Exploit:HTML/Repl.B


Exploit:HTML/Repl.B is a malicious JavaScript program embedded inside HTML files which exploits a buffer overflow vulnerability in RealPlay 10.5 and RealPlay 11 Beta.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Exploit:HTML/Repl.B is a malicious JavaScript program embedded inside HTML files which exploits a buffer overflow vulnerability in RealPlay 10.5 and RealPlay 11 Beta.
It may arrive on the system when a user visits malicious web pages that contain this exploit. When these web pages are opened in Internet Explorer, the malicious JavaScript checks whether RealPlay is installed on the system. It also checks RealPlay's version number and language option.
The script then attempts to create a buffer overflow. It does this by importing the following local file into a playlist using an extremely long name that causes the stack to overflow:
  • C:\Program Files\NetMeeting\TestSnd.wav (This file is included in the original installation of Windows.)
If the exploit succeeds, an attacker may execute arbitrary code on the infected machine.
The vulnerable ActiveX control in RealPlay is named IERPCtl and can be used to import files from the local machine to a specified playlist in RealPlay.
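A static triage heuristic for the behavior described above, added here as an example and not part of the original entry or of any vendor's detection logic: it flags HTML that references the IERPCtl control together with the local TestSnd.wav path or long-string construction. The function name, the constructed sample pages and the 1024-character threshold are assumptions.

```python
import re

# Indicators come from the behaviour described above; thresholds are assumptions.
CONTROL_RE = re.compile(r"IERPCtl", re.IGNORECASE)
# The path may use single, JS-escaped (doubled) or forward slashes.
WAV_RE = re.compile(r"NetMeeting(?:\\{1,2}|/)TestSnd\.wav", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
STRING_RE = re.compile(r"""(["'])((?:\\.|(?!\1)[^\\])*)\1""", re.DOTALL)
LOOP_RE = re.compile(r"\b(?:while|for)\s*\(")
# Self-append such as `s += s` or `s = s + ...`, a common way to grow a string.
APPEND_RE = re.compile(r"\b(\w+)\s*(?:\+=|=\s*\1\s*\+)")
LONG_LITERAL = 1024  # assumed cut-off for an "extremely long" name


def scan_html(html):
    """Return (indicator hits, verdict) for one HTML document."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    literals = (m.group(2) for m in STRING_RE.finditer(scripts))
    hits = {
        "control": bool(CONTROL_RE.search(html)),
        "local_wav": bool(WAV_RE.search(html)),
        "long_string": any(len(s) >= LONG_LITERAL for s in literals)
        or bool(LOOP_RE.search(scripts) and APPEND_RE.search(scripts)),
    }
    # The control alone is normal on pages that embed the player; require a
    # second indicator before flagging.
    suspicious = hits["control"] and sum(hits.values()) >= 2
    return hits, "suspicious" if suspicious else "clean"


# Constructed samples: inert markup that only carries the indicators.
SAMPLE_BENIGN = """<html><object id="IERPCtl"></object><script>
for (var i = 0; i < 3; i++) { document.title = "track " + i; }
</script></html>"""

SAMPLE_SUSPECT = r"""<html><object id="IERPCtl"></object><script>
var ctl = document.getElementById("IERPCtl");
var wav = "C:\\Program Files\\NetMeeting\\TestSnd.wav";
var name = "A"; while (name.length < 100000) name += name;
</script></html>"""

if __name__ == "__main__":
    for label, page in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(label, scan_html(page))
```

The heuristic reads script text as written, so an obfuscated page that assembles the control name or file path at run time will not match; treat a "clean" verdict as absence of these plain-text indicators only.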
A security update for this vulnerability is available from the following RealPlay site:

Symptoms

This exploit can be used to execute arbitrary code on an affected machine; hence, there are no symptoms specific to this detection.

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.45.287.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jan 02, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Exploit.Win32.Agent.bb (Kaspersky)
  • Exploit-RealPlay (McAfee)
  • Downloader (Symantec)