BitDefender Antivirus

Trojan.Exploit.ANOP

( TrojanDownloader:Win32/Small.gen!B, HTML/Silly.Gen, Downloader.Psyme.dh )
Spread: medium
Damage: medium
Size: approx. 2 KB
Discovered: 2008 Nov 23

SYMPTOMS:

There are no obvious signs until the attacker manages to infiltrate the system (the final downloaded malware varies).

TECHNICAL DESCRIPTION:

This is another campaign which uses a chain of exploits (similar to Trojan.Exploit.SSX) and tries to download and execute other malware on the affected computer, using different exploits for various vulnerable applications.
This is the usual practice of taking whichever exploits are publicly available and putting them to work on a website owned by the malware distributors. Here are some of those found on the website [removed].teseku.info:
  1. iframes leading to exploits for Flash Player which try to download another piece of malware (Trojan.Delf.POH).
  2. an exploit for SSReader that targets a buffer overflow in the "LoadPage" function of an ActiveX control with the CLSID 7F5E27CE-4A5C-11D3-9232-0000B48A05B2. With a specially crafted parameter to this function, arbitrary code can be executed. This exploit downloads the same malware mentioned above.
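The following is an added example, not part of BitDefender's analysis, showing how an analyst might triage a saved HTML page for the SSReader exploit pattern described above: instantiation of the control by CLSID followed by a LoadPage call with an oversized argument. The sample page is constructed for illustration (it is not the content of teseku.info), and the length threshold and the padding-loop heuristic are assumptions to tune for your environment.

```powershell
# Added example (not BitDefender's code): flag HTML that instantiates the SSReader
# ActiveX control by CLSID and calls LoadPage with an oversized argument.
# The sample page below is constructed for illustration, not captured from any site.

$Clsid = '7F5E27CE-4A5C-11D3-9232-0000B48A05B2'

$SamplePage = @"
<html><body>
<object id="target" classid="clsid:$Clsid"></object>
<script>
var buf = "";
while (buf.length < 2000) { buf += "A"; }
target.LoadPage(buf);
</script>
</body></html>
"@

function Test-SSReaderExploitPage {
    param(
        [Parameter(Mandatory)][string]$Html,
        [int]$MaxArgLength = 256   # assumed threshold for a "long" literal argument
    )
    $findings = @()

    if ($Html -match "(?i)classid\s*=\s*[`"']?clsid:$Clsid") {
        $findings += "Instantiates SSReader control $Clsid"
    }

    if ($Html -match '(?i)\.LoadPage\s*\(') {
        $findings += 'Calls LoadPage'
        # Heuristic 1: a string literal longer than the threshold passed directly
        if ($Html -match ('(?i)\.LoadPage\s*\(\s*["'']([^"'']{' + $MaxArgLength + ',})["'']')) {
            $findings += "LoadPage literal argument longer than $MaxArgLength characters"
        }
        # Heuristic 2: a buffer built by a padding loop, typical of overflow setup
        if ($Html -match '(?i)while\s*\(\s*\w+\.length\s*<\s*\d+\s*\)') {
            $findings += 'Argument built by a padding loop'
        }
    }

    [pscustomobject]@{
        Suspicious = ($findings.Count -ge 2)
        Findings   = $findings
    }
}

Test-SSReaderExploitPage -Html $SamplePage | Format-List
```

The control being present is not by itself malicious (SSReader is a legitimate application), so the function only reports a page as suspicious when the CLSID appears together with a LoadPage call; the two size heuristics are what separate an exploit attempt from ordinary use.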

Removal instructions:

Set the kill bit for the CLSID 7F5E27CE-4A5C-11D3-9232-0000B48A05B2.

Microsoft's knowledge base article on how to stop an ActiveX control from running in Internet Explorer explains how to set a kill bit.
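As an added example (not BitDefender's own removal tool), the script below sets the kill bit for the CLSID above and then verifies it. It writes the documented "Compatibility Flags" DWORD with the kill-bit value 0x400 under the ActiveX Compatibility key, and on 64-bit Windows also under Wow6432Node so that 32-bit Internet Explorer honours it. Run it from an elevated PowerShell session; the function names are the author's choice.

```powershell
# Added example: set and verify the Internet Explorer kill bit for the SSReader
# ActiveX control. Requires an elevated (administrator) PowerShell session.

$Clsid   = '{7F5E27CE-4A5C-11D3-9232-0000B48A05B2}'
$KillBit = 0x400   # "Compatibility Flags" value that blocks the control in IE

$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view of the registry
    $KeyPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Set-ActiveXKillBit {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # Preserve any flags already present; only OR in the kill bit
        $new = [int]$current -bor $KillBit
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Path    = $path
            Flags   = ('0x{0:X}' -f [int]$flags)
            KillBit = (([int]$flags -band $KillBit) -eq $KillBit)
        }
    }
}

Set-ActiveXKillBit  -Paths $KeyPaths
Test-ActiveXKillBit -Paths $KeyPaths | Format-Table -AutoSize
```

Setting the kill bit prevents Internet Explorer from loading the control; it does not uninstall SSReader, and it does not remove any payload the exploit already dropped, which is why the antivirus scan below is still required.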

Please let BitDefender disinfect your files.

ANALYZED BY:

Daniel Chipiristeanu, virus researcher