PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Others

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  TECHNICAL DETAILS

File Size: Varies
Memory Resident: Yes
Initial Samples Received Date: 16 Nov 2001
Payload: Modifies the default Internet Explorer home page, Downloads executable files, Sends email using Microsoft Outlook, Changes Outlook Express stationery and signature

NOTES:

This is Trend Micro's generic detection for JavaScript malware that takes advantage of the com.ms.activeX.ActiveXComponent security vulnerability on unpatched Internet Explorer browsers.

This vulnerability allows a Java applet to instantiate and run any ActiveX control it chooses, from a Web page or from within an HTML-based email message, which in turn lets the applet read, write, and run files on the local hard disk. It also allows an applet to download a file from a specified Web site and execute that file locally.

Exploit code for this vulnerability is usually embedded in HTML pages and is most often used to modify the default Internet Explorer home page and to add Web links to the Internet Explorer Favorites folder. Other samples modify the default Outlook Express stationery, and some also have mailing capabilities.

More information on this vulnerability is available in Microsoft Security Bulletin MS00-075, Patch Available for 'Microsoft VM ActiveX Component' Vulnerability.
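The generic detection described above keys on one structural pattern: an <applet> tag that loads com.ms.activeX.ActiveXComponent together with script that drives that applet. The scanner below is an added example written for this page, not Trend Micro's engine or pattern file. The class name comes from the page; the three method names it also looks for (setCLSID, createInstance, GetObject) are the known MS00-075 exploit interface and are an assumption of this example. The sample page, the benign page and the e-mail are constructed inline and are not real samples; the CLSID in the sample is a zeroed placeholder.

```python
"""Flag HTML pages and HTML e-mail that load com.ms.activeX.ActiveXComponent from script."""
import email
import re
from email import policy
from html.parser import HTMLParser

EXPLOIT_CLASS = "com.ms.activeX.ActiveXComponent"  # named on the page
# Methods used to turn the applet into an arbitrary COM object (MS00-075 pattern;
# assumed for this example, not taken from the page).
ACTIVEX_METHODS = ("setCLSID", "createInstance", "GetObject")


class _Collector(HTMLParser):
    """Pull <applet code=...> class names and inline <script> bodies out of HTML."""

    def __init__(self):
        super().__init__()
        self.applet_classes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "applet":
            self.applet_classes.append((attrs.get("code") or "").strip())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _loads_exploit_class(code_attr):
    # The code attribute may carry a trailing ".class"; compare case-insensitively.
    name = code_attr.lower()
    if name.endswith(".class"):
        name = name[:-len(".class")]
    return name == EXPLOIT_CLASS.lower()


def scan_html(document):
    """Return a verdict dict for one HTML document (Web page or HTML mail body)."""
    parser = _Collector()
    parser.feed(document)
    parser.close()
    script = "\n".join(parser.scripts)
    loads_class = any(_loads_exploit_class(c) for c in parser.applet_classes)
    touches_applet = re.search(r"document\.applets\s*[\[(]", script) is not None
    methods = [m for m in ACTIVEX_METHODS if re.search(r"\." + m + r"\s*\(", script)]
    if loads_class and (touches_applet or methods):
        verdict = "exploit"       # applet loaded and driven from script
    elif loads_class or methods:
        verdict = "suspicious"    # only one half of the pattern present
    else:
        verdict = "clean"
    return {"verdict": verdict, "loads_class": loads_class,
            "touches_applet": touches_applet, "methods": methods}


def scan_eml(raw_message):
    """Scan every text/html part of an RFC 822 message; the worst verdict wins."""
    rank = {"clean": 0, "suspicious": 1, "exploit": 2}
    msg = email.message_from_string(raw_message, policy=policy.default)
    worst = {"verdict": "clean", "loads_class": False, "touches_applet": False, "methods": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            result = scan_html(part.get_content())
            if rank[result["verdict"]] > rank[worst["verdict"]]:
                worst = result
    return worst


# Constructed samples (not real malware); the CLSID is a placeholder.
MALICIOUS_PAGE = """<html><body>
<applet code="com.ms.activeX.ActiveXComponent" width=1 height=1 name="ax"></applet>
<script language="JavaScript">
  var ax = document.applets[0];
  ax.setCLSID("{00000000-0000-0000-0000-000000000000}");
  ax.createInstance();
  var obj = ax.GetObject();
</script>
</body></html>"""

BENIGN_PAGE = """<html><body>
<applet code="Clock.class" width=100 height=100></applet>
<script>document.applets[0].start();</script>
</body></html>"""

APPLET_ONLY = '<html><applet code="com.ms.activeX.ActiveXComponent.class"></applet></html>'

MAIL = ("From: a@example.test\nTo: b@example.test\nSubject: hi\n"
        "Content-Type: text/html; charset=us-ascii\n\n" + MALICIOUS_PAGE)

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_PAGE), ("benign", BENIGN_PAGE),
                       ("applet only", APPLET_ONLY)):
        print(label, scan_html(doc))
    print("mail", scan_eml(MAIL))
```

Because the page says these samples are not encrypted, the scanner matches plain identifiers; a sample that builds the method names with unescape() or string concatenation would land in "suspicious" at best and needs the script rendered before matching.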

  SOLUTION

Minimum Scan Engine: 9.300
VSAPI OPR PATTERN File: 1.168.00
VSAPI OPR PATTERN Date: 16 Nov 2001

NOTES:

NOTE: Different samples of this malware have different effects on your system. Apply the security patch, scan your system to clean it of this malware, and then run the other procedures below as necessary.

Applying Patches

This malware exploits a known vulnerability in the Microsoft Virtual Machine shipped with Internet Explorer. Download and install a Microsoft VM build that contains the fix for this vulnerability. Refrain from browsing the Web or opening HTML email with Internet Explorer until the appropriate patch has been installed.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as JS_EXCEPTION.GEN. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Restoring Outlook Express Stationery

  1. Open Microsoft Outlook Express.
  2. Click Tools > Options in the menu of Microsoft Outlook Express.
  3. Click the Compose tab and select your stationery.
  4. Click the OK button to save changes.

Restoring the Outlook Express Default Signature

  1. Run Microsoft Outlook Express.
  2. Click Tools > Options in the menu of Microsoft Outlook Express.
  3. Click the Signatures tab and look for and remove the suspicious signature.
  4. Select or create your own default signature.
  5. Click the OK button to save changes.

Resetting Internet Explorer Homepage and Search Page

This procedure restores the Internet Explorer home page and search page to the default settings.

  1. Close all Internet Explorer windows.
  2. Open Control Panel: click Start > Settings > Control Panel.
  3. Double-click the Internet Options icon.
  4. In the Internet Properties window, click the Programs tab.
  5. Click the Reset Web Settings button.
  6. Select Also reset my home page. Click Yes.
  7. Click OK.
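The Reset Web Settings button copies the machine-wide defaults back over the current user's home and search page values. The script below is an added example, not a Trend Micro tool, that performs the same audit and reset against the registry so it can be run on many accounts or checked before clicking through the dialog. It assumes the values live under HKCU and HKLM at Software\Microsoft\Internet Explorer\Main as "Start Page" / "Search Page" with defaults "Default_Page_URL" / "Default_Search_URL"; the registry-backed functions only work on Windows, and the two sample dictionaries are constructed inline to stand in for a hijacked user hive.

```python
"""Audit and reset the Internet Explorer start/search page values in the registry."""
from urllib.parse import urlsplit

IE_MAIN = r"Software\Microsoft\Internet Explorer\Main"   # same path under HKCU and HKLM
USER_VALUES = ("Start Page", "Search Page")
# HKLM value that "Reset Web Settings" copies back over each user value (assumed).
DEFAULT_FOR = {"Start Page": "Default_Page_URL", "Search Page": "Default_Search_URL"}


def assess(user_values, machine_defaults):
    """Compare a user's start/search pages with the machine defaults.

    Returns {value name: (current, default, reason)} where reason is None when
    nothing looks wrong, otherwise a short string explaining the finding.
    """
    report = {}
    for name in USER_VALUES:
        current = user_values.get(name)
        default = machine_defaults.get(DEFAULT_FOR[name])
        reason = None
        if current is None:
            reason = "missing"
        else:
            scheme = urlsplit(current).scheme.lower()
            if scheme not in ("http", "https"):
                # file:, javascript:, res: etc. point at local content, a common hijack sign
                reason = "non-web scheme " + (scheme or "(none)")
            elif default is not None and current.lower() != default.lower():
                reason = "differs from machine default"
        report[name] = (current, default, reason)
    return report


def read_hive(root, names):
    """Read the named REG_SZ values from <root>\\IE_MAIN (Windows only)."""
    import winreg  # imported here so the pure logic above runs anywhere
    found = {}
    with winreg.OpenKey(root, IE_MAIN) as key:
        for name in names:
            try:
                found[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return found


def reset_user_pages(machine_defaults, dry_run=True):
    """Write the machine defaults over the current user's values (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_MAIN, 0, winreg.KEY_SET_VALUE) as key:
        for name in USER_VALUES:
            default = machine_defaults.get(DEFAULT_FOR[name])
            if default is None:
                continue
            if dry_run:
                print("would set", name, "=", default)
            else:
                winreg.SetValueEx(key, name, 0, winreg.REG_SZ, default)


# Constructed sample hives: a hijacked user hive beside plausible machine defaults.
SAMPLE_USER = {
    "Start Page": r"file://C:\WINDOWS\Web\hijack.htm",
    "Search Page": "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch",
}
SAMPLE_MACHINE = {
    "Default_Page_URL": "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome",
    "Default_Search_URL": "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch",
}

if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        import winreg
        user = read_hive(winreg.HKEY_CURRENT_USER, USER_VALUES)
        machine = read_hive(winreg.HKEY_LOCAL_MACHINE, tuple(DEFAULT_FOR.values()))
    else:
        user, machine = SAMPLE_USER, SAMPLE_MACHINE
    for name, (cur, default, reason) in assess(user, machine).items():
        print(f"{name}: {cur!r} -> {reason or 'ok'} (default {default!r})")
    reset_user_pages(machine, dry_run=True) if sys.platform == "win32" else None
```

A "differs from machine default" finding is only a hint, since users legitimately change their home page; the non-web-scheme check is the stronger signal for the home-page modification this family performs.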
