Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-07-13 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Microsoft Security Patches, VBS/Inor Trojan Variant, Phrack 62 Release, BHODemon Mirror

Published: 2004-07-13
Last Updated: 2004-07-14 00:24:01 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)
New critical/important/moderate patches from Microsoft

As expected, Microsoft issued its monthly security bulletin today. There are several patches designated as "critical" and "important." You can read the technical bulletin at the following URL:
There is also a non-technical version of the alerts at the following URL:

Swa Frantzen, a fellow ISC handler, wrote up the following summary of issues addressed by Microsoft's security bulletin:

References CAN-2004-0215
Users of Outlook Express should look into this one. For now it's a DoS only, so it can probably be last on your priorities. As always with this kind of software, the preview pane aggravates
the problem. Turning preview panes off is a good idea.

References CAN-2004-0213
Local users can escalate to system privilege levels. If you don't trust all your local users this is probably somewhat more than important to deal with soon. This can probably be exploited later in a compounded attack, so best to take care of it even if you trust your local users.

References CAN-2004-0210
A buffer overflow in the POSIX code causes local users to be able to completely control the system.
For now Windows XP and 2003 are exempt form this. If you don't trust all your local users this is probably somewhat more than important to deal with soon. This can probably be exploited later in a compounded attack, so best to take care of it even if you trust your local users.

References CAN-2004-0205
IIS 4.0 remote buffer overflow - full remote control. If you still use IIS 4.0 this is probably yet another reason to upgrade.

References CAN-2004-0212
REMOTE code execution in the task scheduler with the privileges of the logged in user. Windows 2003 is for now exempt from the problem. Interesting workaround: block access to files ending in ".job" in the perimeter

References CAN-2004-0201 and CAN-2003-1041
Remote code execution in the help system with the privileges of logged in user. Outlook is a transport vector for this vulnerability--easy worm potential!

References CAN-2004-0420
Remote code execution via Windows shell with the privileges of logged in user. Exploit uses the COM subsystem to trigger execution that's supposed to be blocked based on extensions. Although Microsoft considers this patch "important," public availability of the exploit raises our assessment the vulnerability's severity.

A new variant of the VBS/Inor trojan via spam messages

Several people wrote to us about the VBS/Inor spam-based attack that MessageLabs described in an alert it issued today. As far as I can see, no vulnerability is actually being exploited here. The browser will prompt the users whether they want to perform actions such as writing and executing files. This is a multi-stage attack; several scripts/programs used in the attack are known malware specimens, and are likely to be recognized by up-to-date anti-virus software.

1. The victim receives an HTML-based unsolicited e-mail message, which contains an IFRAME link that retrieves link.html from the malicious site.

2. The link.html page downloads the link.php page from the same site via the following HTML code snippet: '<object data="link.php">'. Contents of the link.php file are obfuscated using Windows Script Encoder. Most anti-virus tools recognize the manually-decoded version of link.php as VBS/Inor; however, they do not presently recognize the encoded version of link.php as malicious code.

3. The link.php file contains VBScript code that attempts to create a small executable on the victim's system in c:\x.exe using 'CreateObject("Scripting.FileSystemObject")'. The x.exe file is embedded into link.php as a string of binary digits. Most anti-virus tools recognize x.exe as malware, using names such as "" (Kaspersky) and "Proxy-Hino.dldr" (McAfee).

4. The link.php file uses x.exe to retrieve ss.exe from the malicious site, which x.exe launches. Kaspersky recognizes ss.exe as "Trojan.Win32.Genme.a". Several other anti-virus tools that I tried did not recognize ss.exe as malicious code. Among other actions, ss.exe connects to the originating server to "register" the infected system with the index.php script via URI such as 'index.php?Client='. I have not had a chance to analyze ss.exe, so if you happen to know the nature of this malicious executable, please let us know.

The release of Phrack 62

Phrack #62 was released today, publishing a number of articles that security professionals will find of interest. You can read Phrack at the following URL:

BHODemon mirrored at PCWorld

Andrew Brandt from PC World magazine let us know that's website is now mirroring BHODemon on their site, to help ease the load on BHODemon author's server. The mirror site is at:,fid,23611,00.asp
We mentioned BHODemon in our June 29th 2004 diary at the following URL:

Lenny Zeltser

ISC Handler on Duty
0 comment(s)
Diary Archives