Alert: W32/BadTrans.B-mm
From: Russ (Russ.Cooper@RC.ON.CA) Date: 11/26/01
- Previous message: Rui Quintino: "Re: IIS logging issue"
- Next in thread: http-equiv@excite.com: "Re: Alert: W32/BadTrans.B-mm"
- Reply: http-equiv@excite.com: "Re: Alert: W32/BadTrans.B-mm"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <E9A01F52DC939448BBDE44ED2E1C468F23CE54@muskie.rc.on.ca>
Date: Sun, 25 Nov 2001 22:08:05 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
Subject: Alert: W32/BadTrans.B-mm
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
We saw this rising on Friday and today found out that MessageLabs is seeing
400 copies/hour over the weekend (which is an extremely high volume of infected
messages given it was the weekend);
http://www.messagelabs.com/viruseye/report.asp?id=86
We've talked about the potential of this delivery mechanism on NTBugtraq
several times, but tomorrow those of you who manage email servers are likely
going to find numerous copies in your mail stores (or users' inboxes).
This thing exploits a vulnerability in some versions of Internet Explorer
(see below) that was first fixed back in March of this year. The way these
versions of IE handled certain MIME types allowed files to be delivered that
would automatically execute when the email was opened (when using Outlook)
or rendered in the Preview Pane (when using Outlook Express). It was
subsequently used by Nimda in two of its propagation mechanisms (it used
.eml and .nws files via HTML to deliver the MIME header, and also mass
mailed messages formed specifically to exploit this vulnerability).
TruSecure's analysis of this over the weekend leads us to believe that a
great many people must not have applied the patch, or other packages that
deliver the patch. This should be considered carefully by anyone who thinks
there's a reasonable amount of time within which people apply such patches;
we're talking more than 6 months and 4 packages that contained the fix for
each affected version, yet we still seem to be seeing this thing get
considerable legs.
Although this is a BadTrans variant, it has been repackaged (compressed) and
as such probably requires an AV update to be detected. Most AV Vendors
should have updates available by the time you read this, check with them.
Ultimately the message comes with a MIME Content Type of "audio/x-wav", and
a double extension (.doc.scr) ending in .scr or .pif. The attachment itself
is a Win32 executable.
If executed it will mass-mail itself, probably as replies to unread messages
in your inbox. NTBugtraq posters may have already received some in response
to their list messages (I have).
See your AV Vendor for more details.
That done, take a minute to review the possible IE patch mechanisms
described below. We predicted, when this vulnerability was first discovered,
that this was going to be heavily exploited. Nimda's email component didn't
seem to work very well, still unclear precisely why, but its web browser
propagation certainly seemed effective. Now this BadTrans variant, and we
will likely see more.
If you cannot get your browsers to one of the unaffected versions for some
reason other than time/manpower, drop me a note and let me know why. I'd
like to understand what's preventing this vulnerability from going away.
Notes:
Microsoft Outlook Email Security Update, and Outlook 2002, can be configured
to prevent email attachments from arriving in users' inboxes.
IE Version Information:
Vulnerability being exploited is described under;
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
(read the following before applying the patch in MS01-020)
IE 4.x's status is unknown, probably *not* vulnerable
IE 5.01 prior to SP2 is vulnerable
IE 5.01 SP2 is *not* vulnerable
IE 5.5 prior to SP2 is vulnerable
IE 5.5 SP2 and above is *not* vulnerable
IE 6.0 is *not* vulnerable (see IE 6.0 caveat)
IE 6.0 Caveat:
Customers who are using Windows 95, 98, 98SE or ME, and choose to eliminate
this vulnerability by upgrading from an affected version to IE 6 should
ensure that they either perform a Full Install or Typical Install, as
discussed in the FAQ.
Anyone who is going to apply a patch to their system to address this
vulnerability now should follow these guidelines, if possible;
1. Upgrade to IE 6.0 (see IE 6.0 caveat above)
http://www.microsoft.com/windows/ie/downloads/ie6/default.asp
or
2. Apply latest IE Service Pack for their version (this eliminates the
vulnerability)
IE 5.01 SP2
http://www.microsoft.com/windows/ie/downloads/recommended/ie501sp2/default.asp
IE 5.5 SP2
http://www.microsoft.com/windows/ie/downloads/recommended/ie55sp2/default.asp
then
Apply MS01-055
http://www.microsoft.com/technet/security/bulletin/MS01-055.asp
or
3. Apply MS01-027
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
(Note: MS01-027 supersedes MS01-020 and addresses the same vulnerabilities,
plus additional vulnerabilities discovered after MS01-020)
(Note: You cannot apply MS01-051 or MS01-055 unless you have upgraded to SP2
for IE 5.01 or IE 5.5, so it clearly makes sense to get SP2 installed and not
apply MS01-027)
or
4. Apply MS01-020
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
(Note: You cannot apply MS01-051 or MS01-055 unless you have upgraded to SP2
for IE 5.01 or IE 5.5, so it clearly makes sense to get SP2 installed and not
apply MS01-020)
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
"My thoughts are facts in my world, opinion to you. YMMV"
============================================================================
Delivery co-sponsored by Trend Micro, Inc.
============================================================================
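The alert describes the infected message by three observable traits: a MIME Content-Type of "audio/x-wav", a double extension such as .doc.scr ending in .scr or .pif, and an attachment that is really a Win32 executable. The following is an added example, not code from the alert or from TruSecure/NTBugtraq, showing how a mail gateway could check for that pattern without trusting the declared Content-Type (the trust that the MS01-020 class of bug depended on). It generalizes one step beyond the alert by flagging any MZ-headed payload carried under a non-"application" type as a mismatch, and the indicator names, the sample messages and the fake MZ payload are all constructed here.

```python
"""Mail-gateway check for the delivery pattern described in the alert above:
an attachment declared as audio/x-wav, a double extension ending in .scr or
.pif, and a payload that is really a Win32 (MZ) executable.  Added example;
the sample messages below are constructed, not captured BadTrans samples."""
import email
from email import policy
from email.message import EmailMessage

DECLARED_TYPE = "audio/x-wav"          # Content-Type named in the alert
EXEC_EXTENSIONS = {".scr", ".pif"}     # final extensions named in the alert
MZ_MAGIC = b"MZ"                       # DOS/PE executable header


def check_part(part: EmailMessage) -> list[str]:
    """Return the indicator names matched by one non-multipart MIME part."""
    hits = []
    filename = (part.get_filename() or "").lower()
    pieces = filename.split(".")
    # Double extension: "readme.doc.scr" has two extensions and the last one
    # is executable; a user who hides known extensions sees only ".doc".
    if len(pieces) >= 3 and "." + pieces[-1] in EXEC_EXTENSIONS:
        hits.append("double-extension")
    if part.get_content_type() == DECLARED_TYPE:
        hits.append("declared-audio/x-wav")
    # Decide from the bytes, not from the header the sender chose: an MZ
    # header under any non-"application" type is a Content-Type mismatch.
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(MZ_MAGIC) and part.get_content_maintype() != "application":
        hits.append("content-type-mismatch:MZ-executable")
    return hits


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each flagged part (by filename, or part index) to its indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        hits = check_part(part)
        if hits:
            findings[part.get_filename() or f"part-{index}"] = hits
    return findings


def is_badtrans_like(raw: bytes) -> bool:
    """True when some part shows both the double extension and the hidden MZ payload."""
    return any(
        "double-extension" in hits and "content-type-mismatch:MZ-executable" in hits
        for hits in scan_message(raw).values()
    )


def build_sample(malicious: bool) -> bytes:
    """Construct a test message (hypothetical addresses; not a real worm sample)."""
    msg = EmailMessage()
    msg["From"] = "infected-user@example.invalid"
    msg["To"] = "poster@example.invalid"
    msg["Subject"] = "Re: Alert: W32/BadTrans.B-mm"
    msg.set_content("See the attachment.")
    if malicious:
        payload = MZ_MAGIC + b"\x00" * 62            # fake DOS header, constructed
        name = "README.DOC.scr"
    else:
        payload = b"RIFF\x24\x00\x00\x00WAVEfmt "    # genuine-looking WAV header
        name = "greeting.wav"
    msg.add_attachment(payload, maintype="audio", subtype="x-wav", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        sample = build_sample(flag)
        print("malicious" if flag else "benign", scan_message(sample), is_badtrans_like(sample))
```

The benign sample still matches the "declared-audio/x-wav" indicator on its own, which is the point of the design: the declared type is the weakest of the three signals and should only raise severity when the filename or the payload bytes disagree with it.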