Possibly yet another MS mail worm
Sam Stickland
sam_ml at spacething.org
Mon Mar 1 16:06:23 UTC 2004
Curtis Maurand wrote:
> On Mon, 1 Mar 2004, Todd Vierling wrote:
>
>> On Mon, 1 Mar 2004, Curtis Maurand wrote:
>>
>>> Sure they do....its called COM/DCOM/OLE/ActiveX or whatever they
>>> want to call it this week. Its on every windows system.
>>
>> No, my point was that the majority of newer trojan mail viruses
>> don't depend on ActiveX exploits -- they simply wait, dormant, for a
>> n00b to click on this mysterious-looking Zip Folder, and the
>> mysterious-looking EXE inside.
>>
>> It's as if the modern e-mail viruses are closer to human infections.
>> Only the clueful are immune. 8-)
>
> The latter is very true.
>
> My point is that the COM/DCOM/OLE/ActiveX is what allows for a script
> in an email message that gets executed to have access to the rest of
> the system, rather than executing within a protected sandbox. Of
> course scripts within email messages shouldn't execute at all. Once
> they do execute, they have access to the OLE objects on the machine.
> Its a security hole big enough to drive a tank through.
I don't think that defines the problem very well. The current Bagle.C virus
does the following:
"W32/Bagle-C opens up a backdoor on port 2745 and listens for connections.
If it receives the appropriate command it attempts to download and execute a
file. W32/Bagle-C also makes a web connection to a remote URL, thus
reporting the location and open port of infected computers.
Adds the value:
gouday.exe = <SYSTEM>\readme.exe
to the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This means that W32/Bagle-C runs every time you logon to your computer"
It also uses it's own SMTP engine to replicate itself. So effectively it's
opening a connection to port 80 (from an unprivileged port), listening on
port 2745 (an unprivileged port), and opening connections to port 25 (from
an unprivileged port).
Maybe I'm missing something here, but where does access to OLE objects come
into play? Also this virus would appear to function just as well even if a
non-adminstrator user opened it.
Sam
More information about the NANOG
mailing list