Exploit.IE.Crashsos crashing iexplore.exe (1.880)

Discussion in 'NOD32 version 2 Forum' started by markpl, Sep 28, 2004.

Thread Status:
Not open for further replies.
  1. markpl

    markpl Guest

    Hi!

    After updating to 1.880 I wanted to check if NOD32 is properly detecting the Exploit.IE.Crashsos exploit: http://sylvana.net/test/AP4.jpg

    Unfortunately the image appeared in Internet Explorer (heavily distorted) and a NOD32 virus alert appeared. I chose to disconnect. After that the image was replaced with a "No such page" screen. A few seconds after that iexplore.exe crashed :(

    My system: Windows XP Pro SP2, NOD32 2.12.2 - 1.880

    Any idea?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Is everything back to normal after a reboot?

    Have you tried that page again?

    I get the following 2 screenshots:

    Cheers :D
     


  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    And when I click "Terminate" I get this screenshot...
     


  4. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi markpl:

    If you do not have issues with other web pages showing up incorrectly (for now - at least until the newer components are released), it may be better to change IMON to Automatically deny download of infected file and to change Mozilla/4.0 iexplore.exe to Higher efficiency in the IMON Setup/HTTP tab - Compatibility setup.



     
  5. markpl

    markpl Guest

    Strange - I don't get this screen.

    The system itself isn't crashing - only iexplore.exe. After that I restarted machine just to be sure everything is ok.

    Now I gave that URL a second try (only iexplore.exe running - no other active apps) and this time the image wasn't loaded. A virus alert appeared. I chose to terminate the connection and it crashed iexplore.exe :(

    So this is reproducible on my machine. I have all Windows updates installed. I'm also using SpyBot. No other resident applications.
     
  6. markpl

    markpl Guest

    Hah!

    That is what I like in using NOD32 - excellent support community :)

    It worked! After switching to higher efficiency iexplore.exe isn't crashing :)

    Anyway, someone from ESET should read this thread because many users use the default settings.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As Rumpstah has said above, are you sure all your settings are at "Higher Efficiency"?

    As you will see in Post number 8 in my Extra Settings for Nod32 thread at the top of this forum, there is the following statement regarding this:


    It is recommended to change the compatibility level to "Higher Efficiency" unless you experience problems with certain applications.


    NOTE: With “Higher Compatibility” mode it is possible that Trojans may slip through IMON.


    There is a newer version of Nod32 coming soon which will have "Higher Efficiency" as default, having fixed a few issues with certain websites...

    Hope this helps...

    Cheers :D
     
  8. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Check out the thread https://www.wilderssecurity.com/showthread.php?t=49004 for discussion on this and the much more important GDI+ JPEG vulnerability (AP4.jpg was released misleadingly as a possible variant of this new exploit).

    AP4.jpg is very small, <61KB, and I suspect on a broadband connection IMON cannot get in quickly enough to stop buggy IE falling over. Certainly IMON cannot stop the file being downloaded here - by the time terminating the connection is selected, the file has been downloaded. Interestingly, while IMON detects the infiltration, scanning the downloaded file with NOD32 reveals nothing at all - anyone know why this is so?
     
  9. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Ah, I see from other posts my speculation is unfounded and I forgot the differences between higher compatibility and higher efficiency. But my question remains - how come scanning with NOD32 (everything switched on) does not detect any infiltration in the downloaded file AP4.jpg?
     
  10. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Scanning it here with NOD32 works ok.

    D:\test\virus\AP4.jpg - Exploit.IE.Crashsos trojan
     
  11. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Well, that is even more puzzling to me.

    date: 28.9.2004 time: 22:49:05
    Scanned disks, directories and files: C:\Documents and Settings\[user name]\My Documents\AP4.jpg
    number of scanned files: 1
    number of viruses found: 0
    time of completion: 22:49:05 total scanning time: 0 sec (00:00:00)
     
  12. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Using Firefox to view the page doesn't set off IMON at all.
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Even with "Higher Efficiency" set?

    Cheers :D
     
  14. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi Howard:

    How is your Context Menu Profile set up to scan? All files should be selected since .jpg extensions are not in the default list. Each profile has to be set up independently. The On Demand Scan has different profiles.

    I hope this helps.


     
  15. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi flyrfan111:

    Depending on your version of Firefox, Mozilla/4.0 or Mozilla/5.0, firefox.exe could be set to Higher Efficiency in IMON setup to produce the screen "splat", in addition to Automatically deny download of infected file.

     
  16. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Have you set it to "scan all files"?

    http://webpages.charter.net/gunn1943/ap4.JPG
     
  17. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Solved it! I didn't have Archives checked in objects to diagnose. When I checked Archives in objects to diagnose, NOD32 identified the infiltration in AP4.jpg.
     
  18. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    Here Mozilla Firefox 1.0PR + Higher Efficiency setting, and everything works as shown in the above screenshot (I didn't get the second screenshot with the default Higher Compatibility, so check it).

    Thanks to Blackspear ;)

    regards,

    gkweb.
     
  19. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Now that I cleared my caches for both IE and Firefox, with higher efficiency set on both I get the first warning you displayed; with higher compatibility set on IE and Firefox I get both warnings you displayed. Edited to add: IE doesn't crash with either setting.
     
  20. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Damn, something weird is happening here. I was too hasty in my post - the infiltration was in a completely different file (an archive!). NOD32 here simply does not identify an infiltration in AP4.jpg. Using virus signature 1.880.
     
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Ahhh good to see guys, the new Rumpstah-Blackspear Tag Team worked ;)

    Problem solved... NEXT!!! :D

    Cheers :D
     
  22. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Do you have the NOD32 "On Demand Scanner" set to "scan all files"?
     
  23. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I thought that also. It seems as if the exploit isn't the jpg itself but an archive downloaded in the background. But I am not a programmer so I could be wrong. That would explain why you have to have archives checked to pick it up, though. Unless the jpg itself is compressed, that is.
     
  24. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    The archive thing was me being dumb. I had a known virus in a zipped file in the same directory as AP4.jpg so all that happened when I switched on Archives in objects to diagnose is that NOD32 picked that virus up and I didn't look closely enough and wrongly thought it had detected the AP4.jpg infiltration. The fact is eScan detects the infiltration in AP4.jpg here, but NOD32 doesn't.
     
  25. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    It has to be a settings problem for you then. I am picking it up; I can't post a screen shot with this slow dial-up connection, though, but it is working both on access and if I disable IMON, then download it and scan with NOD32. Not sure why yours won't pick it up.
     