Patch/Configuration Management, Vulnerability Management

Variety of malware attacks Windows ANI flaw before early Tuesday patch

A worm spotted by Symantec early this week and a proof-of-concept exploit for a fully patched Vista operating system are among the malware attacking the dangerous vulnerability in Microsoft Windows animated cursor handling (ANI).

The worm, called W32.Fubalca by the Cupertino, Calif. anti-virus giant, infects executables and HTML files and inserts links to malicious ANI files to download further copies of the worm.

After exploiting the flaw, the worm infects executable files on all drives where Windows is not installed, and spreads through removable drives and networks, according to a blog post on Sunday morning by Symantec researcher Amado Hidalgo.

The malware’s main objective, according to Symantec, is to obtain role-playing game information to sell on the black market.

Symantec credited the Chinese Internet Security Response Team with referring the malware.

Microsoft announced late Sunday that it will release an early patch for the flaw on Tuesday – a week earlier than its planned Patch Tuesday distribution for April.

Secunia has ranked the vulnerability as "extremely critical," meaning that it is vulnerable to remote code execution and exploits are available in the wild.

eEye Digital Security and the Zeroday Emergency Readiness Team both released third-party patches for the flaw.

Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said that more than 150 malware samples exploiting the flaw were in the wild. Websense reported more than 100 exploitation sites by Saturday morning.

Sites hosting the malware continued to build over the weekend, possibly signaling a spam campaign that would await workers as they returned to their offices today.

"Spamming to corporate accounts prior to the resumption of the work week appears to be the most likely large-scale vector at this time," Dunham said over the weekend.

He also warned that modifying exploits to affect Vista could be done easily.

Meanwhile, a hacker named Jamikazu on Sunday posted exploit code for an ANI flaw in Vista on Milw0rm, saying that the exploit had been tested on Vista Enterprise version 6.0, Vista Ultimate Version 6.0 and Windows XP with Service Pack 2.

The Metasploit Project blog also provided evidence that the flaw could be exploited on an up-to-date Vista system.

Click here to email Online Editor Frank Washkuch.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.