This malicious program exploits a vulnerability which enables a remote malicious user to modify the appearance of pages displayed in Internet Explorer and to evade content filtering due to incorrect interpretation of 8-bit ASCII symbols.
The script uses a vulnerability (MS06-014) in MDAC (Microsoft Data Access Components) when using the ADODB.Stream object to download a file from the following link:
http://www.*****berhome.com/blog/see.exe

This file will be saved to the current user's Windows temporary directory (%Temp%) as "svchost.exe" and "svchost.vbs". The downloaded files are then launched for execution.
At the moment of writing, the link was not working.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the original exploit file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following files:
  - %Temp%\svchost.exe
  - %Temp%\svchost.vbs
- Install Internet Explorer updates.
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
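The file checks in the removal steps above can be scripted. The following PowerShell is an added example, not part of the original description: it assumes the default `C:\Users\<name>\AppData\Local\Temp` profile layout, and the variable names are illustrative. It only reports what it would stop or delete until `-WhatIf` is removed.

```powershell
# Added example: locate the two dropped files named in this description in
# each local profile's Temp directory, record evidence, then preview removal.
# The genuine svchost.exe lives in %SystemRoot%\System32 and is never touched here.
$dropNames = 'svchost.exe', 'svchost.vbs'

# Assumption: default profile layout. On Windows XP-era systems use
# 'C:\Documents and Settings\*\Local Settings\Temp' instead.
$tempDirs = @($env:TEMP) + @(
    Get-ChildItem 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }
) | Where-Object { Test-Path -LiteralPath $_ } | Sort-Object -Unique

# -contains is case-insensitive, so SVCHOST.EXE also matches.
$found = @(foreach ($dir in $tempDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $dropNames -contains $_.Name }
})

# Record path, size, timestamp and hash before anything is deleted.
$report = foreach ($f in $found) {
    [pscustomobject]@{
        Path    = $f.FullName
        Size    = $f.Length
        Created = $f.CreationTime
        SHA256  = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-List

# Processes started from one of those paths: the .exe directly, or a script
# host (wscript/cscript) whose command line references the .vbs.
$paths = @($found | ForEach-Object { $_.FullName })
$procs = @(Get-CimInstance Win32_Process | Where-Object {
    $cmd = "$($_.ExecutablePath) $($_.CommandLine)"
    $paths | Where-Object { $cmd.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
})
$procs | Select-Object ProcessId, Name, CommandLine | Format-List

# Preview only. Remove -WhatIf after reviewing the report above.
$procs | ForEach-Object { Stop-Process -Id $_.ProcessId -Force -WhatIf }
$found | Remove-Item -Force -WhatIf
```

Run it from an elevated prompt so that other users' profile directories are readable.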
This exploit uses a vulnerability in Internet Explorer (CVE-2006-3227) to run on the victim machine. It is an HTML page, 1323 bytes in size, and is not packed in any way.
Payload