Microsoft Security Advisory: Vulnerability in IE - Patch scheduled for Dec. 13, 2005



Microsoft
December 1, 2005

Malicious Software Encyclopedia: TrojanDownloader:Win32/Delf.DH

TrojanDownloader:Win32/Delf.DH is a Trojan downloader that targets Microsoft Windows.
TrojanDownloader:Win32/Delf.DH then downloads TrojanDownloader:Win32/Delf.AH from a
Web site to the infected computer.

This Trojan is being distributed through an exploit of a vulnerability in Internet
Explorer (IE). When the user visits certain Web sites, a malicious "script" on those
sites exploits the Internet Explorer (IE) vulnerability described in Microsoft
Security Advisory 911302
(http://www.microsoft.com/technet/security/advisory/911302.mspx).

The "script" then downloads "TrojanDownloader:Win32/Delf.DH" to the computer.

Technical Analysis

When a user visits certain Web sites, a file named "KVG.exe" or "keks.exe" is
automatically downloaded from the "Web site" to the user's Startup folder.

This file is detected as "TrojanDownloader:Win32/Delf.DH".

This Trojan downloader then downloads and runs another Trojan downloader every five
minutes and saves it in the Windows system folder as "all.exe". This file is detected
as "TrojanDownloader:Win32/Delf.AH".

How to Prevent Infection

Take the following steps to help prevent infection on your system:
* Enable a firewall on your computer.
* Get the latest computer updates.
* Use up-to-date antivirus software.

Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet
Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
1. Click Start, and click Control Panel.
2. Click Network and Internet Connections, and click Network Connections. If you do
not see Network and Internet Connections, click Switch to Category View.
3. Highlight a connection that you want to help protect, and click Change settings
of this connection.
4. Click Advanced, and select Protect my computer and network by limiting or
preventing access to this computer from the Internet.
5. Click OK.

Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are
discovered. You can use the Automatic Updates feature in Microsoft Windows XP to
automatically download future Microsoft security updates while your computer is on
and connected to the Internet.

To turn on Automatic Updates in Windows XP
1. Click "Start", and click "Control Panel".
2. Click "Performance and Maintenance". If you do not see "Performance and
Maintenance", click "Switch to Category View".
3. Click "System".
4. Click "Automatic Updates", and select "Keep my computer up to date".
5. Select a setting. Microsoft recommends selecting "Automatically download the
updates, and install them on the schedule that I specify" and setting a regular
update time.
6. If you choose to have Automatic Updates notify you in step 5, you will see a
notification balloon when new downloads are available to install. Click the
notification balloon to review and install updates.

Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software.
You should always run antivirus software on your computer that is updated with the
latest signature files to automatically help protect you from infection. If you don't
have antivirus software installed, you can get it from one of several companies.

For more information, see
http://www.microsoft.com/athome/security/downloads/default.mspx

How to Tell If Your Computer Is Infected
There are no readily apparent indications that your computer is infected by
"TrojanDownloader:Win32/Delf.DH".

However, the presence of a file named "KVG.exe" or "keks.exe" in your Startup folder
may be a symptom of infection by this Trojan.

Transmission Methods

The Trojan is downloaded automatically when a user visits certain Web sites, where a
malicious "script" exploits the Internet Explorer (IE) vulnerability described in
Microsoft Security Advisory 911302.

Payload Information

<user's Startup folder>\KVG.exe or
<user's Startup folder>\keks.exe

Dropped Files

Path: <user's Startup folder>\kvg.exe or keks.exe
File size: 9728 bytes
SHA1 hash: E28AEFD6962D2283F85D8E962F2E9979BA826623
Packers: UPX
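As an added example that is not part of the Microsoft entry, the following Python sweep checks the indicators listed above: the kvg.exe/keks.exe names in the Startup folder, all.exe in the system folder, the 9728-byte size and the SHA1 hash. The folder layout and file contents in demo() are constructed placeholders, so a name-and-size match is reported rather than a hash match.

```python
import hashlib
import os
import tempfile

# Indicators taken from the encyclopedia entry above.
STARTUP_NAMES = {"kvg.exe", "keks.exe"}
SYSTEM_NAMES = {"all.exe"}
KNOWN_SHA1 = {"e28aefd6962d2283f85d8e962f2e9979ba826623"}  # Delf.DH dropper
KNOWN_SIZE = 9728


def sha1_of(path):
    """Stream the file through SHA1 and return the lowercase hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(startup_dir, system_dir):
    """Return findings as dicts (name, path, reason) for files matching the indicators."""
    findings = []
    for folder, names in ((startup_dir, STARTUP_NAMES), (system_dir, SYSTEM_NAMES)):
        if not os.path.isdir(folder):
            continue
        for entry in os.listdir(folder):
            if entry.lower() not in names:  # names on Windows are case-insensitive
                continue
            path = os.path.join(folder, entry)
            if sha1_of(path) in KNOWN_SHA1:
                reason = "sha1 matches known Delf.DH sample"
            elif os.path.getsize(path) == KNOWN_SIZE:
                reason = "name and size match; hash differs (possible variant or repack)"
            else:
                reason = "suspicious file name; hash not in known set"
            findings.append({"name": entry.lower(), "path": path, "reason": reason})
    return findings


def demo():
    """Constructed sample layout (placeholder bytes, not real malware) to exercise sweep()."""
    base = tempfile.mkdtemp()
    startup = os.path.join(base, "Startup")
    system = os.path.join(base, "system32")
    os.mkdir(startup)
    os.mkdir(system)
    with open(os.path.join(startup, "KVG.exe"), "wb") as f:
        f.write(b"\x00" * KNOWN_SIZE)        # same size as the sample, different content
    with open(os.path.join(system, "all.exe"), "wb") as f:
        f.write(b"MZ placeholder")
    with open(os.path.join(startup, "notepad.lnk"), "wb") as f:
        f.write(b"benign")                    # must not be reported
    return sweep(startup, system)
```

On a real machine, point sweep() at the Startup folder path shown under "Delete the Trojan file" and at the Windows system folder, and treat any finding as a reason to run the recovery steps below.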

How to Recover from Infection

Automatic Recovery

To attempt to automatically remove this threat, run one of the following removal
tools: http://safety.live.com

Manual Recovery

To recover offline from infection by "TrojanDownloader:Win32/Delf.DH", follow these
steps:
1. Disconnect from the Internet.
2. Restart your computer in safe mode.
3. End the Trojan process.
4. Delete the Trojan file.
5. Remove the footprint of the malicious software all.exe that is downloaded to the
Windows system folder by "TrojanDownloader:Win32/Delf.DH".
6. Restart your computer.
7. Take steps to prevent re-infection.

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers,
disconnect it from the Internet before proceeding. Print this Web page or save a copy
on your computer; then unplug your network cable and disable your wireless
connection. You can reconnect to the Internet after completing these steps.

Restart your computer in safe mode

To start the computer in safe mode
1. Remove all floppy disks and CDs from your computer, and then restart your
computer.
2. When prompted, press F8. If Windows starts without displaying the "Please select
the operating system to start" menu, restart your computer. Press F8 after the
firmware POST process completes, but before Windows displays graphical output.
3. From the "Windows Advanced Options" menu, select a safe mode option.

End the Trojan process

To end the Trojan process
1. Press CTRL+ALT+DEL once and click "Task Manager".
2. Click "Processes" and click "Image Name" to sort the running processes by name.
3. Select process kvg.exe or keks.exe if it is in the list, and click "End
Process".

Delete the Trojan file
To delete the Trojan file
1. Click "Start", and click "Run".
2. In the "Open" field, type the path to the user's Startup folder, for example:
"C:\Documents and Settings\<username>\Start Menu\Programs\Startup"
3. Click "OK".
4. Click "Name" to sort files by name.
5. If a file named kvg.exe or keks.exe is in the list, delete it.
6. On the Desktop, right-click the "Recycle Bin" and click "Empty Recycle Bin".
7. Click "Yes" to confirm.

If deleting the file fails, follow these steps to verify that the corresponding
process is not running:
1. Press CTRL+ALT+DEL once and click "Task Manager".
2. Click "Processes" and click "Image Name" to sort the running processes by name.
3. Confirm that neither kvg.exe nor keks.exe is in the list.

Remove the footprint of the malicious software "all.exe"

"TrojanDownloader:Win32/Delf.DH" downloads the file all.exe to your computer. This is
malicious software that is still on your computer after you recover from
"TrojanDownloader:Win32/Delf.DH". To complete a recovery from the actions of
"TrojanDownloader:Win32/Delf.DH", you must also remove the footprint created by
all.exe.

Restart your computer

To restart your computer
1. On the "Start" menu, click "Shut Down".
2. Select "Restart" from the drop-down list and click "OK".

Take steps to prevent re-infection

Do not reconnect your computer to the Internet until the computer is protected from
re-infection. See the "How to Prevent Infection" section for more information.
http://www.microsoft.com/security/encyclopedia/details.aspx?name=TrojanDownloader:Win32/Delf.DH

Microsoft Security Advisory (911302)

Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model
Objects Could Allow Remote Code Execution.

Microsoft is investigating new public reports of a vulnerability in Microsoft
Internet Explorer on Microsoft Windows 98, on Windows 98 Second Edition, on Windows
Millennium Edition, on Windows 2000 Service Pack 4, on Windows XP Service Pack 1, and
on Windows XP Service Pack 2. Customers who are running Windows Server 2003 and
Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced
Security Configuration turned on, are not affected. We have also been made aware of
proof of concept code and malicious software targeting the reported vulnerability.
Customers can visit Windows Live Safety Center (http://safety.live.com) and are
encouraged to use the "Complete Scan" option to check for and remove this malicious
software and future variants. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to
help protect our customers. This may include providing a security update through our
monthly release process or providing an out-of-cycle security update, depending on
customer needs.

This issue was originally publicly reported in May as being a stability issue that
caused the browser to close. Since then, new information has been posted that
indicates remote code execution could be possible. Microsoft is concerned that this
new report of a vulnerability in Internet Explorer was not disclosed responsibly,
potentially putting computer users at risk. We continue to encourage responsible
disclosure of vulnerabilities. We believe the commonly accepted practice of reporting
vulnerabilities directly to a vendor serves everyone's best interests. This practice
helps to ensure that customers receive comprehensive, high-quality updates for
security vulnerabilities without exposure to malicious attackers while the update is
being developed.

Microsoft encourages users to exercise caution when they open links in e-mail. For
more information about Safe Browsing, visit the Trustworthy Computing Web site
(http://www.microsoft.com/security/incident/settings.mspx).

We continue to encourage customers to follow our Protect Your PC guidance of enabling
a firewall, applying software updates and installing antivirus software. Customers
can learn more about these steps at the Protect Your PC Web site
(http://www.microsoft.com/protect).

Customers who believe they may have been affected by this issue can contact Product
Support Services. You can contact Product Support Services in the United States and
Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of
the United States and Canada can locate the number for no-charge virus support by
visiting the Microsoft Help and Support Web site
(http://support.microsoft.com/security).

Mitigating Factors:

* In a Web-based attack scenario, an attacker would have to host a Web site
that contains a Web page that is used to exploit this vulnerability. An attacker
would have no way to force users to visit a malicious Web site. Instead, an attacker
would have to persuade them to visit the Web site, typically by getting them to click
a link that takes them to the attacker's Web site.

* An attacker who successfully exploited this vulnerability could gain the same
user rights as the local user. Users whose accounts are configured to have fewer user
rights on the system could be less impacted than users who operate with
administrative user rights.

* The Restricted sites zone helps reduce attacks that could try to exploit this
vulnerability by preventing Active Scripting from being used when reading HTML e-mail
messages. However, if a user clicks a link in an e-mail message, they could still be
vulnerable to this issue through the Web-based attack scenario.

By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail
messages in the Restricted sites zone. Additionally, Outlook 98, and Outlook 2000
open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security
Update (http://go.microsoft.com/fwlink/?LinkId=33334) has been installed.

Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted
sites zone if Microsoft Security Bulletin MS04-018 has been installed
(http://go.microsoft.com/fwlink/?LinkId=19527).

* By default, Internet Explorer on Windows Server 2003, on Windows Server 2003
Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems,
and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as
Enhanced Security Configuration
(http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/overview/esc_changes.asp).

This mode mitigates this vulnerability. See the FAQ section for this security
update for more information about Internet Explorer Enhanced Security Configuration.
http://www.microsoft.com/technet/security/advisory/911302.mspx
