SANS – Internet Storm Center – Musings on the Internet Explorer 0-day vulnerability
Handler’s Diary November 30th 2005
Musings on the Internet Explorer 0-day vulnerability (NEW)
Last Updated: 2005-11-30 17:16:11 UTC by Scott Fendley (Version: 1)
Why do I think this way? Well…. Glad you asked.
Yesterday, Microsoft updated the advisory located at KB911302 with a couple of tidbits. First, they made mention of both Proof of Concept and malicious software which appear to be targeting the reported vulnerability. Second, they also mention the Windows Live Safety Center where end users can scan and remove any malicious software and variants that may be running around now.
Throwing in that Microsoft has on occasion released out-of-cycle patches (June 2004 is a case in point in my mind), then I think it is a safe bet that Microsoft will take appropriate steps to fix the problem as quickly as possible. In the meantime there are 2 things I can continue to suggest.
1) Be vigilant. Know that a patch will be forthcoming hopefully within the next 2 weeks and be ready to deploy quickly.
2) If your organization can operate with one of the workarounds Microsoft has mentioned in KB911302, then I recommend mitigating your risk as much as possible. We all have at least one person who is a little too…uhm…liberal with browsing the Internet on company time. Think about it, that very person is probably shopping for Christmas* presents right now on less-than-secure sites. SO….I would suggest doing those workarounds to that computer first.
* For those that celebrate other holidays in December than Christmas, this statement is not meant to be offensive in any shape or form, or otherwise slight your holiday of choice.
Microsoft Security Advisory Notification – Security Advisory (911302) – Updated 11/29/05
**********************************
Title: Microsoft Security Advisory Notification
Issued: November 29, 2005
**********************************
Security Advisory Updated Today
==============================================
* Security Advisory (911302)
- Title: Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects Could Allow Remote Code Execution.
- Reason For Update: Added information regarding proof of concept code, malicious software, and reference to Windows Live Safety Center.
- Web site: http://go.microsoft.com/fwlink/?LinkId=56599
CME-473: Beagle/Bagle worm variant (11/22/2004)
CME-473: Beagle\Bagle worm variant
Date added to list: 11/22/2004
Aliases:
- Computer Associates: Win32.Bagle.AQ
- Kaspersky Lab: Email-Worm.Win32.Bagle.at
- McAfee: W32/Bagle.bb@MM
- Norman: W32/Bagle.AQ@mm
- Sophos: W32/Bagle-AU
- Symantec: W32.Beagle.AV@mm
- Trend Micro: WORM_BAGLE.AT
- F-Secure: Bagle.AT
- Panda: Bagle.BC
- Secunia: Bagle.AQ
Removal Tools:
Virus Characteristics (from sources above):
- Creates these files:
  - %System%\wingo.exe
  - %System%\wingo.exeopen
  - %System%\wingo.exeopenopen
- May also create these files:
  - %System%\wingo.exeopenopenopen
  - %System%\wingo.exeopenopenopenopen
- Creates the following Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “wingo” = C:\WINNT\SYSTEM32\WINGO.EXE
- Adds the value “Timekey” = “[Random variables]” to HKEY_CURRENT_USER\Software\Microsoft\Params
- Terminates processes of security programs
- Tries to download and run %System%\re_file.exe from various websites hard-coded into the virus.
- Searches the hard disk for folders containing the string “shar” and copies infected files into them so as to spread through peer-to-peer networks
- Tries to stop operating system services:
- “SharedAccess” – Internet Connection Sharing
- “wscsvc” – MS security center
- Opens backdoors on TCP port 81
- Deletes values from the Run section of the Registry, pertaining to certain security programs, to prevent them from running at startup
- Searches for e-mail addresses contained in various files located on infected computer.
- Uses its own built-in SMTP server to send e-mails with spoofed sender addresses that it found on the infected computer, skipping addresses that contain certain strings. The attachments in these e-mails have a .com, .cpl, .exe, or .scr file extension and are infected by the virus.
- Also deletes registry entries related to the Netsky virus, and creates mutexes to keep that virus from running and to keep multiple copies of itself from running.
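The host-based traits above (the wingo.exe drop pattern, the Run value, the Timekey value and the TCP port 81 listener) can be turned into a simple triage check. This is an added example, not code from the original page or from any vendor tool; it runs against a constructed host snapshot so it works offline, and a practitioner would populate the snapshot from a directory listing, the registry and a netstat-style port list.

```python
"""Triage check for the CME-473 (Bagle.AT/AQ) host indicators listed above."""
import re

# Dropped-file pattern from the description: wingo.exe followed by zero or
# more "open" suffixes (wingo.exe, wingo.exeopen, wingo.exeopenopen, ...).
WINGO_RE = re.compile(r"^wingo\.exe(?:open)*$", re.IGNORECASE)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
PARAMS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Params"
BACKDOOR_PORT = 81  # backdoor port named in the description


def scan_snapshot(snap):
    """Return a list of indicator hits for a host snapshot.

    snap keys (layout is an assumption of this example):
      system_files  - file names found in %System%
      registry      - {key_path: {value_name: data}}
      listening_tcp - set of TCP ports with a listener
    """
    findings = []
    for name in snap.get("system_files", []):
        if WINGO_RE.match(name):
            findings.append(f"dropped file %System%\\{name}")
    run_values = snap.get("registry", {}).get(RUN_KEY, {})
    for value_name, data in run_values.items():
        if value_name.lower() == "wingo" or "wingo.exe" in data.lower():
            findings.append(f"Run value {value_name!r} -> {data}")
    if "Timekey" in snap.get("registry", {}).get(PARAMS_KEY, {}):
        findings.append(f"Timekey value under {PARAMS_KEY}")
    if BACKDOOR_PORT in snap.get("listening_tcp", set()):
        findings.append(f"listener on TCP/{BACKDOOR_PORT}")
    return findings


# Constructed snapshots (sample data, not real telemetry).
SAMPLE_INFECTED = {
    "system_files": ["kernel32.dll", "wingo.exe", "wingo.exeopenopen"],
    "registry": {
        RUN_KEY: {"wingo": r"C:\WINNT\SYSTEM32\WINGO.EXE"},
        PARAMS_KEY: {"Timekey": "8f3a1c"},
    },
    "listening_tcp": {135, 81},
}
SAMPLE_CLEAN = {"system_files": ["kernel32.dll"], "registry": {}, "listening_tcp": {135}}

if __name__ == "__main__":
    for hit in scan_snapshot(SAMPLE_INFECTED):
        print("CME-473 indicator:", hit)
```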
Trend Micro Behavior Diagram

Please report any errors or broken links in the comments section.
SANS – Internet Storm Center – DoS Exploit for MS05-053 released
This has “virus outbreak” written all over it.
Handler’s Diary November 29th 2005
DoS Exploit for MS05-053 released (NEW)
Last Updated: 2005-11-29 13:46:54 UTC by Pedro Bueno (Version: 1)
This exploit claims to cause a DoS condition when viewing a special file on IE.
from the code:
“The crafted metafile from this code when viewed in internet explorer raises the CPU utilization to 100%. The code was tested on Windows 2000 server SP4. The issue does not occur with the hotfix for GDI (MS05-053) installed”
Did I say PATCH yet?
Go on…
———————————————
Pedro Bueno ( pbueno //&&// isc. sans. org)
What this blog is all about.
Welcome to The Antivirus Guy Blog.
I have started the blog for a couple of reasons, but primarily it is to provide a place for “one stop shopping” for antivirus information.
I would also like to provide some of the information that is missing from the Common Malware Enumeration (CME) site, like the links to the actual virus descriptions in each of the CME identifiers and maybe some more detail on exactly what each virus does. A post on the Internet Storm Center shows just what I am talking about.
I will also try to provide timely information on worldwide virus outbreaks. Who is seeing what virus where, and any information I can find on how to stop it until dat files from antivirus vendors can be released.
Hopefully you will find this blog useful in your fight against malware in the future. Feel free to post comments at any time.
Thanks,
The Antivirus Guy