
HTML_EXPLT.QYUA

Posted: January 27, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 63
First Seen: January 27, 2012
OS(es) Affected: Windows

HTML_EXPLT.QYUA is a malicious web page that uses a combination of MIDI-format and JavaScript exploits to install PC threats without your permission. Currently, HTML_EXPLT.QYUA attacks have been limited to installing TROJ_DLOAD.QYUA, a Trojan with rootkit functions and the ability to disable certain types of security software. Since HTML_EXPLT.QYUA can be triggered merely by visiting a site that plays music in MIDI format (assuming that Java is also enabled), SpywareRemove.com malware researchers recommend that you use a combination of strict browser settings and strong anti-malware products to detect HTML_EXPLT.QYUA attacks before they can install TROJ_DLOAD.QYUA onto your PC.

HTML_EXPLT.QYUA – Two Prongs of a Single Download Attack

The most widely reported instance of HTML_EXPLT.QYUA is hosted at hxxp://images.[CENSORED]p.com/mp.html but may also be present at other websites, and it is accompanied by JS_EXPLT.QYUA, TROJ_MDIEXP.QYUA and (eventually) TROJ_DLOAD.QYUA in its attacks. HTML_EXPLT.QYUA itself is significant only in that it hosts a JavaScript exploit, JS_EXPLT.QYUA, and a MIDI exploit, TROJ_MDIEXP.QYUA, which together are used to download and install TROJ_DLOAD.QYUA. From your web browser, the only indication of HTML_EXPLT.QYUA's presence that you may see is a MIDI file playing.

If you have JavaScript available but disabled for HTML_EXPLT.QYUA and similar types of suspicious sites, you may be prompted to enable JavaScript in order to play the relevant content. SpywareRemove.com malware researchers recommend that you keep Java disabled or even uninstalled as a solid barrier against this form of HTML_EXPLT.QYUA attack. Since the stock Windows media applications support MIDI files, disabling the MIDI half of the attack is far less practical than disabling JavaScript.
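The MIDI half of the attack depends on a media player accepting a malformed file, so a defender who cannot disable MIDI playback can still screen the files themselves. The following Python validator is an added example, not code from the original page or from SpywareRemove.com: it walks a Standard MIDI File and flags channel-message data bytes outside the 0..127 range the format allows, a condition a content filter or mail gateway could use to block the file before any player parses it. The sample files are constructed inline; the page does not describe which malformation CVE-2012-0003 involves, so treating out-of-range data bytes as the signal is an assumption.

```python
import struct
# Constructed sample files (not taken from the page): a well-formed one-track
# MIDI and a copy with one note-number byte outside the legal 0..127 range.
def _track(events):
    body = b"".join(events) + b"\x00\xFF\x2F\x00"    # end-of-track meta event
    return b"MTrk" + struct.pack(">I", len(body)) + body

GOOD_MIDI = b"MThd" + struct.pack(">IHHH", 6, 0, 1, 96) + _track([
    b"\x00\x90\x3C\x40",   # delta 0:  Note On, channel 0, note 60, velocity 64
    b"\x60\x80\x3C\x40",   # delta 96: Note Off, same note
])
BAD_MIDI = GOOD_MIDI.replace(b"\x90\x3C\x40", b"\x90\xFF\x40")  # note byte 0xFF
_DATA_BYTES = {0x80: 2, 0x90: 2, 0xA0: 2, 0xB0: 2, 0xC0: 1, 0xD0: 1, 0xE0: 2}

def _read_vlq(buf, i):
    """Decode a MIDI variable-length quantity; return (value, next offset)."""
    n = 0
    while True:
        b, i = buf[i], i + 1
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            return n, i

def find_bad_data_bytes(data):
    """Return [(offset, value)] for each channel-message data byte outside 0..127."""
    if data[:4] != b"MThd":
        raise ValueError("not a standard MIDI file")
    i, bad = 8 + struct.unpack(">I", data[4:8])[0], []
    while i < len(data):
        if data[i:i + 4] != b"MTrk":
            raise ValueError("unexpected chunk at offset %d" % i)
        p, status = i + 8, None
        end = p + struct.unpack(">I", data[i + 4:i + 8])[0]
        while p < end:
            _, p = _read_vlq(data, p)                    # skip delta time
            if data[p] & 0x80:                           # explicit status byte
                status, p = data[p], p + 1
            if status in (0xFF, 0xF0, 0xF7):             # meta or sysex event
                mlen, p = _read_vlq(data, p + (status == 0xFF))  # meta: skip type
                p, status = p + mlen, None               # cancels running status
            elif status is None or (status & 0xF0) not in _DATA_BYTES:
                raise ValueError("bad status byte at offset %d" % p)
            else:                                        # channel message
                for _ in range(_DATA_BYTES[status & 0xF0]):
                    if data[p] & 0x80:
                        bad.append((p, data[p]))
                    p += 1
        i = end
    return bad
```

A non-empty result (or a ValueError from a chunk that is not MThd/MTrk) is the signal to quarantine the file rather than play it.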

What to Do When HTML_EXPLT.QYUA Gets Its Way

Because a successful HTML_EXPLT.QYUA attack means the installation of TROJ_DLOAD.QYUA, you should be prepared for crippling assaults against security programs like AlYac and NHN Anti-Virus Scanner Service, as well as the potential presence of a backdoor on your PC. Backdoors allow criminals to control your PC from a remote server and can also be exploited to install other PC threats or steal private information. However, if proper security precautions are taken to stop HTML_EXPLT.QYUA from carrying out its download scheme, HTML_EXPLT.QYUA should prove to be harmless to your PC.

If you do need to get rid of an HTML_EXPLT.QYUA payload like TROJ_DLOAD.QYUA, SpywareRemove.com malware experts discourage manual removal in favor of thorough system scans that are capable of detecting even high-level PC threats, such as rootkits. Keeping your OS and web browser updated can also protect against HTML_EXPLT.QYUA, since the exploit that HTML_EXPLT.QYUA uses, CVE-2012-0003, has been patched by Microsoft as of January 10, 2012. Non-Windows computers can also be considered safe from HTML_EXPLT.QYUA, which requires specific versions of Windows XP, Vista, Server 2003 or Server 2008 to succeed against the computer in question.
