Zero Day IE Exploit?

Discussion in 'NOD32 version 2 Forum' started by Mannaggia, Mar 20, 2006.

Thread Status:
Not open for further replies.
  1. stnien

    stnien Registered Member

    Joined:
    Dec 15, 2005
    Posts:
    34
    Sorry, I'm not sure. There are one or two things in this thread.
    I know that NOD32 can detect “JS/Exploit.CVE-2006-1359 trojan” from virus signature database version 1.1457. (And ESET is the kind of company that provides NOD32 for free to everyone before the second week of April.)
    But I also know that IE will crash if it browses this URL: http://lcamtuf.coredump.cx/iedie.html even with virus signature database version 1.1461.
    Do we discuss different things? o_O
     
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Why is IE crashing? And why can't I access the page using FF? Blargh..
     
  3. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    still no response from eset o_O
     
  4. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    If NOD32 detects the malware that attempts to install itself, to me that's all that matters. NOD32 should not try to repair IE's hole, that should be left to Microsoft to "fix".

    I can access the page using Firefox.

    I don't use IE except for Windows Update, but from what I can gather, IE will crash when attempting to view the page until MS fixes the hole, but NOD32 detects the malware that attempts to utilize the overflow to install itself, which is what an antivirus should do.
     
  5. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    Hello,
    I just did an online scan with Kaspersky, and this was the warning:

    C:\Documents and Settings\*********\Local Settings\Temporary Internet Files\Content.IE5\GLU3OPQN\TextRange[1].htm

    Infected: Exploit.JS.CVE-2006-1359.a :thumbd:

    =================================


    A full scan with Nod32 2.51.20 - 1.1461 (20060330), with the Extra settings for Nod32 v2.5 - revised 17-06-2005, reported clean. o_O

    ==================================

    Then I ran an online scan at virusscan.jotti.org, and this was the report:

    File: TextRange[1].htm

    Status: INFECTED/MALWARE

    MD5 1fa70318f35f13d7a78e5c5671d4ad69

    Packers detected: -

    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Exploit.HTML.CreateRange.Gen (probable variant)
    ClamAV Found nothing
    Dr.Web Found Exploit.CVE1359
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Exploit.JS.CVE-2006-1359.a
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    :thumbd:

    ==================================

    Virustotal.com:

    Antivirus Version Update Result
    AntiVir 6.34.0.14 03.30.2006 no virus found
    Avast 4.6.695.0 03.29.2006 no virus found
    AVG 386 03.30.2006 no virus found
    Avira 6.34.0.54 03.30.2006 no virus found
    BitDefender 7.2 03.30.2006 Exploit.HTML.CreateRange.Gen
    CAT-QuickHeal 8.00 03.30.2006 no virus found
    ClamAV devel-20060202 03.29.2006 no virus found
    DrWeb 4.33 03.30.2006 Exploit.CVE1359
    eTrust-InoculateIT 23.71.115 03.30.2006 no virus found
    eTrust-Vet 12.4.2144 03.30.2006 JS/VU876678!exploit
    Ewido 3.5 03.30.2006 no virus found
    Fortinet 2.71.0.0 03.30.2006 no virus found
    F-Prot 3.16c 03.28.2006 no virus found
    Ikarus 0.2.59.0 03.30.2006 no virus found
    Kaspersky 4.0.2.24 03.30.2006 Exploit.JS.CVE-2006-1359.a
    McAfee 4729 03.29.2006 no virus found
    NOD32v2 1.1462 03.30.2006 no virus found
    Norman 5.70.10 03.30.2006 no virus found
    Panda 9.0.0.4 03.30.2006 no virus found
    Sophos 4.04.0 03.30.2006 Exp/TxtRng-A
    Symantec 8.0 03.30.2006 Bloodhound.Exploit.61
    TheHacker 5.9.7.122 03.30.2006 no virus found
    UNA 1.83 03.23.2006 no virus found
    VBA32 3.10.5 03.30.2006 no virus found

    =================================================

    Is this PC clean Y/N :)

    How do I send (safely) a sample to Nod32?

    Thx

    Edit:
     
    Last edited: Mar 30, 2006
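    The three reports in the post above disagree, and the question under them is whether that means the machine is infected. As an added example that is not from the post or from any of the scanners, the Python below parses both report layouts quoted above (the jotti "engine Found result" form and the VirusTotal "engine version date result" form; the sample lines are constructed from the rows in the post) and separates heuristic or generic detection names (Bloodhound, .Gen, "probable variant") from specific family names, which is the first thing to check before treating a lone hit as a confirmed infection.

```python
import re

# Constructed sample lines in the two layouts quoted in the post above.
JOTTI_SAMPLE = """\
AntiVir Found nothing
BitDefender Found Exploit.HTML.CreateRange.Gen (probable variant)
Dr.Web Found Exploit.CVE1359
Kaspersky Anti-Virus Found Exploit.JS.CVE-2006-1359.a
NOD32 Found nothing
"""

VT_SAMPLE = """\
AntiVir 6.34.0.14 03.30.2006 no virus found
BitDefender 7.2 03.30.2006 Exploit.HTML.CreateRange.Gen
DrWeb 4.33 03.30.2006 Exploit.CVE1359
eTrust-Vet 12.4.2144 03.30.2006 JS/VU876678!exploit
Kaspersky 4.0.2.24 03.30.2006 Exploit.JS.CVE-2006-1359.a
NOD32v2 1.1462 03.30.2006 no virus found
Sophos 4.04.0 03.30.2006 Exp/TxtRng-A
Symantec 8.0 03.30.2006 Bloodhound.Exploit.61
"""

# jotti: "<engine, may contain spaces> Found <result>"
JOTTI_RE = re.compile(r"^(?P<engine>.+?) Found (?P<result>.+)$")
# VirusTotal: "<engine> <version> <mm.dd.yyyy> <result>"
VT_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<date>\d\d\.\d\d\.\d{4}) (?P<result>.+)$")
CLEAN = {"nothing", "no virus found"}
# Names that mean "looks suspicious" rather than "matches a known sample".
GENERIC = re.compile(r"(bloodhound|\.gen\b|probable variant|heur)", re.I)

def parse(report):
    """Map engine name -> detection name ('' when the engine found nothing)."""
    hits = {}
    for line in report.splitlines():
        m = JOTTI_RE.match(line) or VT_RE.match(line)
        if not m:
            continue  # header line or unknown layout; skip it
        result = m["result"].strip()
        hits[m["engine"]] = "" if result.lower() in CLEAN else result
    return hits

def summarize(report):
    """Count detections and split engines into specific vs. generic/heuristic hits."""
    hits = parse(report)
    detecting = {e: r for e, r in hits.items() if r}
    specific = sorted(e for e, r in detecting.items() if not GENERIC.search(r))
    generic = sorted(e for e, r in detecting.items() if GENERIC.search(r))
    return {"engines": len(hits), "detections": len(detecting),
            "specific": specific, "generic": generic}
```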
  6. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    It's pretty dead on my comp, no NOD popping up anywhere :) And now I can access it using FF.
     
  7. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    I don't think there is any actual (real) malware embedded in the test page. Probably why NOD32 doesn't detect it?
     
  8. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Well it crashed my IE, so something weird is going on ..
    Probably the onclick=bork.. Too many for IE to handle or something. No idea.
     
  9. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    That is due to the hole, not malware. It will continue to crash IE until there is a fix for it, but no malware should be able to gain access to your system because NOD32 detects any that might try to install itself via the hole.
     
  10. Jaska

    Jaska Registered Member

    Joined:
    May 7, 2004
    Posts:
    98
    My KAV finds the virus Trojan.JS.MBork.a in this iedie.html file.
     
  11. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    NOD should stop the crap before the site crashes IE.. Now I know why the internet list never gets updated..

    I'm gonna issue a warning to our users at SSE.
     
  12. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    There is nothing really "harmful" about this, it just makes an already unstable patchwork quilt of a "browser" crash. It's whether or not malware can be installed via the vulnerability that counts.
     
  13. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Indeed. That makes it a "potentially dangerous app" and should be blocked if that option is enabled (and yeah, I have it enabled).
     
  14. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    It wouldn't hurt my feelings if NOD32 added a signature for this, but it also doesn't bother me if they don't. I've never had a single security breach since I switched to Gecko based browsers years ago.

    It's Microsoft's job to patch their holes as long as the browser and OS are supported. If NOD32 quarantined all potentially dangerous apps, I doubt we would even be able to boot our computers.
     
  15. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    :) True .. But take a peek here: http://www.eset.sk/en/company/nod32-for-free-to-protect-exploiting-the-vulnerability-in-ie
    "We protect you!" .. Err not me in this case, sadly.
     
  16. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    NOD32 protects you against the installation of malware, whether or not IE crashes.
     
  17. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Yeah that's rich.. So bummer for the dude who's having a document written & all ready to go, which just happened to be deleted, just because NOD didn't stop the crash ..

    Blah blah backup blargh blah..
     
  18. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    Anyone that is using IE to do important work must be crazy anyway. ;)
     
  19. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    heh true :p Aw, now I'm lost.
     
  20. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    hmmm... ESET offers its NOD32 full for free till the fix is out, but where could somebody download it? I clicked the link there and I was redirected to the home page. :D Or that link was infected with JS.CVE-2006.... :p ?
     
  21. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    I was wondering the exact same thing .. I'm clicking the link and then I understand nothing.
    It went for the Slovak language or something.
     
  22. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    But NOD users are not protected, I can tell you that much.
    IE wouldn't crash if we were, no way in hell my man.
     
    Last edited: Mar 30, 2006
  23. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    Depends on your definition of protected.
     
  24. Graystoke

    Graystoke Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    1,506
    Location:
    The San Joaquin Valley, California
    I just put NAV 2006 back on my PC this morning after trying another AV. I went to this site again using IE, just to see what would happen. It opened showing the pretty girl, and NAV popped up with a warning, Bloodhound.Exploit.60, and put it in quarantine.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So why do KAV and some others report a trojan/virus etc.?
     