Variety of malware attacks Windows ANI flaw before early Tuesday patch
A worm spotted by Symantec early this week and a proof-of-concept exploit for a fully patched Vista operating system are among the malware attacking the dangerous vulnerability in Microsoft Windows' handling of animated cursor (ANI) files.
After exploiting the flaw, the worm infects executable files on all drives where Windows is not installed, and spreads through removable drives and networks, according to a blog post on Sunday morning by Symantec researcher Amado Hidalgo.
The malware’s main objective, according to Symantec, is to obtain role-playing game information to sell on the black market.
Symantec credited the Chinese Internet Security Response Team with reporting the malware.
Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said that more than 150 malware samples exploiting the flaw were in the wild. Websense reported more than 100 exploitation sites by Saturday morning.
Sites hosting the malware continued to build over the weekend, possibly signaling a spam campaign that would await workers as they returned to their offices today.
"Spamming to corporate accounts prior to the resumption of the work week appears to be the most likely large-scale vector at this time," Dunham said over the weekend.
He also warned that modifying exploits to affect Vista could be done easily.
Meanwhile, a hacker named Jamikazu on Sunday posted exploit code for an ANI flaw in Vista on Milw0rm, saying that the exploit had been tested on Vista Enterprise version 6.0, Vista Ultimate version 6.0 and Windows XP with Service Pack 2.
The Metasploit Project blog also provided evidence that the flaw could be exploited on an up-to-date Vista system.
Online Editor: Frank Washkuch.