Today's report looks at three security problems affecting several Microsoft products and which could allow anattacker to take control of vulnerable systems, two Trojans-Mitglieder.HE and Spymaster.A-, and a worm -Mytob.ML-.
The first security problem that we are looking at affects Office 2000SP3, Office XP SP3, Office 2003 SP1 and SP2, and Exchange Server. It stems from the way in which Outlook and Exchange Server encrypt email messages using the TNEF (Transport Neutral Encapsulation Format)protocol.
The second vulnerability in today's report affects Windows2003/XP/2000/Me/98, and stems from the way Windows processes malformed embedded Web fonts. This can be exploited by an attacker by hosting malicious web font on a specially created web page and enticing users to visit it, or sending an email message containing malicious Web font.
The third and last security problem we're looking at today lies in theGraphics Rendering Engine, in computers running Windows 2003/XP/2000,and could allow arbitrary code to be run on vulnerable systems. This could be exploited by an attacker hosting a WMF (Windows MetaFile) imageon a specially crafted website, and convincing users to visit it, ors ending an email message containing the WMF image.
Microsoft has released three security bulletins -MS06-003, MS06-002 andMS06-001-, announcing the availability of patches to resolve these three vulnerabilities, and users of affected systems are advised to install them.
The first Trojan in today's report is
Mitglieder.HE, which needs to be spread manually by an attacker, although it can also start an SMTP server and send a copy of itself by email.
Mitglieder.HE opens port 9031 on infected computers and acts as a proxy server. In addition, it awaits remote control commands, such as downloading and running files, starting an SMTP server, changing the access port or updating itself.
The next Trojan in today's report is
Spymaster.A. Like the Trojan described above, it does not spread automatically and requires the intervention of an attacker. It is normally spread via email in a message with an attachment called SERVER.EXE.
Spymaster.A logs keystrokes entered by the user in order to obtain passwords and other confidential information, and monitors web pages visited. At the same time, it can see the programs running and the files created, modified or deleted by the user. The information it compiles is saved to a file which is sent to an FTP server.
Spymaster.A also uses as pecial stealth system to pass itself off as MSN messenger, so that users are unaware of its presence.
We end today's report with
Mytob.ML, a worm that spreads via email in a message containing a link. Once it has infected a computer, it connects to an IRC server and awaits remote control commands. It also terminates processes belonging to other types of malware and to certain securityprograms, such as firewalls, and prevents access to certain web pages, mostly those of antivirus companies.
Make sure your antivirus software is up to date and your computer is protected by a personal firewall. See the Resources listings at lower left for links to free versions.