Trojan Uses Internet Explorer “Exploit.SelfExecHtml” Vulnerability

Kaspersky Labs, an international data security software developer, reports the appearance of the Trojan program, ‘StartPage’ – the first malware to infect computers via the “Exploit.SelfExecHtml” vulnerability in the Internet Explorer security system. Making infection particularly dangerous is the fact that Microsoft has yet to release the required patch, essentially leaving users defenseless in the face of this and other, potentially more dangerous threats choosing to exploit the very same vulnerability.

‘StartPage’ is a classic Trojan – it is sent to victim addresses directly from the author and does not have an automatic send function. The first mass mailing to several hundred thousand addresses was registered in Russia on May 20. The text accompanying the Trojan program is written in Russian and clearly indicates the program’s birthplace as either Russia or the former USSR.

The ‘StartPage’ program is a Zip-archive that contains an HTML file. Upon opening the HTML file an embedded Java-script is launched that exploits the “Exploit.SelfExecHtml” Internet Explorer security system vulnerability and clandestinely executes an embedded EXE file carrying the Trojan program.

“It is hard to call this program dangerous, its collateral effects include only the altering of an old Internet Explorer page. Still, ‘StartPage’ has set a precedent with its usage of a vulnerability for which there is not yet a patch”, commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs.

According to Kaspersky Labs statistics, over 85% of virus incidences in 2002 were caused by malicious programs such as ‘Klez’ and ‘Lentin’ that exploit the IFRAME Internet Explorer vulnerability, which was discovered over two years ago, and thus users have had plenty of time to install the patch and protect themselves against any similar virus appearing in the future.

“With StartPage we are dealing with an open vulnerability. Users can protect themselves with anti-virus software, but not all of them have strong heuristic technology to protect against future viruses”, continued Eugene Kaspersky. “A new vulnerability has been exposed that may incite the creation of a multitude of new malware that could lead to new epidemics of a global scale.”

The following programs are vulnerable to the “Exploit.SelfExecHtml” breech:
* Microsoft Internet Explorer 5.0 for Windows 2000
* Microsoft Internet Explorer 5.0 for Windows 95
* Microsoft Internet Explorer 5.0 for Windows 98
* Microsoft Internet Explorer 5.0 for Windows NT 4.0

Kaspersky Labs appeals to Microsoft to make a strong effort to release the necessary patch, as soon other malicious programs will appear that exploit the very same technology. If a solution is not provided soon we can expect a long lasting, large-scale epidemic that could surpass even the ‘Klez’ epidemic.