes in size.


Payload

Once launched, the malware attempts to load a malicious Java applet in the user's browser from the following link:

http://<domain_name_of_infected_server>/games/plugins.jar
At the time of writing, this link was inactive.

The following class file is specified as the applet's main class:

powerColor.p3.class
A parameter named "biint" is passed to the applet as an argument. It has the following value:
rOOSqttzS1eEk-E3zt?ESrSIWA&nU-An
This parameter is an encrypted link from which the malicious applet downloads the malware.

The malware uses JavaScript routines to decrypt its obfuscated code. The exploit then instantiates ActiveX objects with the following class identifiers (CLSIDs):

{BD96C556-65A3-11D0-983A-00C04FC29E30}
{BD96C556-65A3-11D0-983A-00C04FC29E36}
{AB9BCEDD-EC7E-47E1-9322-D4A210617116}
{0006F033-0000-0000-C000-000000000046}
{0006F03A-0000-0000-C000-000000000046}
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
{6414512B-B978-451D-A0D8-FCFDF33E833C}
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
{06723E09-F4C2-43C8-8358-09FCD1DB0766}
{639F725F-1B2D-4831-A9FD-874847682010}
{BA018599-1DB3-44F9-83B4-461454C84BF8}
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
{E8CCCDDF-CA28-496B-B050-6C07C962476B}
It also exploits a vulnerability in the "MSXML2.XMLHTTP", "Microsoft.XMLHTTP" and "MSXML2.ServerXMLHTTP" ActiveX components (CVE-2006-0003), and attempts to download a file from the following link:
http://gzn***o.cc/d.php?f=19&e=0
It uses the "ADODB.Stream" ActiveX object to save this file under the following name:
%Temp%\mxmt.exe
This file is 537 600 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Zbot.bfxb.

The downloaded file is then launched. At the time of writing, this link was inactive.

The Trojan also exploits a vulnerability in the Java Deployment Toolkit (JDT) caused by incorrect handling of URLs. It allows the malicious user to pass arbitrary parameters to Java Web Start (JWS). The malicious user generates a specially crafted link and passes it as the parameter of the vulnerable "launch()" function. In this way the malware, disguised as a file, is placed on the following network resource:

\\91.217.162.19\pub\new.avi
It then downloads and launches the malicious file from the following link:
http://gzn***o.cc/d.php?f=19&e=1
The Trojan uses ActiveX objects with the following CLSIDs to run its malicious script in MS Internet Explorer:
{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}
{8AD9C840-044E-11D1-B3E9-00805F499D93}
To execute its script in Mozilla Firefox and other NPAPI browsers, the Trojan checks for the following MIME types:
application/npruntime-scriptable-plugin;deploymenttoolkit
application/java-deployment-toolkit
The malware then executes, in a hidden frame, a script that exploits a vulnerability in MS Windows Help and Support Center. The vulnerability arises from incorrect handling of URL escape sequences in the function "MPC::HexToNum" of the Microsoft Windows Help and Support Center application (helpctr.exe) (MS10-042, CVE-2010-1885). After exploiting it, the malicious user can execute commands delivered through a specially crafted "hcp://" URL. The Microsoft products MS Internet Explorer 8 and Windows Media Player 9 are vulnerable. Using a specially crafted request, the malware then creates a VBS script:
%Temp%\l.vbs
It then launches this script. The exploit uses the command line to terminate the Microsoft Windows Help and Support Center process:
helpctr.exe
Once the VBS script is launched, the malware uses the "MSXML2.XMLHTTP" ActiveX object to download a file located at the following link:
http://gzn***o.cc/games/hcp_vbs.php?f=19
and saves it in the current user's temporary files directory under the following name:
%Temp%\l.vbs
At the time of writing, this link was inactive.

The malware then enumerates the plugins installed in the browser and the Adobe Reader and Adobe Acrobat ActiveX objects. The Trojan uses the ActiveX object with the following CLSID to run its malicious script in MS Internet Explorer:

{CA8A9780-280D-11CF-A24D-444553540000}
To execute its script in Mozilla Firefox and other NPAPI browsers, the Trojan checks for the following MIME types:
application/vnd.adobe.pdfxml
application/vnd.adobe.x-mars
Then, depending on the PDF reader version, it opens malicious PDF documents from one of the following links:
http://<domain_name_of_infected_server>/games/pdf.php?f=19
http://<domain_name_of_infected_server>/games/pdf2.php?f=16
Adobe Reader 8.0.0 and earlier versions as well as all Adobe Reader versions up to 9.3.1 are vulnerable.

This malware also exploits a vulnerability in Microsoft Internet Explorer caused by a use-after-free error in the "Peer Objects" component in "iepeers.dll" during incorrect processing of the PersistUserData::setAttribute() method (CVE-2010-0806). The exploit then tries to download a file from the following link:

http://gzn***o.cc/d.php?f=19&e=5
and save it in the browser's temporary files directory under the following name:
%Temporary Internet Files%\d<tmp>.php
where <tmp> is the sequence number of the temporary file. The downloaded file is then launched. The Trojan then opens the following page in the browser:
http://pillrx***orechains.net/?cid=ntinst
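As an added example (not part of Kaspersky's description or tooling), the following Python script scans a saved copy of a landing page for the indicators listed above: the CLSIDs, the NPAPI MIME types, the ActiveX object names, "hcp://" URLs that carry escape sequences, and the d.php?f=...&e=... download-URL shape. The sample page embedded at the bottom is constructed for the example and contains no exploit code; the group labels and the triage thresholds are the example's own assumptions.

```python
"""Static triage of a saved HTML/JavaScript page against the indicators
from the Exploit.JS.CVE-2010-1885.h description (added example)."""
import re
from collections import defaultdict

# CLSIDs from the description, grouped the way the description groups them.
CLSID_GROUPS = {
    "activex-download-chain": {
        "BD96C556-65A3-11D0-983A-00C04FC29E30", "BD96C556-65A3-11D0-983A-00C04FC29E36",
        "AB9BCEDD-EC7E-47E1-9322-D4A210617116", "0006F033-0000-0000-C000-000000000046",
        "0006F03A-0000-0000-C000-000000000046", "6E32070A-766D-4EE6-879C-DC1FA91D2FC3",
        "6414512B-B978-451D-A0D8-FCFDF33E833C", "7F5B7F63-F06F-4331-8A26-339E03C0AE3D",
        "06723E09-F4C2-43C8-8358-09FCD1DB0766", "639F725F-1B2D-4831-A9FD-874847682010",
        "BA018599-1DB3-44F9-83B4-461454C84BF8", "D0C07D56-7C69-43F1-B4A0-25F5A11FAB19",
        "E8CCCDDF-CA28-496B-B050-6C07C962476B",
    },
    "java-deployment-toolkit": {
        "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA", "8AD9C840-044E-11D1-B3E9-00805F499D93",
    },
    "adobe-reader": {"CA8A9780-280D-11CF-A24D-444553540000"},
}

# NPAPI MIME types the page probes for (lower-case, matched against lower-cased input).
MIME_TYPES = {
    "application/npruntime-scriptable-plugin;deploymenttoolkit": "java-deployment-toolkit",
    "application/java-deployment-toolkit": "java-deployment-toolkit",
    "application/vnd.adobe.pdfxml": "adobe-reader",
    "application/vnd.adobe.x-mars": "adobe-reader",
}

# ActiveX progIDs and other literal strings named in the description.
STRINGS = {
    "ADODB.Stream": "file-write-activex",
    "MSXML2.XMLHTTP": "xmlhttp-activex",
    "Microsoft.XMLHTTP": "xmlhttp-activex",
    "MSXML2.ServerXMLHTTP": "xmlhttp-activex",
    "helpctr.exe": "helpctr-reference",
}

GUID_RE = re.compile(r"[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}", re.I)
HCP_RE = re.compile(r"hcp://[^\s\"'<>]+", re.I)
# Download URL shape from the description: /d.php?f=<id>&e=<stage>
DOWNLOAD_RE = re.compile(r"https?://[^\s\"'<>]+/d\.php\?f=\d+&e=\d+", re.I)


def scan(page: str) -> dict:
    """Return {indicator_category: sorted matched values} for one page."""
    hits = defaultdict(list)
    lowered = page.lower()
    for guid in {m.group(0).upper() for m in GUID_RE.finditer(page)}:
        for group, ids in CLSID_GROUPS.items():
            if guid in ids:
                hits[group].append(guid)
    for mime, group in MIME_TYPES.items():
        if mime in lowered:
            hits[group].append(mime)
    for literal, category in STRINGS.items():
        if literal.lower() in lowered:
            hits[category].append(literal)
    for url in HCP_RE.findall(page):
        hits["hcp-url"].append(url)
        if "%" in url:  # escape sequences are what MPC::HexToNum mishandles
            hits["hcp-url-with-escapes"].append(url)
    hits["download-url"].extend(DOWNLOAD_RE.findall(page))
    return {k: sorted(set(v)) for k, v in hits.items() if v}


def verdict(hits: dict) -> str:
    """Triage by how many independent indicator families co-occur (thresholds assumed):
    a site that merely embeds Java or a PDF viewer hits one family, this page hits many."""
    if len(hits) >= 4:
        return "likely exploit landing page"
    if len(hits) >= 2:
        return "suspicious"
    return "no strong indicators"


# Constructed sample for the example: references the indicators, carries no exploit.
SAMPLE_PAGE = """<html><body>
<object classid="clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" id="jdt"></object>
<script>
if (navigator.mimeTypes["application/java-deployment-toolkit"]) { /* NPAPI path */ }
var x = new ActiveXObject("MSXML2.XMLHTTP");
var s = new ActiveXObject("ADODB.Stream");
var u = "http://example.invalid/d.php?f=19&e=0";
var h = "hcp://services/search?query=anything%41";
</script></body></html>"""

if __name__ == "__main__":
    found = scan(SAMPLE_PAGE)
    for category, values in found.items():
        print(f"{category}: {values}")
    print(verdict(found))
```

Run it over a saved page with `scan(open(path, encoding="utf-8", errors="replace").read())`; the obfuscated original will only expose the CLSIDs and strings after the JavaScript decryption layer described above has been unwrapped, so apply the scan to the decoded stage as well as the raw file.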


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original exploit file (its location depends on how the program originally penetrated the infected computer).
  2. Delete the following files:
    %Temp%\mxmt.exe
    %Temp%\l.vbs
    
  3. Install these updates:
    http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx
  4. Empty the Temporary Internet Files directory, which contains infected files (see the article "How to delete infected files from the Temporary Internet Files folder"):
    %Temporary Internet Files%
  5. Update Sun Java JRE and JDK to the latest versions.
  6. Install the most recent version of Adobe Reader and Adobe Acrobat.
  7. Disable the vulnerable ActiveX objects (see the article "How to disable an ActiveX control in Internet Explorer").
  8. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.
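As an added example (not Kaspersky's tool), the following Python script verifies step 2 of the removal instructions and helps match a recovered file against the hashes given for this exploit page. It resolves %Temp% from the TEMP/TMP environment variables and, in `demo()`, exercises itself on a scratch directory with a constructed, empty stand-in named mxmt.exe.

```python
"""Post-removal check for the dropped files and hashes listed in the
Exploit.JS.CVE-2010-1885.h description (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes of the exploit page as given in the description.
KNOWN_MD5 = "9010667cc79db8557e04c90c337c2c0d"
KNOWN_SHA1 = "7d3801de560f4200383632eab1c5dd1327d1fa7a"

# Files the description says the exploit drops into %Temp%.
DROPPED_NAMES = ("mxmt.exe", "l.vbs")


def temp_dir() -> Path:
    """Resolve the %Temp% placeholder used in the description (assumes TEMP/TMP is set)."""
    return Path(os.environ.get("TEMP") or os.environ.get("TMP") or "/tmp")


def dropped_files_present(directory) -> list:
    """Names from DROPPED_NAMES still present in `directory` (case-insensitive, as on NTFS)."""
    directory = Path(directory)
    if not directory.is_dir():
        return []
    wanted = {name.lower() for name in DROPPED_NAMES}
    return sorted(p.name for p in directory.iterdir()
                  if p.is_file() and p.name.lower() in wanted)


def file_hashes(path) -> dict:
    """MD5 and SHA1 of a file, streamed so large samples do not load into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def matches_known_sample(path) -> bool:
    """True only if both hashes equal the ones the description publishes."""
    h = file_hashes(path)
    return h["md5"] == KNOWN_MD5 and h["sha1"] == KNOWN_SHA1


def cleanup_report(directory=None) -> dict:
    """Report whether the dropped files are gone from %Temp% (or a given directory)."""
    directory = Path(directory) if directory else temp_dir()
    leftovers = dropped_files_present(directory)
    return {"temp_dir": str(directory), "leftovers": leftovers, "clean": not leftovers}


def demo() -> dict:
    """Self-check on a scratch directory using a constructed, empty mxmt.exe stand-in."""
    with tempfile.TemporaryDirectory() as scratch:
        stub = Path(scratch) / "mxmt.exe"
        stub.write_bytes(b"")  # constructed stand-in, not malware
        before = cleanup_report(scratch)
        hashes = file_hashes(stub)
        known = matches_known_sample(stub)
        stub.unlink()  # what step 2 of the removal instructions does
        after = cleanup_report(scratch)
    return {"before": before["leftovers"], "after": after["leftovers"],
            "hashes": hashes, "known": known}


if __name__ == "__main__":
    print(cleanup_report())
    print(demo())
```

Running the script without arguments reports on the real %Temp% of the current user; a non-empty "leftovers" list means step 2 is not complete. The %Temporary Internet Files% directory of step 4 has no environment variable and is not checked here.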


[MD5: 9010667cc79db8557e04c90c337c2c0d]
[SHA1: 7d3801de560f4200383632eab1c5dd1327d1fa7a]


Exploit

Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer, for clearly malicious purposes.

Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.

Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.


Aliases

Exploit.JS.CVE-2010-1885.h (Kaspersky Lab) is also known as:

  • Trojan-Downloader.JS.Agent.fuk (Kaspersky Lab)
  • VirTool:JS/Obfuscator.AS (MS(OneCare))
  • JS:Downloader-ANM [Trj] (AVAST)
  • Exploit.JS.CVE-2010-1885 (Ikarus)
  • NseCheckFile2() returned 0x00010018 (Norman)