May 18th, 2004, 07:20 AM
Beware! BMP files may contain a new virus - (trojan named Agent - Throd )
we've discussed this at AO in the past.. viruses/trojans in images.. now it's a bit more of a reality. good news is that it only affects IE5 and 5.5 and the russian version of software but it's expected that we'll see variations on it..
linkage is here.
Kaspersky Labs, a leading information security software developer has detected a mass mailing of a new Trojan named Agent. Agent infects victim machines when users view graphics in BMP format.
Agent exploits a vulnerability in MS Internet Explorer versions 5.0 and 5.5
which allows malicious code to be launched on victim machines via modified BMP files. This vulnerability is a direct result of the Windows source code leak and was first detected on February 16, 2004.
Agent was mailed using spammer technology in an infected email that only contains a BMP file with a random name. The file is created especially for the Russian version of Windows 2000; the malicious code will not function on other language versions. This implies that Agent was probably created in Russia or the CIS.
Should a user open the BMP file Agent immediately connects to a remote server located in the Lybian domain zone, downloading and installing a second Trojan named Throd.
Throd is a classic spyware program. The Trojan first copies itself into the Windows system registry autorun keys and then awaits further commands. The 'master' can remotely execute various commands on the victim machine including copying data, collecting addresses from MS Outlook and turning the infected computer into a proxy server functioning as a platform for anonymous cyber crimes.
"Throd is obviously written for spammers,' comments Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs, 'the Trojan harvests email addresses and creates a network of zombie machines for massive spammer attacks. Once again, we see spammers and virus-writers are working hand in hand."
To date, Microsoft has not issued a patch for this vulnerability. In other words, the only protection users have is up-to-date anti-virus software. "Moreover, it is very likely that malware attacking other versions of Windows will soon appear', adds Eugene Kaspersky, 'I strongly recommend that users make sure that their antivirus software protects them from malware exploiting this particular Windows vulnerability."
Kaspersky® Anti-Virus does scan the contents of BMP files and automatically detects suspicious objects attempting to penetrate via either the Internet of email. The solution neutralizes Agent automatically and our antivirus databases have been updated to detect Throd.
Detailed descriptions of both Agent
are available in the Kaspersky Virus Encyclopedia.
May 18th, 2004, 07:25 AM
Ha! And just the other day I was thinking to myself...
This vulnerability is a direct result of the Windows source code leak and was first detected on February 16, 2004.
"Its been a long time since I heard about the source code leak... and not many vulnerabilities were found with it... may be redmond is doing their job?"...
Guess I was wrong...
grim_reaper1 showed us something similar a little bit ago here.
Can't wait to see all the goodies that turn up if the Cisco IOS 12.2/12.3 source really was "stolen"...
Speaking of spammers... did anyone read about the infiltration of "spam club"?
is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
May 18th, 2004, 03:27 PM
Wow... I'm speechless of the brain behind this virus writer!
The file is created especially for the Russian version of Windows 2000; the malicious code will not function on other language versions
May 18th, 2004, 04:39 PM
I haven't seen a good explanation of how it works.
You obviously need IE5/5.5 which implies that you must have .bmp files associated with IE? I thought the default would have been MS Paint?
My real question is if I open picture files in some sort of picture editing software such as comes with digital cameras and DTP suites, would the virus run? I would have thought not?
I also wonder how/why it is so language specific?
May 18th, 2004, 04:55 PM
'cos they only speak russian, silly.....
I also wonder how/why it is so language specific?
There must be some difference in the code depending on the more "exotic" character sets. There have been several other advisories that state there is a hole in the X language version, or that certain things won't work in the Y language version. They usually seem to be the Chinese, Japanese, Russian etc. languages which have, to us anyway, "odd" character sets.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
May 18th, 2004, 05:11 PM
This is similar to the jpeg virus that went around a couple years ago.. IMHO nothing really interesting at all. If I am understanding this correctly, it is an executable renamed as a bitmap. Ok, I take it back, it is mildly interesting...
jpeg virus info
The difference with the jpeg virus was that it was a bit of malware that detected when any jpeg was opened. Yet like 'Agent', jpeg was a multi-part file.
Dig the propoganda. ..what happened to not opening any email attachments from sources you don't recognize?? Doesn't IE6 work with 2000?
In other words, the only protection users have is up-to-date anti-virus software.
May 18th, 2004, 05:30 PM
Indeed it does. Of course once again, don't bother with IE at all and all's well...for now anyway.
Doesn't IE6 work with 2000?
This is a pretty scary (though unsurprising) concept. It seems at the rate things are going, it'll only be a matter of time before you can be attacked left and right for nothing more than viewing a webpage, without downloading or e-mailing anything.
The most important thing here, however, is for us not to become too secure in what think is and is not possible. I think, as the other thread posted here so well demonstrated, that some of us are convinced that new techniques such as viruses coming through mere viewed images are a thing of fantasy. We must stay alert as the online world is always changing, and new, never-before-fathomed threats are always in the works. We should never feel too confident or too secure.
May 18th, 2004, 09:32 PM
it'll only be a matter of time before you can be attacked left and right for nothing more than viewing a webpage, without downloading or e-mailing anything.
(ok, you don't get it from a website, but rather just being connected, but still.....)
May 18th, 2004, 10:00 PM
That brings up a question I've been curious about...
Let's say, hypothetically, you have a computer permanently connected. However, you don't view any websites, don't download anything, and don't have e-mail. Basically, it just sits there idle online. With no firewall, no AV, etc., what all could be done to it by an attacker? I suppose it would be located via a random port scan?
May 19th, 2004, 12:29 AM
Yup, random port scan by the worm. Check out blaster and Sasser, they would infect that machine you speak of, giving that it isn't updated. They exploit services that open ports, and gain privledges to run malicious code.
Sasser exploited LSASS in windows (hence "sasser"), because of poor coding.