Interception of web content by AV software (was Re: VML Patch for Win9x?)


David H. Lipman

From: "PCR" <[email protected]>

< snip >

| ...It does seem it's a combo of the virus file & the IE crash to flush a buffer. I'm
| still torn on whether I need to switch .dll's. But, I've retrieved it, & I guess I will
| switch soon to prevent the crash. But why is it crashing?

What virus ? This is Exploit code, not a virus !!!

It crashes because there is a bug in the code that causes a Buffer Overflow condition. It
is in this state that malware can take control of the system.

I have made it easy. Here's my self installing unofficial patch...
http://www.ik-cs.com/programs/virtools/VML-HTML_FIX.exe
 

PCR

| From: "PCR" <[email protected]>
|
| < snip >
|
| | ...It does seem it's a combo of the virus file & the IE crash to flush a buffer. I'm
| | still torn on whether I need to switch .dll's. But, I've retrieved it, & I guess I will
| | switch soon to prevent the crash. But why is it crashing?
|
| What virus ? This is Exploit code, not a virus !!!

I believe I have already said to you in another thread, McAfee's wording
is...

Download file: G:\Temporary Internet
Trojan name: Exploit.VMLFill
McAfee Shield: Virus found in download file!

I get a choice to Continue, Delete, or Move. Choosing Move, I end up
with "testvml[1].htm.vir" in "G:\Infected". Hmm, now I see a .log there.
It contains just one line...
www.isotf.org => testvml[1].htm.vir

WELL, McAfee does give a choice of 3 what to call it, actually. I have
taken the .dll already as Bear said, with Winzip. Yet I haven't
installed it.

|
| It crashes because there is a bug in the code that causes a Buffer Overflow condition. It
| is in this state that malware can take control of the system.

So... does IE need the exploit file of 98 Guy to deliver the exploit? Is
the exploit file extraneous to the delivery of the exploit?

|
| I have made it easy. Here's my self installing unofficial patch...
| http://www.ik-cs.com/programs/virtools/VML-HTML_FIX.exe
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
|
 

David H. Lipman

From: "PCR" <[email protected]>


|>
|> What virus ? This is Exploit code, not a virus !!!
|
| I believe I have already said to you in another thread, McAfee's wording
| is...
|
| Download file: G:\Temporary Internet
| Trojan name: Exploit.VMLFill
| McAfee Shield: Virus found in download file!


Gee... three conflicts all in one message !

Trojan <> virus <> exploit

McAfee (or any other AV software for that matter) creates a default message and then
concatenates what's found to the default message.

If you test the EICAR, see what it calls it !

I'll say it again, again... There is NO virus, this is an Exploit Code.

The fact is if you are using the TEST URL http://www.isotf.org/zert/testvml.htm there isn't
even a payload. It just creates a Buffer Overflow condition. McAfee is flagging the Buffer
Overflow condition or the test for it (I can't tell which).

Here it is in Firefox... (No virus statement here in Enterprise v7.1)
10/4/2006 8:01:24 PM Deleted (Clean failed) DLIPMAN-1\lipman D:\temp\Mozilla\Cache\_CACHE_001_\_CACHE_001_ Exploit-VMLFill

Here it is in Internet Explorer... (Again no virus statement here in Enterprise v7.1)
10/4/2006 8:03:09 PM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\UJN91K6V\testvml[1].htm Exploit-VMLFill

Here it is in Opera... (Still no virus statement here in Enterprise v7.1)
10/4/2006 8:05:29 PM Deleted DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr002P3.htm Exploit-VMLFill


So it is YOUR version that generated this incorrect statement, and this retail version was
discontinued YEARS ago. PCR, I believe you are still using Retail VirusScan v5.x.

One more time...

There is NO virus, this is purely Exploit Code and this URL has NO payload !


|
| WELL, McAfee does give a choice of 3 what to call it, actually. I have
| taken the .dll already as Bear said, with Winzip. Yet I haven't
| installed it.
|

My unofficial patch will install the non-vulnerable version, unregister the vulnerable
version, register the replacement DLL and fix the Registry.
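The three on-access log lines David quotes above (VirusScan Enterprise 7.1) share one field layout: timestamp, action (sometimes with a parenthesised status such as "Clean failed"), MACHINE\user, the path of the cached file, and the detection name. His point is that the category lives in the detection name's prefix ("Exploit-") while the "Virus found" banner is only a fixed template. The following is an added example, my own code and not David's or McAfee's, that parses lines of that shape, pulls the category out of the name, and maps the cache path back to the browser that fetched the page. The layout is inferred from the three quoted lines only, the sample input is those lines re-joined (the newsreader had wrapped them), and the path-to-browser mapping and the "Unknown" fallback are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three VirusScan Enterprise 7.1 on-access log lines
# quoted in the post, re-joined onto one line each.
SAMPLE_LOG = r"""
10/4/2006 8:01:24 PM Deleted (Clean failed) DLIPMAN-1\lipman D:\temp\Mozilla\Cache\_CACHE_001_\_CACHE_001_ Exploit-VMLFill
10/4/2006 8:03:09 PM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\UJN91K6V\testvml[1].htm Exploit-VMLFill
10/4/2006 8:05:29 PM Deleted DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr002P3.htm Exploit-VMLFill
"""

# Field layout assumed from the quoted lines. The path may contain spaces, so it
# is matched greedily and the detection name is taken as the final token.
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>\S+(?: \([^)]*\))?) "
    r"(?P<user>[^\s\\]+\\\S+) "
    r"(?P<path>.+) "
    r"(?P<name>\S+)$"
)


@dataclass
class Detection:
    timestamp: str
    action: str
    user: str
    path: str
    name: str

    @property
    def category(self) -> str:
        # McAfee names carry the category before the first '-' (e.g. 'Exploit-VMLFill').
        # That prefix, not the alert banner text, says whether this is exploit code,
        # a virus or a trojan.
        return self.name.split("-", 1)[0] if "-" in self.name else "Unknown"

    @property
    def browser_cache(self) -> Optional[str]:
        # Assumed mapping from cache directory to the browser that wrote it.
        p = self.path.lower()
        if "content.ie5" in p or "temporary internet files" in p:
            return "Internet Explorer"
        if "\\mozilla\\" in p:
            return "Mozilla/Firefox"
        if "\\opera\\" in p:
            return "Opera"
        return None


def parse_line(line: str) -> Optional[Detection]:
    """Parse one log line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    return Detection(**m.groupdict()) if m else None


def parse_log(text: str) -> list:
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d]


def summarize(dets) -> dict:
    """Count hits per (category, name) and how many times cleaning failed."""
    out = {}
    for d in dets:
        entry = out.setdefault((d.category, d.name), {"count": 0, "clean_failed": 0})
        entry["count"] += 1
        if "clean failed" in d.action.lower():
            entry["clean_failed"] += 1
    return out


if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        print(d.timestamp, d.category, d.name, d.browser_cache, d.action)
    print(summarize(parse_log(SAMPLE_LOG)))
```

Feed it a real on-access log and the summary separates "Exploit-" hits from "W32/" style virus names, which is the distinction the AV banner text hides.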
 

98 Guy

PCR said:
| | What virus ? This is Exploit code, not a virus !!!
|
| I believe I have already said to you in another thread,
| McAfee's wording is...
|
| Download file: G:\Temporary Internet
| Trojan name: Exploit.VMLFill

McAfee found what it thinks is a virus.

What it found was (for lack of a better word) a shell of a virus. It
has the fingerprints and characteristics of exploit code. It has no
payload (that's what makes it safe to execute). McAfee doesn't know
that it doesn't have a payload. It has the characteristics of the VML
exploit, so that's what it calls it.

| So... does IE need the exploit file of 98 Guy to deliver the
| exploit?

The .htm file posted earlier contains specially crafted code that
triggers a fault in IE that causes IE to crash. That's all it does.
In its nasty form, there would be additional code that would be
executed in conjunction with IE crashing.

| Is the exploit file extraneous to the delivery of the
| exploit?

The exploit code opens a door into the operating system. Think of it
as a key. If there is nothing accompanying the key (the payload) then
there is nothing to "get in". AV software detects the key - because
the payload can vary but the key must remain relatively similar or
static.

So we know what the key looks like. What is the lock? The lock in
this case is the vgx.dll file. You can either remove the file from
your system (and hence the key has nowhere to go) or update the file
(plug the keyhole).
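98 Guy's "lock" is vgx.dll, and David's patch unregisters the vulnerable copy before registering a replacement. Below is an added example, mine and neither the thread's unofficial patch nor Microsoft's code, of the interim and reversible form of that mitigation: unregistering the DLL so IE can no longer load the VML renderer, with a check that the file is present and a check on regsvr32's exit status. Unregistering vgx.dll was also Microsoft's published workaround for this issue at the time. The DLL path is an assumption (the Common Files location IE installs it to; adjust for the machine), as is regsvr32.exe being on the PATH; labels and goto are used instead of cmd.exe-only syntax so it also runs under command.com on Win9x.

```batch
@echo off
rem Added example, not the patch from the thread. Assumed path: adjust if your
rem install keeps vgx.dll elsewhere. Assumes regsvr32.exe is on the PATH.
set VGX=C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll

if not exist "%VGX%" goto missing

rem Unregistering drops the COM registration IE uses to load the VML renderer,
rem so a crafted page (the "key") finds no "lock" to turn. /s suppresses dialogs.
regsvr32 /s /u "%VGX%"
if errorlevel 1 goto failed
echo vgx.dll unregistered. To restore once a patched copy is in place: regsvr32 "%VGX%"
goto end

:missing
echo vgx.dll not found at "%VGX%" - nothing to unregister.
goto end

:failed
echo regsvr32 /u "%VGX%" failed. Run it from an account that can write the registry.

:end
```

Run it from a command prompt; the file itself is left in place, so the step is undone with the regsvr32 line it prints once the replacement DLL has been installed.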
 

Dan W.

PCR said:
| | From: "PCR" <[email protected]>
| |
| | < snip >
| |
| | | ...It does seem it's a combo of the virus file & the IE crash to flush a buffer. I'm
| | | still torn on whether I need to switch .dll's. But, I've retrieved it, & I guess I will
| | | switch soon to prevent the crash. But why is it crashing?
| |
| | What virus ? This is Exploit code, not a virus !!!
|
| I believe I have already said to you in another thread, McAfee's wording
| is...
|
| Download file: G:\Temporary Internet
| Trojan name: Exploit.VMLFill
| McAfee Shield: Virus found in download file!
|
| I get a choice to Continue, Delete, or Move. Choosing Move, I end up
| with "testvml[1].htm.vir" in "G:\Infected". Hmm, now I see a .log there.
| It contains just one line...
| www.isotf.org => testvml[1].htm.vir
|
| WELL, McAfee does give a choice of 3 what to call it, actually. I have
| taken the .dll already as Bear said, with Winzip. Yet I haven't
| installed it.
|
| |
| | It crashes because there is a bug in the code that causes a Buffer Overflow condition. It
| | is in this state that malware can take control of the system.
|
| So... does IE need the exploit file of 98 Guy to deliver the exploit? Is
| the exploit file extraneous to the delivery of the exploit?
|
| |
| | I have made it easy. Here's my self installing unofficial patch...
| | http://www.ik-cs.com/programs/virtools/VML-HTML_FIX.exe
| |
| | --
| | Dave
| | http://www.claymania.com/removal-trojan-adware.html
| | http://www.ik-cs.com/got-a-virus.htm
| |

PCR, I have the exact same file that is in the vault in quarantine and
put there by AVG. It is apparently nothing to worry about and the virus
scanners were just doing their job.
 

Dan W.

David said:
| From: "PCR" <[email protected]>
|
|
| |>
| |> What virus ? This is Exploit code, not a virus !!!
| |
| | I believe I have already said to you in another thread, McAfee's wording
| | is...
| |
| | Download file: G:\Temporary Internet
| | Trojan name: Exploit.VMLFill
| | McAfee Shield: Virus found in download file!
|
|
| Gee... three conflicts all in one message !
|
| Trojan <> virus <> exploit
|
| McAfee (or any other AV software for that matter) creates a default message and then
| concatenates what's found to the default message.
|
| If you test the EICAR, see what it calls it !
|
| I'll say it again, again... There is NO virus, this is an Exploit Code.
|
| The fact is if you are using the TEST URL http://www.isotf.org/zert/testvml.htm there isn't
| even a payload. It just creates a Buffer Overflow condition. McAfee is flagging the Buffer
| Overflow condition or the test for it (I can't tell which).
|
| Here it is in Firefox... (No virus statement here in Enterprise v7.1)
| 10/4/2006 8:01:24 PM Deleted (Clean failed) DLIPMAN-1\lipman D:\temp\Mozilla\Cache\_CACHE_001_\_CACHE_001_ Exploit-VMLFill
|
| Here it is in Internet Explorer... (Again no virus statement here in Enterprise v7.1)
| 10/4/2006 8:03:09 PM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\UJN91K6V\testvml[1].htm Exploit-VMLFill
|
| Here it is in Opera... (Still no virus statement here in Enterprise v7.1)
| 10/4/2006 8:05:29 PM Deleted DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr002P3.htm Exploit-VMLFill
|
|
| So it is YOUR version that generated this incorrect statement, and this retail version was
| discontinued YEARS ago. PCR, I believe you are still using Retail VirusScan v5.x.
|
| One more time...
|
| There is NO virus, this is purely Exploit Code and this URL has NO payload !
|
|
| |
| | WELL, McAfee does give a choice of 3 what to call it, actually. I have
| | taken the .dll already as Bear said, with Winzip. Yet I haven't
| | installed it.
| |
|
| My unofficial patch will install the non-vulnerable version, unregister the vulnerable
| version, register the replacement DLL and fix the Registry.

PCR, listen to David. I was mistaken as well when I thought it was a
virus. It is an exploit code. David knows what he is talking about and
I give him lots of credit for that. He studies viruses and exploit
codes and stuff all the time.
 

PCR

| David H. Lipman wrote:
| > From: "PCR" <[email protected]>
| >
| >
| > |>
| > |> What virus ? This is Exploit code, not a virus !!!
| > |
| > | I believe I have already said to you in another thread, McAfee's wording
| > | is...
| > |
| > | Download file: G:\Temporary Internet
| > | Trojan name: Exploit.VMLFill
| > | McAfee Shield: Virus found in download file!
| >
| >
| > Gee... three conflicts all in one message !
| >
| > Trojan <> virus <> exploit
| >
| > McAfee (or any other AV software for that matter) creates a default message and then
| > concatenates what's found to the default message.
| >
| > If you test the EICAR, see what it calls it !
| >
| > I'll say it again, again... There is NO virus, this is an Exploit Code.
| >
| > The fact is if you are using the TEST URL http://www.isotf.org/zert/testvml.htm there isn't
| > even a payload. It just creates a Buffer Overflow condition. McAfee is flagging the Buffer
| > Overflow condition or the test for it (I can't tell which).
| >
| > Here it is in Firefox... (No virus statement here in Enterprise v7.1)
| > 10/4/2006 8:01:24 PM Deleted (Clean failed) DLIPMAN-1\lipman D:\temp\Mozilla\Cache\_CACHE_001_\_CACHE_001_ Exploit-VMLFill
| >
| > Here it is in Internet Explorer... (Again no virus statement here in Enterprise v7.1)
| > 10/4/2006 8:03:09 PM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\UJN91K6V\testvml[1].htm Exploit-VMLFill
| >
| > Here it is in Opera... (Still no virus statement here in Enterprise v7.1)
| > 10/4/2006 8:05:29 PM Deleted DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr002P3.htm Exploit-VMLFill
| >
| >
| > So it is YOUR version that generated this incorrect statement, and this retail version was
| > discontinued YEARS ago. PCR, I believe you are still using Retail VirusScan v5.x.
| >
| > One more time...
| >
| > There is NO virus, this is purely Exploit Code and this URL has NO payload !
| >
| >
| > |
| > | WELL, McAfee does give a choice of 3 what to call it, actually. I have
| > | taken the .dll already as Bear said, with Winzip. Yet I haven't
| > | installed it.
| > |
| >
| > My unofficial patch will install the non-vulnerable version, unregister the vulnerable
| > version, register the replacement DLL and fix the Registry.
| >
| >
|
| PCR, listen to David. I was mistaken as well when I thought it was a
| virus. It is an exploit code. David knows what he is talking about and
| I give him lots of credit for that. He studies viruses and exploit
| codes and stuff all the time.

McAfee gives me a choice of three! I'll have to try the EICAR tests...
http://www.eicar.org/anti_virus_test_file.htm
...., as he suggested. Oooo, it calls all 4 of those just a virus!
Therefore, it does seem McAfee can discriminate in its error message--
& it's being generous what one may call this new thing!
 
