Exploit-CreateTxtRng

Type: Trojan
SubType: Exploit
Discovery Date: 03/24/2006
Length: Varies
Minimum DAT: 4727 (03/27/2006)
Updated DAT: 5215 (01/24/2008)
Minimum Engine: 5.1.00
Description Added: 03/24/2006
Description Modified: 03/27/2006 9:13 PM (PT)
Risk Assessment:
    Corporate User: Low-Profiled
    Home User: Low-Profiled

Characteristics

-- Update March 24, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

News.com: Dangerous code on Net could be used to exploit IE hole

An EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. The command-line scanner / email / gateway restrictions are not present in the EXTRA.DAT file; however, scanning for unknown macro and script viruses must be enabled.

--

This detection covers code attempting to exploit a Microsoft Internet Explorer "createTextRange()" Code Execution vulnerability.  This exploit was first seen on March 22, 2006 in Denial of Service (DoS) form.  On March 23, 2006, code execution exploits began to appear.  The 4726 DAT files contain enhanced JS/Exploit-BO.gen detection to cover those code execution exploits.

See: JS/Exploit-BO.gen for more information.

The Exploit-CreateTxtRng detection targets the raw exploit code. Due to the nature of the exploit, initial raw exploit detection will be included in the 4727 DAT files for email scanners, gateway scanners, and the command line scanner.

For more information on this vulnerability, see:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1359
http://www.microsoft.com/technet/security/advisory/917077.mspx
http://www.kb.cert.org/vuls/id/876678
http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx

Symptoms

This detection is sufficiently generic that it can cover an endless number of threats that contain the exploit code. Therefore, it is not possible to describe specific symptoms or details about system changes that can occur from this threat. However, simply seeing this detection does not mean that any exploit code was run at all, as such exploit code could only run on a vulnerable system.

Additionally, some exploits simply cause Internet Explorer to crash and nothing more.

Method of Infection

This threat could be delivered via an email message or an infectious web page.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
