1) As reported in Symantec's writeup of the worm, it appears that it exploits the following vulnerability, as posted to Bugtraq by http-equiv:

BUGTRAQ:20030225 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part II
URL:http://www.securityfocus.com/archive/1/313174

It's not immediately clear whether this issue was addressed by recent Microsoft bulletins. It may be an alternate attack vector for a larger issue that was fixed by Microsoft. Thor Larholm's site doesn't seem to mention this attack vector. Has anybody tested the worm against a patched IE? At least one Bugtraq post seems to conflict with an earlier post in this thread that said that Q319182 fixes the problem:

http://www.securityfocus.com/archive/1/313355

2) Examination of the message.html file used by WORM_MIMAIL.A suggests a heavy re-use of the exploit code as posted on http-equiv's web site, including the "moo ha ha" alt tag and a function named "malware." There are some differences, but they appear to be surface-level (with the exception of the malicious program itself, of course).

3) At the end of my copy of the worm's message.html, there are 3 separate calls to the executable. I haven't monitored this worm in action, but this suggests that there may be cases where an infected machine starts 3 processes. Even though each SCRIPT tag redefines the same function and appears to have the same code, it gets executed three times in my copy of IE (based on a "hello world" modification I made to the HTML portion of the worm's source).

- Steve
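Added example, not part of Steve's post or of the worm's own code: a small triage script that pulls the SCRIPT blocks out of a saved message.html, counts how many times each function is defined and invoked across the blocks, and looks for the two surface markers the post mentions (the "moo ha ha" alt tag and a function named "malware"). The sample HTML below is constructed for the example with an empty stand-in body; it reproduces only the structure the post describes (three SCRIPT tags, each redefining and calling the same function), not the dropper. Function names such as analyze_message_html and triage are the example's own.

```python
import re
from collections import Counter

# Constructed sample mirroring the structure described in the post:
# one "moo ha ha" alt tag and three SCRIPT tags that each redefine and
# then call the same function. The body is an empty stand-in, not the
# worm's payload.
SAMPLE_MESSAGE_HTML = """<html><body>
<img src="logo.gif" alt="moo ha ha">
<script language="JavaScript">
function malware() { /* stand-in body, constructed for this example */ }
malware();
</script>
<script language="JavaScript">
function malware() { /* same code repeated */ }
malware();
</script>
<script language="JavaScript">
function malware() { /* same code repeated */ }
malware();
</script>
</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
FUNC_DEF_RE = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\(")
ALT_MARKER_RE = re.compile(r"""alt\s*=\s*["']?\s*moo ha ha""", re.IGNORECASE)


def script_blocks(html):
    """Return the body of every <script>...</script> block, in document order."""
    return SCRIPT_RE.findall(html)


def call_count(script_text, name):
    """Number of invocations of `name(` that are not the function declaration itself."""
    total = len(re.findall(r"\b%s\s*\(" % re.escape(name), script_text))
    defs = len(re.findall(r"\bfunction\s+%s\s*\(" % re.escape(name), script_text))
    return total - defs


def analyze_message_html(html):
    """Count SCRIPT blocks, per-function definitions and calls, and the alt-tag marker."""
    blocks = script_blocks(html)
    definitions = Counter()
    for block in blocks:
        definitions.update(FUNC_DEF_RE.findall(block))
    all_script = "\n".join(blocks)
    calls = {name: call_count(all_script, name) for name in definitions}
    return {
        "script_blocks": len(blocks),
        "definitions": dict(definitions),
        "calls": calls,
        "moo_ha_ha_alt": bool(ALT_MARKER_RE.search(html)),
    }


def triage(html):
    """Human-readable findings; repeated definitions plus repeated calls explain
    why an infected host may launch the payload more than once."""
    r = analyze_message_html(html)
    findings = []
    if r["moo_ha_ha_alt"]:
        findings.append('alt="moo ha ha" marker present')
    for name, n_defs in r["definitions"].items():
        if n_defs > 1:
            findings.append("function %r redefined %d times across SCRIPT blocks" % (name, n_defs))
        if name == "malware":
            findings.append("function named 'malware' present")
        if r["calls"].get(name, 0) > 1:
            findings.append("%r invoked %d times; expect that many payload launches" % (name, r["calls"][name]))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE_HTML):
        print(line)
```

Run it against a saved copy of message.html by reading the file into a string and passing it to triage(); a result showing the same function defined and called once per SCRIPT block is consistent with the three-process behaviour described in point 3, since each block's call runs regardless of the earlier redefinitions.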
This archive was generated by hypermail 2b30 : Sat Aug 02 2003 - 10:32:00 PDT