Content

Exploit-ObscuredHtml

Type
Trojan
SubType
Exploit
Discovery Date
03/03/2005
Length
Varies
Minimum DAT
4425 (02/02/2005)
Updated DAT
6451 (08/27/2011)
Minimum Engine
5.1.00
Description Added
02/02/2005
Description Modified
05/11/2011 9:38 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

----- Updated on 11-May-2011 -------

File Information –

    • MD5   - 503a58124853fe6215b5407f8b6e8b2b
    • SHA1  - dfc6edc212c45e2c8eafc2470283d7c8493824a8

Aliases –

    • AVG - Exploit.CVE-2009-3129
    • Kaspersky - HEUR:Exploit.Script.Generic
    • Microsoft - Exploit:Win32/ShellCode.A
    • Sophos - Troj/JSShell-AE

 

"Exploit-ObscuredHtml" is a generic detection for JavaScript objects that construct shellcode. These scripts may be embedded within other document files such as specially-crafted .SWF files.

Upon execution, the exploit attempts to download the malicious file "server.exe" from the site "[removed]books.co.kr".

hxxp://www.[removed]books.co.kr/images/server.exe [server.exe is detected as Generic Dropper.p]

Also the exploits uses the file "POMRBQOF60wqqVRy.swf" and attempts to exploit vulnerability in Adobe Flash Player that could lead to the execution of arbitrary code.

The exploit uses the following shellcode :

"<"embed src="POMRBQOF60wqqVRy.swf" width="0" height="0">"<\embed>"

The file "POMRBQOF60wqqVRy.swf" is McAfee detected as Exploit-CVE2011-0611

"Exploit-CVE2011-0611" is a detection for specially crafted malicious code within a Shockwave Flash (SWF) file. The malicious code attempts to exploit vulnerability in Adobe Flash Player that could lead to the execution of arbitrary code.

-------

Microsoft Internet Explorer ignores certain non-ascii characters, allowing an attacker to obfuscate malicious code and still have it rendered by IE.

This detection covers HTML documents that have been crafted with the intention of evading antivirus detection.  Other documents that mix HTML with non-ascii characters could also trigger this detection.

Symptoms

N/A  This is a generic detection covering any number of differet attacks.

Method of Infection

This exploit exists as code in an HTML document, web page, or email message.

Removal

Submit a copy of the detected file to AVERT for further instructions.

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

----- Updated on 11-May-2011 -------

File Information –

    • MD5   - 503a58124853fe6215b5407f8b6e8b2b
    • SHA1  - dfc6edc212c45e2c8eafc2470283d7c8493824a8

Aliases –

    • AVG - Exploit.CVE-2009-3129
    • Kaspersky - HEUR:Exploit.Script.Generic
    • Microsoft - Exploit:Win32/ShellCode.A
    • Sophos - Troj/JSShell-AE

 

"Exploit-ObscuredHtml" is a generic detection for JavaScript objects that construct shellcode. These scripts may be embedded within other document files such as specially-crafted .SWF files.

Upon execution, the exploit attempts to download the malicious file "server.exe" from the site "[removed]books.co.kr".

hxxp://www.[removed]books.co.kr/images/server.exe [server.exe is detected as Generic Dropper.p]

Also the exploits uses the file "POMRBQOF60wqqVRy.swf" and attempts to exploit vulnerability in Adobe Flash Player that could lead to the execution of arbitrary code.

The exploit uses the following shellcode :

"<"embed src="POMRBQOF60wqqVRy.swf" width="0" height="0">"<\embed>"

The file "POMRBQOF60wqqVRy.swf" is McAfee detected as Exploit-CVE2011-0611

"Exploit-CVE2011-0611" is a detection for specially crafted malicious code within a Shockwave Flash (SWF) file. The malicious code attempts to exploit vulnerability in Adobe Flash Player that could lead to the execution of arbitrary code.

-------

Microsoft Internet Explorer ignores certain non-ascii characters, allowing an attacker to obfuscate malicious code and still have it rendered by IE.

This detection covers HTML documents that have been crafted with the intention of evading antivirus detection.  Other documents that mix HTML with non-ascii characters could also trigger this detection.

Symptoms

Symptoms -

N/A  This is a generic detection covering any number of differet attacks.

Method of Infection

Method of Infection -

This exploit exists as code in an HTML document, web page, or email message.

Removal -

Removal -

Submit a copy of the detected file to AVERT for further instructions.

Variants

Variants -

    N/A