Internet threat level: 1
Home→Descriptions→Exploit.HTML.CVE-2010-1885.b
Exploit.HTML.CVE-2010-1885.b
| Published | Mar 06 2012 16:01 GMT |
Payload
Removal instructions
Technical Details
This exploit program uses vulnerability in Microsoft Windows Help and Support Center to execute itself on the user's computer. It is an HTML page containing Java Script. It is 15 374 bytes in size.
Payload
Once the document is opened in the user's browser, the malware decrypts the obfuscated code and launches malicious scripts. Every 5 seconds the malware attempts to redirect the user to a resource, which, in relation to the malicious document, is located at the following link:
http://<X>?view=MSIE&showforum=9b6a2179a0ac9a27668e10868 06926f5.jar&showuser=15851733&s=7.0&showtopic=2where X is the location of the original exploit file on the malicious user's server. It will then execute the malicious script in a hidden frame to exploit vulnerability in MS Windows Help and Support Center. The malicious program exploits a vulnerability that arises due to the incorrect handling of URL escape sequences in the function MPC::HexToNum in the Microsoft Windows Help and Support Center applications (helpctr.exe) (MS10-042, CVE-2010-1885). After exploiting the vulnerability, the malicious user can run commands sent to the special protocol "hcp://". The Microsoft products MS Internet Explorer 8 and Windows Media Player 9 are vulnerable. The malware uses the ActiveX object "MSXML.XMLHTTP" to download the file located at the following URL:
http://bos***lves.com/pages/bb34c4b95337a12c688e67b26ae2f158.php?showtopic=12&showuser=15851733&showforum=9b6a2179a0ac9a27668e10 86806926f5.jar&and saves it under the name:
%Documents and Settings%\%Current User%\update.exeUsing the command line, the malicious program launches the downloaded file and terminates the Microsoft Windows Help and Support Center process:
helpctr.exeAt the time of writing, these links were inactive.
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following file:
%Documents and Settings%\%Current User%\update.exe
- Install these updates: http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx
- Empty the Temporary Internet Files directory, which contains infected files (see How to delete infected files from Temporary Internet Files folder?):
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
[MD5: 9498d09c1f23d10bae4cf89c6812b078]
[SHA1: b41528f2aa297dacdc1c7ee1321d8a2a9de932ed]
Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.
Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.
Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.