MHTML URL Processing Vulnerability on XP SP2

Gary M

PC Environment: XP SP2, XP Automatic Updates, XP Firewall,
AVG Anti-Virus, Firewall on Router, IE6.
Spyware: Unknown BHO - MSEvents.MSEvents.1 AVAP.dll.
Spyware Location:
Windows\assembly\GAC\System.Runtime.Serialization.Formatters.SOAP.
Behavior: Instantiates new browser window and loads SPAM
search site. Attempts to add SPAM sites to Hosts file.
Monitors attempts to remove it from Registry, and
reinstates or corrects registry entries. Loaded by
WinLogon.exe. Cannot be removed using MS AntiSpyWare Beta.
Infection via MHTML URL Processing Vulnerability from
http://bestserials.com/.
 
Guest

-----Original Message-----
Patched in 2004 - Outlook Express patch:

http://secunia.com/advisories/11067/
Yeah, but I've already read the MS Security Bulletin on
this, and it doesn't list XP SP2 as vulnerable and also
states that it should be remedied by Windows Update. Also
IE About Internet Explorer lists this patch as installed:
Q837009.

That's the whole point of my original post, that fully
patched systems and XP SP2 are still vulnerable to MHT
Redir attacks?
 
JohnF.

I don't think the OE patch is automatically loaded, you have to select it
from Windows Update - at least for Windows 2000 you did. I'm still checking, I
just don't have a test machine with WXP SP2 loaded on it yet.
 
Bill Sanderson

I visited this site with a Windows 2000 SP4 VPC, and clicked around for a
bit. Nothing was dropped on me, and I received no alerts from antivirus
apps, and a subsequent scan with Microsoft Antispyware came up clean.
 
JohnF.

Thanks Bill.


Bill Sanderson said:
I visited this site with a Windows 2000 SP4 VPC, and clicked around for a
bit. Nothing was dropped on me, and I received no alerts from antivirus
apps, and a subsequent scan with Microsoft Antispyware came up clean.
 
Ron Chamberlin

Hi Gary,
Not my cup of tea exactly, but I was on similar sites today. When I hit the
site NAV corporate nailed 2 critters trying to come in, then I had a stream
of incessant attempts to drop some junk on me, but it needed Sun Java
1.4.2_03 to do so.

Nah, I wasn't going to go back from _08 version, but it sure serves as a
reminder to remove the old versions of Java when you update, as they can be
targeted for a vuln and fire off on you.

Ron Chamberlin
MS-MVP
 
Gary M

While it's obvious these sites should be avoided like the
plague, I was in the middle of upgrading my hard disk and
unexpectedly needed to use Partition Magic, but hadn't got
the serial. But the difference between these sites, which
I generally avoid, and forums on EZ Board, which I visit
every day, is not that great. EZ Board carries ads from,
I presume, an ad server, and sometimes they try to
encourage you to download toolbars, utilities and
diallers. Some of these encouragements are, I believe,
misleading. And even if the ad servers won't stoop to
deliberately injecting malware without your permission,
the ad servers themselves can get infected with malware
code that might. In fact any site we visit could
potentially try and infect you; if they are legitimate
sites then because they are compromised. So the answer
isn't: don't visit these sites; the vulnerability itself
needs to be addressed, and XP SP2 is clearly vulnerable.

I was infected even though my PC is XP SP2 and is fully
patched, fully up to date, IE set up not to install
anything without prompting me, up to date anti-virus, up
to date anti-spyware and firewalled on XP and on my
router. Although MS ASW didn't prevent infection, and
couldn't remove it, it did appear to contain it. I removed
the dll manually: after denying it permissions to its
registry keys, and then amending them to prevent it
loading; after which I could delete it.
 
Gary M

The MHTML URL Processing exploit is triggered by clicking
on an HTML form button.

Gary
 
Gary M

p.s. thanks for the confirmation; I also tested from work's
PC yesterday, and it caught it with Symantec AV CE; at
home I use AVG, updated every day, but perhaps not at the
same strength?
 
Gary M

My work machine is definitely patched with Q837009, it's
listed in IE About, and it is still vulnerable.

Thanks for looking, Gary
 
JohnF.

Which form? I'm on the site and nothing is infecting me and I have searched
for partition magic and clicked the form button for Search.
 
Ron Chamberlin

Hi Gary,
I didn't infer that you were going there for a dubious purpose. Never would
say that.
On my side, I purposely went to the other sites to see what the junk was.:)
Of course, it wasn't on a production machine, but a 'test bunny' box that I
can rebuild with Ghost in about 4 minutes.

Ron Chamberlin
MS-MVP
 
Ron Chamberlin

Bill,
I was getting that nabbed by SAV just by hitting those 'other' sites we
discussed.

Ron Chamberlin
MS-MVP
 
Ron Chamberlin

Gary,
A bit surprised that AVG didn't nail it for you. I use SAV in the office,
and don't really have a strong feeling for it, but it worked.

Ron Chamberlin
MS-MVP
 
Bill Sanderson

I'm not sure whether I had just AVG, or AVG plus Norton's beta Antispyware
(which includes the kitchen sink and a bar sink too--seems to be the whole
shooting match (and it STILL doesn't check cookies!)
 
Guest

I know you didn't, and appreciated your time on this. But
I thought it was a point worth making that this vector may
expand to more legitimate sites.

Gary M
 
Gary M

OK, I'm doing this at work now, so no longer XP SP2, but
still fully patched. Not much time at home I'm afraid.

OS: Windows 2000 Server; Microsoft Windows Ver 5.0 (Build
2195: SP 4)

IE: Ver 6.0.2800.1106; Updates: SP1; Q837009; Q832894;
Q831167; Q823353; Q867801; Q833989

MS ASW: 1.0.501; SW Def: 5709 (25/04/2005 07:58:47)

AV: Symantec AntiVirus Corporate Edition; Version:
8.1.0.825; Sac Engine: 4.2.0.7; Virus Def: 27/04/2005 rev.8

Go to http://bestserials.com, then search for Partition
Magic (which gives you:
http://bestserials.com/index.php?str=partition+magic&B1=Search),
then click on Partition Magic Pro v7.0, gets you redirected to:
http://www.hotseriesmix.com/?free.com; which gives you:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: MHTMLRedir.Exploit
File: C:\Documents and Settings\Gmoran\Local Settings\Temporary Internet Files\Content.IE5\MPB8DCF2\1[1].htm
Location: Quarantine
Computer: ISPGMORAN01
User: gary.moran
Action taken: Quarantine succeeded : Access denied
Date found: 28 April 2005 11:17:41

I've tried this a few times, and you don't always get that
horrible porn site; most of the time you get a form with a
button on; if you click the HTML form button, same virus
warning.

Gary
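As an added example, not from the thread or any poster: a small Python parser for the Symantec AntiVirus CE realtime-protection alert format quoted above, run over a constructed sample (host and user names are placeholders). It normalises the timestamp and flags a detection that landed in the IE cache, which is what a browser redirect like the one described leaves behind, then gives a one-line triage verdict.

```python
from datetime import datetime

# Constructed sample modelled on the Symantec AntiVirus CE alert quoted in the
# thread; host and user names are placeholders, not values from the page.
SAMPLE_ALERT = r"""Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: MHTMLRedir.Exploit
File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MPB8DCF2\1[1].htm
Location: Quarantine
Computer: WORKSTATION01
User: user
Action taken: Quarantine succeeded : Access denied
Date found: 28 April 2005 11:17:41
"""

def parse_sav_alert(text):
    """Split a 'Field: value' alert block into a dict keyed by snake_case field."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # only the first colon separates the key
        fields[key.strip().lower().replace(" ", "_")] = value.strip()
    return fields

def normalise_alert(fields):
    """Derive the facts an analyst wants: ISO timestamp, cache hit, outcome."""
    found = datetime.strptime(fields["date_found"], "%d %B %Y %H:%M:%S")
    path = fields.get("file", "")
    action = fields.get("action_taken", "").lower()
    return {
        "signature": fields.get("virus_name"),
        "timestamp": found.isoformat(),
        "file": path,
        # A hit under Temporary Internet Files means the browser fetched it:
        # the page itself was the vector, not a file the user saved.
        "browser_cache_hit": "temporary internet files" in path.lower(),
        "quarantined": action.startswith("quarantine succeeded"),
        "host": fields.get("computer"),
        "user": fields.get("user"),
    }

def triage(alert):
    """One-line verdict for the alert queue."""
    if not alert["quarantined"]:
        return "escalate: signature fired but quarantine did not succeed"
    if alert["browser_cache_hit"]:
        return "blocked drive-by: exploit page caught in browser cache, check for dropped files"
    return "review: detection outside the browser cache"

if __name__ == "__main__":
    print(triage(normalise_alert(parse_sav_alert(SAMPLE_ALERT))))
```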
 
Gary M

I've finally determined the trojan (on my machine as
AVAP.dll) that was deployed by the MHT redir exploit:
http://www.sophos.com/virusinfo/analyses/trojagentic.html
and
http://ae.trendmicro-europe.com/consumer/security_info/ve_detail.php?id=88418&VName=TROJ_PAKES.Q&VSect=T

not listed by Symantec (AFAIK).

Gary
-----Original Message-----
OK, I'm doing this at work now, so no longer XP SP2, but
still fully patched. Not much time at home I'm afraid.

OS: Windows 2000 Server; Microsoft Windows Ver 5.0 (Build
2195: SP 4)

IE: Ver 6.0.2800.1106; Updates: SP1; Q837009; Q832894;
Q831167; Q823353; Q867801; Q833989

MS ASW: 1.0.501; SW Def: 5709 (25/04/2005 07:58:47)

AV: Symantec AntiVirus Corporate Edition; Version:
8.1.0.825; Sac Engine: 4.2.0.7; Virus Def: 27/04/2005 rev.8

Go to http://bestserials.com, then search for Partition
Magic (which gives you:
http://bestserials.com/index.php?str=partition+magic&B1=Search),
then click on Partition Magic Pro v7.0, gets you redirected to:
http://www.hotseriesmix.com/?free.com; which gives you:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: MHTMLRedir.Exploit
File: C:\Documents and Settings\Gmoran\Local Settings\Temporary Internet Files\Content.IE5\MPB8DCF2\1[1].htm
Location: Quarantine
Computer: ISPGMORAN01
User: gary.moran
Action taken: Quarantine succeeded : Access denied
Date found: 28 April 2005 11:17:41

I've tried this a few times, and you don't always get that
horrible porn site; most of the time you get a form with a
button on; if you click the HTML form button, same virus
warning.

Gary
-----Original Message-----
OK--so give me some clear replication instructions, and I'll try it again.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
