Exploit.SelfExecHtml

Discussion in 'NOD32 version 1 Forum' started by Eric F, May 25, 2003.

Thread Status:
Not open for further replies.
  1. Eric F

    Eric F Guest

    Anyone know what this fuss is about from Kaspersky Labs about some new trojan?? I don't understand if the thing comes zipped what is the big deal?


    Kaspersky Labs, an international data security software developer, reports the appearance of the Trojan program, 'StartPage' - the first malware to infect computers via the "Exploit.SelfExecHtml" vulnerability in the Internet Explorer security system. Making infection particularly dangerous is the fact that Microsoft has yet to release the required patch, essentially leaving users defenseless in the face of this and other, potentially more dangerous threats choosing to exploit the very same vulnerability.

    StartPage is a classic Trojan - it is sent to victim addresses directly from the author and does not have an automatic send function. The first mass mailing to several hundred thousand addresses was registered in Russia on May 20. The text accompanying the Trojan program is written in Russian and clearly indicates the program's birthplace as either Russia or the former USSR.

    The StartPage program is a Zip-archive that contains two files - one HTML file and one EXE file. Upon opening the HTML file the StartPage code is launched and proceeds to exploit the Internet Explorer security system vulnerability known as "Exploit.SelfExecHtml". It then proceeds to clandestinely launch the EXE file carrying the Trojan program.

    "It is hard to call this program dangerous, its collateral effects include only the altering of an old Internet Explorer page. Still, StartPage has set a precedent with its usage of a vulnerability for which there is not yet a patch", commented Eugene Kaspersky, Head of Anti-virus Research at Kaspersky Labs.

    According to Kaspersky Labs statistics, over 85% of virus incidences in 2002 were caused by malicious programs such as 'Klez' and 'Lentin' that exploit the IFRAME Internet Explorer vulnerability, which was discovered over two years ago, and thus users have had plenty of time to install the patch and protect themselves against any similar virus appearing in the future.

    "With StartPage we are dealing with an open vulnerability. Users can protect themselves with anti-virus software, but not all of them have strong heuristic technology to protect against future viruses", continued Eugene Kaspersky. "A new vulnerability has been exposed that may incite the creation of a multitude of new malware that could lead to new epidemics of a global scale."

    The following programs are vulnerable to the "Exploit.SelfExecHtml" breach:

    Microsoft Internet Explorer 5.0 for Windows 2000
    Microsoft Internet Explorer 5.0 for Windows 95
    Microsoft Internet Explorer 5.0 for Windows 98
    Microsoft Internet Explorer 5.0 for Windows NT 4.0

    Kaspersky Labs appeals to Microsoft to make a strong effort to release the necessary patch, as soon other malicious programs will appear that exploit the very same technology. If a solution is not provided soon we can expect a long lasting, large-scale epidemic that could surpass even the Klez epidemic.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined: Jul 1, 2001
    Posts: 12,472
    Location: The Netherlands

    Eric,

    As long as you keep your NOD32 database updated: no big deal at all. It's covered ;).

    regards.

    paul
     
  3. Eric F

    Eric F Guest

    Why do you say that? It is not true at all. Since posting this I have found out more about it and just updated NOD32 this morning and it does not identify it while AVP does.

    Have you even bothered to check?
     
  4. anders

    anders Eset Staff Account

    Joined: Oct 25, 2002
    Posts: 410

    If you have a sample of some malware that isn't detected by NOD32, please send it to samples@ eset.com (or to me: anders@ eurosecure.com)

    I don't have a sample, so I can't test it, but I assume that what they are talking about is what NOD32 detects as "Win32/StartPage.*", added on the 23rd.

    Regards,
    Anders
    EUROSECURE
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined: Jul 1, 2001
    Posts: 12,472
    Location: The Netherlands

    Indeed, Anders - and yes: this one has been verified.

    regards.

    paul
     