Monday, May 15, 2006

Latest Wave Of Viruses & Trojans

The Nabload.CW Trojan and the latest vulnerabilities reported by Microsoft (MS06-018, MS06-019 and MS06-020) are the basis of this week's report.

Nabload.CW is a Trojan that cannot spread by itself and therefore needs to be activated by a user. It tries to download and run another Trojan called Bancos.MO.

It poses as a Windows Media Player file called Video [1].exe which, when run, displays a window with a GIF animation imitating the Windows player. It then displays a message saying that a codec must be downloaded to play the file.

If the prompt is accepted, it downloads Trj/Bancos.MO. If Video[1].exe is run again, a message appears warning of a corrupt file. The Trojan creates a file in the system folder called ffyt66555.KO, which serves as a marker that the system is already infected, and another file belonging to Trj/Bancos.MO called Svchost.Exe in the Temporary Internet Files folder.

It also creates the following registry entry: Hkey_Local_Machine\Software\Microsoft\Downloadmanager.
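The file and registry artifacts listed above are the kind of indicators a responder would sweep a host for. The following Python script is an added example and not part of the original report: it matches a file and registry inventory against those indicators, flagging the marker file anywhere, the fake player file in either spelling the report uses, and Svchost.Exe only when it sits under Temporary Internet Files (a legitimate svchost.exe lives in the system folder and must not be flagged). The sample inventory, the on-Windows collection helper and its default profile and %SystemRoot% locations are constructed assumptions.

```python
"""Host triage check for the Nabload.CW / Trj/Bancos.MO indicators.

Added example, not code from the original report. The indicator names come
from the report; the inventory format, the sample paths and the Windows
collection helper are assumptions made for this example.
"""
import ntpath
import os
import re
from dataclasses import dataclass

# Indicators quoted in the report (Windows paths are case-insensitive).
MARKER_FILE = "ffyt66555.KO"      # dropped in the system folder as an infection marker
DROPPER_FILE = "Video[1].exe"     # the fake Windows Media Player file
PAYLOAD_FILE = "Svchost.Exe"      # Trj/Bancos.MO copy in Temporary Internet Files
REGISTRY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Downloadmanager"

# Only a svchost.exe under Temporary Internet Files is suspicious; the real one
# belongs in the system folder.
TIF_PATTERN = re.compile(r"\\temporary internet files\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def check_files(paths):
    """Return a Finding for each path that matches a file indicator."""
    findings = []
    for path in paths:
        # ntpath handles backslash paths on any host, including a Linux analysis box.
        name = ntpath.basename(path).lower()
        # The report spells the dropper both "Video [1].exe" and "Video[1].exe".
        squeezed = re.sub(r"\s+", "", name)
        if name == MARKER_FILE.lower():
            findings.append(Finding("marker_file", path))
        elif name == PAYLOAD_FILE.lower() and TIF_PATTERN.search(path):
            findings.append(Finding("payload_file", path))
        elif squeezed == DROPPER_FILE.lower():
            findings.append(Finding("dropper_file", path))
    return findings


def check_registry(keys):
    """Return a Finding for each registry key path that matches the indicator."""
    return [Finding("registry_key", k) for k in keys if k.lower() == REGISTRY_KEY.lower()]


def triage(paths, registry_keys):
    """Combine file and registry checks into one list of findings."""
    return check_files(paths) + check_registry(registry_keys)


def collect_windows_inventory():
    """Gather candidate paths and registry keys from the live host (Windows only).

    Assumption: standard %SystemRoot%\\system32 and %USERPROFILE% locations.
    On a non-Windows host this returns empty lists.
    """
    if os.name != "nt":
        return [], []
    import winreg  # only importable on Windows

    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    paths = [os.path.join(system_dir, f) for f in os.listdir(system_dir)]
    profile = os.environ.get("USERPROFILE", "")
    for root, _dirs, files in os.walk(profile):
        paths.extend(os.path.join(root, f) for f in files)
    keys = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Downloadmanager"):
            keys.append(REGISTRY_KEY)
    except OSError:
        pass  # key absent: nothing to report
    return paths, keys


# Constructed sample inventory: one hit per indicator plus benign look-alikes.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\ffyt66555.KO",
    r"C:\WINDOWS\system32\svchost.exe",  # legitimate location, must not be flagged
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Svchost.Exe",
    r"C:\Documents and Settings\alice\Desktop\Video [1].exe",
    r"C:\WINDOWS\system32\kernel32.dll",
]
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Downloadmanager",
]

if __name__ == "__main__":
    paths, keys = collect_windows_inventory()
    if not paths and not keys:  # not on Windows: run over the constructed sample
        paths, keys = SAMPLE_PATHS, SAMPLE_KEYS
    for finding in triage(paths, keys):
        print(f"{finding.kind}: {finding.detail}")
```

Run on the constructed sample it reports the marker file, the Svchost.Exe under Temporary Internet Files, the Video [1].exe dropper and the registry key, and stays silent on the legitimate svchost.exe in system32.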

Over the last week, several critical vulnerabilities have been reported in Microsoft products or in components shipped with its operating systems.

MS06-018 is a non-critical vulnerability in MSDTC (Microsoft Distributed Transaction Coordinator) affecting Windows XP/2000 and Server 2003 that could allow DoS (denial of service) attacks against vulnerable computers.

If the attack is successful, the computer could block and cease to respond. The vulnerability can be exploited by sending a specially-crafted packet to the victim computer across a local network or the Internet.

Use of a firewall can prevent these attacks.

MS06-019 is a critical vulnerability discovered by Microsoft in Exchange Server 2000/2003 that allows an attacker to take control of a computer with the same privileges as the logged-in user.

If the user has administrator rights, the vulnerability could allow an attacker to take complete control of the computer. The flaw is due to an error in how Exchange handles iCal (Internet Calendar) and vCal (Virtual Calendar) data.

An attempt to exploit the vulnerability begins with a specially-crafted message sent to the Exchange server.

MS06-020 is a set of critical vulnerabilities discovered in versions of Macromedia Flash Player included in Microsoft Windows XP/Me/98, which could allow code to be run remotely on vulnerable systems.

The attack is possible because of an unchecked buffer used while Flash files are played. A successful attack could allow access to the computer with the same rights as the current session.

If the account has administrator rights, an attacker could take complete control of the system. The vulnerability is exploited through a specially-crafted file with an SWF extension, which could be sent by e-mail or downloaded from a website.