
Thread: JS MS06-014!exploit-Can't find more info

  1. #1
    eliuri Guest

    JS MS06-014!exploit-Can't find more info

    Hello:

    I got a virus alert from ZASS about: JS MS06-014!exploit.

    The location was in the Temporary Internet Files

    I was told that it was repaired and that I needed to reboot. However, after rebooting, I was unable to get more info on this when I clicked the "More Info" tab on the ZASS console's Log Viewer. A Google search didn't tell me anything either.

    Can anyone tell me what this exploit is and how I could avoid it in the future?

    Thanks in advance:

    -eliuri

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.1

  2. #2
    Join Date
    Jun 2006
    Location
    The 3rd Coast - South Central Texas
    Posts
    10,466

    Re: JS MS06-014!exploit-Can't find more info


    ----------
    eliuri wrote:
    Hello:

    I got a virus alert from ZASS about: JS MS06-014!exploit.

    The location was in the Temporary Internet Files

    I was told that it was repaired and that I needed to reboot. However, after rebooting, I was unable to get more info on this when I clicked the "More Info" tab on the ZASS console's Log Viewer. A Google search didn't tell me anything either.

    Can anyone tell me what this exploit is and how I could avoid it in the future?

    Thanks in advance:

    -eliuri

    Operating System: Windows XP Pro
    Product Name: ZoneAlarm Internet Security Suite
    Software Version: 6.1
    ----------



    I did a simple Google search and found lots of information on that worm.
    The Best Info was from www.kaspersky.com

    http://www.viruslist.com/en/weblog?weblogid=203678309

    The IM (Instant Messenger) worms armada

    October 24, 2006

    We've noticed an increase in the prevalence of Y!/MSN-aware worms. These rely on various social engineering tricks to lure the user into a malicious website. For instance, IM-Worm.Win32.Qucan.c sends messages like this:


    The link shows a URL nicely disguised as a JPEG file. The actual page, which contains an encrypted javascript to avoid direct inspection, uses a combination of Exploit.JS.ADODB.Stream.e and a more recent MDAC (MS06-014) exploit to install the worm in the system. Unfortunately, even though a patch for the MDAC exploit had been released in May 2006, we have quite a few Qucan.c/Sohanad.e cases reported.

    Of course, if you have Firefox or Opera set as the default browser, the exploit doesn't work.

    BTW, if you're still - for some obscure reason - using IE, it may be worth checking v7, which was just released. It works only on XP+SP2, though.

    --------------------------------------
    My Configuration:
    Operating System: Windows XP SP2 Home with IE7
    Product Name: ZoneAlarm Pro
    Software Version: 6.5.737.000
    TrueVector version:6.5.737.000
    Driver version:6.5.737.000
    ZA Anti-spyware engine version:5.0.83.0
    ZA Anti-spyware signature DAT file version:01.200611.565

    Kaspersky Anti_Virus 6.0.0.303
    Sunbelt CounterSpy Anti-Spyware 1.5.82
    Webroot Spy Sweeper Anti-Spyware 5.0.7.1608
    AVG Anti-Spyware 7.5.050
    GeorgeV

  3. #3
    eliuri Guest

    Re: JS MS06-014!exploit-Can't find more info

    Thanks George.

    I'm not sure that link is describing the same exploit..

    If it is, I'm somewhat puzzled since I was using Firefox 2.0 at the time the alert appeared.
    I do occasionally use IE 7... I've upgraded from IE 6. But I used only Firefox last night when the virus alert appeared on access.

    Message Edited by eliuri on 11-25-2006 10:01 PM

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.1

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: JS MS06-014!exploit-Can't find more info

    Hi eliuri


    JS means JavaScripts.

    Javascripts are best described by>

    http://en.wikipedia.org/wiki/JavaScript

    Often that link to click or the GIF or the mouse-over or the video to be seen is using javascripts and various other web page interactions are using javascripts.

    Also see Scripting>

    http://en.wikipedia.org/wiki/Scripting_language

    JS Exploits can attack in the email as well as the web site. In the email, it is embedded and invisible and just opening that email will allow the exploit to attack. In the web site, it is just incorrect information - the wrong or no-return address for the item and also the wrong information or lack of information for some item (never seen to the eye). The browser can have a buffer overflow as a result. Then the real malware can easily enter the PC and infect the PC.

    There are several ways to avoid the actual infection and remove any possible attack to actually happen:

    a) Using the limited privilege account will stop the exploit from actually infecting the PC. This does not stop it from trying but it can not install and continue the infection.

    b) Disable the Scripts in the browser. By far the easiest method, with the result that many features of a web site or web page do not appear or work. The IE has this ability. The FireFox and Opera both can easily have the javascripts disabled. Plus the FireFox has the NoScripts addon to control scripts as per the sites used. The Opera has this feature built in the right click of the page. In other words the script usage can be customized. Some users of FireFox dig a little deeper and use GreaseMonkey to alter and control the web scripts and the browser uses. The Opera has this "customize the scripts" ability also>

    http://www.howtocreate.co.uk/operaSt...avaScript.html

    The userjs.org and Greasemonkey links can be found in the above link. These are all freeware. Some users have the css (custom style sheet) customized- usually to block ads (adblock.css), but it can help against a few of the renegade scripts.

    c) Use the Privacy feature of the Zone Alarm to block the javascripts and VBS and ActiveX in a general "across the board" site block. Then customize the sites in the Privacy site list using the Mobile Code to use the features that the site has to offer.

    d) Some of the better home routers have cookie and scripts blocking features.

    e) There are content filters, acting like a proxy, that can control the content before it enters the browser. Two worth mentioning are Proxomitron and Privoxy. Both are freeware.

    I may have missed some other methods, but these are the most common methods.

    Take care.

    Oldsod

    Message Edited by Oldsod on 11-25-2006 10:25 PM

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Pro
    Software Version:5.x
    Best regards.
    oldsod

  5. #5
    Join Date
    Dec 2005
    Posts
    9,056

    Re: JS MS06-014!exploit-Can't find more info

    There are many JS exploits that can affect the FireFox. It is based on the JavaScripts. Cleaning the caches of the FireFox and the Opera will usually remove the issue. But not if the browser actually crashed as a result from the exploit - this means the exploit often got a foothold. Usually the FireFox and Opera JS Exploits are nothing compared to the JS exploit of the IE6 or IE7. JS Exploits in the IE can go directly into the Windows OS and easily get an entryway to the OS. Whereas the FireFox and Opera JS exploits are often trapped in the browser's cache - simply cleaning the cache will completely remove the malware. I have the caches set to be cleaned for every time the browser closes.

    Oldsod
    Best regards.
    oldsod

  6. #6
    eliuri Guest

    Re: JS MS06-014!exploit-Can't find more info

    ----------
    Oldsod wrote:
    There are many JS exploits that can affect the FireFox. It is based on the JavaScripts. Cleaning the caches of the FireFox and the Opera will usually remove the issue. But not if the browser actually crashed as a result from the exploit - this means the exploit often got a foothold. Usually the FireFox and Opera JS Exploits are nothing compared to the JS exploit of the IE6 or IE7. JS Exploits in the IE can go directly into the Windows OS and easily get an entryway to the OS. Whereas the FireFox and Opera JS exploits are often trapped in the browser's cache - simply cleaning the cache will completely remove the malware. I have the caches set to be cleaned for every time the browser closes.

    Oldsod
    ----------


    *******************************
    Thanks Oldsod:

    Oddly enough I just got that same exploit alert from ZASS again--only moments ago--- while reading this forum via Firefox. I didn't click on anything at the time. I happen to have my Firefox settings so that the Cache is emptied when closing the browser. The Firefox didn't crash. All that I got was the alert produced below. Seems it's saying it was a TIF file in IE which I wasn't even using today. This is what puzzles me!!

    Your suggestion about disabling Javascript in Firefox is appealing, but when I first did that a while back, I found it frustrating, as it seems many pages do use that.

    Could it be that these are false positives, since I wasn't using IE, nor clicking on anything when the alerts occurred?

    ==============================

    Here's what the log says [in part]:

    GMT,57.61.61.63:13364,192.168.1.100:1030,UDP

    AV/treatment,2006/11/25,22:13:18 -5:00 GMT,JS.MS06-014!exploit,
    C:\Documents and Settings\User Name\Local Settings\Temporary Internet Files\Content.IE5\U03BU33S\new[1].htm,Repaired Requires Reboot,Auto

    ==============================

    Thanks again:

    -Eliuri

    Message Edited by eliuri on 11-25-2006 10:40 PM

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.1

  7. #7
    Join Date
    Dec 2005
    Posts
    9,056

    Re: JS MS06-014!exploit-Can't find more info

    I really doubt that the SITA-Societe Internationale de Telecommunications Aeronautiques has any malicious intentions. It is possible that some evil doer has done something to the website. Emailing the website and politely asking why this is happening could even give the end result that the site does have some innocent type of script error.
    Was a chat used? This may help explain the issue.

    In all likelihood, it is just a false positive by the Zone Alarm. Just set it to be an exception and that should make things quieter.

    Try the NoScripts addon for the FireFox. It will block all or some of the javascripts by default and the setting can be changed to allow the JS for that site. On the next visit, it will remember your personal setting, and the site will be fully useable. Without your intervention on the later visits.

    Oldsod

    Message Edited by Oldsod on 11-25-2006 11:12 PM

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Pro
    Software Version:5.x
    Best regards.
    oldsod

  8. #8
    eliuri Guest

    Re: JS MS06-014!exploit-Can't find more info

    Hi again, Oldsod, and thanks for your patience:

    You wrote:

    ================

    "I really doubt that the SITA-Societe Internationale de Telecommunications Aeronautiques has any malicious intentions."

    =================

    I wasn't at their site though. I just accessed it now to verify, but when I got there, it looked totally unfamiliar to me.

  9. #9
    Join Date
    Dec 2005
    Posts
    9,056

    Re: JS MS06-014!exploit-Can't find more info

    57.61.61.63= SITA-Societe Internationale de Telecommunications Aeronautiques

    maybe there was a bounce of their server by the js exploits?? They could be covering their tracks this way.

    Plus this site could have some normal connection to the site you were visiting- like a third party connection?


    It could be the js exploit threat was genuine after all.

    Oldsod

    BTW your strange IP and port is listed in here>

    http://www.asante.com/forums/topic.asp?TOPIC_ID=3176

    http://forum.dshield.org/read.php?3,23774,24582,quote=1

    So something is afoot!

    Message Edited by Oldsod on 11-26-2006 01:37 AM
    Best regards.
    oldsod

  10. #10
    eliuri Guest

    Re: JS MS06-014!exploit-Can't find more info

    Hi again, Oldsod:

    I think that those two events from my ZASS log might be unrelated as they are stamped with different time stamps:



    "FWIN,2006/11/25,18:19:38 -5:00 GMT,57.61.61.63:13364,192.168.1.100:1030,UDP"



    This might be firewall related.


    The second one involves that JS MS06-014!exploit


    "AV/treatment,2006/11/25,22:13:18 -5:00 GMT,JS.MS06-014!exploit,C:\Documents and Settings\User Name\Local Settings\Temporary Internet Files\Content.IE5\U03BU33S\new[1].htm,Repaired Requires Reboot,Auto"


    These occur at different times, and the JS MS06-014!exploit from 2 days ago [Nov 24] interestingly occurred at about the same time of the previous evening, but there is no reference to that 57.61.61.63:13364 IP in that Nov 24 entry.

    I mistakenly cut n pasted the two events together, when they were listed separately in the log. My apologies for the confusion.

    -Eliuri
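
The comparison made in post #10, as an added example that is not part of the original thread: a Python sketch that parses the two quoted log entries, measures the gap between them, and checks whether any firewall event falls within a chosen window of the AV detection. The field names, the five-minute window and the helper names are assumptions inferred from the two sample lines, not ZoneAlarm's documented log schema.

```python
import re
from datetime import datetime, timedelta, timezone

# The two entries as quoted in post #10 (raw strings keep the backslashes).
LOG_LINES = [
    r"FWIN,2006/11/25,18:19:38 -5:00 GMT,57.61.61.63:13364,192.168.1.100:1030,UDP",
    r"AV/treatment,2006/11/25,22:13:18 -5:00 GMT,JS.MS06-014!exploit,"
    r"C:\Documents and Settings\User Name\Local Settings\Temporary Internet Files"
    r"\Content.IE5\U03BU33S\new[1].htm,Repaired Requires Reboot,Auto",
]
TIME_RE = re.compile(r"(\d{2}:\d{2}:\d{2}) ([+-])(\d{1,2}):(\d{2}) GMT")

def parse_timestamp(date_field, time_field):
    """Turn '2006/11/25' + '18:19:38 -5:00 GMT' into a timezone-aware datetime."""
    m = TIME_RE.fullmatch(time_field.strip())
    if not m:
        raise ValueError(f"unrecognised time field: {time_field!r}")
    clock, sign, hours, minutes = m.groups()
    offset = timedelta(hours=int(hours), minutes=int(minutes)) * (-1 if sign == "-" else 1)
    local = datetime.strptime(f"{date_field} {clock}", "%Y/%m/%d %H:%M:%S")
    return local.replace(tzinfo=timezone(offset))

def parse_entry(line):
    """Split one log line; field names are assumed from the two samples."""
    parts = line.strip().strip('"').strip().split(",")
    entry = {"kind": parts[0], "time": parse_timestamp(parts[1], parts[2])}
    if entry["kind"] == "FWIN":
        entry.update(src=parts[3], dst=parts[4], proto=parts[5])
    elif entry["kind"] == "AV/treatment":
        # A file path may itself contain commas, so rejoin the middle fields.
        entry.update(name=parts[3], path=",".join(parts[4:-2]),
                     action=parts[-2], mode=parts[-1])
    return entry

def in_ie_cache(entry):
    """True if the flagged file sits in Internet Explorer's cache folder."""
    return "\\Temporary Internet Files\\Content.IE5\\" in entry.get("path", "")

def firewall_events_near(av, entries, window=timedelta(minutes=5)):
    """Firewall entries logged within `window` of an AV detection."""
    return [e for e in entries if e["kind"] == "FWIN" and abs(av["time"] - e["time"]) <= window]

ENTRIES = [parse_entry(line) for line in LOG_LINES]
FW, AV = ENTRIES
GAP = AV["time"] - FW["time"]            # distance between the two events
RELATED = firewall_events_near(AV, ENTRIES)

if __name__ == "__main__":
    print("gap:", GAP, "| FWIN within 5 min:", len(RELATED), "| IE cache:", in_ie_cache(AV))
```
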
