Exploit-LoadImgAPI

Type
Trojan
SubType
Exploit
Discovery Date
12/23/2004
Length
Varies
Minimum DAT
4417 (12/29/2004)
Updated DAT
4867 (10/05/2006)
Minimum Engine
5.1.00
Description Added
12/23/2004
Description Modified
04/08/2005 3:55 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update Jan 11, 2005 --
Microsoft has released a patch for the vulnerability targeted by this exploit:
http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx

-- Update April 08, 2005 --

This detection covers files that can trigger the Microsoft Windows LoadImage API integer buffer overflow vulnerability announced on December 23, 2004. It provides generic protection for all customers against samples that attempt to exploit this vulnerability, as well as against files that are simply corrupt or too large for the Microsoft products to handle safely. Samples identified by this detection may or may not carry active code after the overflow trigger.

Reportedly, the vulnerability exists on the following operating systems:

  • Windows NT4
  • Windows 2000
  • Windows XP SP0/SP1 (SP2 is not vulnerable)
  • Windows 2003
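
The detection described above is a check on the shape of the file rather than a signature for one sample. The following Python is an added example, not McAfee's detection logic and not Microsoft's code: it parses the directory of an icon or cursor (.ico/.cur) file, the formats MS05-002 addresses, and flags entries whose 32-bit size field would wrap when a small header allowance is added to it (the shape of an integer overflow in an allocation), entries that are simply too large, and entries that run past the end of the file. The HEADER_SLACK and MAX_IMAGE_BYTES constants are assumptions chosen for the example, and the sample files are constructed inline.

```python
import struct

ICONDIR = struct.Struct("<HHH")            # idReserved, idType (1=ICO, 2=CUR), idCount
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # width, height, colours, reserved,
                                           # planes/hotspot-x, bpp/hotspot-y,
                                           # dwBytesInRes, dwImageOffset
U32_MAX = 0xFFFFFFFF

# Assumption for this example: the loader adds a small fixed allowance to the
# 32-bit size it reads from the file before allocating, so a size within that
# margin of 2^32 wraps to a tiny allocation. 4 is illustrative, not Microsoft's
# constant.
HEADER_SLACK = 4
# Example policy: anything larger than this is "too large to handle safely".
MAX_IMAGE_BYTES = 16 * 1024 * 1024


def scan_icon(data: bytes) -> list:
    """Return a list of findings for an .ico/.cur blob; [] means it looks sane."""
    findings = []
    if len(data) < ICONDIR.size:
        return ["corrupt: shorter than ICONDIR header"]
    reserved, id_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or id_type not in (1, 2):
        findings.append("corrupt: bad ICONDIR reserved/type fields")
    if count == 0:
        findings.append("corrupt: zero directory entries")
    dir_end = ICONDIR.size + count * ICONDIRENTRY.size
    if dir_end > len(data):
        findings.append("corrupt: directory extends past end of file")
        return findings
    for i in range(count):
        entry_off = ICONDIR.size + i * ICONDIRENTRY.size
        *_, bytes_in_res, image_offset = ICONDIRENTRY.unpack_from(data, entry_off)
        # Python ints do not wrap, so this sum exposes what a 32-bit add would lose.
        if bytes_in_res + HEADER_SLACK > U32_MAX:
            findings.append(f"entry {i}: integer-wrap (dwBytesInRes=0x{bytes_in_res:08x})")
        elif bytes_in_res > MAX_IMAGE_BYTES:
            findings.append(f"entry {i}: too-large (dwBytesInRes={bytes_in_res})")
        if image_offset < dir_end:
            findings.append(f"entry {i}: image offset 0x{image_offset:x} overlaps the directory")
        if image_offset + bytes_in_res > len(data):
            findings.append(f"entry {i}: declared image runs past end of file")
    return findings


def build_cursor(bytes_in_res: int, payload: bytes) -> bytes:
    """Constructed sample: a one-entry .cur whose directory declares bytes_in_res."""
    offset = ICONDIR.size + ICONDIRENTRY.size
    header = ICONDIR.pack(0, 2, 1)
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 0, 0, bytes_in_res, offset)
    return header + entry + payload


# Constructed inputs, not captured samples.
GOOD = build_cursor(40, b"\x00" * 40)          # consistent sizes
WRAP = build_cursor(0xFFFFFFFE, b"\x00" * 40)  # size + 4 wraps past 2^32
HUGE = build_cursor(0x7FFFFFFF, b"\x00" * 40)  # no wrap, but absurdly large
TRUNCATED = build_cursor(40, b"\x00" * 10)     # declares more data than present

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("WRAP", WRAP), ("HUGE", HUGE), ("TRUNCATED", TRUNCATED)):
        print(name, scan_icon(blob) or "clean")
```

The wrap check is the one that matters for this vulnerability class: a file whose size field sits just below 2^32 looks harmless to a scanner that only compares the field against the file length, because the arithmetic that bites happens inside the loader. The remaining checks cover the "corrupt or too large" files the detection also flags, which is why a single generic check catches both the exploit attempts and the merely broken files.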

Symptoms

Variable. This detection is intended for files that trigger the vulnerability. The symptoms of the buffer overflow depend on whether the sample carries any code to execute after the overflow, and on what that code does.

Method of Infection

Samples can be delivered via a web page or email message, or installed by other applications.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file on which this detection fires.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Bloodhound.Exploit.19 (Symantec)
