BitDefender Antivirus

Exploit.JS.RealPlr.C

( Exploit.HTML.Repl.B JS/RealPlay.E )
Spreading: medium
Damage: medium
Size: ~3000 bytes
Discovered: 2008 Jan 10

SYMPTOMS:

Exploitation shows no visible signs. Once the attacker takes control, the code can have any effect.

TECHNICAL DESCRIPTION:

This is an exploit that affects Real Networks RealPlayer 10.5 and Real Networks RealPlayer 11 with build numbers from 6.0.10.* to 6.0.14.*.
To ensure proper execution, it checks whether the target machine is using Internet Explorer 6 or 7 under Windows 2000/2003/XP, then creates an instance of the IERCtl.IERPCtl.1 ActiveX control and reads the RealPlayer version to check whether it is a vulnerable one.
If all the conditions are met, it calls the "Import()" function of the vulnerable DLL, ierpplug.dll, with crafted parameters to trigger the exploit and execute the shellcode.
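
The two facts above that a defender can check, the affected build range and the combination of the IERCtl.IERPCtl.1 ProgID with an Import() call in page source, are shown here as an added example. It is not BitDefender's detection logic; the function names, sample strings and version values are constructed for illustration.

```python
import re

PROGID = "IERCtl.IERPCtl.1"      # ActiveX ProgID named in the description
AFFECTED_BUILDS = range(10, 15)  # third field of 6.0.10.* through 6.0.14.*

# Matches the seam between adjacent string literals ("IERCtl." + "IERPCtl.1")
# so that a ProgID split by simple concatenation is still recognised.
_CONCAT = re.compile(r"""["']\s*\+\s*["']""")
_IMPORT_CALL = re.compile(r"\.\s*Import\s*\(")

# Constructed sample inputs (not from any real page); a and b are placeholders.
SAMPLE_PLAIN = 'var c = new ActiveXObject("IERCtl.IERPCtl.1"); c.Import(a, b);'
SAMPLE_SPLIT = "var c = new ActiveXObject('IERCtl.' + 'IERPCtl.1'); c . Import (a, b);"
SAMPLE_NO_CALL = 'var c = new ActiveXObject("IERCtl.IERPCtl.1");'


def is_affected_build(version: str) -> bool:
    """True if a RealPlayer build string falls in 6.0.10.* to 6.0.14.*."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdecimal() for p in parts[:3]):
        return False
    major, minor, build = (int(p) for p in parts[:3])
    return (major, minor) == (6, 0) and build in AFFECTED_BUILDS


def scan_page(source: str) -> dict:
    """Report which indicators from the description appear in page source."""
    flat = _CONCAT.sub("", source)          # undo simple string splitting
    has_progid = PROGID.lower() in flat.lower()
    has_import = bool(_IMPORT_CALL.search(flat))
    # Flag only when both indicators occur together, as in the description.
    return {"progid": has_progid, "import_call": has_import,
            "flag": has_progid and has_import}


if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN", "SAMPLE_SPLIT", "SAMPLE_NO_CALL"):
        print(name, scan_page(globals()[name]))
    for v in ("6.0.14.806", "6.0.9.584", "6.0.15.1"):  # constructed versions
        print(v, is_affected_build(v))
```

This static match only undoes plain string concatenation; script that builds the ProgID by other means will not be flagged by it.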

Removal instructions:

Please let BitDefender disinfect your files and update your RealPlayer.
Please check the following URL: http://service.real.com/realplayer/security/191007_player/en/

ANALYZED BY:

Sorin Ciorceri, virus researcher