Exploit.JS.CVE-2010-1885.h

Technical Details

This exploit uses a vulnerability in Microsoft Windows Help and Support Center to run its payload on the user's computer. It is an HTML document containing JavaScript. It is 103 972 bytes in size.

Payload

Once launched, the malware attempts to load a malicious Java applet into the user's browser from the following link:

http://<domain_name_of_infected_server>/games/plugins.jar

At the time of writing, this link was inactive.


The following class file is specified as the applet's main class:

powerColor.p3.class

The applet receives a parameter named "biint" with the following value:
rOOSqttzS1eEk-E3zt?ESrSIWA&nU-An

This parameter is an encrypted link from which the applet downloads the malware.


The malware uses JavaScript routines to decrypt its obfuscated code. The exploit then uses ActiveX objects with the following CLSIDs:

{BD96C556-65A3-11D0-983A-00C04FC29E30}
{BD96C556-65A3-11D0-983A-00C04FC29E36}
{AB9BCEDD-EC7E-47E1-9322-D4A210617116}
{0006F033-0000-0000-C000-000000000046}
{0006F03A-0000-0000-C000-000000000046}
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
{6414512B-B978-451D-A0D8-FCFDF33E833C}
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
{06723E09-F4C2-43C8-8358-09FCD1DB0766}
{639F725F-1B2D-4831-A9FD-874847682010}
{BA018599-1DB3-44F9-83B4-461454C84BF8}
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
{E8CCCDDF-CA28-496B-B050-6C07C962476B}

It also exploits the MDAC RDS.DataSpace vulnerability (CVE-2006-0003, MS06-014; the control's CLSID {BD96C556-65A3-11D0-983A-00C04FC29E36} is in the list above) and, using the "MSXML2.XMLHTTP", "Microsoft.XMLHTTP" or "MSXML2.ServerXMLHTTP" ActiveX components, attempts to download a file from the following link:
http://gzn***o.cc/d.php?f=19&e=0

It uses the "ADODB.Stream" ActiveX object to save this file as:
%Temp%\mxmt.exe

This file is 537 600 bytes in size and is detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Zbot.bfxb.


The downloaded file is then launched. At the time of writing, this link was inactive.


The Trojan also exploits a vulnerability in the Java Deployment Toolkit (JDT) caused by incorrect handling of URLs (CVE-2010-0886). It lets an attacker pass arbitrary parameters to Java Web Start (JWS): the attacker builds a specially crafted link and passes it as the argument of the vulnerable "launch()" method. In this way the malware, stored under a media-file name on the following network share, is handed to JWS:

\\91.217.162.19\pub\new.avi

It then downloads and launches the malicious file from the following link:
http://gzn***o.cc/d.php?f=19&e=1

In MS Internet Explorer the Trojan instantiates the toolkit through the ActiveX objects with the following CLSIDs:
{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}
{8AD9C840-044E-11D1-B3E9-00805F499D93}

In Mozilla Firefox and other NPAPI browsers, it looks for a plugin registered for one of the following MIME types:
application/npruntime-scriptable-plugin;deploymenttoolkit
application/java-deployment-toolkit

The malware then executes, in a hidden frame, a script that exploits a vulnerability in MS Windows Help and Support Center (helpctr.exe). The vulnerability is caused by incorrect handling of URL escape sequences in the "MPC::HexToNum" function (MS10-042, CVE-2010-1885); by exploiting it, an attacker can execute commands delivered through a specially crafted "hcp://" URL. Systems with MS Internet Explorer 8 and Windows Media Player 9 are vulnerable. With a specially crafted request the malware creates a VBS script:
%Temp%\l.vbs

and launches it. The exploit uses the command line to terminate the Help and Support Center process:
helpctr.exe

Once launched, the VBS script uses the "MSXML2.XMLHTTP" ActiveX object to download a file from the following link:
http://gzn***o.cc/games/hcp_vbs.php?f=19

and saves it in the current user's temporary files directory as:
%Temp%\l.vbs

At the time of writing, this link was inactive.


The malware then enumerates the browser's plugins and checks for the Adobe Reader and Adobe Acrobat ActiveX object. In MS Internet Explorer the Trojan instantiates the ActiveX object with the following CLSID:

{CA8A9780-280D-11CF-A24D-444553540000}

In Mozilla Firefox and other NPAPI browsers, it looks for a plugin registered for one of the following MIME types:
application/vnd.adobe.pdfxml
application/vnd.adobe.x-mars

Then, depending on the Adobe Reader version, it opens a malicious PDF document from one of the following links:
http://<domain_name_of_infected_server>/games/pdf.php?f=19
http://<domain_name_of_infected_server>/games/pdf2.php?f=16
Adobe Reader 8.0.0 and earlier versions, as well as all Adobe Reader versions up to 9.3.1, are vulnerable.


The malware also exploits a use-after-free vulnerability in Microsoft Internet Explorer's "Peer Objects" component ("iepeers.dll"), triggered by incorrect processing of the PersistUserData::setAttribute() method (CVE-2010-0806, MS10-018). Via this exploit it tries to download a file from the following link:

http://gzn***o.cc/d.php?f=19&e=5
and save it in the browser's temporary files directory as:
%Temporary Internet Files%\d<tmp>.php

where <tmp> is the sequence number of the temporary file. The downloaded file is then launched. Finally, the Trojan opens the following page in the browser:
http://pillrx***orechains.net/?cid=ntinst
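The script below is an added triage example; it is not part of the original description and not code from the malware. It statically scans an HTML/JS sample for the indicators this description lists (the CLSIDs, the XMLHTTP/ADODB.Stream ProgIDs, the Java Deployment Toolkit and Adobe MIME-type probes, and hcp:// URLs) and infers which of the stages above are present. The stage labels, the CLSID-to-component annotations and the embedded sample page are the editor's constructions; the sample contains only the indicators, no exploit code.

```python
import re
from dataclasses import dataclass, field

# Identifiers below are the ones this description lists. The component labels
# and the stage inference are the editor's annotations, not text from the page.
CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "MDAC RDS.DataSpace (CVE-2006-0003 / MS06-014)",
    "BD96C556-65A3-11D0-983A-00C04FC29E30": "MDAC RDS.DataControl",
    "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA": "Java Deployment Toolkit",
    "8AD9C840-044E-11D1-B3E9-00805F499D93": "Java Plug-in",
    "CA8A9780-280D-11CF-A24D-444553540000": "Adobe Reader/Acrobat (AcroPDF)",
}
PROGIDS = ("MSXML2.XMLHTTP", "Microsoft.XMLHTTP", "MSXML2.ServerXMLHTTP", "ADODB.Stream")
MIME_TYPES = (
    "application/npruntime-scriptable-plugin;deploymenttoolkit",
    "application/java-deployment-toolkit",
    "application/vnd.adobe.pdfxml",
    "application/vnd.adobe.x-mars",
)

CLSID_RE = re.compile(r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}", re.I)
URL_RE = re.compile(r"""(?:https?|hcp)://[^\s"'<>]+""", re.I)


@dataclass
class Findings:
    clsids: dict = field(default_factory=dict)      # CLSID -> label or "unknown"
    progids: list = field(default_factory=list)
    mime_types: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    stages: list = field(default_factory=list)


def scan(text: str) -> Findings:
    """Collect indicators from raw HTML/JS text and infer which exploit stages it carries."""
    f = Findings()
    lowered = text.lower()
    for m in CLSID_RE.finditer(text):
        clsid = m.group(0).upper()
        f.clsids[clsid] = CLSIDS.get(clsid, "unknown")
    f.progids = [p for p in PROGIDS if p.lower() in lowered]
    f.mime_types = [mt for mt in MIME_TYPES if mt in lowered]
    f.urls = sorted({m.group(0) for m in URL_RE.finditer(text)})

    # Stage inference: each rule corresponds to one stage described on this page.
    if any(u.lower().startswith("hcp://") for u in f.urls):
        f.stages.append("hcp:// Help and Support Center launch (CVE-2010-1885 pattern)")
    if "BD96C556-65A3-11D0-983A-00C04FC29E36" in f.clsids:
        f.stages.append("RDS.DataSpace instantiation (CVE-2006-0003 pattern)")
    if ("CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" in f.clsids
            or any("deployment" in mt for mt in f.mime_types)):
        f.stages.append("Java Deployment Toolkit probe")
    if ("CA8A9780-280D-11CF-A24D-444553540000" in f.clsids
            or any(mt.startswith("application/vnd.adobe") for mt in f.mime_types)):
        f.stages.append("Adobe Reader/Acrobat probe")
    if any("XMLHTTP" in p.upper() for p in f.progids) and "ADODB.Stream" in f.progids:
        f.stages.append("XMLHTTP download + ADODB.Stream save-to-disk chain")
    return f


# Constructed sample: a page skeleton carrying the indicators, no exploit code.
# example.invalid is a placeholder host; the hcp:// path is a placeholder too.
SAMPLE = """<html><body>
<object classid="clsid:bd96c556-65a3-11d0-983a-00c04fc29e36" id="rds"></object>
<object classid="clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" id="jdt"></object>
<script>
var x = new ActiveXObject("MSXML2.XMLHTTP");
var s = new ActiveXObject("ADODB.Stream");
if (navigator.mimeTypes["application/java-deployment-toolkit"]) { }
var h = "hcp://services/search?query=probe";
var u = "http://example.invalid/d.php?f=19&e=0";
</script>
</body></html>"""


def report(text: str) -> str:
    """Human-readable summary of scan() for one sample."""
    f = scan(text)
    lines = [f"CLSIDs: {f.clsids}", f"ProgIDs: {f.progids}",
             f"MIME probes: {f.mime_types}", f"URLs: {f.urls}",
             "Stages:"] + [f"  - {s}" for s in f.stages]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Because the real sample decrypts its obfuscated code at runtime, run this over the deobfuscated script (or the DOM captured after execution in a sandbox) rather than over the raw 103 972-byte file; the CLSID and MIME strings only become visible after decryption.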

Removal Instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to remove it:

  1. Delete the original exploit file (its location depends on how the program got onto the computer).
  2. Delete the following files:
    %Temp%\mxmt.exe
    %Temp%\l.vbs
  3. Install the update for MS10-042:
    http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx
    and make sure the updates for MS06-014 (CVE-2006-0003) and MS10-018 (CVE-2010-0806), which this program also exploits, are installed.
  4. Empty the Temporary Internet Files directory, which contains infected files (see "How to delete infected files from the Temporary Internet Files folder?"):
    %Temporary Internet Files%
  5. Update Sun Java JRE and JDK to the latest versions.
  6. Install the most recent version of Adobe Reader and Adobe Acrobat.
  7. Disable the vulnerable ActiveX objects (see "How to disable an ActiveX control in Internet Explorer").
  8. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
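For step 7, the usual way to disable an ActiveX control in Internet Explorer is to set its kill bit: the 0x400 bit of the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The script below is an added example, not part of the original instructions: it builds a regedit 5.00 script that sets the kill bit for a list of CLSIDs while preserving any flags already set, and on a Windows host reads the current flags first. The target list is the editor's choice from the CLSIDs this page names alongside an exploited vulnerability (RDS.DataSpace, the Java Deployment Toolkit); which controls to kill-bit on a given host is an administrative decision.

```python
import re
import sys

KILL_BIT = 0x400  # Compatibility Flags bit that stops Internet Explorer instantiating a control
IE_COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
_CLSID_RE = re.compile(r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}")


def normalize_clsid(clsid: str) -> str:
    """Accept 'bd96c556-...' or '{BD96C556-...}' and return the braced upper-case form."""
    body = clsid.strip().strip("{}").upper()
    if not _CLSID_RE.fullmatch(body):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + body + "}"


def has_kill_bit(flags: int) -> bool:
    """True if the Compatibility Flags value already carries the kill bit."""
    return bool(flags & KILL_BIT)


def read_current_flags(clsids) -> dict:
    """Read existing Compatibility Flags from HKLM on Windows; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    found = {}
    for clsid in clsids:
        key = normalize_clsid(clsid)
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IE_COMPAT_KEY + "\\" + key) as k:
                found[key] = winreg.QueryValueEx(k, "Compatibility Flags")[0]
        except OSError:
            pass  # no entry yet: treated as flags 0
    return found


def reg_export(clsids, existing_flags=None) -> str:
    """Build a regedit 5.00 script that sets the kill bit and keeps other flags intact."""
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        key = normalize_clsid(clsid)
        flags = existing_flags.get(key, 0) | KILL_BIT
        lines.append(f"[HKEY_LOCAL_MACHINE\\{IE_COMPAT_KEY}\\{key}]")
        lines.append(f'"Compatibility Flags"=dword:{flags:08x}')
        lines.append("")
    return "\r\n".join(lines)


# Editor's example target list: CLSIDs from this description that the text pairs
# with an exploited vulnerability (RDS.DataSpace, Java Deployment Toolkit).
TARGETS = ["BD96C556-65A3-11D0-983A-00C04FC29E36", "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"]

if __name__ == "__main__":
    current = read_current_flags(TARGETS)
    script = reg_export(TARGETS, current)
    # regedit expects version 5.00 files in UTF-16; Python writes the BOM for us.
    with open("killbits.reg", "w", encoding="utf-16") as fh:
        fh.write(script)
    print(script)
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM\SOFTWARE\Wow6432Node\..., so set it there as well. Kill-bitting only stops Internet Explorer from loading the control; it does not patch the component, so steps 3, 5 and 6 are still required.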


[MD5: 9010667cc79db8557e04c90c337c2c0d]
[SHA1: 7d3801de560f4200383632eab1c5dd1327d1fa7a]