SANS: Modified Malware for the IE Expoit


Its always interesting around the ISC and you'll never know what you'll be handed on any given day. Its even more interesting when there is an unpatched IE vulnerability and an exploit available for it. That is where we find ourselves now. There are several sites that have been compromised and now contain the exploit code. These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it. It is calc.exe that we want to focus on briefly.

This malware installs a dll that is used as a Browser Helper Object (BHO) and also runscopies itself to directory you see below as nm32.exe and runs as a process. SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Linked by shanmuga Monday, 27th March 2006 12:32AM