Wednesday, July 12, 2006

Microsoft Office Vulnerability

A vulnerability has been reported in Microsoft
Office, which could allow a remote attacker to run arbitrary code on the
target system.

According to http://www.frsirt.com/english/advisories/2006/2720 and
http://www.securitytracker.com/alerts/2006/Jul/1016453.html, a remote
user could create a specially crafted Word file which, when loaded by
the target user, could cause a memory access error in the LsCreateLine()
function in the mso.dll file, and allow arbitrary code to be run.

This could result in a denial of service; if the attack is carried out
successfully, however, the code will run with the privileges of the
target user. Proof-of-concept code has also been published. Oxygen3
advises users to treat with caution any file that might attempt to
reproduce this attack, and not to open Office files received from
untrusted sources.

Current Virus Threats

The Oscarbot.IV, Peerbot.B and Netsad.B worms are the subject of this week's PandaLabs report.

Oscarbot.IV is a worm that opens several communication ports on infected computers, allowing attackers to access the system remotely. It also drops the Protestor.A Trojan on the system, which can capture screenshots and steal user data. Oscarbot.IV spreads via America Online Instant Messenger, sending messages to all of the user's active contacts. When run, it installs itself on the system as a service called "Windows Genuine Advantage Validation Notification", so as to pass itself off as a Microsoft anti-piracy service and ensure it runs at every system startup.

Peerbot.B can open a backdoor to receive commands from an attacker via IRC. It can also steal data from SQL Server or MySQL databases on the computer, which it then sends out via email. When run, the worm creates several files on the system, such as Taskdrv.exe (a copy of the worm itself) and Libmysql.dll, a library belonging to the MySQL database. Peerbot.B can spread using email or P2P file-sharing programs. It creates numerous files in the shared folders of P2P programs under names that refer to cracks for well-known applications and games. When other users of the P2P program run a search, they may find the infected files of the initial victim among the results. To avoid detection, Peerbot.B terminates a long list of processes related mainly to security tools, firewalls or even other malware. It also modifies the hosts file to block access to web pages related to security products.
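Hosts-file tampering of the kind Peerbot.B performs is easy to check for from the defender's side: any entry that maps a non-local hostname to a loopback or null address, or that touches a domain you care about, deserves a look. The following Python script is an added example written for this report, not PandaLabs' or Oxygen3's own code. The hosts content and the watchlist domains (`example-av-vendor.test`, `example-security.test`) are constructed placeholders, not the real vendor sites the worm blocked.

```python
import ipaddress

# Constructed sample hosts file (not taken from the page). The redirected
# vendor names are placeholders standing in for security-product sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- entries below are the kind a hosts-file blocker adds ---
127.0.0.1       www.example-av-vendor.test
127.0.0.1       update.example-av-vendor.test
0.0.0.0         downloads.example-security.test
127.0.0.1       www.some-forum.test   # sinkholed, but not a watched domain
10.0.0.5        intranet.corp.test
"""

# Domain suffixes the defender wants to be told about (placeholder values).
WATCHLIST = ("example-av-vendor.test", "example-security.test")

# Names that legitimately point at loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                              # not an address: skip line
        for name in parts[1:]:
            yield ip, name.lower(), line_no


def find_suspicious_entries(text, watchlist=WATCHLIST):
    """Return hosts entries that sinkhole non-local names or touch watched domains.

    Each finding is a dict with the line number, address, hostname and reason.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        sinkholed = ip in SINKHOLE_IPS and name not in LOCAL_NAMES
        if watched or sinkholed:
            reason = "watched domain" if watched else "non-local name sinkholed"
            findings.append({"line": line_no, "ip": ip, "host": name, "reason": reason})
    return findings


def triage_hosts_file(path):
    """Run the check against a hosts file on disk (e.g. the Windows one)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_suspicious_entries(f.read())


if __name__ == "__main__":
    for hit in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['ip']} -> {hit['host']} ({hit['reason']})")
```

On a real machine, point `triage_hosts_file` at `%SystemRoot%\System32\drivers\etc\hosts`; comparing the output against a known-good copy of the file is usually faster than reading the whole thing by eye.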

Netsad.B is a worm that spreads as an email attachment, using messages such as "sharing files is the essence of living". It also uses several P2P applications, including Kazaa and eMule, creating copies of itself in shared folders so that other users can download it. Netsad.B can only operate if the computer has Microsoft .NET Framework 2.0 installed. When run, it creates a copy of itself called winservices.cab.bak.exe in the Windows system folder. It also creates copies of itself under a variety of names, including some related to antivirus products, on the other system drives. In order to remain hidden, the worm terminates a series of security-related processes, leaving the computer vulnerable to further attack.
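Both Peerbot.B and Netsad.B scatter byte-identical copies of themselves across shared folders and system drives under unrelated, often double-extension names (winservices.cab.bak.exe is the one named above). During incident response that pattern stands out if files are grouped by content hash rather than by name. The script below is an added example for this report, not PandaLabs' code: it walks a directory tree, clusters files by SHA-256, and reports any cluster whose identical bytes appear under several different names, at least one of which hides an executable behind a benign-looking extension. The directory layout it builds is constructed for the demonstration and contains harmless placeholder bytes.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# A "double extension" that disguises an executable, e.g. something.cab.bak.exe.
DOUBLE_EXT = re.compile(r"\.(cab|bak|txt|jpg|doc|zip|mp3|avi)(\.[a-z0-9]+)*\.(exe|scr|pif|com)$", re.I)


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_self_replicas(root, min_names=3):
    """Return {sha256: [paths]} for content that appears under >= min_names
    distinct file names, at least one using a disguising double extension."""
    by_hash = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.isfile(p):
                by_hash[sha256_of(p)].append(p)
    hits = {}
    for digest, paths in by_hash.items():
        distinct = {os.path.basename(p).lower() for p in paths}
        if len(distinct) >= min_names and any(DOUBLE_EXT.search(n) for n in distinct):
            hits[digest] = sorted(paths)
    return hits


def build_sample_tree():
    """Create a constructed tree (placeholder bytes, no real malware) and return its root."""
    root = tempfile.mkdtemp(prefix="replica_demo_")
    payload = b"MZ placeholder bytes standing in for a worm body\n"
    # Same bytes under four unrelated names, as a self-copying worm leaves them.
    for sub, name in [
        ("system32", "winservices.cab.bak.exe"),
        ("Shared", "installer.exe"),
        ("Shared", "avupdate.exe"),
        ("D_drive", "setup.exe"),
    ]:
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "wb") as f:
            f.write(payload)
    # A legitimate duplicate (same name, same content) that must not be flagged.
    for sub in ("Shared", "D_drive"):
        with open(os.path.join(root, sub, "readme.txt"), "wb") as f:
            f.write(b"just a text file\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for digest, paths in find_self_replicas(demo_root).items():
        print(digest[:16], "appears as:")
        for p in paths:
            print("   ", os.path.relpath(p, demo_root))
```

The `min_names` threshold keeps ordinary duplicates (a text file copied twice under its own name) out of the results; lowering it to 2 trades fewer misses for more noise, which is a reasonable choice when the scan is limited to P2P shared folders.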