Re: MS01-058 exploit - W32/Cool.A-mm

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 12/19/01


Date:         Wed, 19 Dec 2001 01:50:24 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Well, let me try and explain this one away...;-]

I posted a message wherein I said that typically malicious attacks based on
an IE vulnerability take several months to appear. Steen Larsen, a very
credible source of useful virus/worm information from MessageLabs, comes back
with a note that W32/Cool.A-mm is exploiting the very same vulnerability I'm
saying isn't an urgent issue (MS01-058).

Boy do I feel dumb.

I figure I'd better let you decide for yourselves real quick and put Steen's
message out to the list, quickly, without a great deal of
examination...Oops...I manage to miss the fact that the URL he's provided
is still alive and well...my bad. See, you don't do that sort of thing, even
if you're sending it to all of those smart and security-conscious folks
subscribed to NTBugtraq. You munge the URL in some way to make it obvious,
but not clickable...and of course I catch these snafus before they go to the
list...usually.

This mass-mailer has now been renamed, more appropriately, JS/Coolsite@mm
(JS = JavaScript, Coolsite = common name, @mm = e-mail mass-mailer).

It's also been identified as exploiting MS00-075, which affected IE 5.5 SP1
and earlier versions through a vulnerability in the Java VM. It doesn't
affect IE 6.0 at all (other than the fact that the site creates tons of stupid IE
windows). Virus definitions from March of 2001 and on detect it (under some
other name).

The good folks at MessageLabs were trying to be helpful, as was I, but
methinks we both failed you miserably on this one.

It'll never happen again! (sheepish grin)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor