Exploit-Comele

Type: Trojan
SubType: Exploit
Discovery Date: 01/13/2010
Length: 17,310 bytes
Minimum DAT: 5860 (01/13/2010)
Updated DAT: 5925 (03/19/2010)
Minimum Engine: 5.3.01
Description Added: 01/13/2010
Description Modified: 01/19/2010 2:00 PM (PT)
Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

This exploit was used during stage I of Operation Aurora. For more information on Operation Aurora, see:

  • Roarur.dr - Operation Aurora (stage II - downloaded malware)
  • Roarur.dll - Operation Aurora (stage III - dropped/installed malware)

Analysis of the initial heavily-encrypted JavaScript exploit revealed that, if successful, the exploit would cause a connection to 'hxxp://demo[remove].jpg', downloading a malicious, XOR-encrypted binary that we detect as Roarur.dr. This file is saved to %Application Data%\a.exe, for example "C:\Documents and Settings\User\Application Data\a.exe". a.exe is then decrypted to b.exe in the same directory and executed.
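The infection chain above (a XOR-encrypted download saved as a.exe, decrypted to b.exe in the same directory, then executed) lends itself to a simple host triage check for incident responders: given the two dropped files, confirm that one is the XOR-encrypted form of the other and recover the key. The Python below is an added example, not McAfee's or the page's own code. It assumes the encryption is a short repeating-key XOR (the page only says "XOR-encrypted"), uses the standard PE DOS header and stub text as known plaintext, and validates every candidate against the PE signature. The sample binary, the key, and all function names are constructed for the example.

```python
import os
import struct

# Known plaintext present in nearly every PE file: the DOS stub message.
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(enc: bytes, max_key_len: int = 8, search: int = 0x200):
    """Recover a repeating XOR key (length <= max_key_len) from an encrypted PE.

    Single-byte keys are brute-forced against the MZ/PE structure (the DOS stub
    may be missing from packed files). Longer keys are found by sliding the stub
    string over the first `search` bytes: wherever the derived keystream is
    periodic, it is rotated back to offset 0 and checked by decrypting.
    Returns (key, plaintext) or None.
    """
    for k in range(256):
        dec = xor_bytes(enc, bytes([k]))
        if looks_like_pe(dec):
            return bytes([k]), dec
    last = min(search, len(enc) - len(DOS_STUB))
    for off in range(0, last + 1):
        stream = xor_bytes(enc[off:off + len(DOS_STUB)], DOS_STUB)
        for klen in range(2, max_key_len + 1):
            if all(stream[i] == stream[i % klen] for i in range(len(stream))):
                # stream[i] == key[(off + i) % klen], so key[j] == stream[(j - off) % klen]
                key = bytes(stream[(j - off) % klen] for j in range(klen))
                dec = xor_bytes(enc, key)
                if looks_like_pe(dec):
                    return key, dec
                break  # longer multiples of this period give the same key
    return None


def compare_dropped_pair(a_bytes: bytes, b_bytes: bytes):
    """Triage helper: does the encrypted a.exe decrypt to the b.exe beside it?"""
    result = recover_xor_key(a_bytes)
    if result is None:
        return None
    key, dec = result
    return key, dec == b_bytes


def build_sample_pe() -> bytes:
    """Constructed stand-in for a dropped binary (not the real Roarur.dr)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)            # e_lfanew -> PE header at 0x80
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB           # stub text at its usual offset
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + bytes(58)


# Constructed sample: a fake 3-byte key and its encrypted form.
SAMPLE_PLAINTEXT = build_sample_pe()
SAMPLE_KEY = b"\x95\xa7\x13"
SAMPLE_ENCRYPTED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    # Check the two paths the page names, under the current user's profile.
    appdata = os.environ.get("APPDATA", "")
    paths = [os.path.join(appdata, name) for name in ("a.exe", "b.exe")]
    if all(os.path.isfile(p) for p in paths):
        with open(paths[0], "rb") as fa, open(paths[1], "rb") as fb:
            print("a.exe/b.exe XOR relation:", compare_dropped_pair(fa.read(), fb.read()))
    else:
        print("dropped pair not present; sample check:",
              compare_dropped_pair(SAMPLE_ENCRYPTED, SAMPLE_PLAINTEXT))
```

The key-recovery step is ordinary known-plaintext analysis: XORing ciphertext with the expected DOS stub yields the keystream at that offset, and a repeating key shows up as periodicity in that keystream. The PE-signature check is what keeps false positives out when the stub string happens to align with unrelated bytes.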

Currently the aforementioned website is down.

Exploit-Comele affects all versions of Internet Explorer which have JavaScript enabled. DEP (Data Execution Prevention) currently blocks this generation of the exploit; however, this cannot be confirmed for future generations, and users are requested to keep their machines up to date on patches.

Please click here to view more information on this vulnerability and McAfee IPS coverage information.

The MS Security advisory can be found here.

Within 48 hours after the public disclosure of this vulnerability, exploit code was made public. Therefore many new variants carrying customized payloads are likely to emerge. McAfee DAT files will be updated as necessary to provide both proactive and reactive coverage.

Symptoms

Outbound network connections to the aforementioned website (initial variant).

Method of Infection

This maliciously crafted script attempts to exploit a vulnerability during handling of certain DOM operations.

Removal

All Users:
Use specified engine and DAT files for detection and removal. Delete files which contain this detection.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This detection covers a maliciously crafted script which attempts to exploit a vulnerability during handling of certain DOM operations.

An attacker may exploit this issue to execute remote code.

Aliases

  • ~JS.Elecom.A (VirusBuster)
  • EXP/Comele.A (Avira)
  • Exploit.Comele (Ikarus)
  • Exploit.Comele.A (BDC)
  • Exploit/ComeIE (Panda)
  • Exploit:JS/Elecom.A (Microsoft)
  • JS/Elecom.A (Cat Quick Heal)
  • Operation Aurora
