Exploit-XMLhttp.d
- Type: Trojan
- SubType: Exploit
- Discovery Date: 12/09/2008
- Length: Varies
- Minimum DAT: 5459 (12/09/2008)
- Updated DAT: 5782 (10/25/2009)
- Minimum Engine: 5.1.00
- Description Added: 12/09/2008
- Description Modified: 02/17/2009 4:23 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Overview
Exploit-XMLhttp.d is a generic detection for exploits attempting to exploit the CVE-2008-4844 (MS08-078) vulnerability or the CVE-2009-0075 (MS09-002) vulnerability affecting Internet Explorer 7.x. Older DATs may detect this threat as Exploit-XMLhttp.c or JS/Exploit-BO.gen.
Additionally, a malicious ".DOC" file has been discovered to take advantage of this exploit. The file is detected as "Exploit-MSWord.k" in the 5525 DAT release of February 13, 2009, and later.
Characteristics
-- Update February 17, 2009 --
Additional malware capitalizing on this exploit has been uncovered (Exploit-MSWord.k).
This exploit is patched by a Critical Security Update for Internet Explorer (961260):
http://www.microsoft.com/technet/security/Bulletin/MS09-002.mspx
--
-- Update December 11, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2008/12/09/zero_day_ie_flaw_exploited/
--
Exploit-XMLhttp.d is a generic detection for exploits attempting to exploit the CVE-2008-4844 (MS08-078) vulnerability or the CVE-2009-0075 (MS09-002) vulnerability affecting Internet Explorer 7.x. Older DATs may detect this threat as Exploit-XMLhttp.c or JS/Exploit-BO.gen.
Active exploits were found to be downloading and installing the Downloader-AZN trojan onto vulnerable target machines from the following site(s):
- http://www{blocked}yyy.cn/{blocked}.exe
This variant of Downloader-AZN has been proactively detected since the 5404 DATs of October 13th, 2008. Older DATs may already detect it as New Malware.n when program heuristics are enabled, as they have since 2005.
Symptoms
- Unexpected network connections to the mentioned site(s).
Method of Infection
This exploit causes a buffer overflow targeting a vulnerability in Internet Explorer 7.x.
Removal
AVERT recommends always using the latest DATs and engine; with that combination this threat will be cleaned.
Additional Windows ME/XP removal considerations
Variants
N/A