[Dshield] An unfixed highly critical vulnerability discovered in Microsoft Internet Explorer

Chuck Lewis clewis at iquest.net
Tue Apr 13 20:30:20 GMT 2004


Peter,

We are using Sophos for AV...

Chuck

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Peter Stendahl-Juvonen
Sent: Sunday, April 11, 2004 8:23 AM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] An unfixed highly critical vulnerability discovered
in Microsoft Internet Explorer


list-bounces at lists.dshield.org <mailto:list-bounces at lists.dshield.org>
wrote on Friday, April 09, 2004 6:25 PM UTC+3 on behalf of Chuck Lewis 

| Guy,
| 
| Did that warning "pop up" or something ? I just went there and from
| what I can see, don't get that (?).
| 
| Thanks,
| 
| Chuck
| 
| -----Original Message-----
| From: list-bounces at lists.dshield.org
| [mailto:list-bounces at lists.dshield.org]
| On Behalf Of Guy Barnum
| Sent: Friday, April 09, 2004 8:50 AM
| To: General DShield Discussion List
| Subject: RE: [Dshield] An unfixed highly critical vulnerability
| discovered in Microsoft Internet Explorer
| 
| <snip>
| http://secunia.com/advisories/10523/
| 
| When visited Secunia's web page (at the above address), I received the
| following virus alert (issued by NAV2004):
| Source: C:\Documents and Settings\username\Local Settings\Temporary
| Internet Files\Content.IE5\0LU1UHY7\10523[1].htm
| Click for more information about this threat: Bloodhound.Exploit.6
| Guess this is just Secunia's way of demonstrating the vulnerability's
| existence on browsers concerned.
| </end snip>
| 
| I went to that page and surfed around on every obviously related link
| and didn't see any NAV warning pop ups.  I'm using IE version
| 6.0.2800.1106.xpsp2.030422-1633
| Anyone else try this page?
| 
| Guy
| 


Chuck, Guy et al.

Did some research on this issue and came to the following conclusions.
Assume the reason why you do not experience the alert is the following. 

You apparently run NAV2004 using the default setting "Normal" (or have
changed the setting to "Low") instead of "Highest level of protection"
in NAV2004's settings under System | Auto-Protect | Bloodhound | How to
protect against new and unknown viruses | [v] Enable Bloodhound
heuristics (recommended).

Please change the default setting "Normal" (or "Low" if you have that
enabled) to "Highest level of protection", and I bet you will see the
alerts as soon as you revisit the web page address in question.  

Every time I browse that URL, I receive the two (or more) warning
messages. Both prompts are issued by NAV2004 and are triggered by its
Auto-Protect feature. The prompts read as follows:  

Alarm # 1:
"Norton AntiVirus
Virus Alert
High Risk
Norton AntiVirus has detected a virus on your computer.
Object Name   C:\Documents and Settings\UserName\Local
Settings\Temporary Internet Files\Content.IE5\KXURSTI7\10523[1].htm
Virus Name   Bloodhound.Exploit.6 Action Taken   Unable to repair this
file. [OK]"

Alarm # 2:
"Norton AntiVirus
Virus Alert
High Risk
Norton AntiVirus has detected a virus on your computer.
Object Name   Source: C:\Documents and Settings\UserName\Local
Settings\Temporary Internet Files\Content.IE5\KXURSTI7\10523[1].htm
Virus Name   Bloodhound.Exploit.6 Action Taken   Access to the file was
denied. [OK]"

As you can see below, the source for this alert is the cached image of
the web page. 

MS IE 6.0 SP-1-
Source: C:\Documents and Settings\UserName\Local Settings\Temporary
Internet Files\Content.IE5\KXURSTI7\10523[1].htm 

Mozilla v 1.6-
C:\DOCUMENTS AND SETTINGS\UserName\APPLICATION
DATA\Mozilla\Profiles\UserName\gplbf429.slt\Cache\43FABD3Cd01 

Click for more information about this threat: Bloodhound.Exploit.6

http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=18980

"Bloodhound.Exploit.6 is a heuristic detection for exploits of a
Microsoft Internet Explorer vulnerability, which was discovered in
February 2004.  

The vulnerability results from the incorrect handling of HTML files
embedded in CHM files. (CHM is the Microsoft-compiled HTML help
format.)  

This vulnerability is known to be used in the wild.

Type:  Trojan Horse
Infection Length:  variable

Systems Affected:  Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows Server 2003, Windows XP
Systems Not Affected:  DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX,
Windows 3.x"

etc.

Symantec has another threat description as well-

"Backdoor.Nibu.D

Discovered on: April 06, 2004
Last Updated on: April 08, 2004 11:06:08 AM

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.d.html

Backdoor.Nibu is a multi-threaded Trojan horse that opens a backdoor,
runs a keylogger, and attempts to steal personal information. 

Also Known As: Bloodhound.Exploit.6, W32/Dumaru.w.gen [McAfee],
Exploit-MhtRedir [McAfee] 

Type: Trojan Horse"


The reason for issuing the alert is evidently an error in NAV2004's
heuristics algorithm, which causes the positive false alert. Therefore,
e.g. having Qwik-FixT enabled has no effect on the situation.  

Even after downloading, installing and enabling the free beta version
of Qwik-FixT from PivX LABS/PivX Solutions, LLC (at
http://www.pivx.com/qwik-fix/) the situation is still the same; NAV2004
erroneously launches the (above) two alarms in one second flat after
landing on Secunia's web page (at
http://secunia.com/advisories/10523/).     

NAV2004 issues the alarms when using MS IE 6.0 SP-1 (+ fully patched)
and Mozilla v 1.6 as well. 

IMHO, this heuristic detection is a positive False Alarm.

The alerts occur constantly (not intermittently) for the reported web
page, when NAV2004's settings for System | Auto-Protect | Bloodhound |
How to protect against new and unknown viruses | [v] Enable Bloodhound
heuristics (recommended) is set to option "Highest level of
protection".    

When setting heuristics to the default setting "Default level of
protection (recommended)", the alert is not issued when browsing the
reported URL.  

I use the same setting "Highest level of protection" for heuristics
also for Manual Scan Bloodhound settings. NAV2004 HD scan also
"detects" this file and erroneously reports a threat being detected in
the scan. When the "infected" file is no longer in use by the browser,
NAV2004 is able to quarantine (as well as delete) the file.    

Since I prefer using the option "Highest level of protection", I have
asked Symantec Corp Tech Support kindly to fix this positive False
Alert and erroneous detection.  


- Pete


         "It is not the answer that enlightens, but the question."
          Eugene Ionesco (1912-1994); Romanian-French dramatist.

