November 11th, 2005, 05:02 PM
New Windows Trojan causes confusion
Trend Micro on Wednesday reported the discovery of a Trojan horse that it said attacked Windows users through an image rendering flaw in Windows, a day after Microsoft provided a fix for the bug. But it isn't so sure anymore.
The Trojan is referred to as "emfsploit.a" by the Tokyo-based antivirus company. Initially the antivirus software maker reported that the malicious code would crash "explorer.exe" on unpatched Windows machines. Explorer runs key parts of the Windows graphical user interface, including the Start menu, taskbar, desktop and file manager.
But late Thursday Trend Micro said its initial analysis of the Trojan might be incorrect.
"We asked another team to start the disassembly process again," said Raimund Genes, chief technologist for Trend Micro in Europe. That means researchers will reinvestigate the Trojan code to see what it does.
Meanwhile, Trend Micro updated the entry in its antivirus encyclopedia on the Trojan. The entry no longer states that "emfsploit.a" exploits the Windows vulnerability, but instead it says that it "exhibits behavior similar to the Enhanced Metafile vulnerability of MS05-053."
"Our Trend Labs team is currently working with Microsoft to resolve whether TROJ_EMFSPLOIT.A does indeed fall under the category of code exploiting the MS05-053 vulnerability or whether it is only a related piece of code but not totally exploiting MS05-053," Genes said in an e-mail to CNET News.com.
Trend Micro has found that the Trojan does cause a crash on certain Windows XP systems, but the finding is not consistent with Microsoft's Tuesday bug report. Trend found a crash only on Windows XP computers without Service Pack 1. But according to Microsoft, the vulnerability also affects systems with SP1 and SP2, so these should crash as well if the Trojan indeed exploits the MS05-053 flaw.
Trend Micro describes the new Trojan as a "proof of concept." It received one sample of the code from a customer in Japan, but as of late Thursday the Trojan hasn't actually been detected anywhere else, Genes said. The company hence rates the overall risk "low."
The vulnerability the Trojan was thought to exploit lies in the way Windows handles certain graphics files. Microsoft provided a fix for three such flaws on Tuesday as part of its monthly patching cycle.
The Windows vulnerabilities relate to how the operating system renders the Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats, Microsoft said Tuesday in its MS05-053 security bulletin. The software maker tagged the bulletin "critical," its most serious rating.
A Microsoft representative said the company is investigating the Trojan report, but added that it is not currently aware of attacks that use it.
Microsoft urges Windows users to apply the MS05-053 update as soon as possible. However, some users of Microsoft's free Software Update Services patching tool have reported trouble in obtaining the patch.
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts." ..... Spaf
Every time I learn a new thing, I discover how ignorant I am. - ... Black Cluster