Exploit.SelfExecHtml

Anyone know what this fuss is about from Kaspersky Labs about some new trojan?? I don't understand if the thing comes zipped what is the big deal?


Kaspersky Labs, an international data security software developer, reports the appearance of the Trojan program, 'StartPage' - the first malware to infect computers via the "Exploit.SelfExecHtml" vulnerability in the Internet Explorer security system. Making infection particularly dangerous is the fact that Microsoft has yet to release the required patch, essentially leaving users defenseless in the face of this and other, potentially more dangerous threats choosing to exploit the very same vulnerability.

StartPage is a classic Trojan - it is sent to victim addresses directly from the author and does not have an automatic send function. The first mass mailing to several hundred thousand addresses was registered in Russia on May 20. The text accompanying the Trojan program is written in Russian and clearly indicates the program's birthplace as either Russia or the former USSR.

The StartPage program is a Zip-archive that contains two files - one HTML file and one EXE file. Upon opening the HTML file the StartPage code is launched and proceeds to exploit the Internet Explorer security system vulnerability known as "Exploit.SelfExecHtml". It then proceeds to clandestinely launch the EXE file carrying the Trojan program.

"It is hard to call this program dangerous, its collateral effects include only the altering of an old Internet Explorer page. Still, StartPage has set a precedent with its usage of a vulnerability for which there is not yet a patch", commented Eugene Kaspersky, Head of Anti-virus Research at Kaspersky Labs.

According to Kaspersky Labs statistics, over 85% of virus incidences in 2002 were caused by malicious programs such as 'Klez' and 'Lentin' that exploit the IFRAME Internet Explorer vulnerability, which was discovered over two years ago, and thus users have had plenty of time to install the patch and protect themselves against any similar virus appearing in the future.

"With StartPage we are dealing with an open vulnerability. Users can protect themselves with anti-virus software, but not all of them have strong heuristic technology to protect against future viruses", continued Eugene Kaspersky. "A new vulnerability has been exposed that may incite the creation of a multitude of new malware that could lead to new epidemics of a global scale."

The following programs are vulnerable to the "Exploit.SelfExecHtml" breech:


Microsoft Internet Explorer 5.0 for Windows 2000
Microsoft Internet Explorer 5.0 for Windows 95
Microsoft Internet Explorer 5.0 for Windows 98
Microsoft Internet Explorer 5.0 for Windows NT 4.0
Kaspersky Labs appeals to Microsoft to make a strong effort to release the necessary patch, as soon other malicious programs will appear that exploit the very same technology. If a solution is not provided soon we can expect a long lasting, large-scale epidemic that could surpass even the Klez epidemic.

 

Why do you say that? It is not true at all. Since posting this I have found out more about it and just updated NOD32 this morning and it does not identify it while AVP does.

Have you even bothered to check?

 

If you have a sample of some malware that isn't detected by NOD32, please send it to samples@ eset.com (or to me: anders@ eurosecure.com)

I don't have a sample, so I can't test it, but I assume that what they are talking about, are what NOD32 detects as "Win32/StartPage.*", added on the 23rd.

Regards,
Anders
EUROSECURE