
Kudos0

Exploit Attack 61005 Memory Heap Spray - how did it get on my machine?

Last night when I booted my Win10 Pro laptop, as it was loading the desktop I got the splash screen for Microsoft Word 2010 (which I have installed and fully patched), but I do NOT have it set to run at start-up. As I'm puzzling why this splash screen has popped up...  Norton comes up with:

"Norton has blocked an exploit attack - Signature ID 61005 - WinWord.Exe"

I asked for details and it said:  memory heap spray attack was blocked, no further action required.

~~~~

I guess I'm not quite satisfied - apparently somehow code was injected into my machine to cause WinWord to launch on boot, and Norton stopped the execution, but how did the malicious code get there to begin with, and how can I help make sure it does not happen again?

I have run a full scan of the hard drive with Norton, as well as current versions of SAS and MAB; all three come back clean.

Replies

Kudos0

Re: Exploit Attack 61005 Memory Heap Spray - how did it get on my machine?

Hello NCHoser. Either the browser you are using is compromised due to incorrect settings and a drive-by injection occurred at the last site you visited, or Word or a document created by Word has been compromised. Opening a document in an email will also have the same effect. The application Word.exe was stopped to mitigate the attack vector. Please see this Symantec article for further explanation of what you are seeing and recommendations.

If you also have "fast startup" enabled on your system, the offending code most likely was NOT released from memory at your last shutdown, since fast start keeps certain portions of the OS resident in memory and you would not have gotten a clean, full memory-released shutdown. The HEAP SPRAY code then executed at the next cold boot. My recommendation for Windows 10, all versions, is to disable this feature and not allow the computer to hibernate.

Cheers

Retired military (Navy 1980-2002) AO1 (AW) Aviation Warfare Specialist "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1809 / build 17763.379 / NCSP 22.17.0.183 / Norton Core v.278 on Android 1.93
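The reply above recommends checking whether Fast Startup is active and turning it off. The following PowerShell script is an added example for doing that check and remediation; it is not code from the thread or from Norton/Symantec. It assumes an elevated PowerShell session on Windows 10, reads the documented HiberbootEnabled registry value, and parses the same powercfg /a output wording that appears later in this thread.

```powershell
# Added example (not from the thread): audit and optionally disable Fast Startup on Windows 10.
# Assumption: run from an elevated (Administrator) PowerShell session.
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Get-FastStartupState {
    # HiberbootEnabled = 1 means the Fast Startup option is ticked; 0 (or missing) means it is off.
    $hiberboot = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled

    # powercfg /a lists sleep states; the line "Hibernation has not been enabled." means hibernation is off.
    $sleepStates  = powercfg /a
    $hibernateOn  = -not ($sleepStates -match 'Hibernation has not been enabled')

    [pscustomobject]@{
        HiberbootEnabled  = [int]$hiberboot
        HibernationOn     = $hibernateOn
        # Fast Startup is only effective when hibernation is available, so both must be true.
        FastStartupActive = (([int]$hiberboot) -eq 1) -and $hibernateOn
    }
}

function Disable-FastStartup {
    # Clear the Fast Startup flag, then disable hibernation so every shutdown is a full cold shutdown
    # (this also removes hiberfil.sys and makes Fast Startup unavailable regardless of the flag).
    Set-ItemProperty -Path $powerKey -Name HiberbootEnabled -Value 0 -Type DWord
    powercfg /hibernate off
}

# Usage: report the current state; call Disable-FastStartup if FastStartupActive is True.
$state = Get-FastStartupState
$state
if ($state.FastStartupActive) {
    Write-Output 'Fast Startup is active; run Disable-FastStartup to force a full shutdown on next power-off.'
}
```

When hibernation is already disabled (as the powercfg /a output later in the thread shows), FastStartupActive reports False even if the HiberbootEnabled flag is still set, because Windows cannot write the kernel session to hiberfil.sys without hibernation.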
Kudos0

Re: Exploit Attack 61005 Memory Heap Spray - how did it get on my machine?

Thank you SA, I will try your suggestions this evening when I get off work!

My primary browser is Firefox. I always keep it up to date, but of course that's no guarantee.

Among other things, I guess it could not hurt to uninstall it and re-install.

Kudos0

Re: Exploit Attack 61005 Memory Heap Spray - how did it get on my machine?

Indeed, check your browser settings as well. Clear its cache and disable fast boot so anything remaining resident in system memory gets flushed when you do a restart and/or a shutdown. Please let us know how things go.

Cheers

Retired military (Navy 1980-2002) AO1 (AW) Aviation Warfare Specialist "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1809 / build 17763.379 / NCSP 22.17.0.183 / Norton Core v.278 on Android 1.93
Kudos0

Re: Exploit Attack 61005 Memory Heap Spray - how did it get on my machine?

SA:

Thanks for your help!

I just got this laptop recently to replace my older one that was stolen  :-(

When I set it up I disabled hibernation, and I guess that ALSO makes it impossible for the computer to do the fast-start? When I display the power cfg settings I see:

powercfg -a

The following sleep states are available on this system:

    Standby (S3)

The following sleep states are not available on this system:

    Standby (S1)

        The system firmware does not support this standby state.

    Standby (S2)

        The system firmware does not support this standby state.

    Hibernate

        Hibernation has not been enabled.

    Standby (S0 Low Power Idle)

        The system firmware does not support this standby state.

    Hybrid Sleep

        Hibernation is not available.

    Fast Startup

        Hibernation is not available.

I cleared ALL data from Firefox (cookies, cache, history, etc....)

When I relaunched Word it told me that one of my DOC files was causing an issue (not one from an e-mail, one I created...), so I deleted it and restored from backup an earlier version which Norton said was fine.

(Although Norton also said the file that Word complained about was OK as well....)

So unless there are any other tricks I should consider deploying or other scans I could run,

I guess I'll watch and see?

Thanks,
Jim

Kudos1 Stats

Re: Exploit Attack 61005 Memory Heap Spray - how did it get on my machine?

Since a Word document was flagged, that is more than likely where the avenue of injection took place. I would run Windows updates and have Office updates checked as well. Watch for a day or so as you create new documents and open older ones. Another issue could be if you are sharing documents in a collaboration scenario.

Cheers

Retired military (Navy 1980-2002) AO1 (AW) Aviation Warfare Specialist "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1809 / build 17763.379 / NCSP 22.17.0.183 / Norton Core v.278 on Android 1.93
Kudos2 Stats

Re: Exploit Attack 61005 Memory Heap Spray - how did it get on my machine?

Funny that this should come up...  I was just recently looking under my MBAM program wherein it was specifically referencing this "Heap Spray":

Kudos0

Re: Exploit Attack 61005 Memory Heap Spray - how did it get on my machine?

Thanks SA!

I'm on top of OS patches and application patches.

I don't really do any collaborating on documents at this time, so I'm rather baffled as to how this happened.

"Watchful waiting" I reckon....

Kudos1 Stats

Re: Exploit Attack 61005 Memory Heap Spray - how did it get on my machine?

Well ... that is interesting .........

I have the "free" version of MBAM and I don't see that tab, so it must be a premium thing.
I was having a problem with their trial real-time version pestering the hell out of me with a false positive,
so I let it expire.  I may have to go revisit that decision.
From what I have read it is OK to run MBAM alongside Norton Security?

Kudos2 Stats

Re: Exploit Attack 61005 Memory Heap Spray - how did it get on my machine?

Yes, Norton and MBAM play nicely with one another. I personally don't have MBAM set to load when Windows starts, so as to allow Defender services and Norton not to interfere with one another at boot time.

Cheers

Retired military (Navy 1980-2002) AO1 (AW) Aviation Warfare Specialist "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1809 / build 17763.379 / NCSP 22.17.0.183 / Norton Core v.278 on Android 1.93
