
SANS ISC: New variant of ANI (MS07-017) exploit SANS ISC InfoSec Forums


What a shocker - malware authors are playing cat 'n' mouse with antivirus signatures.

Roger Chiu of Malware-Test Lab submitted a .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site:

<DIV style="CURSOR: url(hxxp://"></DIV>
<DIV style="CURSOR: url(hxxp://"></DIV>

This latest variant was submitted to the A/V community for inclusion and the site owners contacted.
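Because the file itself slipped past signatures, the delivery markup is another place to look. The following is an added example, not code from the diary or from ISC: it pulls every cursor url() out of inline style attributes and style blocks so the referenced files can be reviewed. The sample page, the host names and the off-site triage rule are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS is case-insensitive: match the cursor declaration, then each url() in it.
CURSOR_DECL = re.compile(r"cursor\s*:([^;}]*)", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class CursorScanner(HTMLParser):
    """Collect (location, url) for cursor url() values found in
    style attributes and <style> blocks."""
    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self._collect(tag, value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._collect("style", data)

    def _collect(self, where, css):
        for decl in CURSOR_DECL.finditer(css):
            for url in CSS_URL.findall(decl.group(1)):
                self.hits.append((where, url))

def cursor_urls(html):
    scanner = CursorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

def off_site_cursors(html, page_host):
    """Assumed triage rule: a cursor fetched from another host deserves review."""
    return [(w, u) for w, u in cursor_urls(html)
            if (urlparse(u).hostname or page_host) != page_host]

# Constructed sample page; hosts are reserved example domains.
SAMPLE = """<html><head><style>a.help { cursor: url(/img/help.cur), help; }</style></head>
<body><DIV style="CURSOR: url('http://cursors.example.net/x.ani')"></DIV>
<p style="color: red; cursor: pointer">text</p></body></html>"""
```

Relative cursor paths are reported by cursor_urls but not flagged by off_site_cursors, since they resolve to the page's own host.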

Thanks, Roger.


Apr 17th 2007
