Trojan Exploit.JS.ADODB.Stream.e

 
The Trojan Exploit.JS.ADODB.Stream.e was first detected on 2nd October, 2006. The virus signature database of the Cyberoam Unified Threat Management solution was up to date and ready for it since Jul 27 2006: Cyberoam uses Kaspersky as its gateway anti-virus engine.
 
The Attack
The exploit targets users of Yahoo and MSN Messenger. Users receive a message containing a link from a known contact. If the link is clicked, a new browser window opens but no page is displayed. In the background the Trojan attempts to download and install other malware on the system. It also copies the file taskmng.exe to the Windows folder and creates a Registry key to start the file automatically. It disables direct access to regedit and Task Manager, ensuring that it can be neither stopped nor removed by the user.
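The behaviour described above leaves host-side indicators that an administrator can check when a user has been warned. The following triage script is an added example, not Cyberoam's code. The page names the dropped file taskmng.exe and the Windows folder, but not the Registry key used for autostart or the mechanism used to disable the tools, so the script assumes the standard Run keys and the standard Explorer policy values DisableRegistryTools and DisableTaskMgr. It works on a dict snapshot of Registry values so it runs offline; on a live host the same dict can be built with winreg.

```python
"""Triage check for the persistence and tamper indicators described above.

Added example (not Cyberoam's code). Assumptions: the autostart value lives
in one of the usual Run keys, and regedit / Task Manager are disabled via
the Explorer policy values DisableRegistryTools / DisableTaskMgr.
"""
import ntpath
from typing import Dict, List

# Assumption: usual autostart locations and policy values checked in triage.
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
TAMPER_VALUES = ("DisableRegistryTools", "DisableTaskMgr")
DROPPED_FILE = "taskmng.exe"  # file name given on the page


def _command_path(data: str) -> str:
    """Return the executable path from a Run-value command line.

    Handles both '"C:\\dir\\x.exe" /arg' and 'C:\\dir\\x.exe /arg'.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def find_indicators(registry: Dict[str, Dict[str, object]],
                    windows_dir: str = r"C:\WINDOWS") -> List[str]:
    """Return human-readable findings for every matching indicator."""
    findings: List[str] = []
    win = windows_dir.rstrip("\\").lower()

    # 1. An autostart value that runs taskmng.exe from the Windows folder.
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            if not isinstance(data, str):
                continue
            exe = _command_path(data)
            head, tail = ntpath.split(exe)
            if tail.lower() == DROPPED_FILE and head.rstrip("\\").lower() == win:
                findings.append(f"autostart value '{name}' in {key} runs {exe}")

    # 2. Policy values that block regedit and Task Manager.
    policies = registry.get(POLICY_KEY, {})
    for value in TAMPER_VALUES:
        if policies.get(value) == 1:
            findings.append(f"{value}=1 in {POLICY_KEY} (tool access disabled)")
    return findings


# Constructed snapshot for demonstration; not data from a real host.
SAMPLE_REGISTRY = {
    RUN_KEYS[0]: {
        "Updater": r'"C:\WINDOWS\taskmng.exe" /q',
        "VendorApp": r"C:\Program Files\Vendor\app.exe",
    },
    POLICY_KEY: {"DisableRegistryTools": 1, "DisableTaskMgr": 1, "Other": 0},
}

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REGISTRY):
        print(finding)
```

Note that a copy of taskmng.exe outside the Windows folder is deliberately not reported; the page ties the indicator to that location, and the file name alone is a weak signal.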
 
It exploits a critical vulnerability in Internet Explorer that allows remote code execution through the ADODB.Stream ActiveX object. Given the wide user base of Yahoo and MSN Messenger and their interoperability, the attack spread rapidly, affecting millions of users. Most desktop anti-virus solutions have been unable to contain the attack.
 
The messages sent by this exploit look like:
damn, she is so cute http://nsl-school.org?id=miss_world
oh my god , i've won a 20000 usd lottery http://nsl-school.org/?id=winning_list . Come to my house tonight for a party !!
Just check out my new personal website : http://mytermex.com c0ol !!!
check this link for me : http://nsl-school.org?id=forum . Why I cannot surf this site ???
 
Before we look at how Cyberoam UTM prevents the exploit, we need to address the profusion of names given to it. As the exploit is still fresh and is actually a variant of a previously known IE vulnerability, Kaspersky Lab's http://viruslist.com recognizes it as Exploit.JS.ADODB.Stream.e. Other vendors recognize it as:
Troj/Psyme-CY
VBS/Psyme
HTML/TrojanDownloader.Agent.NAB
AutoIt.X, W32.Yautoit
W32/YahLover.worm
Trojan.Win32.Autoit.x
Troj/Tiotua-A.
 
Cyberoam Security
Cyberoam UTM prevents a user for whom the gateway anti-virus is enabled on HTTP (web surfing) from opening the URL by clicking it in the messenger. This feature has been available since Cyberoam Version 7.4.2.4. A relevant anti-virus message is displayed so that your users know why the page was blocked. The administrator can verify the details of the virus and exploit prevented by Cyberoam UTM in the AV reports. Cyberoam UTM's user-wise reporting lets the administrator identify exactly which user was targeted and warn him of the exploit.
 
Network administrators who have deployed Cyberoam UTM Version 9.4.0.0 (beta release) can go a step further. The messages containing the malicious link can be blocked in the messenger using the custom IPS signature feature of the IPS module. This offers a layered protection to your enterprise without affecting normal IM operations. You would also receive intrusion alerts with details such as username, IP address and time of alert.
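To show what such a message-level match looks like, here is an added example in the spirit of the custom IPS signature described above. It is not Cyberoam's signature format or code. It scans constructed IM-proxy log lines (the line format "<ISO time> <user> <src-ip> <protocol> <message>" is assumed) for links whose host is one of the lure domains quoted on this page, and returns alert records with the username, IP address and time, the fields the page says the intrusion alerts carry.

```python
"""Scan IM messages for links to the lure domains quoted on the page.

Added example, not Cyberoam's code or signature syntax. The log line
format is an assumption made for this example.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Domains taken from the lure messages quoted on the page.
BLOCKED_DOMAINS = ("nsl-school.org", "mytermex.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_hosts(message: str) -> List[str]:
    """Lower-cased hostnames of every http(s) link in a message.

    urlsplit ends the netloc at the first '/', '?' or '#', so both
    'http://nsl-school.org?id=x' and 'http://nsl-school.org/?id=x'
    (both forms appear in the page's sample messages) give the same host.
    """
    hosts = []
    for url in URL_RE.findall(message):
        host = urlsplit(url.rstrip(".,;!?)")).hostname
        if host:
            hosts.append(host)
    return hosts


def is_blocked_host(host: str) -> bool:
    """True for a blocked domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def scan_im_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per message that links to a blocked host."""
    alerts = []
    for line in lines:
        parts = line.strip().split(" ", 4)
        if len(parts) < 5:
            continue  # malformed or empty line; assumed format not met
        ts, user, ip, proto, msg = parts
        for host in link_hosts(msg):
            if is_blocked_host(host):
                alerts.append({"time": ts, "user": user, "ip": ip,
                               "protocol": proto, "host": host})
                break
    return alerts


# Constructed log lines; the message texts are the lures quoted on the page.
SAMPLE_LOG = [
    "2006-10-02T10:15:00 alice 10.1.2.3 yahoo damn, she is so cute http://nsl-school.org?id=miss_world",
    "2006-10-02T10:16:10 bob 10.1.2.4 msn oh my god , i've won a 20000 usd lottery http://nsl-school.org/?id=winning_list . Come to my house tonight for a party !!",
    "2006-10-02T10:17:30 carol 10.1.2.5 yahoo Just check out my new personal website : http://mytermex.com c0ol !!!",
    "2006-10-02T10:18:45 dave 10.1.2.6 msn check this link for me : http://nsl-school.org?id=forum . Why I cannot surf this site ???",
    "2006-10-02T10:19:00 erin 10.1.2.7 yahoo meeting notes are at http://example.com/notes",
    "2006-10-02T10:19:30 frank 10.1.2.8 msn see you at lunch",
]

if __name__ == "__main__":
    for alert in scan_im_log(SAMPLE_LOG):
        print(alert)
```

Matching on the parsed hostname rather than on the raw string is what keeps the two URL spellings in the page's samples, with and without the slash before the query, under one rule, and it prevents a domain such as nsl-school.org.example.net from being caught by a naive substring test.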
 
For more information, please contact support@cyberoam.com
© Copyright 2008 Elitecore Technologies Limited. All Rights Reserved.