Virus Characteristics
-- Update June 24, 2004--
It has recently been made known that some IIS servers have been remotely hacked. This exploit was utilized to redirect the client's browser to the location http://217.107.218.147 containing an infected webpage causing unsolicited files to be downloaded and executed.
Certain downloaded files are detected as BackDoor-AXJ.dll
, JS/Exploit-DialogArg.b
, and VBS/Psyme
with the current DAT files.
For further details concerning this threat, and details of available Microsoft patches see:
http://www.microsoft.com/security/incident/download_ject.mspx
-- Update June 10, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Pop-up+toolbar+spreads+via+IE+flaws/2100-1002_3-5229707.html?tag=nefd.top
A new attack vector was discovered recently, which by passes the MS04-013 patch. Generic detection of this new exploit code will be included in the 4366 DAT release.
This detection covers code designed to exploit an Internet Explorer vulnerability.
The exploit results in a CHM (Microsoft Compiled Help) file being written to the local system allowing for additional exploit code to then execute the downloaded file.
The end result is the execution of arbitrary code at the permission level of the current user.
Microsoft has released a patch for this vulnerability.
See: http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx