Trojan Exploit.JS.ADODB.Stream.e

The Trojan Exploit.JS.ADODB.Stream.e was first detected on 2nd October, 2006. Cyberoam Unified Threat Management solution's virus signature database was up-to-date and ready to face it since Jul 27 2006. Cyberoam uses Kaspersky as its gateway anti-virus engine.

The exploit targets users of the Yahoo and MSN messengers. Users receive a message containing a link from a known contact. If the link is clicked, a new browser window opens, but no page is displayed. In the background the Trojan attempts to download and install other malware on the system. It also copies the file taskmng.exe to the Windows folder and creates a Registry key so that the file starts automatically. It disables direct access to regedit and Task Manager so that it can be neither stopped nor removed.

It exploits a critical vulnerability in Internet Explorer that allows remote code execution through the ADODB.Stream ActiveX object. Given the wide user base of Yahoo and MSN Messenger and their interoperability, the attack spread rapidly, affecting millions of users. Most desktop anti-virus solutions have been unable to contain the attack.
| |
The messages sent by this exploit look like:
 |
damn, she is so cute http://nsl-school.org?id=miss_world |
 |
oh my god , i've won a 20000 usd lottery http://nsl-school.org/?id=winning_list . Come to my house tonight for a party !! |
 |
Just check out my new personal website : http://mytermex.com c0ol !!! |
 |
check this link for me : http://nsl-school.org?id=forum . Why I cannot surf this site ??? |

Before looking at how Cyberoam UTM prevents the exploit, we need to address the profusion of names given to it. As the exploit is still fresh and is actually a variant of a previously known IE vulnerability, Kaspersky Lab's http://viruslist.com recognizes it as Exploit.JS.ADODB.Stream.e. A few other vendors recognize it as:
 |
Troj/Psyme-CY |
 |
VBS/Psyme |
 |
HTML/TrojanDownloader.Agent.NAB |
 |
AutoIt.X,W32.Yautoit |
 |
W32/YahLover.worm |
 |
Trojan.Win32.Autoit.x |
 |
Troj/Tiotua-A

Cyberoam UTM prevents users for whom gateway anti-virus scanning of HTTP (web surfing) traffic is enabled from opening the URL by clicking it in the messenger. This feature has been available since Cyberoam Version 7.4.2.4. A relevant anti-virus message is displayed so that your users know why the page was blocked. The administrator can verify the details of the virus and exploit prevented by Cyberoam UTM by checking the AV reports. Cyberoam UTM's user-wise reporting enables the administrator to identify exactly which user was targeted and warn him of the exploit.

Network administrators who have deployed Cyberoam UTM Version 9.4.0.0 (beta release) can go a step further. Messages containing the malicious link can be blocked in the messenger using the custom IPS signature feature of the IPS module. This adds a layer of protection to your enterprise without affecting normal IM operation. You would also receive intrusion alerts with details such as username, IP address and time of alert.
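To illustrate the kind of matching such a signature performs, the following added example (not Cyberoam code, and not the product's signature syntax) scans constructed IM log lines for the lure URLs quoted above. It parses each link rather than doing a plain substring match, so that host-case differences, the missing slash before `?id=` and trailing punctuation do not cause misses. The log format, the sender names and the `scan_im_log` helper are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Lure domains and id= values taken from the messages quoted in the advisory.
LURE_DOMAINS = {"nsl-school.org", "mytermex.com"}
LURE_IDS = {"miss_world", "winning_list", "forum"}

# Extract http(s) links up to the next whitespace or quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed log layout: "<time> <sender> -> <recipient>: <message>"
LINE_RE = re.compile(r"\S+ (\S+) -> \S+: (.*)")


def classify_url(url):
    """Return a reason string if the URL points at a known lure, else None."""
    parts = urlsplit(url)          # handles "host?id=x" with no path slash
    host = (parts.hostname or "").rstrip(".")   # .hostname is lower-cased
    if host in LURE_DOMAINS or any(host.endswith("." + d) for d in LURE_DOMAINS):
        ids = parse_qs(parts.query).get("id", [])
        if ids and ids[0] in LURE_IDS:
            return f"known lure domain {host} with lure id {ids[0]}"
        return f"known lure domain {host}"
    return None


def scan_im_log(lines):
    """Return (sender, url, reason) for every message carrying a lure link."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that do not fit the layout
        sender, msg = m.groups()
        for url in URL_RE.findall(msg):
            reason = classify_url(url)
            if reason:
                hits.append((sender, url, reason))
    return hits


# Constructed sample log: three lure messages and one benign one.
SAMPLE_LOG = [
    "12:01:05 alice -> bob: damn, she is so cute http://nsl-school.org?id=miss_world",
    "12:02:10 carol -> bob: Just check out my new personal website : http://mytermex.com c0ol !!!",
    "12:03:30 bob -> alice: lunch at 1? http://example.com/menu",
    "12:04:00 dave -> bob: check this link for me : http://NSL-SCHOOL.ORG/?id=forum . Why I cannot surf this site ???",
]

if __name__ == "__main__":
    for sender, url, reason in scan_im_log(SAMPLE_LOG):
        print(f"ALERT sender={sender} url={url} ({reason})")
```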

For more information, please contact support@cyberoam.com