MagnusM
Premium
join:2001-07-07
| Analysis of an Ecard Exploit Page
I just finished analyzing an Ecard exploit page; thought it might be interesting to some. Basically, the Ecard worm uses the MS06-006 Windows Media Player Plug-In EMBED Overflow Exploit to install the worm file on vulnerable systems. This means that unless you have KB911564 installed, you can get infected by just clicking the link in an Ecard email.
The full analysis is available here: »blog.misec.net/2007/08/13/analys···it-page/
I also have a question that someone might be able to help answer: What is the easiest way a user can check if he has the KB911564 patch installed? In my analysis, I suggest checking for the presence of the file C:\Windows\KB911564.log -- perhaps someone can suggest a better way for less experienced users? (I deliberated whether to suggest "wmic qfe" in a Command Prompt, but I doubt many less computer-literate users will find it easy to do that.)
--
Mischel Internet Security
http://www.misec.net |
|
Suggestion
@bell.ca | Something along the lines of:
1] Click on "Start"
2] Then on "Search"
In the left-hand viewer pane:
3] Click on the "Advanced Options" checkbox
4] In the text box "Search for files or folders named", type: *911564 |
|
dannyboy 950
Premium
join:2002-12-30
Port Arthur, TX | reply to MagnusM
Kinda odd doing a search I found a uninstall folder for it but not the file itself. |
|
redwolfe_98
join:2001-06-11
 ·RoadRunner Cable
2 edits | reply to MagnusM
thanks, magnus.. i have been downloading a lot of those ecard.exe files and then uploading them to "virustotal", sometimes submitting them to av-vendors, as well..
today, i noticed that something was strange with the webpage where i was downloading another one of the ecard files from and i wanted someone to look at it, though i never contacted anyone about it..
i have been kind of paranoid because when i tried to download the ecard file, the first time, i clicked cancel but then it downloaded anyway, where "antivir" then flagged it.. (uhg) i didn't have all of my security-apps up at the time, either..
i wasn't able to find anything that indicated that my computer was infected by the malware.. i booted into safe mode and looked for the "spooldr.exe" and "spool.sys" files..
i also tried going through the same routine again, only with my other security-apps running to see if anything was flagged, but it wasn't..
the ecard files that i downloaded today would infect the cdrom.sys file instead of the tcpip.sys file..
i am glad that misec is at least looking into this zhelatin stuff..
as for checking for the patch, running the "belarc advisor" would be one way to do it, or (for me) to look at the update-history at the "windows updates" website.. belarc seems like the easy way to do it..
i deleted all of the windows updates log files, so i can't check those..
update: i just ran the "belarc advisor" and i can see that i have the update, according to the belarc advisor.. |
|
LiamJunket
Premium
join:2002-03-03
Ocean City, NJ
·Comcast
| reply to MagnusM
said by MagnusM  :Ecard worm uses the MS06-006 Windows Media Player Plug-In EMBED Overflow Exploit to install the worm file on vulnerable systems. This means that unless you have KB911564 installed, you can get infected by just clicking the link in an Ecard email. What about Vista? The original exploit you ID'd is for XP. Is there a similar Vista exploit that needs patching?
--
--
Internet News
My BLOG
My Web Page |
|
