Virus Profile: Exploit-ObjectData

Threat Search

Virus Profile information details
Risk Assessment:	Home Low \| Corporate Low
Date Discovered:	8/29/2003
Date Added:	9/30/2003
Origin:	Unknown
Length:	Varies
Type:	Trojan
Subtype:	Exploit
DAT Required:	4292
Removal Instructions

Overview
Virus Characteristics
Removal Instructions

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Since this detection covers generic exploit code, the payload of that code can be widely varying.

Methods of Infection

This exploit makes use of a security vulnerability affecting Internet Explorer and certain email clients, such as Outlook and Outlook Express.

Aliases

Exploit-ObjectData.gen

View Virus Characteristics

Virus Characteristics

Update - 8/27/2004: A mass-mailing of this exploit occurred today. Messages appear as:

Subject: 1
or Subject: 2

Attachment: 1.gif
or Attachment: 2.gif

The attachments are simply 8 byte ascii files containing a number. They are not valid GIF files, nor are they infectious.

The message body of such messages is typically blank, but contains HTML exploit code to load a page from a remote site, which is currently inaccessible. The code on the remote site may contain additional malware that could be responsible for the sending of the messages.

Update - 5/28/2004: For the past month this exploit has been spammed on many occasions. It is being used for malware distribution and spam. Currently this exploit is at the top of the list ahead of Emails generated by W32/Netsky, W32/Bagle and W32/Sober viruses. Detection for the exploit is generic and thus it is impossible to determine what the payload of any particular message is from just the exploit name.

Update - 4/22/2004: A message using this exploit has known to have been spammed out to users. This message will be detected as Exploit-ObjectData with the 4353 DATS.

It bears the following characteristics:

Subject: YOU WON A FREE VACATION!!!!

Inside the message is a hidden link which runs a script. The script is detected as VBS/Inor by the latest DATS.

The script:

downloads MSTASK.EXE - detected as Multidropper- KG with current DATS.
drops X.EXE into the root of C: drive - Detected as Proxy-Hino.dldr with current DATS.

Update - 4/14/2004: A new variant of W32/Netsky has been discovered which makes use of this exploit to spread. Specific detection for this variant will be included in the 4352 DATs.

This detection covers HTML documents that attempt to exploit the Microsoft Security Bulletin MS03-032 or Microsoft Security Bulletin MS03-040 vulnerability. This severity of this vulnerability is considered to be critical. It allows an attacker to execute malicious code, simply by visiting an infectious website. Detections of this exploit do not necessarily mean that any malicious code was executed. It simply means that an HTML document was found to contain the exploit code. Conversely malicious code may have been run, which could result in any number of modifications to the system.

All vulnerable systems should apply the patch from Microsoft. Patched systems are immune from the effects of the exploit code. However, detection will still occur on files attempting to make use of this exploit.

Back To Overview View Removal Instructions

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations