1 Aug 2003 23:11
Alert: W32/Mimail.mm spreading
Russ <Russ.Cooper <at> RC.ON.CA>
2003-08-01 21:11:05 GMT
You just can't programmatically resolve the lack of user education.

W32/Mimail.mm is an email-borne worm. It comes with a zip attachment. Within that attachment is an HTML doc. Within the HTML doc is embedded an executable and some script.

When people open the zip, it resides in the Temporary Internet Files directory, protected by IE from numerous things. But when the user, in their gleeful ignorance, double-clicks on the HTML contained in the zip, it is then placed in the user's Temp folder. Temp, unlike Temporary Internet Files, is in the Local Computer Zone... ergo, you can do pretty much anything you want. The executable is running from there too, so what's to stop the script invoking the executable?

I've seen reports that this thing is exploiting MS02-015, and still other reports saying it's exploiting MS03-014. I know it's not exploiting MS03-014 ('cause it's a plain old HTML file, not a text file). MS02-015 fixed a problem where an object referenced would incorrectly be assumed to be in the Local Computer Zone. In this worm, when the user does the actions mentioned above, the file *is* in the Local Computer Zone. Neither Outlook nor IE is in control of the file while WinZip has it.

FWIW, I don't believe this worm will work on systems that are using Compressed Folders instead of WinZip (or some other zip extractor). It has to do with the name Compressed Folders uses for files it is allowing you to view without actually extracting them. There would be no such protection if the person extracted the HTML file first, then double-clicked on it.

AV vendors are all updating their definitions frantically; check with your vendor to see if they have an update which detects this thing. And tell your users not to open things willy-nilly please!

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
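The attachment shape Russ describes (a zip whose member is an HTML document carrying script and an embedded executable) is something a mail gateway can screen for without relying on signature updates. The following is an added example, not code from the post or from any vendor: a small inspector that opens a zip attachment in memory, flags HTML members that contain script or object tags or a base64-encoded PE header (the "TVqQ" prefix, which is base64 for the "MZ" DOS header), and flags executable members outright. All function names, the extension lists and the quarantine policy are this example's own assumptions; the sample zips are constructed in the code and execute nothing.

```python
import io
import re
import zipfile

# Assumed extension lists for this example (not from the alert).
HTML_EXTENSIONS = (".htm", ".html", ".mht", ".mhtml")
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Only the first MAX_BYTES of each member are inspected, which bounds the
# work done on oversized or "zip bomb" style members.
MAX_BYTES = 2 * 1024 * 1024

SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)
OBJECT_TAG = re.compile(rb"<\s*(?:object|embed|applet)\b", re.IGNORECASE)
# Raw or base64-encoded "MZ" DOS header: a sign of an executable embedded
# in what claims to be a text document.
PE_MARKERS = (b"MZ\x90\x00", b"TVqQ")


def inspect_zip_attachment(zip_bytes: bytes) -> list[str]:
    """Return a list of findings ("kind:member") for one zip attachment."""
    findings: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not-a-zip"]

    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename.lower()
        if name.endswith(EXEC_EXTENSIONS):
            findings.append(f"executable:{info.filename}")
            continue
        if not name.endswith(HTML_EXTENSIONS):
            continue
        findings.append(f"html:{info.filename}")
        with archive.open(info) as member:
            data = member.read(MAX_BYTES)
        if SCRIPT_TAG.search(data):
            findings.append(f"html-script:{info.filename}")
        if OBJECT_TAG.search(data):
            findings.append(f"html-object:{info.filename}")
        if any(marker in data for marker in PE_MARKERS):
            findings.append(f"html-embedded-pe:{info.filename}")
    return findings


def should_quarantine(findings: list[str]) -> bool:
    """Assumed policy: hold anything executable, or HTML that carries
    active content or an embedded PE. A plain HTML file alone is only logged."""
    risky_kinds = ("executable", "html-script", "html-object", "html-embedded-pe")
    return any(f.split(":", 1)[0] in risky_kinds for f in findings)


def build_sample_attachment() -> bytes:
    # Constructed, harmless stand-in for the shape described in the alert:
    # one HTML member with a script block and an object whose data is a
    # base64 blob beginning like a PE header. Nothing here runs anything.
    html = (
        b"<html><body>Hello\n"
        b"<script language='vbscript'>' placeholder only</script>\n"
        b"<object data='data:application/octet-stream;base64,TVqQAAMAAAAEAAAA'>"
        b"</object>\n</body></html>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("message.html", html)
    return buf.getvalue()


def build_benign_attachment() -> bytes:
    # Constructed benign archive: a text note and a static HTML page.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("notes.txt", b"meeting minutes")
        z.writestr("report.html", b"<html><body><p>Quarterly numbers</p></body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_attachment()),
                        ("benign", build_benign_attachment())):
        found = inspect_zip_attachment(blob)
        print(label, found, "quarantine" if should_quarantine(found) else "deliver")
```

The check says nothing about the Temp-versus-Temporary-Internet-Files zone behaviour itself; it only stops the carrier before a user can double-click it, which is the layer an administrator controls while AV definitions and user education catch up.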