Possible virus discovery (in IE cache -> .hlp files)

Virus Guy

I performed a somewhat rare total scan (using NAV 2002) on my Win-98
system today and NAV quarantined a couple of .hlp files that were
located in one of those weird IE cache directories.

Their names were:

search1[1].hlp (15,674 bytes)
search[1].hlp (18,578 bytes)

(yes, the square brackets were in the file name).

Seems I picked those up on March 12, 2005.

NAV calls it "BloodHound.Exploit.22". I submitted it to Kaspersky and
it came back as suspicious.

I submitted the first one to Virus Total and here are the results:

This is a report processed by VirusTotal on 07/05/2005 at 06:40:55
(CET) after scanning the file "search_1_.hlp" file.

------------------------
Antivirus      Version         Update      Result

AntiVir        6.31.0.7        07.04.2005  no virus found
AVG            718             07.04.2005  no virus found
Avira          6.31.0.7        07.04.2005  no virus found
BitDefender    7.0             07.05.2005  no virus found
ClamAV         devel-20050501  07.05.2005  no virus found
DrWeb          4.32b           07.04.2005  no virus found
eTrust-Iris    7.1.194.0       07.04.2005  no virus found
eTrust-Vet     11.9.1.0        07.04.2005  no virus found
Fortinet       2.36.0.0        07.04.2005  HLP/CVE_2004_1361-exploit
Ikarus         2.32            07.04.2005  no virus found
Kaspersky      4.0.2.24        07.05.2005  Exploit.WinHLP.CVE-2004-1361
McAfee         4527            07.04.2005  Exploit-Winhlp
NOD32v2        1.1161          07.04.2005  no virus found
Norman         5.70.10         06.30.2005  no virus found
Panda          8.02.00         07.04.2005  no virus found
Sybari         7.5.1314        07.05.2005  no virus found
Symantec       8.0             07.04.2005  Bloodhound.Exploit.22
TheHacker      5.8.2.065       07.04.2005  no virus found
VBA32          3.10.4          07.04.2005  no virus found
------------------------

I submitted it also directly to McAfee and here's the result:

-------------------------
AVERT Labs - Beaverton
Current Scan Engine Version:4.4.00
Current DAT Version:4527
Thank you for your submission.

Name           Findings           Detection       Type    Extra
search[1].hlp  current detection  exploit-winhlp  Trojan  no

current detection [ search[1].hlp ]

The file received is infected and can be detected and removed with our
current DAT files and engine. It is recommended that you update your
DAT and engine files and scan your computer again. If you are not
seeing this with the product you are using, please speak with
technical support so that they can help you determine the cause of
this discrepancy.
If you use the McAfee VirusScan Online or VirusScan Retail retail
products, and do not have the Dat File Version specified, please send
an e-mail to (e-mail address removed) to request an extra.dat for your
product. You must include the Analysis ID number found in the subject
line of this message to receive the extra.dat file.
-------------------------

I'm not sure what I need to do to "remove" these files other than
delete them (I don't believe I've run them).

A search of my hard drive for any files created / modified on the same
date (and same approximate time) as the above .hlp files shows the
following:

1[2].htm
1[3].htm
1[4].htm
1[5].htm
(something)@indextools[2].txt
(something)@help[1].txt
(something)@windowsforumz[1].txt

Here are the contents of 1[5].htm (the others are similar):

--------------------
<html>
<head>
<meta http-equiv="refresh" content="3000; url=1.htm">
</head>
<body>
<script language="javascript">
//img = new Array();
//for (i=0;i<100;i++)
//{
// img = new Image();
// img.src="loadimage.ICO";
//}
</script>
<iframe name=f1></iframe>
<iframe name=f2></iframe>
<iframe name=f3></iframe>
<iframe name=f4></iframe>
<iframe name=f5></iframe>
</body>
</html>
--------------------

The .htm files are time-stamped 1 minute after the suspect .hlp
files. The cookie files are a few minutes before.

Here are the contents of the @help[1].txt file:

--------------------
bblastvisit (some 9 digit number) www.d-a-l.com/help/ (more numbers)
bblastactivity (more numbers) www.d-a-l.com/help/ (more numbers)
-------------------

I suspect that I picked up these files from the web site
http://www.d-a-l.com/.

There is evidence that something strange is going on there:

http://groups.google.ca/group/micro...www.d-a-l.com/"&rnum=5&hl=en#dff790dbc107a51e

Anyways, you guys might want to scan your IE cache files for these
questionable .HLP files...

If anyone wants me to post (or e-mail) these files to you, let me
know. I think there is a .virus source-code news group I could post
these in. I had a quick look at them in a text editor and there are a
few readable items but it's mostly binary junk.
 
Art

> I performed a somewhat rare total scan (using NAV 2002) on my Win-98
> system today and NAV quarantined a couple of .hlp files that were
> located in one of those weird IE cache directories.

<snip for brevity>

So flush the IE cache and all temp folders. You're basically asking,
"How do I know for sure whether or not there is active malware on my
machine?" On Win 9X/ME you can use DOS av scanners after booting
into DOS, so that any malware isn't active. KAVDOS32 is your best
bet. Or use KAV version 3.5 in Safe mode. An eval version is available
from http://www.avp.ch. Make sure you update the scanner.

Then in Normal Windows, use AdAware and Spybot. You should "know your
machine". By that, I mean you should know what its startup axis looks
like when it is clean. Record it and even commit it to memory. I use
Kaspersky's TrojanFinder. Know what files normally run at startup and
know what your various registry Run keys normally hold so you can
easily recognize anything unusual.

Use methods of finding unusual network activity. TrojanFinder is
helpful with that. Even netstat -an is useful, but there are, of
course, several good freewares available for such network monitoring
purposes. And free software firewalls can be an aid as well
in alerting you to unauthorised outgoing ... providing they haven't
been disabled or spoofed by active malware. The point is that you
should use general or generic methods in addition to using
an updated top notch av scanner.

Don't waste your time and money on NAV.

Art

http://home.epix.net/~artnpeg
 
Virus Guy

Art said:
> So flush the IE cache and all temp folders. You're basically
> asking,

No. You're talking to someone who advocates removing suspect
hard-drives and slaving them to a trusted computer so they can be
fully scanned without fear that some active mal-ware is blocking or
interfering with the scan.

I'm talking about specifics of what the mal-ware in question might
have done to my registry (created new entries, modified existing ones,
dropped or created other executables with specific names, etc.)

> Don't waste your time and money on NAV.

Did you not read my post?

Did you not see which AV programs detected something in the suspect
file -> and which ones didn't <- ?

(don't worry, I haven't wasted any money on the NAV I'm running since
it's on its 3rd free annual def'n subscription).

And, by the way, people: this is another example that a supposedly
ancient version of NAV (2002) is fully capable of detecting current
(and rare) viral or mal-files. Your theory of it having a detection
engine that is out-of-date is not proven in this situation.
 
David H. Lipman

From: "Virus Guy" <[email protected]>

|
| I performed a somewhat rare total scan (using NAV 2002) on my Win-98
| system today and NAV quarantined a couple of .hlp files that were
| located in one of those weird IE cache directories.
|
| Their names were:
|
| search1[1].hlp (15,674 bytes)
| search[1].hlp (18,578 bytes)
|
| (yes, the square brackets were in the file name).

<snip>

The square bracketed file names are normal IE operation naming techniques.

Exploit codes are not viruses. If the OS and components are fully patched then the
vulnerabilities associated with the exploitation code are mitigated.

Dump your IE cache.

Exploit-Winhlp -- http://vil.nai.com/vil/content/v_130649.htm

MS KB891711 -- http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
 
Virus Guy

David H. Lipman said:
> Exploit codes are not viruses.

What ?!

From the page you referenced:

--------------
Successful exploitation may cause execution of arbitrary code on the
local machine when viewing Windows help (.hlp) file. ->Malicious
code<- can be delivered in .hlp file via web page or email message.
--------------

Do you have some inside information that .hlp exploit files
somehow, for some reason, do not contain viral code? Ok, so maybe
it's a trojan, or worm. Does it matter? There doesn't seem to be
"alt.comp.trojans" so this group might as well serve that purpose.

---------------
Modifications made to the system Registry and/or INI files for the
purposes of hooking system startup, will be successfully removed if
cleaning with the recommended engine and DAT combination
---------------

I'd like to know what registry entries or ini files are
modified/created for the specific threat I detected. I'd like to see
for myself if the mal-code was executed or just sat in the cache
un-touched.
> If the OS and components are fully patched then the
> vulnerabilities associated with the exploitation code are
> mitigated.

Same can be said for most threats.

I just wanted to point out an example of a threat that seems to be
relatively new and perhaps there aren't many examples in the wild.
Perhaps more can be found (and submitted) by people if they are aware
of the threat, the name, and the location of these .hlp files.
 
Art

> No. You're talking to someone who advocates removing suspect
> hard-drives and slaving them to a trusted computer so they can be
> fully scanned without fear that some active mal-ware is blocking or
> interfering with the scan.

That's unnecessary on Win 9X/ME, and it takes an unnecessary risk.
You don't deal with Win 9x/ME in the same way you deal with the
NT based OS.

> I'm talking about specifics of what the mal-ware in question might
> have done to my registry (created new entries, modified existing ones,
> dropped or created other executables with specific names, etc.)

And I pointed out a way to find out. Use TrojanFinder. Or you can
use HijackThis. Experienced users should learn how to use these
tools to recognize suspicious entries and files.

> Did you not read my post?

I sure did. You didn't really read mine!

> Did you not see which AV programs detected something in the suspect
> file -> and which ones didn't <- ?

NAV gave you a rather useless heuristic alert. KAV and a couple of
others gave you specific detection.

> (don't worry, I haven't wasted any money on the NAV I'm running since
> it's on its 3rd free annual def'n subscription).

I'm not worried, but you should be :)

> And, by the way, people: this is another example that a supposedly
> ancient version of NAV (2002) is fully capable of detecting current
> (and rare) viral or mal-files. Your theory of it having a detection
> engine that is out-of-date is not proven in this situation.

It only alerted heuristically. That's what "bloodhound" means.
And I offered no "theory" or speculation at all about your version of
NAV. I'm simply suggesting that you use a far superior product.

Art

http://home.epix.net/~artnpeg
 
Roger Wilco

> And, by the way, people: this is another example that a supposedly
> ancient version of NAV (2002) is fully capable of detecting current
> (and rare) viral or mal-files. Your theory of it having a detection
> engine that is out-of-date is not proven in this situation.

The earlier discussion was not about an older engine being incapable of
detecting or identifying new malware, it was about an old engine being
incapable of using new definitions that make use of new technology to
detect any malware using the new tricks that necessitated the new
technology be implemented in the new engines. The malware detected by
this heuristic scanner is a relatively new exploit, but doesn't use any
new tricks to make detection difficult, and so a 'new' engine was not
needed to detect it. Not all new malware will necessitate new technology
for detection, but those that do will prove the point quite well.
 
Roger Wilco

Virus Guy said:
> What ?!
>
> From the page you referenced:
>
> --------------
> Successful exploitation may cause execution of arbitrary code on the
> local machine when viewing Windows help (.hlp) file. ->Malicious
> code<- can be delivered in .hlp file via web page or email message.
> --------------

See, even they don't say "virus". And even if they did, them calling
something a virus does not make it a virus. To be a virus by most modern
definitions this code would have to replicate itself.

> Do you have some inside information that .hlp exploit files
> somehow, for some reason, do not contain viral code?

Generally they call them "exploit trojans" (Trojan.Exploit.<something or
other>.xx) because they don't contain replicative code. If they use the
newly gained processor time to make use of other program segments to
constitute wormlike behavior they will be considered a part of a worm's
luggage and may then be detected as a worm related file (yet still be an
exploit trojan).

> Ok, so maybe
> it's a trojan, or worm. Does it matter?

Apparently not to you (and you are not alone in this), but the rest of
us like to have different names for different things.

> There doesn't seem to be
> "alt.comp.trojans" so this group might as well serve that purpose.

Yes, but to participate in meaningful discussions you may want to use
the right words in the right places. If you want to misuse terminology,
you would receive fewer corrections if you didn't use that moniker.
Someone calling himself "Virus Guy" should know what is and isn't a
virus or at least care that there is a difference between different
malware types.
 
David H. Lipman

From: "Virus Guy" <[email protected]>

| "David H. Lipman" wrote:
||
| What ?!
|
| From the page you referenced:
|
| --------------
| Successful exploitation may cause execution of arbitrary code on the
| local machine when viewing Windows help (.hlp) file. ->Malicious
| code<- can be delivered in .hlp file via web page or email message.
| --------------
|
| Do you have some inside information that .hlp exploit files are
| somehow, for some reason, do not contain viral code? Ok, so maybe
| it's a trojan, or worm. Does it matter? There doesn't seem to be
| "alt.comp.trojans" so this group might as well serve that purpose.
|
| ---------------
| Modifications made to the system Registry and/or INI files for the
| purposes of hooking system startup, will be successfully removed if
| cleaning with the recommended engine and DAT combination
| ---------------
|
| I'd like to know what registry entries or ini files are
| modified/created for the specific threat I detected. I'd like to see
| for myself if the mal-code was executed or just sat in the cache
| un-touched.
||
| Same can be said for most threats.
|
| I just wanted to point out an example of a threat that seems to be
| relatively new and perhaps there aren't many examples in the wild.
| Perhaps more can be found (and submitted) by people if they are aware
| of the threat, the name, and the location of these .hlp files.

Exploitation code takes advantage of vulnerabilities. Patch the vulnerability and the
exploitation can't happen.

That patch is here... http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
 