Content
Exploit-WinampPLS
- Type
- Trojan
- SubType
- Exploit
- Discovery Date
- 01/30/2006
- Length
- Varies
- Minimum DAT
- 4686 (01/31/2006)
- Updated DAT
- 4800 (07/05/2006)
- Minimum Engine
- 5.1.00
- Description Added
- 01/30/2006
- Description Modified
- 02/03/2006 12:39 AM (PT)
Tab Navigation
Characteristics
This detection covers a 0-day exploit targeting WinAmp 5.12 that allows remote code execution via a specially crafted play list (.pls) file. Such exploit files could be executed with little user intervention (such as visiting a website that hosted malicious files), and the end result could be the silent installation of any number of viruses, trojans, and potentially unwanted programs.
This trojan exploits a buffer overflow vulnerability described in CVE-2006-0476 . This vulnerability has been patched by the vendor, users of this application should update to version 5.13. More information on the vulnerability and the vendor's update can be found at:
- http://www.winamp.com/player/version_history.php
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0476
- http://www.kb.cert.org/vuls/id/604745
New variants of this trojan can be detected pro-actively as Exploit-WinampPLS.gen .
Symptoms
Vary. This is a generic detection identifying files attempting to exploit a buffer overflow vulnerability. As the detection searches for generic exploit code rather than a specific payload, it is not possible to list specific symptoms of this threat.
Method of Infection
This threats exploits a Winamp 5.x buffer overflow vulnerability.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
This detection covers a 0-day exploit targeting WinAmp 5.12 that allows remote code execution via a specially crafted play list (.pls) file. Such exploit files could be executed with little user intervention (such as visiting a website that hosted malicious files), and the end result could be the silent installation of any number of viruses, trojans, and potentially unwanted programs.
This trojan exploits a buffer overflow vulnerability described in CVE-2006-0476 . This vulnerability has been patched by the vendor, users of this application should update to version 5.13. More information on the vulnerability and the vendor's update can be found at:
- http://www.winamp.com/player/version_history.php
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0476
- http://www.kb.cert.org/vuls/id/604745
New variants of this trojan can be detected pro-actively as Exploit-WinampPLS.gen .
Symptoms
Symptoms -
Vary. This is a generic detection identifying files attempting to exploit a buffer overflow vulnerability. As the detection searches for generic exploit code rather than a specific payload, it is not possible to list specific symptoms of this threat.
Method of Infection
Method of Infection -
This threats exploits a Winamp 5.x buffer overflow vulnerability.
Removal -
Removal -
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
Variants -
N/A
