Exploit:HTML/CVE-2008-2551.gen!A

Exploit:HTML/CVE-2008-2551.gen!A is the detection for HTML files that exploit a vulnerability in Icona SpA C6 Messenger version 1.0.0.1.

Installation

Exploit:HTML/CVE-2008-2551.gen!A may be found at the end of an otherwise legitimate HTML file, which may indicate that the page was modified by a remote attacker to include it. It may also be included with other exploits within a malware kit.

It exploits a vulnerability in Icona SpA C6 Messenger version 1.0.0.1 discussed in CVE-2008-2551.

Payload

Downloads arbitrary files

If Icona SpA C6 Messenger version 1.0.0.1 is not installed, Exploit:HTML/CVE-2008-2551.gen!A may redirect the browser to a vulnerable copy of the browser plugin component. If the user chooses to install the plugin, the exploit connects to certain servers to download arbitrary files.

In the wild, Exploit:HTML/CVE-2008-2551.gen!A has been known to connect to the following:

• cir<removed>uitbureau.com
• cm.<removed>ir.tv
• hc.<removed>cdgut.edu.cn
• med<removed>afire.com
• the<removed>rescon.com
• waa<removed>land.tv

The downloaded file may be detected as TrojanDropper:Win32/Agent.KA or VirTool:Win32/VBInject.gen!FK.

Analysis by Chris Stubbs