In-Depth
Alerts: Vulnerabilities in IE, Windows Desktops
MiMail.A exploits IE flaw; Autorooter targets Windows hole to run its own code
MiMail.A Worm Exploits IE Flaw
A new worm, MiMail.A, is making the rounds, attempting to use a flaw in Microsoft Internet Explorer (versions 5.01, 5.5, and 6.0) to create and execute malicious code. If successful, the worm can copy—or open and copy—information from files on a user’s computer, then e-mail it.
MiMail.A exploits vulnerabilities patched by Microsoft in March 2003.
The worm arrives with an e-mail whose subject line reads “your account.” The e-mail, signed “Administrator,” tells the recipient to open the attachment to read information about how their e-mail address will be expiring. Attached is “message.zip,” which itself contains a file called “message.html.” The latter file creates and executes the malicious code.
Note that the e-mail’s subject line and “from” address may also be spoofed, appearing to originate from within an organization.
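As an added example (not from the article or the vendors it quotes), the following Python mail-gateway check flags a message carrying the MiMail.A indicators described above: the “your account” subject, the “Administrator” signature, and a message.zip attachment containing message.html. The sample message is constructed inline, and the addresses in it are placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the alert: subject line, signature, attachment names.
MIMAIL_SUBJECT = "your account"
MIMAIL_ZIP_NAME = "message.zip"
MIMAIL_INNER_NAME = "message.html"


def html_members_in_zip(data: bytes) -> list:
    """Return the names of HTML files inside a zip attachment (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith((".html", ".htm"))]
    except zipfile.BadZipFile:
        return []


def mimail_indicators(raw: bytes) -> dict:
    """Check a raw RFC 822 message against the MiMail.A indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    subject = (msg["Subject"] or "").strip().lower()
    hits["subject"] = subject == MIMAIL_SUBJECT
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hits["signed_administrator"] = "administrator" in text.lower()
    hits["zip_with_html"] = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        members = [m.lower() for m in html_members_in_zip(part.get_payload(decode=True) or b"")]
        # Match on the known zip name or on the known inner HTML file name.
        if name == MIMAIL_ZIP_NAME or MIMAIL_INNER_NAME in members:
            hits["zip_with_html"] = True
    hits["match"] = hits["subject"] and hits["zip_with_html"]
    return hits


def build_sample() -> bytes:
    """Constructed sample resembling the alert's description (not a real capture)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("message.html", "<html><body>placeholder</body></html>")
    msg = EmailMessage()
    msg["From"] = "admin@example.com"  # placeholder sender
    msg["To"] = "user@example.com"     # placeholder recipient
    msg["Subject"] = "your account"
    msg.set_content("Your e-mail account is expiring. See the attachment.\n\nAdministrator")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(mimail_indicators(build_sample()))
```

In practice the attachment check is the stronger signal, since the article notes the subject and “from” address may be spoofed.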
“Worm/MiMail.A is spreading globally at an alarming rate,” notes Steven Sundermeier, vice president of products and services at Central Command Inc. “At this time, 61 percent of the confirmed infection reports have originated in the United States.”
Symantec also characterizes the virus as being highly distributed, though it gives it a “low” potential for damage.
You can find the patch here: http://support.microsoft.com/default.aspx?scid=kb;en-us;330994
Autorooter Opens Back Door
Many users are already receiving the Autorooter worm as e-mail spam, reports Kaspersky Labs. Autorooter targets a recently discovered flaw in Windows NT, 2000, and XP, and Windows Server 2003, specifically in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. (See “RPC/DCOM Vulnerability,” http://info.101com.com/default.asp?id=2408).
In a nutshell, RPC incorrectly handles malformed messages received over TCP/IP. A successful exploit causes a buffer overflow, giving an attacker the ability to run code on an affected system, at which point the attacker could do everything from deleting files and altering data to creating new full-access accounts or installing new software.
The worm takes the latter approach, using its built-in FTP server module to load a Trojan file, IRCbot. Once that file is installed, the virus writer (presumably) can take any of the above-mentioned actions, remotely, on a user’s computer.
One saving grace: the current version of the worm lacks any self-replication capabilities; it isn’t e-mailing itself to others.
That’s at least for now, notes Kaspersky Labs. “We believe that this version of Autorooter is only the experimental one. A more viable version is likely to appear and cause serious damage to the Internet,” says Eugene Kaspersky, head of anti-virus research for Kaspersky Labs. In addition, he notes, “It is possible that the author of Autorooter wanted to create a network of infected computers to prepare a global virus epidemic or perform a global hacker attack.”
The patch is available here: http://www.microsoft.com/security/security_bulletins/ms03-026.asp
About the Author
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.