Exploit.HTML.IESlice.p

From Total Malware Info

This malicious program exploits a vulnerability in the Internet Explorer (MS06-057). It is written in Java Script (HTML-file). The file is 10 100 bytes. It is not packed.

Payload

The malware exploits a vulnerability in Internet Explorer, which allows hacker remote code execution. It leads to buffer overflow when the setSlice() method is called for WebViewFolderIcon ActiveX control (MS06-057).

Double obfuscation is used in order to prevent malicious code detection. After decoding script will open the following URLs to download another malware (at the moment of writing, these links were not working):

• http://***.info/index.php?a=3&c=3
• http://***.info/index.php?a=12&c=4

And saves it to the following file:

%TEMP%\kfhnbue.exe

The file will then be launched for execution.

Removal instructions

If your computer was not protected by Anti-Virus and has been infected by this malware, it is necessary to perform following actions to remove it:

1. Delete downloaded files:

   %TEMP%\kfhnbue.exe

2. Install update:
   • http://www.microsoft.com/technet/security/bulletin/ms06-057.mspx
3. Use Kaspersky Anti-Virus to delete the malware. Update your antivirus databases and perform a full scan of the computer (download a trial version).

See also

• Exploit.HTML.IESlice.h
• Obfuscation methods in malicious Java scripts