Exploit.IE.Crashsos crashing iexplore.exe (1.880)

Hi!

After updating to 1.880 I wanted to check if NOD32 is detecting properly Exploit.IE.Crashsos exploit: http://sylvana.net/test/AP4.jpg

Unfortunately image appeared in Internet Explorer (heavily distorted) and NOD32 virus alert appeared. I choose to disconnect. After that image was replaced with "No such page" screen. Few seconds after that iexplore.exe crashed

My system: Windows XP Pro SP2, NOD32 2.12.2 - 1.880

Any idea?

 

Is everything back to normal after a reboot?

Have you tried that page again?

I get the following 2 screenshots:

Cheers

 

And when I click "Terminate" I get this screenshot...

 

Hi markpl:

If you do not have issues with other web pages showing up incorrectly (for now - at least until the newer components are released), it may be better to change IMON to Automatically deny download of infected file and to change Mozilla/4.0 iexplore.exe to Higher efficiency in the IMON Setup/HTTP tab - Compatibility setup.

 

Strange - I don't get this screen.

The system itself isn't crashing - only iexplore.exe. After that I restarted machine just to be sure everything is ok.

Now I give second try to that URL (only iexplore.exe running - no other active apps) and this time image wasn't loaded. Virus alert appeared. I choose to terminate connection and it crashed iexplore.exe

So this is reproducible on my machine. I have all windows updates installed. I'm also using SpyBot. No other resident applications.

 

Hah!

That is what I like in using NOD32 - excellent support community

It worked! After switching to higher efficiency iexplore.exe isn't crashing

Anyway someone from ESET should read this thread because many users use default settings.

 

As Rumpstah has said above, are you sure all your settings are at "Higher Efficiency"?

As you will see in Post number 8 in my Extra Settings for Nod32 thread at the top of this forum, there is the following statement regarding this:


It is recommended to change the compatibility level to "Higher Efficiency" unless you experience problems with certain applications.


NOTE: With “Higher Compatibility” mode it is possible that Trojans may slip through IMON.


There is a newer version of Nod32 coming soon which will have "Higher Efficiency" as default, having fixed a few issues with certain website...

Hope this helps...

Cheers

 

Check out the thread https://www.wilderssecurity.com/showthread.php?t=49004 for discussion on this and the much more important GDI+ JPEG vulnerability (AP4.jpg was released misleadingly as a possible variant of this new exploit).

AP4.jpg is very small, <61KB, and I suspect on a broadband connection IMON cannot get in quickly enough to stop buggy IE falling over. Certainly IMON cannot stop the file being downloaded here - by the time terminating the connection is selected, the file has been downloaded. Interestingly, while IMON detects the infiltration, scanning the downloaded file with NOD32 reveals nothing at all - anyone know why this is so?

 

Ah, I see from other posts my speculation is unfounded and I forgot the differences between higher compatibility and higher efficiency. But my question remains- how come scanning with NOD32 (everything switched on) does not detect any infiltration in the downloaded file AP4.jpg?

 

Scanning it here with NOD32 works ok.

D:\test\virus\AP4.jpg - Exploit.IE.Crashsos trojan

 

Well, that is even more puzzling to me.

date: 28.9.2004 time: 22:49:05
Scanned disks, directories and files: C:\Documents and Settings\[user name]\My Documents\AP4.jpg
number of scanned files: 1
number of viruses found: 0
time of completion: 22:49:05 total scanning time: 0 sec (00:00:00)

 

Using Firefox to view the page doesn't set off IMON at all.

 

Even with "Higher Efficiency" set?

Cheers

 

Hi Howard:

How is your Context Menu Profile set up to scan? All files should be selected since .jpg extensions are not in the default list. Each profile has to be setup independently. The On Demand Scan has different profiles.

I hope this helps.

 

Hi flyrfan111:

Depending on your version of Firefox, Mozilla/4.0 or Mozilla/5.0, firefox.exe could be set to Higher Efficiency in IMON setup to produce the screen "splat", in addition to Automatically deny download of infected file.

 

Have you set it to "scan all files"?

http://webpages.charter.net/gunn1943/ap4.JPG

 

Solved it! I didn't have Archives checked in objects to diagnose. When I checked Archives in objects to diagnose, NOD32 identified the infiltration in AP4.jpg

 

Hi,

here Mozilla FireFox 1.0PR + Higher efficienty setting, and everything works as shown in the above screenshot (I didn't have the second screenshot with the default higher compatibillity, so check it).

Thanks to Blackspear

regards,

gkweb.

 

Now that I cleared my caches for both IE and Firefox, with higher efficiency set on both I get the first warning you displayed, with higher compatibility set on IE and Firefox I get both warnings you displayed. Editted to add; IE doesn't crash with either setting.

 

Damn, something weird is happening here. I was too hasty in my post - the infiltration was in completely different file (an archive!). NOD32 here simply does not identify an infiltration in AP4.jpg Using virus signature 1.880

 

Ahhh good to see guys, the new Rumpstah-Blackspear Tag Team worked

Problem solved... NEXT!!!

Cheers

 

Do you have the NOD32 "On Demand Scanner" set it to "scan all files"?

 

I thought that also. It seems as if the exploit isn't the jpg itself but an archive downloaded in the background. But I am not a programmer so I could be wrong. That would explain why you have to have archives checked to pick up though. Unless the jpg itself is compressed that is.

 

The archive thing was me being dumb. I had a known virus in a zipped file in the same directory as AP4.jpg so all that happened when I switched on Archives in objects to diagnose is that NOD32 picked that virus up and I didn't look closely enough and wrongly thought it had detected the AP4.jpg infiltration. The fact is eScan detects the infiltration in AP4.jpg here, but NOD32 doesn't.

 

It has to be a settings problem for you then, I am picking it up, I can't post a screen shot with this slow dial up connection though but it is working both on access and if I disable IMON then download it and scan with NOD32. Not sure why yours won't pick it up.