First malware to exploit the critical IE vulnerability, reports Panda Software

PandaLabs has reported the appearance of the first samples of malware that install themselves on users’ computers by exploiting the critical JavaScript windows remote code execution vulnerability in Internet Explorer. The exploit is delivered through web pages with adult content, which attack visiting computers and allow the malware to infect them. Given that there is not yet a solution to this vulnerability, propagation of the threat could be serious in the coming hours, and users are therefore advised to ensure their anti-malware solution is up-to-date and able to recognize the use of this exploit.

The infection mechanism starts when users visit any of a series of web pages with adult content. The page redirects users to a second page which contains the exploit (detected by Panda as Exploit/BodyOnLoad) used to install the first malware, called keks.exe. This is installed on the computer and then downloads and runs a second file called all.exe. They are both detected as Downloader.DLE and are aimed at reducing browser security levels, and at enabling other malware to enter the computer. Sometimes the exploit is not successful; in this case an error is returned in Explorer and users are not infected.

If Downloader.DLE is successful, it will install several files on computers, including the annoying Adware/PicsPlace, a clicker that continuously opens pornographic pages, as well as several malicious cookies. Clickers open pages on users’ computers, providing financial returns for the creators of malware through the number of hits to websites. It is also programmed to periodically download a file with other URLs, which it will then contact, with the consequent risk of new variants of malware infecting the computer.

“This is no doubt just the beginning, because once the exploit has gone on to circulate among those controlling these malicious websites, it is just a question of time before almost all of them use it as a way of entering users’ computers,” explains Luis Corrons, director of PandaLabs. “The biggest problem is that systems, even though they are completely up-to-date and have all service packs, are still vulnerable: it is essential that users have a fully up-to-date anti-malware solution to avoid any risks.”

The JavaScript windows remote code execution vulnerability in Internet Explorer was first detected on November 21, and affects Internet Explorer in Microsoft Windows 98, Windows 98 SE, Windows Millennium Edition, Windows 2000 Service Pack 4, Windows XP Service Pack 1, and Windows XP Service Pack 2. It has not yet been resolved.

About PandaLabs

Since 1990, its mission has been to analyze new threats as rapidly as possible to keep our clients safe. Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), work 24/7 to provide global coverage. To achieve this, they also have the support of TruPrevent™ Technologies, which act as a global early-warning system made up of strategically distributed sensors to neutralize new threats and send them to PandaLabs for in-depth analysis. According to, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to users (more info at
