Security - Virus/Trojan

#1
Hello Members,

I recently received a mail from my friend, 'Beware of Excel Sheet received from unknown person'.... I did not find any suitable thread where I could post it, so I have started a new thread.... Here we can all post messages related to the security of Windows.... Hope it will be useful....

K.S.Kachhwaha

A new, yet-to-be-patched security vulnerability in Microsoft's Excel has been exploited in at least one targeted cyberattack, experts warned on Friday.

A malicious Excel document is sent as an e-mail attachment or otherwise delivered by the attacker to the intended victim, Microsoft said in a posting to its Security Response Center blog. The Redmond, Wash., software maker said it has received one report from a customer who had been hit by such a problem.

"In order for this attack to be carried out, a user must first open a malicious Excel document," a Microsoft representative wrote. "So remember to be very careful opening unsolicited attachments from both known and unknown sources."

Samples of malicious Excel files called "okN.xls" have been found, Symantec said in an advisory. The malicious spreadsheet file contains a Trojan horse, called "Mdropper.J," and program called "Booli.A" that can download more malicious files to an infected PC, the security company said.

"Attackers are actively exploiting this vulnerability in targeted attacks," Symantec said. The issue appears to affect all versions of Excel, including Excel 2003 and Excel 2000. If the attempt is successful, the intruder will gain full control over the targeted computer, the company said.

Word of the outbreak and of the new flaw comes just days after Microsoft released 12 security bulletins with fixes for 21 vulnerabilities in several of its products, including Office. Some experts believe the timing of the new attack is no coincidence.

"In recent similar attacks, Microsoft has not issued an out-of-cycle patch," Scott Carpenter, director of Security Labs at Secure Elements, said in a statement. "The exploit's immediate release after 'Patch Tuesday' is evidently designed to take advantage of a full month before Microsoft is scheduled to patch it."

In addition, the monthly set of patches Microsoft released Tuesday included a fix for a Word flaw that had already been used in targeted cyberattacks. Instead of issuing an out-of-cycle patch, Microsoft recommended that users be careful in opening Word documents and that they run the application in safe mode.

Microsoft has not said whether it plans to release a fix for the new Excel flaw. The software maker said it has added detection capabilities to its Windows Live Safety Center for removal of malicious software that attempts to exploit the vulnerability.

pkjha30

#2
Hi

This is a very serious threat. Thanks for pointing it out. We exchange Excel files all the time.

This is one way to deal with the situation:
Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name:

%System%\svc.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

When Downloader.Booli.A is executed, it performs the following actions:

Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.


Attempts to download a file from the following location:

[http://]210.6.90.153:7890/svcho[REMOVED]

Note: At the time of writing the remote file was not available.


Saves the file as the following and if the download was successful, executes the file:

c:\temp.exe


Creates an empty file before exiting:

c:\bool.ini (My comment: This is the key file which is used by Windows to boot. So first take a backup. Open Notepad and in the Open File dialog box move to the C: drive, or wherever your Windows is installed, and type boot.ini, then hit Enter. The file will appear. You may save it as boot.bak and exit. This assumes that it is not yet infected.)


Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack.

If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed).

Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.



The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
How to disable or enable Windows Me System Restore
How to turn off or turn on Windows XP System Restore

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

As for Trojan.Mdropper.J:

Trojan.Mdropper.J may arrive as a Microsoft Excel file attachment to a spoofed email with the following name:

okN.xls

Recognition

1. When the file is opened, the Trojan places the following file:

%System%\svc.exe



2. Silently closes Microsoft Excel.
Pankaj:)
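As an added defender-side example, not from the Symantec writeup quoted above nor from any of the posters, the following Python script checks a drive image or quarantine folder for the file artifacts the writeup names (%System%\svc.exe, c:\temp.exe, c:\bool.ini and the okN.xls attachment). The root path, the constructed sample tree and the label strings are assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Candidate %System% folders listed in the writeup (relative to the drive root).
SYSTEM_FOLDERS = ["Windows/System", "Winnt/System32", "Windows/System32"]

# File artifacts the writeup attributes to Trojan.Mdropper.J / Downloader.Booli.A.
ARTIFACTS = {
    "Booli.A dropped executable (%System%\\svc.exe)":
        [f"{folder}/svc.exe" for folder in SYSTEM_FOLDERS],
    "Booli.A download target (c:\\temp.exe)": ["temp.exe"],
    "Booli.A empty marker file (c:\\bool.ini)": ["bool.ini"],
}
DROPPER_ATTACHMENT = "okn.xls"  # Mdropper.J attachment name, compared case-insensitively


def find_artifacts(root):
    """Return {label: [paths]} for the writeup's artifacts that exist under root."""
    root = Path(root)
    hits = {}
    for label, rel_paths in ARTIFACTS.items():
        present = [str(root / rel) for rel in rel_paths if (root / rel).is_file()]
        if present:
            hits[label] = present
    return hits


def find_dropper(root):
    """Walk root (for example an exported mail quarantine) for files named okN.xls."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        matches.extend(os.path.join(dirpath, f) for f in files
                       if f.lower() == DROPPER_ATTACHMENT)
    return sorted(matches)


def build_sample_tree():
    """Constructed sample tree imitating an infected XP drive; not real data."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "svc.exe").write_bytes(b"MZ")  # placeholder bytes, not the real dropper
    (root / "bool.ini").write_bytes(b"")    # empty marker file, as described
    inbox = root / "Documents" / "attachments"
    inbox.mkdir(parents=True)
    (inbox / "okN.xls").write_bytes(b"\xd0\xcf\x11\xe0")  # OLE header bytes only
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    for label, paths in find_artifacts(sample).items():
        print(f"{label}: {paths}")
    print("dropper attachments:", find_dropper(sample))
```

Point `find_artifacts` at the root of a mounted, read-only copy of the suspect drive rather than the live system so the check itself cannot be tampered with by the running malware.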

#4
Do not update Windows if using dial-up connections

Hello Members,

Members who need to use dial-up scripting or terminal window features should not install Microsoft's security update.

One of the dozen security updates Microsoft released last week is causing network connection trouble for some users, the company said.

The fix delivered with security bulletin MS06-025 can interfere with certain types of dial-up networking connections, Microsoft said in an article on its support Web site published late Monday. The patch repairs two "critical" security flaws in Windows that could allow an attacker to commandeer a vulnerable PC.

Problems occur only with dial-up connections that use a terminal window, or dial-up scripting, Microsoft said. This type of connection may stop responding after applying the patch, the software maker said.

"This is an older technology that is rarely used by modern dial-up connections," Microsoft said in the support article. The issue may affect direct-dial connections to a corporate network, to a university network or to some Internet service providers, it said.

Microsoft is working on a revised security patch to address the issue. Meanwhile, the company recommends that people who need to use dial-up scripting or terminal window features do not install the security update.

The MS06-025 patch is one of 12 security bulletins Microsoft released last week with fixes for 21 flaws. Attack code that exploits some of those flaws is already out, increasing the risk to users. There is no known public exploit for the flaws patched by MS06-025; however, a private exploit is available to users of a tool made by security vendor Immunity, according to Symantec.

Patches cause trouble at times, on occasion prompting Microsoft to fix those it's released. In April, Microsoft released a second version of a Windows Explorer update because the original interfered with Hewlett-Packard software and Nvidia drivers.

K.S.Kachhwaha

#5
Firefox

Hello Pankaj & other Members,

I have read in one thread that you are using Firefox. Therefore this may be useful for Pankaj and other members.

A new Trojan horse making the rounds has been installing itself as a Firefox extension, according to security company McAfee.

The FormSpy Trojan attacks computers that have already been infected with the Downloader-AXM Trojan, according to a security advisory McAfee issued Tuesday. Once FormSpy is executed, it installs itself as a component of the Firefox Web browser.

The FormSpy spyware then gleans sensitive information, such as credit card and bank account numbers, from the user's browser and forwards it to a malicious Web site. But this Trojan is capable of other tricks, as well, McAfee noted.

The main executable is also capable of sniffing passwords from traffic for ICQ (the "I seek you" program that alerts users to the presence of acquaintances online), FTP (file transfer protocol), IMAP (Internet message access protocol, an e-mail management program) and POP3 (post office protocol, a data format for e-mail), McAfee warned.

Although the FormSpy Trojan is circulating, it is considered a low risk, McAfee said. What's more, people may have already taken steps to mitigate the earlier Downloader-AXM Trojan that is needed for the FormSpy Trojan to take hold.

Mozilla on Wednesday released an update to its popular Firefox Web browser that fixes a dozen vulnerabilities, seven of which it deems "critical."

The most serious of the flaws could be exploited by cyberattackers to commandeer a vulnerable PC, according to Mozilla. The company, which oversees Firefox development, has published security advisories for each of the flaws repaired by the Firefox update.

The flaws are fixed in Firefox 1.5.0.5, which Mozilla has started pushing out to Firefox users via the update feature in the open-source Web browser. In addition to the security fixes, the browser update includes stability improvements, as well as changes for the Frisian version for some users in the Netherlands, Mozilla said.

"Firefox 1.5.0.5 is a security update that is part of our ongoing program to provide a safe Internet experience for our customers," Mozilla said on its Web site. "We recommend that all users upgrade to this latest version."

Security monitoring company Secunia rates the update as "highly critical," one notch below its most serious ranking.

Mozilla also released updates for its SeaMonkey suite of applications to address security issues that apply to those programs.

While some of the security flaws may affect the earlier 1.0 versions of Firefox, Mozilla is not providing updates for those releases. Its version 1.0.8 was the last refresh for the 1.0.x line of Firefox. All users are advised to upgrade to the 1.5.0.5 version. The 1.0.8 version came out in April.

Developers are working on Firefox 2, the next major version of the Web browser. Mozilla earlier this month shipped the first beta of the new browser, which includes such features as a phishing shield to protect against information thieving online.

Microsoft, meanwhile, is putting the final touches on Internet Explorer 7, a reinforced version of its Web browser. Designed, in part, in response to competition from Firefox, IE 7 is due out in the fourth quarter of this year.

Regards,

K S Kachhwaha