Exploit.IIS.Beavu Viruses Information
Name: Exploit.IIS.Beavu
Category: Viruses
Description:
Details
Exploit.IIS.Beavuh
Beavuh is a malware exploit of the so-called MS IIS ".printer" vulnerability, which Microsoft describes in "Security Bulletin MS01-23", released May 1, 2001.
The MS01-23 Security Bulletin can be viewed at the following location:
www.microsoft.com/technet/security/bulletin/ms01-023.asp
This exploit program gives remote access to a simple Windows NT command shell on the target machine. Beavuh was recently reported (on March 2nd, 2002) to have been used in a large number of hacking attempts.
The exploit program has the following parameters:
a destination IP address
a destination port number
an IP address/port to which the exploiting code will connect back with the command shell.
The remote exploit code gets executed on the target machine if the IIS vulnerability was not previously patched. The code is encrypted so it will first proceed to decrypt itself, and then it will scan the system memory for the Windows NT library ("kernel32.dll"). From there it will acquire the 'offset' of the 'GetProcAddress' function and will further use it to obtain a couple of other API addresses, both from "kernel32.dll" and "wsock32.dll".
Next, Beavuh connects to the address specified by the attacker, launches the executable "cmd.exe" and links the input and output of the command shell to the socket opened to the attacker's control machine.
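The behaviour described above, an outbound connection made by the IIS process followed by "cmd.exe" started from that same process, can be hunted for in host telemetry. The following Python example is added here and is not part of the original description or of any vendor tool; the event records, field names, IIS process names, PIDs and addresses are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumption: host process names for IIS; adjust to the server version in use.
IIS_IMAGES = {"inetinfo.exe", "w3wp.exe"}
SHELLS = {"cmd.exe"}

# Constructed sample telemetry (hypothetical field names, documentation IPs).
EVENTS = [
    {"time": "2002-03-02T10:14:58", "type": "net", "image": r"C:\WINNT\system32\inetsrv\inetinfo.exe",
     "pid": 812, "direction": "inbound", "remote": "198.51.100.20:3127"},
    {"time": "2002-03-02T10:15:01", "type": "net", "image": r"C:\WINNT\system32\inetsrv\inetinfo.exe",
     "pid": 812, "direction": "outbound", "remote": "203.0.113.7:4444"},
    {"time": "2002-03-02T10:15:02", "type": "proc", "image": r"C:\WINNT\system32\cmd.exe",
     "pid": 1340, "parent_image": r"C:\WINNT\system32\inetsrv\inetinfo.exe", "parent_pid": 812},
    {"time": "2002-03-02T10:20:00", "type": "proc", "image": r"C:\WINNT\system32\cmd.exe",
     "pid": 1502, "parent_image": r"C:\WINNT\explorer.exe", "parent_pid": 420},
    {"time": "2002-03-02T11:40:00", "type": "proc", "image": r"C:\WINNT\system32\cmd.exe",
     "pid": 1777, "parent_image": r"C:\WINNT\system32\inetsrv\inetinfo.exe", "parent_pid": 812},
]

def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_iis_shells(events, window=timedelta(seconds=30)):
    """Flag command shells spawned by IIS; 'high' when the same IIS process
    also opened an outbound connection within `window` of the spawn."""
    outbound = {}  # IIS pid -> [(time, remote endpoint)]
    for ev in events:
        if ev["type"] == "net" and ev["direction"] == "outbound" and _name(ev["image"]) in IIS_IMAGES:
            outbound.setdefault(ev["pid"], []).append((datetime.fromisoformat(ev["time"]), ev["remote"]))
    alerts = []
    for ev in events:
        if ev["type"] != "proc" or _name(ev["image"]) not in SHELLS:
            continue
        if _name(ev["parent_image"]) not in IIS_IMAGES:
            continue  # e.g. an administrator's interactive shell
        t = datetime.fromisoformat(ev["time"])
        remotes = [r for ct, r in outbound.get(ev["parent_pid"], []) if abs(t - ct) <= window]
        alerts.append({"time": ev["time"], "shell_pid": ev["pid"], "iis_pid": ev["parent_pid"],
                       "remotes": remotes, "severity": "high" if remotes else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_iis_shells(EVENTS):
        print(alert)
```

A shell started by IIS with no nearby outbound connection is still reported, at lower severity, because a web server process has little legitimate reason to start "cmd.exe".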
Recommendations
Due to the prevalence of this exploit, we recommend system administrators patch any vulnerable IIS servers as soon as possible. Also, installing the KL ISAPI AV filter provides a generic means of blocking IIS buffer overflow exploits, including this one. For more details, please check:
www.kasperskey.com/support.html?chapter=47