bloodhound.exploit.6



richie_hackett@hotmail.com
07-09-2005, 11:48 PM
I've seen loads of posts on the internet regarding this but I'm still
really paranoid if I have this or not.

I currently have Office 2003, XP Pro SP2 (supposed to include MS04-013)
and Norton Anti Virus 2005 def 27/05/05

I was browsing the web last night when norton flashed up saying
bloodhound.exploit.6 detected in internet explorer cache file Could not
repair followed by the same message saying access denied.

I checked the norton logs and there was a trojan and a bunch of java
class files which it had automatically quarantined.

So is the system infected or not? All virus scans came back
negative (apart from the quarantined stuff which has been deleted now).

Any help gladly received
Thanks

David H. Lipman
07-09-2005, 11:48 PM
From: <richie_hackett@hotmail.com>

| I've seen loads of posts on the internet regarding this but I'm still
| really paranoid if I have this or not.
|
| I currently have Office 2003, XP Pro SP2 (supposed to include MS04-013)
| and Norton Anti Virus 2005 def 27/05/05
|
| I was browsing the web last night when norton flashed up saying
| bloodhound.exploit.6 detected in internet explorer cache file Could not
| repair followed by the same message saying access denied.
|
| I checked the norton logs and there was a trojan and a bunch of java
| class files which it had automatically quarantined.
|
| So is the system infected or not? All virus scans came back
| negative (apart from the quarantined stuff which has been deleted now).
|
| Any help gladly received
| Thanks

That's a Symantec Heuristic find noting a possible exploitation of an OS or OS component
vulnerability. It is NOT indicative that you are infected. It is a warning that a process
or script made an attempt at vulnerability exploitation.

Just to make sure you are not infected, please perform the following.

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Crouchie1998
07-09-2005, 11:48 PM
You've visited a website that is running dodgy scripts like illegal
crack/serial sites

Just clean your Temp Internet Cache out.

Norton never 'quarantined' the file it seems, but never let the exploit
penetrate.

It was discovered on February 13th, 2004, so your def's are easily covering
it.

The 27th May, 2005 virus definitions are the latest LiveUpdate updates, but
the Intelligent Updater updates are 30th May.

Here's the page for the latest Intelligent Updater Updates:

http://www.sarc.com/avcenter/download/pages/US-N95.html

Always go to that page to get the latest def's for your antivirus software.
You have 1 of 2 files to download; either the 32-bit version or the 64-bit
version.

32-bit def's:
------------

http://definitions.symantec.com/defs/20050530-008-i32.exe

64-bit def's:
------------

http://definitions.symantec.com/defs/20050530-008-i64.exe

My guess is that you are using the 32 bit virus def's.

Below is a link to the exploit that you received:

http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html

At the base of that page it says delete cookies, delete files & delete
offline content.

I hope this info helps

Crouchie1998
BA (HONS) MCP MCSE

richie_hackett@hotmail.com
07-09-2005, 11:48 PM
Ok done both. I have run the McAfee tool in safe mode with nothing found.

I have also updated my virus definitions which are now 31st I think.
Nothing detected so I guess I'm clear.
It would be interesting to see what was the final protection eg SP2 or
the virus software
Thanks for your help.

Crouchie1998 wrote:
> You've visited a website that is running dodgy scripts like illegal
> crack/serial sites
>
> Just clean your Temp Internet Cache out.
>
> Norton never 'quarantined' the file it seems, but never let the exploit
> penetrate.
>
> It was discovered on February 13th, 2004, so your def's are easily covering
> it.
>
> The 27th May, 2005 virus definitions are the latest LiveUpdate updates, but
> the Intelligent Updater updates are 30th May.
>
> Here's the page for the latest Intelligent Updater Updates:
>
> http://www.sarc.com/avcenter/download/pages/US-N95.html
>
> Always go to that page to get the latest def's for your antivirus software.
> You have 1 of 2 files to download; either the 32-bit version or the 64-bit
> version.
>
> 32-bit def's:
> ------------
>
> http://definitions.symantec.com/defs/20050530-008-i32.exe
>
> 64-bit def's:
> ------------
>
> http://definitions.symantec.com/defs/20050530-008-i64.exe
>
> My guess is that you are using the 32 bit virus def's.
>
> Below is a link to the exploit that you received:
>
> http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html
>
> At the base of that page it says delete cookies, delete files & delete
> offline content.
>
> I hope this info helps
>
> Crouchie1998
> BA (HONS) MCP MCSE

David H. Lipman
07-09-2005, 11:48 PM
From: <richie_hackett@hotmail.com>

| Ok done both. I have run the McAfee tool in safe mode with nothing found.
|
| I have also updated my virus definitions which are now 31st I think.
| Nothing detected so I guess I'm clear.
| It would be interesting to see what was the final protection eg SP2 or
| the virus software
| Thanks for your help.
|

If you read the info on the page at Symantec it indicates the following...

"Bloodhound.Exploit.6 is a heuristic detection for exploits of a Microsoft Internet Explorer
vulnerability. This vulnerability was discovered in February 2004. "

So I would take a guess that WinXP SP2 patched IE and it mitigated this exploitation
attempt.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
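The thread's two take-aways are (1) a "Bloodhound.*" hit on a file in the browser cache is a heuristic exploit-attempt detection, not proof of infection, while a quarantined file outside any cache deserves a closer look, and (2) definition age matters both relative to the vulnerability's disclosure date and relative to today. The following is an added triage example written for this thread; it is not code from the posters, Symantec or McAfee. The log line format, the sample detections and the cache-directory markers are constructed for illustration (real Norton/Symantec logs are laid out differently), and the "couple of days" staleness threshold comes from the CLEAN.BAT description above.

```python
"""Triage antivirus detections the way the thread reasons about them.

Added example; not from the thread, Symantec or McAfee.
Log format and sample lines are CONSTRUCTED (not real Norton output).
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List

# Disclosure date of the vulnerability behind Bloodhound.Exploit.6, as stated in the thread.
DISCLOSED_BLOODHOUND_EXPLOIT_6 = date(2004, 2, 13)

# Path fragments that identify browser/plugin cache locations (assumption: typical XP-era layout).
CACHE_MARKERS = (
    "\\temporary internet files\\",   # IE Temporary Internet Files (TIF)
    "\\deployment\\cache\\",          # Sun Java plugin cache
)

# Constructed sample log: "timestamp,detection name,path,action" (no real malware names or IoCs).
SAMPLE_LOG = """\
2005-07-08 23:10:12,Bloodhound.Exploit.6,C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\page[1].htm,Could not repair
2005-07-08 23:10:12,Bloodhound.Exploit.6,C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\page[1].htm,Access denied
2005-07-08 23:10:15,Trojan.Constructed.Example,C:\\Documents and Settings\\user\\Application Data\\Sun\\Java\\Deployment\\cache\\javapi\\v1.0\\jar\\applet.jar-1.zip,Quarantined
2005-07-08 23:10:20,Trojan.Constructed.Example,C:\\WINDOWS\\Temp\\constructed_payload.exe,Quarantined
"""

# Severity ranking used by worst_verdict(): higher means more concerning.
SEVERITY = {"attempt-blocked": 0, "contained": 1, "investigate": 2}


@dataclass
class Detection:
    when: datetime
    name: str
    path: str
    action: str

    @property
    def heuristic(self) -> bool:
        # Symantec's "Bloodhound." prefix marks heuristic (behaviour/pattern) detections.
        return self.name.lower().startswith("bloodhound.")

    @property
    def in_browser_cache(self) -> bool:
        p = self.path.lower()
        if "\\firefox\\" in p and "\\cache\\" in p:   # Firefox profile cache (assumption)
            return True
        return any(marker in p for marker in CACHE_MARKERS)


def parse_log(text: str) -> List[Detection]:
    """Parse the constructed CSV-like log into Detection records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        when, name, path, action = line.split(",", 3)
        records.append(Detection(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), name, path, action))
    return records


def triage(d: Detection) -> str:
    """Classify one detection following the thread's reasoning."""
    if d.in_browser_cache and d.heuristic:
        # A cached page tripped an exploit heuristic: the attempt was seen, nothing executed.
        return "attempt-blocked"
    if d.in_browser_cache and d.action.lower() == "quarantined":
        # Payload landed in a cache directory and was removed before it could be used.
        return "contained"
    # Anything outside a cache location: a dropped file may mean the host was compromised.
    return "investigate"


def worst_verdict(detections: List[Detection]) -> str:
    """Overall verdict for a scan: the most concerning per-detection result."""
    return max((triage(d) for d in detections), key=SEVERITY.get, default="attempt-blocked")


def definitions_cover(defs_date: date, disclosed: date) -> bool:
    """Definitions dated on/after the disclosure date can be expected to include the signature."""
    return defs_date >= disclosed


def definitions_stale(defs_date: date, today: date, max_age_days: int = 2) -> bool:
    """Mirror CLEAN.BAT's rule: refresh signatures when they are more than a couple of days old."""
    return (today - defs_date).days > max_age_days


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for d in found:
        print(f"{d.name:28} {triage(d):16} {d.path}")
    print("overall:", worst_verdict(found))
    defs = date(2005, 5, 27)   # the poster's 27/05/05 definitions
    print("covers Bloodhound.Exploit.6:", definitions_cover(defs, DISCLOSED_BLOODHOUND_EXPLOIT_6))
    print("stale on 2005-07-09:", definitions_stale(defs, date(2005, 7, 9)))
```

Run as-is it prints two "attempt-blocked" lines for the cached IE page, "contained" for the quarantined Java cache entry, and "investigate" for the constructed file outside any cache, so the overall verdict is "investigate" even though the IE hits alone would not be. The definition checks show why both posters' advice holds: the 27 May 2005 definitions post-date the February 2004 disclosure, yet by the July scan they are old enough that CLEAN.BAT-style logic would refresh them first.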