Exploit-MIME.gen.c

Type: Program
SubType: Generic
Discovery Date: 05/05/2004
Minimum DAT: N/A (06/12/2007)
Updated DAT: 5051 (06/12/2007)
Minimum Engine: 4.4.00
Description Added: 04/27/2004
Description Modified: 02/15/2011 1:41 AM (PT)

Characteristics

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

File Information

    • MD5   - 98c60956b5b3a555c960d9afb576ba25
    • SHA1  - 3b9947f2692dc43012cd7731a549675fd6f94705

Aliases

    • F-Prot - HTML/IFrame
    • Microsoft - Exploit:HTML/IFrame_Exploit.G
    • NOD32 - Win32/Chir.B
    • TrendMicro - HTML_IFRAME.DY

Characteristics:

"Exploit-MIME.gen.c" is a detection for malicious .eml files that attempt to exploit the vulnerability addressed by MS01-020 (Incorrect MIME Header Can Cause IE to Execute E-mail Attachment) in order to launch a malicious file.

The e-mail file carries an attachment with the extension .EXE; McAfee detects this .exe as W32/Chir.b@MM.

When the user opens the e-mail attachment, it exploits the Incorrect MIME Header vulnerability, which can cause an executable e-mail attachment to open automatically when an HTML-formatted e-mail is read or previewed.
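The weakness described above is a mismatch between what a MIME header declares and what the attachment actually is. A mail gateway or incident responder can check for exactly that inconsistency before a message reaches a vulnerable client. The following Python script is an added example written for this page, not McAfee's detection logic: it parses an .eml file with the standard library `email` package and flags any attachment whose filename carries an executable extension named in this description (.exe, .scr), and additionally flags the case where such an attachment is declared under a non-`application/*` Content-Type. The two sample messages are constructed for the example (placeholder addresses, placeholder base64 payloads, no real program bytes).

```python
"""Flag .eml attachments that fit the MS01-020 header/extension mismatch pattern.

Added example; heuristics, not a signature:
  1. an attachment whose filename ends in an executable extension;
  2. such an attachment declared under a Content-Type outside application/*,
     i.e. the "incorrect MIME header" the advisory refers to.
"""
import os
import sys
from email import policy
from email.parser import BytesParser

# Extensions named in the advisory for the worm's attachment and infection targets.
EXECUTABLE_EXTENSIONS = {".exe", ".scr"}


def scan_eml(raw: bytes) -> list[str]:
    """Return findings (strings) for one RFC 822 message supplied as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # Content-Disposition filename, or Content-Type name
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        findings.append(f"executable attachment: {filename}")
        ctype = part.get_content_type()
        if part.get_content_maintype() != "application":
            # A non-application type declared for an executable name is the
            # inconsistency an MS01-020-style message relies on.
            findings.append(f"content-type/extension mismatch: {ctype} declared for {filename}")
    return findings


# Constructed sample: executable attachment declared as text/plain (payload is
# the base64 of the word "placeholder", not a program).
SUSPICIOUS_EML = b"""From: sender@example.invalid
Subject: test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>hello</body></html>
--b1
Content-Type: text/plain; name="PP.exe"
Content-Disposition: attachment; filename="PP.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Constructed sample: ordinary document attachment, should produce no findings.
BENIGN_EML = b"""From: sender@example.invalid
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b2--
"""


if __name__ == "__main__":
    # With file arguments, scan each .eml on disk; otherwise scan the samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                for finding in scan_eml(fh.read()):
                    print(f"{path}: {finding}")
    else:
        for label, sample in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
            print(label, scan_eml(sample) or "no findings")
```

The check deliberately keys on the declared header rather than on the payload, because the exploited client trusted the header; a gateway that also inspects the first bytes of the decoded attachment would catch the same message even when the extension is disguised.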
 
W32/Chir.b@MM is a mass-mailing worm that sends itself to every e-mail address in the compromised user's Microsoft Outlook address book. It typically arrives as an e-mail message with the following properties:

    • From :N0600000[removed]@yahoo.com
    • Subject: N0600000[removed] is comming
    • Attachment: PP.exe

The worm "W32/Chir.b@MM" gathers e-mail addresses by searching the Windows Address Book and files with the following extensions:

    • .adc
    • r.db
    • .doc
    • .xls

The worm also searches all local and mapped drives to infect files with the following extensions:

    • .htm
    • .html
    • .exe
    • .scr

For more information about this vulnerability, refer to the following link: http://support.microsoft.com/kb/290108

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore (Windows ME/XP only).

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.
