Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

IE CreateTextRange vulnerability - New trojans emerge

A few overnight developments are summarized below:

JS_DLOADER.BXR
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOADER%2EBXR&VSect=T

This malicious JavaScript is a zero-day exploit that takes advantage of a vulnerability in the createTextRange method call process in Internet Explorer. A text range enables a user to modify text within an object. This JavaScript causes an error in the mentioned text range, which is applied to a radio button control, allowing malicious Web sites to consume a large amount of an affected system's memory and this JavaScript to execute arbitrary code on the machine.

It should be noted that zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it. Thus, Trend Micro recommends that users avoid visiting Web sites of questionable origin to help prevent possible infection by this malware.

Downloader-AVK - IE CreateTxtRange based trojan
http://vil.nai.com/vil/content/v_139048.htm

This trojan was discovered in connection with the Exploit-CreateTxtRng trojan. A hacked webserver contains exploit script, which results in a file named ca.exe being downloaded from another hacked webserver. ca.exe is Downloader-AVK. This trojan simply attempts to download and execute another trojan, calc.exe, from the same compromised webserver. calc.exe is a new password stealing trojan, PWS-PartyPooper.

PWS-PartyPooper
http://vil.mcafeesecurity.com/vil/content/v_139049.htm

This trojan was discovered in connection with the Downloader-AVK trojan, which was installed via the Exploit-CreateTxtRng trojan. This password stealing trojan scans your system for stored passwords and monitors the websites that you visit for the purpose of sending all this information to the trojan author/distributor.
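The download chain described above (ca.exe followed by calc.exe, both fetched from the same compromised webserver) can be hunted for retrospectively in web proxy logs. The following is an added example, not code from this post or from the vendors; the log format, host names and the 10-minute window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines (assumed format: ISO time, client IP, URL).
SAMPLE_LOG = """\
2006-03-25T09:00:01 10.0.0.5 http://site-a.example/page.htm
2006-03-25T09:00:04 10.0.0.5 http://site-b.example/ca.exe
2006-03-25T09:00:09 10.0.0.5 http://site-b.example/calc.exe
2006-03-25T09:05:00 10.0.0.7 http://downloads.example/setup.exe
2006-03-25T09:30:00 10.0.0.8 http://site-b.example/ca.exe
2006-03-25T11:00:00 10.0.0.8 http://site-b.example/calc.exe
"""

WINDOW = timedelta(minutes=10)   # assumed correlation window
STAGES = ("ca.exe", "calc.exe")  # file names reported in the write-ups above

def parse(line):
    """Split one log line into (timestamp, client, host, file name)."""
    ts, client, url = line.split(None, 2)
    host, _, path = url.strip().split("://", 1)[1].partition("/")
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return datetime.fromisoformat(ts), client, host.lower(), name

def find_chains(log_text):
    """Return (client, host, first_seen) for each client that fetched
    ca.exe and then calc.exe from the same host within WINDOW.
    Assumes the log is in chronological order."""
    pending = {}  # (client, host) -> time the first stage was fetched
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, name = parse(line)
        key = (client, host)
        if name == STAGES[0]:
            pending[key] = ts
        elif name == STAGES[1] and key in pending:
            first_seen = pending.pop(key)
            if ts - first_seen <= WINDOW:
                hits.append((client, host, first_seen))
    return hits

if __name__ == "__main__":
    for client, host, ts in find_chains(SAMPLE_LOG):
        print(f"{client}: {STAGES[0]} then {STAGES[1]} from {host}, starting {ts}")
```

File names are trivial for a distributor to change, so a match identifies clients to investigate for this specific incident, and an empty result does not show that no client was affected.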

The following is an advisory reflecting the latest information and guidance by Microsoft:

Microsoft Security Advisory (917077) - Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/917077.mspx

Comments

Clint's Security Blog said:

    As many of you may know one of the new IE 0 day exploits is spreading and being used...
# March 25, 2006 1:16 PM

Clint's Security Blog said:

    As many of you may know one of the new IE 0 day exploits is spreading and being used...
# March 29, 2006 2:44 PM