EXPLOIT-- what is this and what do I do

AVG found a virus they call EXPLOIT.

Its location is:

c\Documents and Settings\My Name\Local Settings\Temporary Internet Files\ContentIE5\OHUJGHAR\

Its filename is:  2_z[1].html

I've moved it to the Virus Vault.

Does that take care of the problem??

Is there anything else I should do??

Mel



Re: EXPLOIT-- what is this and what do I do


| AVG found a virus they call EXPLOIT.
|
| Its location is:
|
| c\Documents and Settings\My Name\Local Settings\Temporary Internet Files\ContentIE5\OHUJGHAR\
|
| Its filename is:  2_z[1].html
|
| I've moved it to the Virus Vault.
|
| Does that take care of the problem??
|
| Is there anything else I should do??
|
| Mel
|

AVG found Exploit code in a HTML file.  It did NOT find a virus.

The questions are...

How long has the file existed there ?
What exploit ?
Was the Exploitation successful ?

If you restore the HTML file you can submit it to Virus Total and we can know more.

http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners. That will give you an idea what it is and who recognizes it. In addition, unless told otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode.  It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.  http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * *   Please report back your results  * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do

David:

I restored the file (to a different directory so I can access it quicker).

But I was unable to attach it to send it.

First AVG popped up.

I disabled AVG but OE wouldn't let me do it (it stripped the file
attachment).

I then tried it with my Yahoo email account and it wouldn't let me do it.

Any other ideas?? Also, why can't I attach the file?

This is frustrating.

I've put the file back into the AVG Virus Vault.

I am pretty sure this virus just arrived today (the AVG Resident Shield
picked it up).

I read your possible solution but it sure looks very complicated.

Do you think the banishment to the Virus Vault will take care of the
problem?

Mel



Re: EXPLOIT-- what is this and what do I do


| David:
|
| I restored the file (to a different directory so I can access it quicker).
|
| But I was unable to attach it to send it.
|
| First AVG popped up.
|
| I disabled AVG but OE wouldn't let me do it (it stripped the file
| attachment).
|
| I then tried it with my Yahoo email account and it wouldn't let me do it.
|
| Any other ideas?? Also, why can't I attach the file?
|
| This is frustrating.
|
| I've put the file back into the AVG Virus Vault.
|
| I am pretty sure this virus just arrived today (the AVG Resident Shield
| picked it up).
|
| I read your possible solution but it sure looks very complicated.
|
| Do you think the banishment to the Virus Vault will take care of the
| problem?
|

Please STOP calling this a virus.  Viruses replicate.
This is a HTML file.  It is a script and does not replicate.

Exploit code is a script that takes advantage of a known vulnerability in the OS, in an OS module or a software application you use.  If the targeted vulnerability is mitigated, the exploit code is rendered harmless.  If the targeted vulnerability has not been patched then the exploitation of the vulnerability may succeed and more often than not, the objective is to install malware.

Without a submission of the HTML file to Virus Total, we will be unable to make a determination of what the exploitation was, what the vulnerability was or if the vulnerability may have been exploited.  The fact that it is a HTML file and is Exploit code is insufficient to come to any conclusions.  However, without further details, we must assume the worst and that the exploitation succeeded and you were possibly infected with malware.

The HTML file can be safely deleted from the virus vault.  However, it is needed to get the further details I alluded to.

The Multi AV Scanning tool can be used to find any malware that may have been installed if the exploitation was successful.

You can also check your system to see if there are indeed vulnerable versions of software that may be exploited.

http://secunia.com/software_inspector



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do



If you _really_ want to send the file to someone, you should package it up in a password protected .ZIP or .RAR file.  Then you can attach the protected archive to an e-mail that includes the required password to open the file.

The reason for password protecting it is to keep AV scanners (like AVG) from opening the archive and yanking the file out of it.

[snip]

That's the purpose of the vault.  The file's name is changed and it gets encrypted.  Unless you tell AVG to restore the file, it's virtually inaccessible and un-executable.

AVG is doing exactly what it's supposed to do.  Make absolutely sure that you have enabled automatic updates in its setup routines.  It _does_ do a very good job.

Best regards,
Marc.


Re: EXPLOIT-- what is this and what do I do



|
| If you _really_  want to sent the file to someone, you should package
| it up
| in a password protected .ZIP or .RAR file.  Then you can attach the
| protected archive to an e-mail that includes the required password to
| open
| the file.
|
| The reason for password protecting it is to keep AV scanners (like
| AVG)
| from opening the archive and yanking the file out of it.
|
| [snip]
|
|
| That's the purpose of the vault.  The file's name is changed and it
| gets
| encrypted.  Unless you tell AVG to restore the file, it's virtually
| unaccessible and un-executable.
|
| AVG is doing exactly what it's supposed to do.  Make absolutely sure
| that
| you have enabled automatic updates in its setup routines.  It _does_
| do a
| very good job.
|
| Best regards,
| Marc.

That would be counter-productive when sending a suspect to Virus Total and is contraindicated.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do

On Sun, 14 Jan 2007 19:08:31 UTC, "David H. Lipman"


[snip]

This would be so in the case of a direct upload; but what I was
referring to was being able to attach it to an e-mail.

--
******************************************
*  Best regards,
*  Marc.
*  Formerly of New Orleans, LA (USA)
*  Now resident in Meridian, MS (USA)
*  FIDONET=1:396/45  INTELEC=239:600/70
*  TELNET://bbs.sursum-corda.com
*  FTP://ftp.sursum-corda.com
******************************************
Remove anti-spam devices to reply by e-mail.
A: Because it reverses the logical flow of conversation.
Q: Why is top posting frowned upon?


Re: EXPLOIT-- what is this and what do I do


| On Sun, 14 Jan 2007 19:08:31 UTC, "David H. Lipman"
|
|
|>> The reason for password protecting it is to keep AV scanners (like
|>> AVG) from opening the archive and yanking the file out of it.
| [snip]
|
| This would be so in the case of a direct upload; but what I was
| referring to was being able to attach it to an e-mail.
|

Either in sending in email or direct upload, don't submit archive files to Virus Total.  Not all the scanners are set to scan within them.

This is why I use an email address that has NO anti virus scanner associated with it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do

David:

OK -- I was able to upload it to their site. All the vendors said no
viruses.

But the file said 0 bytes.

How could this be??

I'm confused

Mel



Re: EXPLOIT-- what is this and what do I do


| David:
|
| OK -- I was able to upload it to their site. All the vendors said no
| viruses.
|
| But the file said 0 bytes.
|
| How could this be??
|
| I'm confused
|
| Mel



What is the size of the file in the "Virus Vault" ?


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do

1679 bytes

Mel



Re: EXPLOIT-- what is this and what do I do


| 1679 bytes
|

1)    Dump the contents of your IE cache -
      Start --> settings --> control panel --> Internet options --> delete files

2)    Reboot the PC.

3)    Restore the file from the Virus Vault to a location such as;  C:\

4)    Examine the size of the file.  If it is NOT zero Bytes, re-submit to Virus Total.
      http://www.virustotal.com/flash/index_en.html

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
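Step 4 above, done from the defender's side, as an added example that is not from the thread or from the Multi_AV tool: the check compares the size Explorer reports (a stat) with what an actual read returns, which is the difference between "1679 bytes on disk" and "0 bytes uploaded". The sample file and its contents are constructed placeholders, not the real 2_z[1].html.

```python
import hashlib
import os
import tempfile


def check_sample(path):
    """Stat the file, read it, and hash what the read actually returned.

    status is 'ok' when the read matches the on-disk size, 'empty' when
    the file really is 0 bytes, and 'read-blocked' when the listing says
    the file has content but a read yields less (or fails). The last case
    is what an upload form sees when an on-access scanner or another
    process is holding the file: it looks like a 0-byte file.
    """
    stat_size = os.path.getsize(path)
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        return {"stat_size": stat_size, "read_size": 0, "sha256": None,
                "status": "read-blocked", "error": str(exc)}
    read_size = len(data)
    if stat_size == 0 and read_size == 0:
        status = "empty"
    elif read_size < stat_size:
        status = "read-blocked"
    else:
        status = "ok"
    # The SHA-256 can be looked up on Virus Total instead of uploading the file.
    return {"stat_size": stat_size, "read_size": read_size,
            "sha256": hashlib.sha256(data).hexdigest(), "status": status}


def demo():
    """Constructed demo: a small HTML stand-in plus a genuinely empty file."""
    tmp = tempfile.mkdtemp()
    sample = os.path.join(tmp, "sample_2_z.html")  # constructed, not the real sample
    with open(sample, "wb") as fh:
        fh.write(b"<html><body>constructed placeholder</body></html>\n")
    empty = os.path.join(tmp, "empty.html")
    open(empty, "wb").close()
    return {"sample": check_sample(sample), "empty": check_sample(empty)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On the box in the thread, a result of `read-blocked` for the restored file means something is holding it open, which is the next thing to investigate rather than re-trying the upload.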



Re: EXPLOIT-- what is this and what do I do

David:

This is very strange. I did all that.

Windows Explorer also confirms 1.67 KB and it says that when I go into
command prompt and check the directory.

But when I upload it to virustotal, it says zero bytes.

And I can't seem to attach it as an email attachment.

Any other suggestions???

Oh and I did run the other program and I do have quite a few applications
that are not upgraded:

Specifically: Adobe Reader, quicktime, itunes, winamp, and I have a bunch of
older versions of Macromedia flash players.

Most of these I don't use (I do use Adobe and sometimes itunes)

I've been reluctant to upgrade to new versions when these programs work
unless there were security issues.

I guess I now have to (?). Are there some in particular that I should
upgrade?

Mel







Re: EXPLOIT-- what is this and what do I do


| David:
|
| This is very strange. I did all that.
|
| Windows Explorer also confirms 1.67 KB and it says that when I go into
| command prompt and check the directory.
|
| But when I upload it to virustotal, it says zero bytes.
|
| And I can't seem to attach it as an email attachment.
|
| Any other suggestions???
|
| Oh and I did run the other program and I do have quite a few applications
| that are not upgraded:
|
| Specifically: Adobe Reader, quicktime, itunes, winamp, and I have a bunch of
| older versions of Macromedia flash players.
|
| Most of these I don't use (I do use Adobe and sometimes itunes)
|
| I've been reluctant to upgrade to new versions when these programs work
| unless there were security issues.
|
| I guess I now have to (?). Are there some in particular that I should
| upgrade?
|
| Mel
|

The only way the file would NOT be allowed to be sent via email or get uploaded to Virus Total as 0KB is if the file handle is held open.  That means something is using it.  Either AVG is blocking access to the file or there is malware actively using it.  I tried to avoid the possibility of malware using it through my set of instructions.


As for the software.  Even if you don't use them, if they are there and they have vulnerabilities then they can be exploited !

Please use the Multi AV Scanning Tool now and scan your PC.  Start with the McAfee module.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do

OK -- I'll try it.

But right now that file is in the Virus Vault and nowhere else. Can I leave
it there during the scans??

Mel



Re: EXPLOIT-- what is this and what do I do


| OK -- I'll try it.
|
| But right now that file is in the Virus Vault and nowhere else. Can I leave
| it there during the scans??
|
| Mel

Yes !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do

David:

I am currently running Mcaf. in normal mode. I did move the suspect file
back to c:\ . I'll see what happens



Re: EXPLOIT-- what is this and what do I do


| David:
|
| I am currently running Mcaf. in normal mode. I did move the suspect file
| back to c:\ . I'll see what happens

OK.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do

David:

I appreciate your help in this. I am very nervous obviously and need some
hand holding here.
McAf. failed to find anything. What next? Try each one? I don't think I have
a virus per se, but what about this malware?
Would one of the others pick that up??
Do I now have to do each of the others?

Then do it all again in Safe Mode??

This is sure unnerving!!


Here are the Mcaf. results:
01/13/2007  19:10:24


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /ALL /MIME /PROGRAM
/EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*

Summary report on C:\*.*
File(s)
        Total files: ...........  209623
        Clean: .................  209526
        Possibly Infected: .....       0
Non-critical Error(s):                 2
Master Boot Record(s): .........       1
        Possibly Infected: .....       0
Boot Sector(s): ................       1
        Possibly Infected: .....       0


Time: 00:56.03

Re: EXPLOIT-- what is this and what do I do

running Kasp now