jupk.com trojan explanation
jmule
« on: December 03, 2006, 06:10:40 AM »

Here is an explanation of this new jupk.com trojan:

Summary:
============

The Internet community has recently been observing a new attack against Microsoft Windows systems running Internet Explorer 6 (MSIE6 and MSIE7) in the form of a JavaScript triggered worm. The current release of Microsoft Internet Explorer 6 and 7 contains an unpatched vulnerability within its ObjectData handling method(s).

The currently detected worm carries out a range of actions upon successfully exploiting a victim, most notable of which is the alteration of the systems DNS settings. The result is that instead of attempting DNS resolution via previously configured servers, the victim host now uses an alternate set of DNS servers. This allows the attacker to control where users are browsing by redirecting their web browsing and other Internet activities to alternate addresses.

A possible scenario might be that the attacker alters the victim's DNS settings and the user attempts to browse Amazon.com. When their system does a DNS lookup, instead of sending the user to the correct page the alternate DNS server may send the user to a page pretending to be Amazon. As a result, when the user enters their credit card details to purchase a book they may in fact be giving them to the attacker instead. (This example is hypothetical in nature and not based on any observed reality.)

When the vulnerability within the ObjectData handling method(s) is exploited by the now active Trojan, MSIE6 executes a contained ActiveX object within a piece of JavaScript. MSIE6 is programmed to check whether this ActiveX code is 'safe' and during this process MSIE6 determines that the ActiveX code is, in fact, simple HTML/Jscript. As a result it does not prompt the user to save the data to disk, but instead remembers it as HyperText Application (HTA) content and invokes the MSHTA.EXE process to execute the 'simple HTML/Jscript' code. This code is x[1].hta which creates and executes AOLFIX.EXE. AOLFIX.EXE is downloaded into the victim system's \temp directory, executed and deleted. The final result is the user's system settings being altered and DNS settings changed.


Who is Affected:
============

All users who have Microsoft Internet Explorer version 6 are likely vulnerable to this attack. This issue has been proven to work on Microsoft Windows ME, Windows NT, Windows 2000, and Windows XP. It is also considered likely to work on Microsoft Windows 9x and Windows Server 2003.


Symptoms if Exploited or Targeted:
==========

Users that have been affected by this Trojan will notice a series of changes to their system, and changes in system behaviour when attempting to access certain web sites or domain names. Behavioural changes will most likely manifest themselves as pages not resolving, or not appearing correct.

Directories Created:
--------------------

%systemdrive%:\bdtemp
%systemdrive%:\bdtemp\temp

Files Created:
--------------

AOLFIX.EXE
- Deleted immediately upon execution.
%systemdrive%:\%systemroot%\winlog
- Contains the letter 'A'
%systemdrive%:\%systemroot%\help\hosts
- Contains static DNS mappings to many IP addresses of popular search engines. See 'Details' section below for list of addresses mapped.

Registry Entries:
-----------------

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"="%SystemRoot%\help"



Actions:
============

Disabling ActiveX functions within the MSIE6 browser will not provide any level of protection against this vulnerability.

Mitigation:
-----------

- Disable Active Scripting within the MSIE6 (& Outlook) application(s). This will prevent execution of the pages delivering the exploit.

- Ensure firewalls (perimeter defences) are configured to block unauthorised outbound traffic as well as inbound traffic. This will prevent users from using unauthorised DNS servers. As such victim systems will reveal themselves very quickly as they fail to look up Internet domain names.

- Configure host firewalls (personal firewalls) that can control application level access to the network (such as ZoneAlarm) to deny access to the network for MSHTA.EXE.

- Disable HTA MIME types from within the Windows System Registry. To do this remove the entry "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\ContentType\application/hta".
This can be restored later, once a patch is available and applied.

- Configure IDS (intrusion detection systems) to monitor for suspicious traffic that may alert the administrator to the attack or victim systems. A sample rule set for Snort might be:

snort.conf:
# IP list of the resolver addresses named above
var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32]

dns.rules:
# Snort rejects duplicate sids, so each rule carries its own
alert tcp any any <> $MAL_DNS 53 (msg:"Malicious DNS Traffic"; sid:900027; rev:1;)
alert udp any any <> $MAL_DNS 53 (msg:"Malicious DNS Traffic"; sid:900028; rev:1;)


Fix:
----

No patch is currently available for this issue. The patch MS03-032 does not address this issue.
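The indicators listed in the post above (NameServer overrides, a relocated DataBasePath, a planted hosts file) can be checked on a live machine from the registry alone. The PowerShell audit below is an added example and is not part of the forum post or of the advisory it reproduces. The three known-bad resolver addresses are the ones the post names; the trusted resolver list is an assumption to replace with your own DNS servers.

```powershell
# Added example, not part of the forum post: audit the DNS-hijack indicators the
# post lists (NameServer overrides, a relocated DataBasePath, a planted hosts file).
# Run from an elevated PowerShell prompt. $TrustedResolvers is an assumption; edit it.
$TrustedResolvers  = @('192.168.1.1')                                    # assumption
$KnownBadResolvers = @('69.57.146.14', '216.127.92.38', '69.57.147.175')  # from the post
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$findings = New-Object System.Collections.Generic.List[string]

# 1. DataBasePath normally points at %SystemRoot%\System32\drivers\etc; the post's
#    trojan moves it to %SystemRoot%\help so that a planted hosts file is consulted.
$dbPath = (Get-ItemProperty -Path $TcpipParams -Name DataBasePath -ErrorAction SilentlyContinue).DataBasePath
$expanded = if ($dbPath) { [Environment]::ExpandEnvironmentVariables($dbPath) } else { '' }
$expected = Join-Path $env:SystemRoot 'System32\drivers\etc'
if ($expanded -ne $expected) {
    $findings.Add("DataBasePath is '$dbPath' (expected '$expected')")
}

# 2. Global and per-interface NameServer values: anything outside the trusted list is
#    reported, and the addresses the post names are called out explicitly.
$interfaces = Get-ChildItem -Path "$TcpipParams\Interfaces"
$keys = @(Get-ItemProperty -Path $TcpipParams) +
        @($interfaces | ForEach-Object { Get-ItemProperty -Path $_.PSPath })
foreach ($key in $keys) {
    if ([string]::IsNullOrWhiteSpace($key.NameServer)) { continue }
    foreach ($ip in ($key.NameServer -split '[ ,]+')) {
        if ($KnownBadResolvers -contains $ip) {
            $findings.Add("Known-bad resolver $ip in $($key.PSChildName)")
        } elseif ($TrustedResolvers -notcontains $ip) {
            $findings.Add("Untrusted resolver $ip in $($key.PSChildName)")
        }
    }
}

# 3. Interface subkeys are normally GUIDs; the post shows one literally named 'windows'.
$guid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
foreach ($k in $interfaces) {
    if ($k.PSChildName -notmatch $guid) {
        $findings.Add("Non-GUID Interfaces subkey: $($k.PSChildName)")
    }
}

# 4. Read the hosts file from wherever DataBasePath currently points and list every
#    active mapping other than the localhost entries.
if ($expanded) {
    $hostsFile = Join-Path $expanded 'hosts'
    if (Test-Path $hostsFile) {
        Get-Content $hostsFile |
            Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and
                           $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
            ForEach-Object { $findings.Add("hosts mapping: $($_.Trim())") }
    }
}

if ($findings.Count -eq 0) { 'No DNS-hijack indicators found.' } else { $findings }
```

The script only reads; it does not revert anything, so a positive finding is a prompt to image the machine before cleaning. It also trusts what the registry API returns, which is exactly what a rootkit-equipped variant could falsify, so an offline check of the same keys (a mounted hive or a boot disk) is the stronger form of this audit.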
GTO
Global Moderator
« Reply #1 on: December 03, 2006, 09:25:33 AM »

Hi jmule. Welcome to the 2-Spyware.com forums!

First of all, it's bullsh**t. Excuse me, but it really is. The message you've posted is an exact copy of this message, which dates back to October 2, 2003.

The problem with jupk.com is that victims have redirects not only in Microsoft Internet Explorer, but also in Mozilla Firefox and Opera. The latter browsers are NOT vulnerable to Internet Explorer-specific vulnerabilities.

The list of malicious objects and mitigation scenarios provided in your post have nothing to do with the jupk.com infection. It seems that it is a new variant of some sophisticated trojan, possibly with rootkit functionality.

Your post is misinformation. Furthermore, you've posted in the wrong section. I will move your post to a more appropriate forum section and lock it.

Once again, THIS HAS NOTHING TO DO WITH JUPK.COM!