mhtml redir.exploit - if you have NAV you may see this someday soon

Discussion in 'malware problems & news' started by HandsOff, Dec 17, 2004.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I encountered this exploring a question about Symantec...actually in my search I misspelled it as Symantic. Anyway, I read a little about this virus. It appears that it is not all that serious, probably caused by a JAVA applet. If NAV alerts you when you go to the same site then probably there is a cookie on your computer which is doing something that NAV does not like. I guess it is a no-panic situation because it was detected; however, I am concerned because my firewall detected a java applet and activeX controls, and was instructed to block them. However, the script, or whatever it is, got to be installed? Why?

    I have exact information on the site that I clicked on that caused this if anyone is interested. (possibly of some interest to someone wanting to fine-tune their firewall - in my case NPF)

    - HandsOff
     

  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I've had this one; KAV catches it as well. It is an exploit that in certain circumstances can force your machine to download files without you having to give the usual permission. In other words it can set you up for a 'drive-by download' and plonk a fat great trojan on your system! It is therefore potentially more serious than you suggest.

    It is certainly not caused by cookies because you can get it in your temp internet files, even when your IE defences are configured to maximum safety (and hence you are blocking all cookies).

    Fortunately Microsoft have patched against it, so you will not suffer consequences if you are up to date. In any case AVs keep it out, unless someone is foolish!
     
  4. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi Ronjor,
    My system is patched with everything except SP2, and I don't like the limitations that SP2 imposes on me. According to the update page there are no security updates that I need.

    Hi TopperID,
    Thanks for the input. I suspected it might be more important than just an annoyance. I read some posts from people who said it was due to cookies, but NAV said "a counter" was being downloaded. I wonder if it is possible that the download was simply blocked by NAV before it would have been blocked by XP. I would expect Explorer or XP to have the first shot at blocking the download. For all I know, they silently blocked it, then NAV blocked it and posted the warning. The only reason it is an issue is that I'd like to think that such things are blocked by XP.

    I will check again with Updates just the same; however, their new improved version does seem quite slow and conflict-ridden. I don't suppose you could use it in a diagnostic start-up mode? Probably not.

    -HandsOff
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I don't see that 'Explorer' (do you mean I.E.? Windows Explorer is usually referred to as Explorer!) or XP will block (and if they do they won't tell you about it!); rather they will simply be immune (that is, non-reactive) to the threat. It is the job of your AV to actively block things.

    You really must get SP2; it is much safer. Some people say you should get rid of I.E. altogether - though I use it, but I have it tightly configured and I would not dream of using it without SP2!
     
  6. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    You are correct, I did mean Internet Explorer. I tend to have a major problem with computer terminology; I call them both Explorer a lot and depend on the context to differentiate. I also call folders directories, which drives some people nuts.

    I may be forced to go to SP2 because updating SP1 is very difficult for me. The updates will refuse to acknowledge that I have prerequisite updates installed.

    SP1 just seems to work so much better and faster!


    - HandsOff
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    I've had SP2 since it was released. Once you get everything set so it doesn't bug you about updates, it's fine. I noticed no slowdown at all.
    Bill can be pesky at times! :D
     
  8. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Ron,

    If you were not known to me as being a very helpful and knowledgeable XP oracle I would swear you were kicking sand in my face!

    On Dec. 14, I caved in and tried installing SP2 for the second time. Since then I have reformatted my hard drive at least four times, have tried automatic updates, have downloaded and archived over 150 individual updates, roll-ups, or upgrade packs. I have traversed from end to end the XP Updates page, the Update Catalog, the Internet Explorer page, the Office XP site. Have upgraded drivers for everything, firmware for my DVD+/-R.

    After all this I think it's safe to say...I don't have a clue how XP works! Now I am on the Internet...but without my firewall (NPF).

    I have a pretty old XPH, circa 2002; it has OEM in the serial, although I paid extra to get the "full XP" in addition to the restore disk. In my mind that is no reason it should not update! If M$ put it out M$ should support it. One problem seems to be the F&(@!&# File System Checker. It seems to feel certain critical system files are being replaced, and then demands to replace them. If you do not, you get the BSD. If you do "insert your Windows XP Home CD now..." it does not replace the file in question...It reinstalls the entire O/S! At this juncture you might think the answer would be simple...stick with SP1, right? Well, for some reason some of my applications don't seem to install right anymore. For some reason even after a format (regular not quick...does it make a difference?) the F$&@#!$ O/S is still able to think 'another o/s has been installed on this partition do you want to continue?', xxx.dll has been changed "possible because a wrong cd has been used with a different version of windows"....Arrrrrrrgh.

    My god Microsoft make up your damn minds! Either make a system dll unchangeable, or allow it to be updated, changed, manipulated, corrupted. You can't have it both ways!

    I hate M$, I hate SP2, and most of all, I HATE COMPUTERS!!!

    -HandsOff
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    Handsoff

    I hope you realize I would never intentionally try to mislead anyone.

    I understand a lot of people had problems with SP2. A lot didn't.
    Since there are so many computer configs out there, it was bound to happen.

    When I had my computer built, I wanted nothing other than XP on it. Anything else would be added by me. It has worked out well.

    Is XPH a computer brand?
     
  10. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Ron,

    I was just kidding you, and making fun of myself...because I am quite sure I must be doing something wrong here, but it takes Soooooooooooooooo long to get it back the way it was before. I meant it more as a compliment really. For instance, when the computer said that critical files had changed and put my CD in the drive to fix it....little did I know it was making me reinstall the entire O/S. I know there are ways to replace system files...but I don't remember them. I know that it is possible to completely kill the File Checker, and I am starting to wonder...if I am going to have to reinstall whenever it detects a change that it allowed in the first place, maybe I should kill the FCS! Strong words, I know...But anyway, really, I in no way meant to imply anything negative about you. In fact I wish you were here right now!!!

    xph = XP Home edition in short hand.

    - HandsOff
     
  11. sparker

    sparker Registered Member

    Joined:
    Jan 28, 2005
    Posts:
    1
    Greetings members
    I've tried everything to rid myself of this exploit. I have XP with Service Pack 2, NAV, Ad-Aware SE, Spysweeper, Spybot, and Spyware Nuker. I've installed all of Microsoft's patches to no avail. Anything you can do to help will be greatly appreciated. Thanks everyone
     
  12. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Ronjor - Ohhhhhhhhhhhh, I did not catch your meaning at first. You said when you had your computer built, and my mind locked onto hardware. You are saying you politely decline "free" and "trial" programs. You are reinforcing something that I have finally come to realize. My brother bought an eMachine. It's a Celeron 850MHz so that gives you an idea how old. When the thing finally crashed he had me use the restore disk to bring it back to life. I did, and I downloaded Spybot Search & Destroy, and the free ZoneAlarm firewall, AVG free antivirus, a² free trojan hunter, Javacool's SpywareBlaster and a few others, just to give him a fighting chance. I swear you would not believe how many things those programs rooted out. And even what was left were many programs I have an aversion for. I guess I don't know what to think of eMachines. Awareness about spyware was so minimal...and many programs I suppose were optional...Dammit they suck!

    I am running far afield of the topic. The mhtml redir.exploit...

    Sparker, I usually log down what I do to fix a problem, but I do not find anything this time. I was reinstalling all the SP1 updates. After I was satisfied that they and IE updates and even MS-Office were patched, then I made sure that my services (run > services.msc) were all the way I like (close to the ones recommended by Black Viper's website), then I check that all my IE6 settings are set (close to Tom Coyote's recommendations - safernetworking.org, maybe?). I don't even maintain the links because after I have them how I like, I take a snapshot JPG image of the screen and just open the windows on my computer and put them side by side to see what's changed. That's the "HandsOff Settings Technique".

    But...I never saw the problem again. If you think you are fully updated for IE6 and XP and Office, then maybe it's just some settings...I find that they have a habit of mysteriously changing every so often. I wish I had a more specific answer.

    -HandsOff
     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Sparker, please do the following:-

    To start with you should disable system restore as per here:- http://www.bleepingcomputer.com/forums/tutorial56.html

    Then clear out all your temp files, and the easy way to do that is by downloading CCleaner from here:- http://www.ccleaner.com/

    Then you need to open Windows Explorer and:-
    1. Select "Tools" from the menu on top.
    2. Select "Folder Options".
    3. Select the "View" tab.
    4. Scroll down and Select "Show hidden files and folders".
    5. Unselect "Hide extensions for known file types".
    6. Unselect "Hide protected operating system files".
    7. If you get a "warning" prompt, say yes you want to do it anyway.
    8. Click Apply and Ok.

    Finally you should go into Safe Mode; see here:- http://www.bleepingcomputer.com/forums/tutorial61.html

    and do a full system scan with NAV.

    When you've done all that tell us whether you still have this bug, in particular tell us the exact file name and path as given by NAV in its report section.
     
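    Steps 4 to 6 of the Folder Options list above, scripted as an added example (not part of TopperID's post): it sets the same three view settings through their registry values and reads them back to confirm they took. It assumes a PowerShell host and the per-user Explorer "Advanced" key named in the script; on the XP-era systems in this thread, reg.exe would be the equivalent.

```powershell
# Added example, not part of TopperID's post: applies steps 4 to 6 of the
# Folder Options list through the registry and verifies the result.
# Assumes a PowerShell host and the per-user Explorer "Advanced" key below.
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Registry value -> setting that matches the checkbox state asked for:
#   Hidden          = 1  ->  "Show hidden files and folders" selected
#   HideFileExt     = 0  ->  "Hide extensions for known file types" unticked
#   ShowSuperHidden = 1  ->  "Hide protected operating system files" unticked
$Wanted = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }

function Set-TriageFolderView {
    foreach ($Name in $Wanted.Keys) {
        # -Force overwrites an existing value instead of failing on it
        New-ItemProperty -Path $Advanced -Name $Name -PropertyType DWord `
            -Value $Wanted[$Name] -Force | Out-Null
    }
}

function Test-TriageFolderView {
    # Reads the key back; returns $true only if every value is as wanted
    $Current = Get-ItemProperty -Path $Advanced
    foreach ($Name in $Wanted.Keys) {
        if ($Current.$Name -ne $Wanted[$Name]) { return $false }
    }
    return $true
}

Set-TriageFolderView
if (Test-TriageFolderView) {
    'Folder view set for triage; reopen Explorer windows to see the change.'
} else {
    throw 'One or more Folder Options values did not apply.'
}
```

    The GUI "Apply" button refreshes open Explorer windows for you; after the script, close and reopen them instead.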
  14. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    http://merijn.org/downloads.html

    This tool can disable the MHTML protocol ^_^ ( Well, only keep it if you use Outlook Express, and if you are, switch to another E-Mail client =S )
     
  15. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Good tip to run NAV in the safe mode. I'm glad someone remembered that!

    - HandsOff
     