Virus Profile: Exploit-MhtRedir.gen

Threat Search
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 2/13/2004
Date Added: 2/17/2004
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 4326
Removal Instructions


This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

This exploit code could be used to execute a variety of different programs/malware.  Therefore it is not possible to give specific details about how to recognize an infection.

Methods of Infection

This threat exploits an Internet Explorer vulnerability.


Bloodhound.exploit.6.html (Symantec), Exploit-MhtRedir

Virus Characteristics

-- Update June 24, 2004--
It has recently been made known that some IIS servers have been remotely hacked. This exploit was utilized to redirect the client's browser to the  location  containing an infected webpage causing unsolicited files to be downloaded and executed.

Certain downloaded files are detected as BackDoor-AXJ.dll , JS/Exploit-DialogArg.b , and VBS/Psyme  with the current DAT files.

For further details concerning this threat, and details of available Microsoft patches see:

-- Update June 10, 2004 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

A new attack vector was discovered recently, which by passes the MS04-013 patch.  Generic detection of this new exploit code will be included in the 4366 DAT release.

This detection covers code designed to exploit an Internet Explorer vulnerability.

The exploit results in a CHM (Microsoft Compiled Help) file being written to the local system allowing for additional exploit code to then execute the downloaded file.

The end result is the execution of arbitrary code at the permission level of the current user.

Microsoft has released a patch for this vulnerability.


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!