Exploit.CVE-2005-1790

name

Hello.
For a while now I have had a problem with Internet Explorer that tends to
bother me. On certain webpages (www.cnet.com for instance), as soon as
I move my mousepointer over the frame where the webpage is displayed,
IE crashes. This problem has been occurring ever since I was stupid
enough to click on a weblink received from some unidentified
<censored>. AVG came up with a notification that a virus had infected
my PC and ever since I've had this problem with IE.
Here is some info about the virus as it has been identified by AVG:
http://www.ibbu.nl/~nsprakel/avg.jpg

Does anyone know how to solve this problem with IE and how to remove
the virus completely from my PC?
I've tried system restore, can't re-install IE and scanning for and
fixing problems with various anti-spyware software (spyware blaster,
ad-aware and spybot S&D) to no avail.

Thanks a lot for any help or suggestions in overcoming this issue, kind
regards, Niek
 
YoKenny

name typed:
| Hello.
| For a while now I have had a problem with Internet Explorer that tends to
| bother me. On certain webpages (www.cnet.com for instance), as soon as
| I move my mousepointer over the frame where the webpage is displayed,
| IE crashes. This problem has been occurring ever since I was stupid
| enough to click on a weblink received from some unidentified
| <censored>. AVG came up with a notification that a virus had infected
| my PC and ever since I've had this problem with IE.
| Here is some info about the virus as it has been identified by AVG:
| http://www.ibbu.nl/~nsprakel/avg.jpg
|
| Does anyone know how to solve this problem with IE and how to remove
| the virus completely from my PC?
| I've tried system restore, can't re-install IE and scanning for and
| fixing problems with various anti-spyware software (spyware blaster,
| ad-aware and spybot S&D) to no avail.
|
| Thanks a lot for any help or suggestions in overcoming this issue,
| kind regards, Niek

Your system is pooched!


Booting the WinXP CD then running FORMAT will work!

Please read:
Prevention protection implementation
http://boards.cexx.org/viewtopic.php?t=11523
Use a pencil and check off each item when completed.
 
David H. Lipman

|
| Anyway, thanks for the security tips.

First it was NOT a virus. It is exploit code nothing more, nothing less.

This Exploit code was mitigated by MS05-054 and patched by KB905915 so if you are up-to-date
with your patches -- no worries !

http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx

If your PC has the latest IE cumulative update then your PC is NOT "pooched" nor compromised
and you were given bad advice !

Dump the contents of your IE cache and scan the PC again.
Start --> settings --> control panel --> Internet options --> delete files
 
name

David said:
| |
| | Anyway, thanks for the security tips.
|
| First it was NOT a virus. It is exploit code nothing more, nothing less.
|
| This Exploit code was mitigated by MS05-054 and patched by KB905915 so if you are up-to-date
| with your patches -- no worries !

I'm pretty sure I installed KB905915 and generally I'm up to date since
I regularly update windows.

| http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx
|
| If your PC has the latest IE cumulative update then your PC is NOT "pooched" nor compromised
| and you were given bad advice !

Are these cumulative IE updates installed automatically if you
regularly visit windowsupdate.com ?

| Dump the contents of your IE cache and scan the PC again.
| Start --> settings --> control panel --> Internet options --> delete files

I've tried dumping the temporary internet files, but that doesn't help.
I also deleted the actual files that AVG identifies as containing the
exploit code. Now when I scan with AVG it doesn't report any problems.
Yet, the problem with IE crashing on certain webpages (as soon as I
move the mousepointer over the frame where the webpage is displayed)
persists.
 
David H. Lipman

From: "name" <[email protected]>


|
| I'm pretty sure I installed KB905915 and generally I'm up to date since
| I regularly update windows.
|

Excellent !


|
| Are these cumulative IE updates installed automatically if you
| regularly visit windowsupdate.com ?
|

Yes.

|
| I've tried dumping the temporary internet files, but that doesn't help.
| I also deleted the actual files that AVG identifies as containing the
| exploit code. Now when I scan with AVG it doesn't report any problems.
| Yet, the problem with IE crashing on certain webpages (as soon as I
| move the mousepointer over the frame where the webpage is displayed)
| persists.


The important thing is the HTML Exploit code no longer is present. However you still have a
problem with IE. What that problem is I don't know. You may want to post your problem in a
MS IE News Group.

news://msnews.microsoft.com/microsoft.public.internetexplorer.general

I do suggest switching to FireFox or Opera as your everyday web browser and just use IE for
pulling updates from the Windows Update Web Site or those IE specific content bearing web
sites.
 
Dustin Cook

name typed:

| Your system is pooched!

No it's not.

IE has problems, but a reformat probably isn't necessary. Google for
IEFIX.EXE, run it and report the results. We'll see how it goes from
here.

| Booting the WinXP CD then running FORMAT will work!

As well as hose his pictures, documents, etc.
 
Dustin Cook

| I'm pretty sure I installed KB905915 and generally I'm up to date
| since I regularly update windows.
|
| Are these cumulative IE updates installed automatically if you
| regularly visit windowsupdate.com ?
|
| I've tried dumping the temporary internet files, but that doesn't
| help. I also deleted the actual files that AVG identifies as
| containing the exploit code. Now when I scan with AVG it doesn't
| report any problems. Yet, the problem with IE crashing on certain
| webpages (as soon as I move the mousepointer over the frame where the
| webpage is displayed) persists.

Do you have browser helpers loaded? Yahoo toolbar, google toolbar, aim,
things of that nature?

Download ERUNT, and HIJACKTHIS (google for them).

Run erunt, backup your registry, then run hijackthis and email me the
logfile. We'll disable your BHO's one by one.

BHODemon is also able to do this, but doesn't always work depending on
the browser version and your version of windows.


When IE crashes, does windows offer to restart it?
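
Added example, not part of the original thread and not any poster's own tooling: a small parser that pulls the IE add-on entries (HijackThis sections O2, O3 and O9) out of a log so they can be disabled one at a time as suggested above. The sample log is constructed, and the names, CLSIDs and paths in it are placeholders; `parse_ie_addons` and `disable_order` are hypothetical helper names.

```python
import re

# Constructed sample in HijackThis log format; names, CLSIDs and paths are
# placeholders, not entries from the log linked in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\gone.dll (file missing)
O3 - Toolbar: Example Bar - {00000000-0000-0000-0000-000000000003} - C:\Program Files\Example\bar.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\tray.exe
O9 - Extra button: Example Button - {00000000-0000-0000-0000-000000000004} - C:\Program Files\Example\btn.exe
"""

# O2 = Browser Helper Objects, O3 = toolbars, O9 = extra buttons / Tools menu items.
ENTRY = re.compile(
    r"^(O2|O3|O9) - (BHO|Toolbar|Extra button|Extra 'Tools' menuitem): "
    r"(.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*?)( \(file missing\))?$"
)

def parse_ie_addons(log_text):
    """Return the IE add-on entries (sections O2, O3, O9) found in a HijackThis log."""
    addons = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())  # strip() also drops CR from Windows line endings
        if m:
            section, kind, name, clsid, path, missing = m.groups()
            addons.append({"section": section, "kind": kind, "name": name,
                           "clsid": clsid, "path": path,
                           "file_missing": missing is not None})
    return addons

def disable_order(addons):
    """Checklist order for one-at-a-time disabling: BHOs first, then toolbars, then buttons."""
    return sorted(addons, key=lambda a: a["section"])

if __name__ == "__main__":
    for n, a in enumerate(disable_order(parse_ie_addons(SAMPLE_LOG)), 1):
        note = "  [DLL missing on disk]" if a["file_missing"] else ""
        print(f"{n}. {a['kind']}: {a['name']} {a['clsid']} -> {a['path']}{note}")
```

Disabling one entry from the checklist, restarting IE and retesting after each step isolates the add-on responsible for a crash.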
 
name

Dustin said:
| Do you have browser helpers loaded? Yahoo toolbar, google toolbar, aim,
| things of that nature?

Nope. I do have some extra icons in the toolbar, for icqlite, ebay and
backflip.

| Download ERUNT, and HIJACKTHIS (google for them).
|
| Run erunt, backup your registry, then run hijackthis and email me the
| logfile. We'll disable your BHO's one by one.

I have a log generated by hijackthis shared here:
http://www.ibbu.nl/~nsprakel/hijackthis.log

Notice that all the winmx entries are ok since that circumvents the
latest attack by the RIAA to prevent sharing mp3s on winmx.

| BHODemon is also able to do this, but doesn't always work depending on
| the browser version and your version of windows.
|
| When IE crashes, does windows offer to restart it?

Nope. It just offers to send an error report. Here is the window
generated by IE when it crashes:
http://www.ibbu.nl/~nsprakel/ie_crash.jpg

Thx for your help. Although it seems the main problem is already solved
(since IE is no longer crashing) I'm still interested in ensuring that
the code exploit that messed up my system hasn't left any other traces.
 
name

name said:
| Nope. I do have some extra icons in the toolbar, for icqlite, ebay and
| backflip.
|
| I have a log generated by hijackthis shared here:
| http://www.ibbu.nl/~nsprakel/hijackthis.log
|
| Notice that all the winmx entries are ok since that circumvents the
| latest attack by the RIAA to prevent sharing mp3s on winmx.
|
| Nope. It just offers to send an error report. Here is the window
| generated by IE when it crashes:
| http://www.ibbu.nl/~nsprakel/ie_crash.jpg
|
| Thx for your help. Although it seems the main problem is already solved
| (since IE is no longer crashing) I'm still interested in ensuring that
| the code exploit that messed up my system hasn't left any other traces.

Oh, I forgot to mention that I also started a thread about IE acting
weird on an internet explorer forum and someone there suggested
disabling add-ons...
Disabling the QUICKfind BHO Object resolved the problem I had with IE.
I'm not sure exactly how it relates to the code exploit.
 
Dustin Cook

name said:
| Oh, I forgot to mention that I also started a thread about IE acting
| weird on an internet explorer forum and someone there suggested
| disabling add-ons...
| Disabling the QUICKfind BHO Object resolved the problem I had with IE.
| I'm not sure exactly how it relates to the code exploit.

Great! I'm glad it's not crashing on you anymore. It doesn't relate to
the exploit code your antivirus program found. It really doesn't take
much to piss IE off. :)
 
name

Dustin said:
| Great! I'm glad it's not crashing on you anymore. It doesn't relate to
| the exploit code your antivirus program found. It really doesn't take
| much to piss IE off. :)

Perhaps it was an internet update (from windowsupdate) that triggered
the problem since I had the Add-on for a long time and it hadn't caused
any problems until the code exploit incident.
 
David H. Lipman

From: "name" <[email protected]>


|
| Perhaps it was an internet update (from windowsupdate) that triggered
| the problem since I had the Add-on for a long time and it hadn't caused
| any problems until the code exploit incident.
|

A pure coincidence and nothing more.
 
name

David said:
| From: "name" <[email protected]>
|
| |
| | Perhaps it was an internet update (from windowsupdate) that triggered
| | the problem since I had the Add-on for a long time and it hadn't caused
| | any problems until the code exploit incident.
| |
|
| A pure coincidence and nothing more.

I don't buy into that. Judging from the date of files on my computer I
must have had this Add-on installed for at least a year and something
must have set it off.
When I got the notice from AVG, I did update windows fairly soon
afterwards and this might have caused the Add-on to act up.
Alternatively, since updating windows caused the windows genuine
advantage crap to be installed, it's also possible that my hack to
circumvent the genuine advantage BS caused the Add-on to start crashing
IE.
 
David H. Lipman

From: "name" <[email protected]>


| I don't buy into that. Judging from the date of files on my computer I
| must have had this Add-on installed for at least a year and something
| must have set it off.
| When I got the notice from AVG, I did update windows fairly soon
| afterwards and this might have caused the Add-on to act up.
| Alternatively, since updating windows caused the windows genuine
| advantage crap to be installed, it's also possible that my hack to
| circumvent the genuine advantage BS caused the Add-on to start crashing
| IE.
|


Like I said, it was Exploit code. If your PC was fully patched then the Exploit code is a
moot point and thus there is no correlation.
 
