McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Unsafe Script

• VBS/OverBuf.gen

• VBS/RunScript.gen

• VBS/RunScript.gen1

• VBS/RunScript.gen2

• VBS/RunScript.gen3

• VBS/RunScript.gen4

Characteristics

This is heuristic detection (possible if using heuristic scanning option) of script or Typelib (.HTA) files containing scripts that use the Windows Scripting Host ActiveX implementations which use harmful technique and/or code. AVERT received several samples which could be categorized as malicious or harmful, and were abusing a discovered exploit of running ActiveX objects which were "signed as safe".

Microsoft has a patch available for download to help prevent such attacks which also require Windows Scripting Host be installed, as well as IE5 such that the .HTA file can be interpreted. For various patches for Microsoft IE5, visit this web location - www.microsoft.com/security and follow the links provided.

Since this detection is a heuristic one, detections are for probable exploit code and AVERT recommends submitting a copy of this file to us for analysis if this detection is made.

Symptoms

Unexplained or new .HTA file created on the hard drive after running an ActiveX object, either intentionally or accidentally. (This is a symptom only and is not a full diagnosis.)

Method of Infection

Opening HTML coded email or web pages which contain the harmful VB Script and/or ActiveX exploit will directly affect the local system.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Unsafe Script

• VBS/OverBuf.gen

• VBS/RunScript.gen

• VBS/RunScript.gen1

• VBS/RunScript.gen2

• VBS/RunScript.gen3

• VBS/RunScript.gen4

Characteristics

Characteristics -

This is heuristic detection (possible if using heuristic scanning option) of script or Typelib (.HTA) files containing scripts that use the Windows Scripting Host ActiveX implementations which use harmful technique and/or code. AVERT received several samples which could be categorized as malicious or harmful, and were abusing a discovered exploit of running ActiveX objects which were "signed as safe".

Microsoft has a patch available for download to help prevent such attacks which also require Windows Scripting Host be installed, as well as IE5 such that the .HTA file can be interpreted. For various patches for Microsoft IE5, visit this web location - www.microsoft.com/security and follow the links provided.

Since this detection is a heuristic one, detections are for probable exploit code and AVERT recommends submitting a copy of this file to us for analysis if this detection is made.

Symptoms

Symptoms -

Unexplained or new .HTA file created on the hard drive after running an ActiveX object, either intentionally or accidentally. (This is a symptom only and is not a full diagnosis.)

Method of Infection

Method of Infection -

Opening HTML coded email or web pages which contain the harmful VB Script and/or ActiveX exploit will directly affect the local system.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

Variants -

N/A