McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Bloodhound.exploit.6.html (Symantec)

• Exploit-MhtRedir

Characteristics

-- Update June 24, 2004--
It has recently been made known that some IIS servers have been remotely hacked. This exploit was utilized to redirect the client's browser to the  location http://217.107.218.147  containing an infected webpage causing unsolicited files to be downloaded and executed.

Certain downloaded files are detected as BackDoor-AXJ.dll , JS/Exploit-DialogArg.b , and VBS/Psyme  with the current DAT files.

For further details concerning this threat, and details of available Microsoft patches see:
http://www.microsoft.com/security/incident/download_ject.mspx

-- Update June 10, 2004 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Pop-up+toolbar+spreads+via+IE+flaws/2100-1002_3-5229707.html?tag=nefd.top

A new attack vector was discovered recently, which by passes the MS04-013 patch.  Generic detection of this new exploit code will be included in the 4366 DAT release.

This detection covers code designed to exploit an Internet Explorer vulnerability.

The exploit results in a CHM (Microsoft Compiled Help) file being written to the local system allowing for additional exploit code to then execute the downloaded file.

The end result is the execution of arbitrary code at the permission level of the current user.

Microsoft has released a patch for this vulnerability.
See: http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx

Symptoms

This exploit code could be used to execute a variety of different programs/malware.  Therefore it is not possible to give specific details about how to recognize an infection.

Method of Infection

This threat exploits an Internet Explorer vulnerability.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Bloodhound.exploit.6.html (Symantec)

• Exploit-MhtRedir

Characteristics

Characteristics -

-- Update June 24, 2004--
It has recently been made known that some IIS servers have been remotely hacked. This exploit was utilized to redirect the client's browser to the  location http://217.107.218.147  containing an infected webpage causing unsolicited files to be downloaded and executed.

Certain downloaded files are detected as BackDoor-AXJ.dll , JS/Exploit-DialogArg.b , and VBS/Psyme  with the current DAT files.

For further details concerning this threat, and details of available Microsoft patches see:
http://www.microsoft.com/security/incident/download_ject.mspx

-- Update June 10, 2004 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Pop-up+toolbar+spreads+via+IE+flaws/2100-1002_3-5229707.html?tag=nefd.top

A new attack vector was discovered recently, which by passes the MS04-013 patch.  Generic detection of this new exploit code will be included in the 4366 DAT release.

This detection covers code designed to exploit an Internet Explorer vulnerability.

The exploit results in a CHM (Microsoft Compiled Help) file being written to the local system allowing for additional exploit code to then execute the downloaded file.

The end result is the execution of arbitrary code at the permission level of the current user.

Microsoft has released a patch for this vulnerability.
See: http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx

Symptoms

Symptoms -

This exploit code could be used to execute a variety of different programs/malware.  Therefore it is not possible to give specific details about how to recognize an infection.

Method of Infection

Method of Infection -

This threat exploits an Internet Explorer vulnerability.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A