Site icon Panda Security Mediacenter

MS06-044 in the wild (Update)

We have recorded a video, to see the exploit in action.

First, the user connects to a web page which uses the exploit to launch the download of the files: q1.dll y q2l.exe. Then, when q2.exe is executed, it moves the dll to another directory to prevent the deletion of the files, as they are downloaded into a temp directory.

This dll is injected into the Internet Explorer, in order to perform background tasks. Among other things it dumps proxy, email, configuration, and cached passwords… We have attached a sample of the dumped file, there you can see the proxy authentication data. This malware has ftp capabilities to upload the dumped files to an external server.

[ImageAttachment]

Thanks again to Ismael Briones.

Exit mobile version