
Exploit.HTML.CVE-2010-1885.aj

Detected Mar 15 2011 19:35 GMT
Released Mar 16 2011 00:44 GMT
Published Apr 04 2011 13:52 GMT


Technical Details

This exploit program uses a vulnerability in Microsoft Windows Help and Support Center to execute itself on the user's computer. It is an ASX (Advanced Stream Redirector) file. It is 152 bytes in size.


Payload

Once the file is opened in Windows Media Player using the player's "HTMLView" function, the Trojan downloads malicious web content from the following link:

http://sp0***e.ms/games/hcp.php?f=16

The following file icon is displayed as media content:

http://sp0***e.ms/games/L.gif

At the time of writing, these links were inactive.

The downloaded web content takes the form of an HTML document, which contains the exploit's main functionality.

The malware exploits a vulnerability that arises from the incorrect handling of URL escape sequences in the function MPC::HexToNum in the Microsoft Windows Help and Support Center application (helpctr.exe) (MS10-042, CVE-2010-1885). After exploiting the vulnerability, the malicious user can execute commands that are delivered through a specially generated "hcp://" URL. The Microsoft products MS Internet Explorer 8 and Windows Media Player 9 are vulnerable.
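The delivery chain described above can be triaged statically. The following is an added example, not part of the original description: it lists the URLs an ASX metafile hands to "HTMLView" and any "hcp://" URLs in fetched web content. It assumes HTMLView is set through a PARAM element in the metafile; the sample files and the example.invalid hostnames are constructed.

```python
import re

# Assumption: HTMLView is supplied as <PARAM name="HTMLView" value="..."/>.
PARAM_RE = re.compile(r'<\s*param\b[^>]*>', re.I)
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')''')
HCP_RE = re.compile(r'hcp://[^\s"\'<>]*', re.I)

def asx_htmlview_urls(asx_text):
    """Return URLs that an ASX metafile asks the player to render via HTMLView."""
    urls = []
    for tag in PARAM_RE.findall(asx_text):
        attrs = {}
        for m in ATTR_RE.finditer(tag):
            value = m.group(2) if m.group(2) is not None else m.group(3)
            attrs[m.group(1).lower()] = value
        if attrs.get("name", "").lower() == "htmlview" and attrs.get("value"):
            urls.append(attrs["value"])
    return urls

def hcp_urls(html_text):
    """Return (url, has_escape) for each hcp:// URL found in web content."""
    return [(u, "%" in u) for u in HCP_RE.findall(html_text)]

def triage(asx_text, html_text=""):
    """Combine both checks into a list of (finding, url) tuples."""
    findings = []
    for url in asx_htmlview_urls(asx_text):
        remote = url.lower().startswith(("http://", "https://"))
        findings.append(("asx-htmlview-remote" if remote else "asx-htmlview", url))
    for url, escaped in hcp_urls(html_text):
        findings.append(("hcp-url-escaped" if escaped else "hcp-url", url))
    return findings

# Constructed samples (not the real malware file or its URLs).
SAMPLE_ASX = '''<ASX version="3.0">
  <PARAM name="HTMLView" value="http://media.example.invalid/view.php?f=1"/>
  <ENTRY><REF href="http://media.example.invalid/icon.gif"/></ENTRY>
</ASX>'''
SAMPLE_HTML = '<iframe src="hcp://help.example.invalid/topic%20name"></iframe>'
BENIGN_ASX = ('<ASX version="3.0"><ENTRY>'
              '<REF href="http://media.example.invalid/a.wma"/></ENTRY></ASX>')

if __name__ == "__main__":
    for finding in triage(SAMPLE_ASX, SAMPLE_HTML):
        print(finding)
```

A playlist that only references media, such as BENIGN_ASX, produces no findings; a remote HTMLView target or any "hcp://" URL served from the web is worth a closer look on unpatched hosts.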


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
  2. Install these updates: http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx
  3. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


[MD5: ff26bb9bf3451114db8f5255a6a39866]
[SHA1: 9471581bf94c998e1782f6a9aa5758d579f72c9e]


Exploit

Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.

Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.

Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.

