January 5, 2011

Zero-Day Vulnerability in IE

Internet Explorer has fallen victim to yet another zero-day vulnerability, this time affecting IE versions 6, 7 and 8. Cyber criminals have been targeting widely used software from reputable companies such as Microsoft and Adobe to attack users; the most commonly targeted products are Internet Explorer (IE), Adobe Reader and Adobe Acrobat. In this case a script exploit for IE could allow a remote attacker to infiltrate a system without the user's knowledge.

Users may be exposed to this script by visiting malicious websites that probe for the vulnerability in IE. Once the vulnerability is exploited, the infected system attempts to connect to a URL to download a malicious file, detected as BKDR_BADEY.A. In the background it also connects to other URLs to download encrypted files. When decrypted, these files contain commands that the backdoor program can execute.

The usual purpose of dropping this script through IE is to let a remote attacker take control of the infected system and run code on it, making the user's PC do whatever the attacker wishes.

The two files responsible for exploiting this vulnerability are:
  • HTML_BADEY.A (the script served by the malicious web page)
  • BKDR_BADEY.A (%User Temp%\log.gif)
The HTML script executes the downloaded file %User Profile%\Application Data\alg.exe, which runs the malware, so that the malicious routines of the downloaded file are exhibited on the affected system. The downloaded file is then deleted by the HTML script after execution.

Deleting this threat:

Step 1: Disable System Restore and run a full system scan on your computer.
Step 2: Remove the files mentioned above, HTML_BADEY.A and BKDR_BADEY.A.
Step 3: If they cannot be removed, restart the PC in Safe Mode and delete those files there.
Step 4: Delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation.
Step 5: Delete the leftover temporary files in the temp folder, specifically %User Temp%\filename.tmp.
Step 6: Restart the system in Normal Mode and scan it with a reputable anti-virus program such as Trend Micro, Symantec or McAfee.
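As an added example (not from the original post), the following read-only PowerShell check looks for the artifacts named in the steps above so an administrator can confirm whether a machine shows BKDR_BADEY.A indicators before and after cleanup. It assumes %User Temp% maps to $env:TEMP and %User Profile%\Application Data maps to $env:APPDATA (true on XP; on Vista and later APPDATA points at AppData\Roaming), and it is written to work on PowerShell 2.0.

```powershell
# Added example, not part of the original post. Reports the artifacts only; it
# deletes nothing, so the removal steps above still have to be carried out.
# Assumptions: $env:TEMP stands in for %User Temp% and $env:APPDATA for
# %User Profile%\Application Data. Run from an elevated PowerShell prompt.

function Find-BadeyArtifacts {
    $artifacts = @(
        @{ Kind = 'File';     Path = (Join-Path $env:TEMP 'log.gif') },     # BKDR_BADEY.A dropper
        @{ Kind = 'File';     Path = (Join-Path $env:APPDATA 'alg.exe') },  # downloaded payload
        @{ Kind = 'Registry'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NWCWorkstation' }
    )
    # Note: the legitimate alg.exe (Application Layer Gateway service) lives in
    # System32; a copy under Application Data is the suspicious one.
    foreach ($a in $artifacts) {
        if (Test-Path -LiteralPath $a.Path) {
            New-Object PSObject -Property @{ Kind = $a.Kind; Path = $a.Path }
        }
    }
}

function Get-LeftoverTempFiles {
    # Step 5 above: *.tmp files in the temp folder, listed for review (not deleted).
    Get-ChildItem -LiteralPath $env:TEMP -Filter '*.tmp' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime
}

$findings = @(Find-BadeyArtifacts)
if ($findings.Count -gt 0) {
    Write-Warning "BKDR_BADEY.A indicators present; follow the removal steps above."
    $findings | Format-Table Kind, Path -AutoSize
} else {
    Write-Host "No BKDR_BADEY.A indicators found."
}

$tmpFiles = @(Get-LeftoverTempFiles)
if ($tmpFiles.Count -gt 0) {
    Write-Host "Temporary files to review in ${env:TEMP}:"
    $tmpFiles | Format-Table -AutoSize
}
```

Re-run the script after Step 6; an empty result for both checks confirms the listed artifacts are gone.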
