Exploit-VMLFill

Type: Trojan
SubType: Exploit
Discovery Date: 09/19/2006
Length: Varies
Minimum DAT: 4856 (09/20/2006)
Updated DAT: 4900 (11/20/2006)
Minimum Engine: 5.1.00
Description Added: 09/19/2006
Description Modified: 09/26/2006 9:53 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

All Information

Overview -

This detection covers an exploit that could be used to install other trojans, viruses, and potentially unwanted programs (adware, spyware, etc).  This method of exploitation is often referred to as "drive by installs" or "drive by downloads", meaning that upon visiting a site hosting malicious code, a vulnerable system is automatically instructed to install files.

Aliases

  • EXPL_EXECOD.A (Trend Micro)
  • Exploit:HTML/Levem.C (Microsoft)
  • Trojan.Vimalov (Symantec)

Characteristics -

-- Update September 26, 2006 --
Today Microsoft released an out-of-cycle patch to cover this exploit.
http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

Many different exploits have been discovered.  All samples received to date by McAfee Avert Labs are detected as either Exploit-VMLFill or JS/Exploit-BO.gen.  However, attackers have been exploring ways to circumvent detection, and some of these attempts have reportedly succeeded.  Detection will be modified as necessary as such samples are discovered.  Additionally, some of the newer exploit scripts are not covered by VirusScan's generic buffer overflow protection, so the protection noted on September 19 should not be relied on in place of the patch.  Administrators are urged to patch as soon as possible.
--

-- Update September 22, 2006 --
While some variants of this threat are detected as Exploit-VMLFill proactively, others are detected as JS/Exploit-BO.gen.  JS/Exploit-BO.gen also detects other threats, so observing detection with this name is not a direct indication of a VML exploit.
--

-- Update September 19, 2006 --
McAfee Avert Labs has confirmed that VirusScan's generic Buffer Overflow Protection protects against this exploit by default.
--

This detection covers a zero-day exploit of the VML fill method vulnerability in Microsoft Internet Explorer.

For more information on this vulnerability, see: http://vil.nai.com/vil/Content/v_vul26881.htm
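The updates above distinguish two kinds of sample: pages that carry the VML fill element directly in markup, and newer script-built variants that evade static signatures and the generic buffer overflow protection. The following triage scanner is an added example for this entry; it is not McAfee's detection logic and not taken from any sample. It assumes the exploit pages embed a VML fill element with an abnormally long attribute value (the attribute name "method", the 256-character threshold and the three sample pages are assumptions constructed for illustration), flags such pages as suspect, and separately marks pages whose inline script mentions the VML namespace, which a static check cannot judge.

```python
"""Static triage of saved web pages for oversized VML fill attributes.

Added example for the Exploit-VMLFill entry; not McAfee's detection logic.
Assumptions: the exploit markup carries a VML <v:fill> element with an
attribute value far longer than any legitimate fill attribute, and script
that assembles VML at run time cannot be judged statically.
"""
from html.parser import HTMLParser

VML_NS = "urn:schemas-microsoft-com:vml"
MAX_ATTR_LEN = 256  # assumed threshold; real fill attributes are a few chars


class VmlFillScanner(HTMLParser):
    """Collects fill attributes longer than MAX_ATTR_LEN on elements bound to
    the VML namespace and notes inline script that references that namespace."""

    def __init__(self):
        super().__init__()
        self.vml_prefixes = set()      # prefixes bound via xmlns:<p>="urn:...vml"
        self.long_attrs = []           # (attribute name, value length)
        self.script_mentions_vml = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so compare lowercase.
        for name, value in attrs:
            if name.startswith("xmlns:") and value == VML_NS:
                self.vml_prefixes.add(name.split(":", 1)[1])
        if tag == "script":
            self._in_script = True
        prefix, _, local = tag.partition(":")
        if local == "fill" and prefix in self.vml_prefixes:
            for name, value in attrs:
                if value is not None and len(value) > MAX_ATTR_LEN:
                    self.long_attrs.append((name, len(value)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script text is delivered here verbatim; a VML namespace string inside
        # it suggests the markup is built at run time (needs dynamic analysis).
        if self._in_script and VML_NS in data:
            self.script_mentions_vml = True


def scan_html(html):
    """Return a verdict for one page: 'suspect' when a VML fill element carries
    an oversized attribute, 'needs-dynamic' when script references VML, else
    'clean'."""
    parser = VmlFillScanner()
    parser.feed(html)
    parser.close()
    if parser.long_attrs:
        verdict = "suspect"
    elif parser.script_mentions_vml:
        verdict = "needs-dynamic"
    else:
        verdict = "clean"
    return {"verdict": verdict, "long_attrs": parser.long_attrs,
            "script_mentions_vml": parser.script_mentions_vml}


# Constructed sample pages (not captured exploit code).
BENIGN = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml"><body>'
    '<v:rect style="width:100pt;height:50pt"><v:fill color="#ff0000"/></v:rect>'
    '</body></html>'
)
OVERSIZED = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml"><body>'
    '<v:rect style="width:100pt;height:50pt"><v:fill method="'
    + "A" * 2000 + '"/></v:rect></body></html>'
)
RUNTIME = (
    '<html><body><script>'
    'document.write("<html xmlns:v=\\"urn:schemas-microsoft-com:vml\\">");'
    '</script></body></html>'
)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("oversized", OVERSIZED),
                        ("runtime", RUNTIME)):
        print(label, scan_html(page))
```

A "needs-dynamic" result is exactly the case the September 26 update warns about: the page only reveals its VML once script runs, so it should go to a sandboxed, instrumented browser rather than be cleared on the strength of a static scan, and the host-side answer remains the MS06-055 patch.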

Symptoms -

Internet Explorer may quit silently when the exploit runs.  Any subsequent behaviour depends on the payload the exploit delivers, which may be any malware the attacker chooses.

Method of Infection -

Users may be lured (for example through spam or spim, instant-messaging spam) to visit a malicious site.  Upon loading the web page, a vulnerable web browser executes the payload without further user interaction.

Removal -

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants -

    N/A