Exploit-MhtRedir.gen

今天1029想起一个人的主页，就跑去访问一下，结果MCAFEE就报告：
2005-10-29 21:55:54 脚本执行被阻挡   GreenBrowser.exe 由 GreenBrowser.exe 执行的脚本 Exploit-MhtRedir.gen (特洛伊)

他的说明： 因为我一般用firefox浏览，所以没发现，也不知道什么时候中招的。用ie打开我的blog，先是一个帮助文件闪了一下，然后诺顿报警，c盘根目录下NTDETECT.hta文件为Downloader.Trojan病毒，删除成功。

不过我觉得好像不是一样的？
搜索了一下：发现名堂还蛮多的

十大病毒排行 Exploit-MhtRedir.gen位列榜首
反病毒厂商McAfee公司“反病毒、缺陷紧急响应小组”（AVERT）根据病毒的危害程度列出了下述排行榜：

AVERT的副总裁文森特称，Exploit-MhtRedir.gen之所以位列十大病毒排行榜榜首，是因为它利用Windows和IE中的两个缺陷，在用户访问恶意网站时，悄悄地在电脑上运行从IIS服务器传输过来的恶意代码，将用户引导至黑客控制的网站，并下载能够记录用户击键情况和窃取个人资料的特洛伊木马程序。这是一种新型恶意代码，尽管其攻击的数量不多，但由于它被大量使用在针对企业和消费者的攻击中，且至今没有相应的补丁软件，致使大量的Web服务器还在遭受攻击的困饶，故将Download.Ject或Scob的Exploit-MhtRedir.gen列为威胁最大的恶意代码。能够对付它的唯一武器就是尚未正式发布的Windows XP SP2。

排在第二位的VBS/Psyme也是一种利用了IE中的缺陷的特洛伊木马程序，能够覆盖用户本地系统上的文件。

Netsky因传播效率高而进入排行榜。它主要通过电子邮件的附件传播——当附件文件被打开后，就会自行安装在Windows PC上，然后从硬盘上收集电子邮件地址，通过向这些地址发送携带有它本身拷贝的电子邮件的方式进行传播。

MyDoom是今年上半年出现最多的恶意代码，它以“delivery failed”及“"postmaster”、“Post Office”、“MAILER-DAEMON”等虚假现象来迷惑用户，造成携带有病毒的电子邮件看起来象是没有成功发送的假象。

晕倒，我没有SP2，连SP1都没有～～～～～ 不过我信任 MCAFEE

简单的说，这不是一个病毒，应该算木马一类的恶意代码，Exploit-MhtRedir.gen利用Windows和IE中的两个缺陷，在用户访问恶意网站时，悄悄地在电脑上运行从IIS服务器传输过来的恶意代码，将用户引导至黑客控制的网站，并下载能够记录用户击键情况和窃取个人资料的特洛伊木马程序
解决办法：
1、安装XP SP2补丁，经测试可以屏蔽
2、安装应用层的防火墙或者类似Microsoft 的AntiSpyWare，也可以检测并屏蔽

搜索过程中找到几个分析病毒的网页，好像全是源代码，结果MCAFEE也报告了
  GreenBrowser.ex G:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\LSGB9T8X\c[5] Exploit-MhtRedir.gen (特洛伊)
2005-10-29 22:02:29 已删除   GreenBrowser.ex G:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\E1XA761W\c[2] Exploit-MhtRedir.gen (特洛伊)
2005-10-29 22:02:31 脚本执行被阻挡    GreenBrowser.exe 由 GreenBrowser.exe 执行的脚本 Exploit-MhtRedir.gen (特洛伊)
2005-10-29 22:02:31 脚本执行被阻挡   GreenBrowser.exe 由 GreenBrowser.exe 执行的脚本 JS/Exploit-FileProxy (特洛伊)
2005-10-29 22:02:48 移动失败（清除失败）    GreenBrowser.ex G:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\E1XA761W\12232649396[1].htm Exploit-MhtRedir.gen (特洛伊)

Trojan Name  Risk Assessment 
Exploit-MhtRedir.gen  Corporate User  :  Low-Profiled 
Home User  :  Low-Profiled 
 
Trojan Characteristics: 
-- Update June 24, 2004--
It has recently been made known that some IIS servers have been remotely hacked. This exploit was utilized to redirect the client's browser to the  location http://217.107.218.147  containing an infected webpage causing unsolicited files to be downloaded and executed.

Certain downloaded files are detected as BackDoor-AXJ.dll , JS/Exploit-DialogArg.b , and VBS/Psyme  with the current DAT files.

For further details concerning this threat, and details of available Microsoft patches see:
http://www.microsoft.com/security/incident/download_ject.mspx

-- Update June 10, 2004 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Pop-up+toolbar+spreads+via+IE+flaws/2100-1002_3-5229707.html?tag=nefd.top

A new attack vector was discovered recently, which by passes the MS04-013 patch.  Generic detection of this new exploit code will be included in the 4366 DAT release.

--------------------------------------------------------------------------------

This detection covers code designed to exploit an Internet Explorer vulnerability.

The exploit results in a CHM (Microsoft Compiled Help) file being written to the local system allowing for additional exploit code to then execute the downloaded file.

The end result is the execution of arbitrary code at the permission level of the current user.

Microsoft has released a patch for this vulnerability.
See: http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx
 
http://vil.nai.com/vil/content/v_101033.htm

How can I protect my computer from Mhtredir.gen? 
 
In order to keep your computer protected, bear the following tips in mind:

Download the security patch for the vulnerability described by Microsoft in the security bulletin MS04-013.http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx
Install a good antivirus in your computer. Click here to get the Panda antivirus solution that best suits your needs.
Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
Keep your permanent antivirus protection enabled at all times.