Hi,

Enclosed is a notice for the MS05-016 exploit.
For the record: I'm actually in favor of using a STRICT interpretation of vulnerabilities, no matter how seldom one might actually occur. Whether a violation of standards is due to an actual virus or just a poor mass-mailer application, I gladly use the reason of "vulnerability" of a potential virus to reject these messages early.

As far as some features suggested here:

- I do agree that it might be helpful for some people not to scan for viruses if a vulnerability is found (to conserve CPU).
- I do agree that there is little reason (other than statistics) to run the second scanner after the first scanner already found a virus.
- I do agree that it is desirable for some people if there were an option that would delete vulnerabilities rather than "isolate" them in the Virus folder.
- I do NOT agree that Declude should NOT detect certain vulnerabilities just because they only occur very rarely.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

> -----Original Message-----
> From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
> Sent: Sunday, May 29, 2005 9:31 AM
> To: Bugtraq@securityfocus.com
> Subject: Spam exploiting MS05-016
>
> Yesterday at least two of my spam-traps received the following message (I've elided the MIME boundary values just in case...):
>
> Subject: We make a business offer to you
> MIME-Version: 1.0
> Content-type: multipart/mixed; boundary="[...]"
>
> [...]
> Content-Type: text/plain; charset="Windows-1252"
> Content-Transfer-Encoding: 8bit
>
> Hello!
> It is not spam, so don't delete this message.
> We have a business offer to you. Read our offer.
> You can increase the business in 1,5 times.
> We hope you do not miss this information.
> Best regards, Keith
>
> [...]
> Content-type: application/octet-stream; name="agreement.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="agreement.zip"
>
> <<encoded ZIP file data>>
>
> There are a few trivial differences between the messages to the different addresses I checked, so don't anyone try to turn the above into a totally literal filtering rule...
>
> Anyway, the "agreement.zip" attachment held only one file, apparently called "agreement.txt", but on closer inspection it turned out the file was called "agreement.txt " where the apparent trailing space was actually a 0xFF character.
>
> This "pseudo-TXT" file was, in fact, an OLE2 format file (originally a Word document file) with the OLE2 Root Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA). This was all done as per the description in the iDEFENSE advisory announcing this vulnerability:
>
> http://www.idefense.com/application/poi/display?id=231&type=vulns
>
> This "pseudo-TXT" file is an example of what is produced by the PoC generator posted to Bugtraq. Oddly, that message is not archived in SecurityFocus' own mailing list archives, but its PoC code is listed with the vulnerability's BID entry:
>
> http://www.securityfocus.com/bid/13132/info/
>
> That PoC may be identified from the comment at the top of its code:
>
> MS05-016 POC
> Made By ZwelL
> [EMAIL PROTECTED]
> 2005.4.13
>
> Anyway, the "agreement.txt " file contained a script to write a text file with commands and responses for use with the Windows ftp client via its "-s" option, and further commands to run ftp with those scripted commands and then to run the executable that ftp script would cause to be downloaded from a Russian web site. At the time of writing, that site is still up and the executable that is downloaded (a backdoor) is the same one that was there when the spam was first seen.
> If you haven't installed the MS05-016 Windows Shell patch yet:
>
> http://www.microsoft.com/technet/security/bulletin/ms05-016.mspx
>
> or at least taken reasonable precautions to defang possible exploitation of this vulnerability (particularly through MSHTA), it would be advisable to do so now.
>
> When initially discovered, only two of more than 20 tested virus scanning engines detected the exploit in "agreement.txt ". Since alerting the antivirus developer community of the field discovery of this exploit, a couple more "big name" scanners have added a degree of detection for this exploit, and I expect that number to grow as the new week dawns and new updates are pushed to customers.
>
> --
> Nick FitzGerald
> Computer Virus Consulting Ltd.
> Ph/FAX: +64 3 3267092

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
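Nick's description above (a ZIP entry whose name ends in a non-printable 0xFF byte, containing an OLE2 file whose Root Entry CLSID is that of MSHTA) maps directly onto a gateway-side attachment check; the following is an added example, not code from either poster or from Declude. It uses only Python's standard library, and the MSHTA CLSID value {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} comes from my own knowledge, not from the thread. The sample archive is constructed inline: its entry is named "agreement.txt" plus U+00A0, which is what zipfile produces when it decodes a raw 0xFF byte in a non-UTF-8 entry name (cp437).

```python
import io, struct, uuid, zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# CLSID of the Microsoft HTML Application Host (mshta.exe), from my own knowledge.
MSHTA_CLSID = uuid.UUID("3050F4D8-98B5-11CF-BB82-00AA00BDCE0B")
TEXT_EXTENSIONS = (".txt", ".log", ".csv")


def ole2_root_clsid(data):
    """Return the Root Entry CLSID of an OLE2 compound file, or None if not OLE2."""
    if not data.startswith(OLE2_MAGIC) or len(data) < 512:
        return None
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]   # sector shift
    first_dir_sector = struct.unpack_from("<I", data, 0x30)[0]   # directory start
    root = (first_dir_sector + 1) * sector_size  # sector 0 follows the 512-byte header
    if len(data) < root + 128:
        return None
    return uuid.UUID(bytes_le=data[root + 0x50:root + 0x60])  # CLSID field of the entry


def inspect_zip(blob):
    """Return (entry name, reason) findings for a ZIP archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name != name.rstrip():
                findings.append((name, "trailing whitespace after the extension"))
            if not name.isascii() or not name.isprintable():
                findings.append((name, "non-ASCII or non-printable characters in name"))
            clsid = ole2_root_clsid(zf.read(info))
            if clsid is None:
                continue
            if name.rstrip().lower().endswith(TEXT_EXTENSIONS):
                findings.append((name, "OLE2 compound file disguised as text"))
            if clsid == MSHTA_CLSID:
                findings.append((name, "OLE2 root CLSID is the MSHTA host"))
    return findings


def build_sample_zip():
    """Constructed sample: a benign text file plus an MSHTA-CLSID OLE2 stub."""
    header = bytearray(512)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)   # 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)   # directory chain starts at sector 0
    root_entry = bytearray(512)
    root_entry[0x50:0x60] = MSHTA_CLSID.bytes_le
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text, nothing to see")
        zf.writestr("agreement.txt\xa0", bytes(header + root_entry))
    return buf.getvalue()
```

Any one of the four findings is enough to quarantine the message; the CLSID check is the one that survives renaming the entry to a clean name.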