EXPLOIT-- what is this and what do I do


MZB

AVG found a virus they call EXPLOIT.

Its location is:

c\Documents and Settings\My Name\Local Settings\Temporary Internet
Files\ContentIE5\OHUJGHAR\

Its filename is: 2_z[1].html

I've moved it to the Virus Vault.

Does that take care of the problem??

Is there anything else I should do??

Mel
 

David H. Lipman

From: "MZB" <[email protected]>

| AVG found a virus they call EXPLOIT.
|
| Its location is:
|
| c\Documents and Settings\My Name\Local Settings\Temporary Internet
| Files\ContentIE5\OHUJGHAR\
|
| Its filename is: 2_z[1].html
|
| I've moved it to the Virus Vault.
|
| Does that take care of the problem??
|
| Is there anything else I should do??
|
| Mel
|

AVG found Exploit code in an HTML file. It did NOT find a virus.

The questions are...

How long has the file existed there?
What exploit?
Was the Exploitation successful?

If you restore the HTML file you can submit it to Virus Total and we can know more.

http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE to go through your
firewall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 

MZB

David:

I restored the file (to a different directory so I can access it quicker).

But I was unable to attach it to send it.

First AVG popped up.

I disabled AVG but OE wouldn't let me do it (it stripped the file
attachment).

I then tried it with my Yahoo email account and it wouldn't let me do it.

Any other ideas?? Also, why can't I attach the file?

This is frustrating.

I've put the file back into the AVG Virus Vault.

I am pretty sure this virus just arrived today (the AVG Resident Shield
picked it up).

I read your possible solution but it sure looks very complicated.

Do you think the banishment to the Virus Vault will take care of the
problem?

Mel
 

MZB

David:

OK -- I was able to upload it to their site. All the vendors said no
viruses.

But the file said 0 bytes.

How could this be??

I'm confused

Mel
 

David H. Lipman

From: "MZB" <[email protected]>

| David:
|
| I restored the file (to a different directory so I can access it quicker).
|
| But I was unable to attach it to send it.
|
| First AVG popped up.
|
| I disabled AVG but OE wouldn't let me do it (it stripped the file
| attachment).
|
| I then tried it with my Yahoo email account and it wouldn't let me do it.
|
| Any other ideas?? Also, why can't I attach the file?
|
| This is frustrating.
|
| I've put the file back into the AVG Virus Vault.
|
| I am pretty sure this virus just arrived today (the AVG Resident Shield
| picked it up).
|
| I read your possible solution but it sure looks very complicated.
|
| Do you think the banishment to the Virus Vault will take care of the
| problem?
|

Please STOP calling this a virus. Viruses replicate.
This is an HTML file. It is a script and does not replicate.

Exploit code is a script that takes advantage of a known vulnerability in the OS, in an OS
module or a software application you use. If the targeted vulnerability is mitigated, the
exploit code is rendered harmless. If the targeted vulnerability has not been patched then
the exploitation of the vulnerability may succeed and more often than not, the objective is
to install malware.

Without a submission of the HTML file to Virus Total, we will be unable to make a
determination of what the exploitation was, what the vulnerability was or if the
vulnerability may have been exploited. The fact that it is an HTML file and is Exploit code
is insufficient to come to any conclusions. However, without further details, we must
assume the worst and that the exploitation succeeded and you were possibly infected with
malware.

The HTML file can be safely deleted from the virus vault. However, it is needed to get the
further details I alluded to.

The Multi AV Scanning tool can be used to find any malware that may have been
installed if the exploitation was successful.

You can also check your system to see if there are indeed vulnerable versions of software
that may be exploited.

http://secunia.com/software_inspector
 

David H. Lipman

From: "MZB" <[email protected]>

| David:
|
| OK -- I was able to upload it to their site. All the vendors said no
| viruses.
|
| But the file said 0 bytes.
|
| How could this be??
|
| I'm confused
|
| Mel



What is the size of the file in the "Virus Vault" ?
 

David H. Lipman

From: "MZB" <[email protected]>

| 1679 bytes
|

1) Dump the contents of your IE cache -
Start --> settings --> control panel --> Internet options --> delete files

2) Reboot the PC.

3) Restore the file from the Virus Vault to a location such as; C:\

4) Examine the size of the file. If it is NOT zero Bytes, re-submit to Virus Total.
http://www.virustotal.com/flash/index_en.html

When you get the report, please post back the exact results.
 

MZB

David:

This is very strange. I did all that.

Windows Explorer also confirms 1.67 KB and it says that when I go into
command prompt and check the directory.

But when I upload it to virustotal, it says zero bytes.

And I can't seem to attach it as an email attachment.

Any other suggestions???

Oh and I did run the other program and I do have quite a few applications
that are not upgraded:

Specifically: Adobe Reader, quicktime, itunes, winamp, and I have a bunch of
older versions of Macromedia flash players.

Most of these I don't use (I do use Adobe and sometimes itunes)

I've been reluctant to upgrade to new versions when these programs work
unless there were security issues.

I guess I now have to (?). Are there some in particular that I should
upgrade?

Mel
 

David H. Lipman

From: "MZB" <[email protected]>

| David:
|
| This is very strange. I did all that.
|
| Windows Explorer also confirms 1.67 KB and it says that when I go into
| command prompt and check the directory.
|
| But when I upload it to virustotal, it says zero bytes.
|
| And I can't seem to attach it as an email attachment.
|
| Any other suggestions???
|
| Oh and I did run the other program and I do have quite a few applications
| that are not upgraded:
|
| Specifically: Adobe Reader, quicktime, itunes, winamp, and I have a bunch of
| older versions of Macromedia flash players.
|
| Most of these I don't use (I do use Adobe and sometimes itunes)
|
| I've been reluctant to upgrade to new versions when these programs work
| unless there were security issues.
|
| I guess I now have to (?). Are there some in particular that I should
| upgrade?
|
| Mel
|

The only way the file would NOT be allowed to be sent via email or get uploaded to Virus
Total as 0KB is if the file handle is held open. That means something is using it. Either
AVG is blocking access to the file or there is malware actively using it. I tried to avoid
the possibility of malware using it through my set of instructions.


As for the software: even if you don't use them, if they are there and they have
vulnerabilities then they can be exploited!

Please use the Multi AV Scanning Tool now and scan your PC. Start with the McAfee module.
 

MZB

OK -- I'll try it.

But right now that file is in the Virus Vault and nowhere else. Can I leave
it there during the scans??

Mel
 

MZB

David:

I am currently running Mcaf. in normal mode. I did move the suspect file
back to c:\ . I'll see what happens
 

David H. Lipman

From: "MZB" <[email protected]>

| OK -- I'll try it.
|
| But right now that file is in the Virus Vault and nowhere else. Can I leave
| it there during the scans??
|
| Mel

Yes !
 

MZB

David:

I appreciate your help in this. I am very nervous obviously and need some
hand holding here.
McAf. failed to find anything. What next? Try each one? I don't think I have
a virus per se, but what about this malware?
Would one of the others pick that up??
Do I now have to do each of the others?

Then do it all again in Safe Mode??

This is sure unnerving!!


Here are the Mcaf. results: 01/13/2007 19:10:24


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /ALL /MIME /PROGRAM
/EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*

Summary report on C:\*.*
File(s)
Total files: ........... 209623
Clean: ................. 209526
Possibly Infected: ..... 0
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:56.03
 

David H. Lipman

From: "MZB" <[email protected]>

| running Kasp now


If Kaspersky and McAfee scanners find nothing that is good.

After that you can consider that the unknown exploit code did not take advantage of some
vulnerability or the vulnerability that it targets was properly patched.

You should subsequently update your PC based upon the findings of the Secunia Software
Inspector.
 

MZB

David:

I still have problems, kind of, but perhaps I have a handle on matters?

I ran Kasp: It said:
Current object: c:\

Sector Objects : 0          Known viruses : 1
Files : 288743              Virus bodies : 6
Folders : 6049              Disinfected : 0
Archives : 8123             Deleted : 0
Packed : 296                Warnings : 0
                            Suspicious : 2
Scan speed (Kb/sec) : 0     Corrupted : 0
Scan time : 01:49:48        I/O Errors : 0

The two suspicious ones are:
c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX/[From
"postmaster" <[email protected]>][Date Thu, 28 Dec 2006
00:10:54 -0500]/html suspicion: Exploit.HTML.Iframe.FileDownload




I found the first file in my deleted files box (no attachment or anything).
The second one must be the same file (there appears to be a back-up, as the
extension indicates, in the RECYCLER folder???)

I'm not sure what action to take, if any. Should I delete the email from my
deleted folder? I assume it then goes to the recycler folder. Do I then
delete the DC1273.bak from the RECYCLER folder?

Or do I do nothing?

Now, the known virus is:

c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX/[From
Garland Y. Bobby <[email protected]>][Date Fri, 29 Dec 2006
17:45:07 -0500]/postcard.exe infected: Email-Worm.Win32.Luder.a.

This occurs 6 times, so I assume that's what is meant by the VIRUS BODIES
statistic above.

These are all postcard.exe attachments in emails I deleted. I am 99.99% sure
I never opened any of the attachments (I do NOT open attachments).

SO, where do I go from here? Do things look okay? Should I be deleting
anything?

Mel
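As an added example (not from this thread and not any vendor's code), here is a small Python parser for detection lines of the shape quoted in the post above, which groups each hit by the container it actually lives in, since that is what decides the cleanup (the message in the Outlook Express .dbx folder versus the deleted copy under RECYCLER). The sample lines are constructed from the shapes in the post; the user folder, identity GUID and e-mail addresses are placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, Optional

# One detection line as the Kaspersky command-line scanner prints it for an
# object found inside a mail store:
#   <container>/[From <sender>][Date <date>]/<object> <verdict>: <name>
LINE_RE = re.compile(
    r"^(?P<container>.+?)/\[From (?P<sender>.+?)\]"
    r"\[Date (?P<date>.+?)\]/(?P<obj>\S+) (?P<verdict>suspicion|infected): (?P<name>\S+?)\.?$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one detection line, or None for summary/other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_container(path: str) -> str:
    """Where the hit physically lives; this decides how it gets cleaned up."""
    up = path.upper()
    if "\\RECYCLER\\" in up:
        return "recycle-bin copy"        # a deleted copy: empty the Recycle Bin
    if up.endswith(".DBX"):
        # Outlook Express keeps deleted messages inside the .dbx until the
        # folder is compacted, so delete the message, then compact the folder.
        return "Outlook Express folder"
    return "other"


def summarize(report: str) -> Dict[str, Dict[str, int]]:
    """Count detections per (container class, detection name)."""
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in report.splitlines():
        rec = parse_line(line)
        if rec:
            out[classify_container(rec["container"])][rec["name"]] += 1
    return {k: dict(v) for k, v in out.items()}


# Constructed sample report (placeholders for user folder, GUID and addresses).
SAMPLE_REPORT = """Scan time : 01:49:48 I/O Errors : 0
c:\\DOCUME~1\\USER~1\\LOCALS~1\\APPLIC~1\\IDENTI~1\\{GUID~1\\MICROS~1\\OUTLOO~1\\DELETE~1.DBX/[From "postmaster" <[email protected]>][Date Thu, 28 Dec 2006 00:10:54 -0500]/html suspicion: Exploit.HTML.Iframe.FileDownload
c:\\RECYCLER\\S-1-5-~1\\DC1273.BAK/[From "postmaster" <[email protected]>][Date Thu, 28 Dec 2006 00:10:54 -0500]/html suspicion: Exploit.HTML.Iframe.FileDownload
c:\\DOCUME~1\\USER~1\\LOCALS~1\\APPLIC~1\\IDENTI~1\\{GUID~1\\MICROS~1\\OUTLOO~1\\DELETE~1.DBX/[From Some Sender <[email protected]>][Date Fri, 29 Dec 2006 17:45:07 -0500]/postcard.exe infected: Email-Worm.Win32.Luder.a.
"""

if __name__ == "__main__":
    for where, names in summarize(SAMPLE_REPORT).items():
        print(where, names)
```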
 

MZB

David:

Update on the info below:

I see when that email arrived, on the bottom of the email it said:
Viruses found in the attached files.
The file fzooi.exe: Virus identified I-Worm/Swen.A. The attachment was moved
to the virus vault.
So, maybe the deletion of that file by AVG caused Kaspersky to also deem it
suspicious???

Mel


 

David H. Lipman

From: "MZB" <[email protected]>

| David:
|
| I still have problems, kind of, but perhaps I have a handle on matters?
|
| I ran Kasp: It said:
|
| Current object: c:\
|
| Sector Objects : 0          Known viruses : 1
| Files : 288743              Virus bodies : 6
| Folders : 6049              Disinfected : 0
| Archives : 8123             Deleted : 0
| Packed : 296                Warnings : 0
|                             Suspicious : 2
| Scan speed (Kb/sec) : 0     Corrupted : 0
| Scan time : 01:49:48        I/O Errors : 0
|
| The two suspicious ones are:
| c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX/[From
| "postmaster" <[email protected]>][Date Thu, 28 Dec 2006
| 00:10:54 -0500]/html suspicion: Exploit.HTML.Iframe.FileDownload
|
| c:\RECYCLER\S-1-5-~1\DC1273.BAK/[From "postmaster"
| <[email protected]>][Date Thu, 28 Dec 2006 00:10:54 -0500]/html
| suspicion: Exploit.HTML.Iframe.FileDownload
|
|
| I found the first file in my deleted files box (no attachment or anything).
| The second one must be the same file (there appears to be a back-up, as the
| extension indicates. in the RECYCLER folder???)
|
| I'm not sure what action to take, if any. Should I delete the email from my
| deleted folder. I assume it then goes to the recycler folder. Do I then
| delete the DC1273.bak from the RECYCLER folder?
|
| Or do I do nothing?
|
| Now, the known virus is:
|
| c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX/[From
| Garland Y. Bobby <[email protected]>][Date Fri, 29 Dec 2006
| 17:45:07 -0500]/postcard.exe infected: Email-Worm.Win32.Luder.a.
|
| This occurs 6 times, so I assume that's what is meant by the VIRUS BODIES
| statistic above.
|
| These are all postcard.exe attachments in emails I deleted. I am 99.99% sure
| I never opened any of the attachments (I do NOT open attachments).
|
| SO, where do I go from here? Do things look okay? Should I be deleting
| anything?
|
| Mel


You received an email with an IFrame Exploit.

You need to go into your email software (Outlook Express) and delete that email message.
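As an added example (not from this thread), a small defender-side check for the pattern behind a detection name like Exploit.HTML.Iframe.FileDownload: an <iframe> in an HTML mail body that is hidden (zero/one-pixel size or CSS-hidden) and/or loads an executable. The sample message body and its URLs are constructed placeholders, not indicators from the thread.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# Extensions that should never be loaded from a mail body's iframe.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs|js|hta)(\?|#|$)", re.I)


class IframeCollector(HTMLParser):
    """Collect every <iframe> tag with its attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs: Dict[str, str]) -> bool:
    """Hidden if width/height are 0 or 1 px, or CSS hides the frame."""
    def tiny(v: str) -> bool:
        m = re.match(r"\s*(\d+)", v)
        return m is not None and int(m.group(1)) <= 1

    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def find_suspicious_iframes(html: str) -> List[Dict[str, str]]:
    """Return iframes that are hidden or load an executable, with the reasons."""
    p = IframeCollector()
    p.feed(html)
    hits = []
    for a in p.iframes:
        reasons = []
        if _is_hidden(a):
            reasons.append("hidden")
        if EXECUTABLE_EXT.search(a.get("src", "")):
            reasons.append("executable-src")
        if reasons:
            hits.append({"src": a.get("src", ""), "reasons": ",".join(reasons)})
    return hits


# Constructed sample: a bounce-style message whose HTML part carries a 1x1
# iframe pulling an .exe, a harmless visible iframe, and a CSS-hidden one.
SAMPLE_BODY = """<html><body>
<p>Your message could not be delivered.</p>
<iframe src="http://example.invalid/x/file.exe" width=1 height=1></iframe>
<iframe src="http://example.invalid/status" width="300" height="200"></iframe>
<IFRAME STYLE="display: none" SRC="http://example.invalid/a.html"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_BODY):
        print(hit)
```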
 
