100 confirmed sites now using the IE vulnerability, as reported on security lists by Dan Hubbard (alert) at WebSense and Joe Stewart at Lurhq.
These can be very nasty. SunBelt analysed one site – www(dot)textrum(dot)se (since shutdown):
The exploit calls a file, updater.exe. It file is W32/Spybot (W32/Backdoor, Adware.NaviPromo.M)
Norman sandbox report:
Found Sandbox: W32/Backdoor; [ General information ]
* Anti debug/emulation code present.
* Creating several executable files on hard-drive.
* File length: 46644 bytes.[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.[ Changes to registry ]
* Creates value “Windsupdate”=”Updater.exe” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”.
* Creates value “Windsupdate”=”Updater.exe” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.
* Modifies value “Dir0″=”012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles\” in key “HKCU\Software\Kazaa\LocalContent”.[ Network services ]
* Connects to “kronkrak.servequake.com” on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser7.
* IRC: Uses username CurrentUser7.[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I’ll be back…).
* Attemps to open C:\WINDOWS\SYSTEM32\Updater.exe NULL.
* Enumerates running processes several parses….
* Creates a mutex coolbot1.c4.
There is no patch available for this exploit. The only way to avoid it is
– turn off Active Scripting
– use a non-IE browser (although the latest version of IE 7, the March 20 beta 2 preview, is not affected).
Your standard protections should be in place — antivirus, firewall, antispyware.
