Exploit-XMLCoreSrvcs

Type: Trojan
SubType: Exploit
Discovery Date: 11/04/2006
Length: Varies
Minimum DAT: 4889 (11/06/2006)
Updated DAT: 5161 (11/12/2007)
Minimum Engine: 5.1.00
Description Added: 11/04/2006
Description Modified: 11/04/2006 11:52 PM (PT)
Risk Assessment:
    Corporate User: Low
    Home User: Low

Characteristics

This detection covers an XMLHTTP 4.0 ActiveX Control zero-day exploit affecting Microsoft Internet Explorer. This exploit was discovered in the field. McAfee Avert Labs has confirmed that VirusScan's generic Buffer Overflow Protection protects against this exploit by default.

Because Internet Explorer executes scripts before writing them to disk (in IE's internal cache), either McAfee VirusScan's ScriptScan must be enabled to block this exploit before execution, or Buffer Overflow Protection must be enabled, which also protects the system from the malicious effects of the script.

If both ScriptScan and Buffer Overflow Protection are disabled, the On Access Scanner will detect identifiable exploit code but not block execution.

Gateway scanners can also protect systems under this detection name.

For more information on the vulnerability targeted by this attack, see:
http://www.microsoft.com/technet/security/advisory/927892.mspx

Symptoms

Internet Explorer may appear to hang during exploitation.  Any number of subsequent actions may be taken by the malware.

Method of Infection

Internet Explorer may silently quit upon execution of the exploit.  Any number of subsequent actions may be taken by the malware.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

    N/A

Overview

This detection covers an exploit that could be used to install other trojans, viruses, and potentially unwanted programs (adware, spyware, etc.). This method of exploitation is often referred to as "drive-by installs" or "drive-by downloads", meaning that when a vulnerable system visits a site hosting malicious code, it is automatically instructed to install files.
