Speaking of vulnerabilities, JS_MULEX.C is capable of exploiting a host of vulnerabilities in various applications and programs. It exploits the following vulnerabilities:
- Vector Markup Language vulnerability in Internet Explorer
- WebViewFolderIcon ActiveX integer overflow in Windows
- Windows Media Player Plug-in with Non-Microsoft Internet browsers vulnerability
- DXMedia SDK 6 ActiveX remote code execution vulnerability
- Yahoo! Messenger webcam ActiveX remote buffer overflow vulnerability
- Yahoo! Widgets getcomponentversion() remote overflow vulnerability
- Remote code execution vulnerability in Microsoft Management Console
- Remote code execution vulnerability in Microsoft Data Access Components (MDAC)
The aforementioned vulnerabilities are discussed in detail (some also contain patches for the said vulnerabilities) in the following URLs:
Once JS_MULEX.C has determined which of these vulnerabilities are present on a system, it proceeds to exploit one of them to download the file EXE.PHP onto the affected system. The said file is detected by Trend Micro as TSPY_AGENT.AAWC.
Aside from keeping your patterns updated, Trend Micro strongly recommends applying regular updates to programs and applications.
Thanks to Ryan Flores, Paul Ferguson, Rainer Link, and Roger Thompson of Exploit Prevention Labs for providing information.