HTML_SHELLCOD.SM

This malware exploits a vulnerability in Internet Explorer to enable remote attackers to execute arbitrary commands on the affected system. The said vulnerability is addressed in the bulletin (MS10-090) Cumulative Security Update for Internet Explorer (2416400).

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan takes advantage of a vulnerability in Internet Explorer 6, 7, and 8 and allows remote attackers to execute arbitrary code.

After succesfully exploiting the said vulnerability, it connects to URLs to download other malicious files detected as TROJ_LAMECHI.D, JS_EXPLOIT.ADA, JS_EXPLOIT.SM1, TROJ_DLOADR.DAM, TROJ_GAMETHI.FMS, PE_PARITE.A and TSPY_ARDAMAX.HR.

This Trojan executes when a user accesses certain websites where it is hosted.

Arrival Details

This Trojan executes when a user accesses certain websites where it is hosted.

Download Routine

This Trojan takes advantage of the following software vulnerabilities to download possibly malicious files:

• Uninitialized Memory Corruption Vulnerability (CVE-2010-3962) in Internet Explorer

After successfully exploiting the said vulnerability, this malware connects to the following URLs to possibly download other malicious files:

• http://{BLOCKED}M.INFO/add.exe - detected by Trend Micro as TROJ_LAMECHI.D
• http://www.{BLOCKED}t.com/360safe.html - detected by Trend Micro as JS_EXPLOIT.ADA
• http://www.{BLOCKED}t.com/360.html - detected by Trend Micro as JS_EXPLOIT.SM1
• http://www.{BLOCKED}t.com/361.html - HTML_SHELLCOD.SM
• http://www.{BLOCKED}t.com/360safe.css - detected by Trend Micro as TROJ_DLOADR.DAM
• www.{BLOCKED}m.com/lsearch/help.exe - detected by Trend Micro as TROJ_GAMETHI.FMS
• http://{BLOCKED}n.live.com.mailadword.com/update.exe - detected by Trend Micro as PE_PARITE.A
• http://h1.{BLOCKED}y.com/oofa/xp.exe - detected by Trend Micro as TSPY_ARDAMAX.HR
• http://www.{BLOCKED}ool.info/n.exe - non malicious
• http://{BLOCKED}n.cnzz.com/pic.gif - non malicious
• http://www.{BLOCKED}lub.com/reg/linkbl.gif - inaccessible
• {BLOCKED}chid.net/bbs/icon/c.exe - inaccessible
• {BLOCKED}.{BLOCKED}.11.71/Styles/x.exe - inaccessible

Other Details

More information on this vulnerability can be found below:

• (MS10-090) Cumulative Security Update for Internet Explorer (2416400)
• Microsoft Security Advisory (2458511)Vulnerability in Internet Explorer Could Allow Remote Code Execution

It does the following:

• Other variants of this malware execute a command shell to possibly download other files from the hosting website:
  
  • cmd.exe /C FOR /R ""%User Profile%\"" %i IN (scvhost*.txt) DO %i"

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)