Analysis of an Ecard Exploit Page in Security http://www.dslreports.com/forum/r18866575 en Thu, 04 Dec 2008 13:26:31 EDT Thu, 04 Dec 2008 13:26:31 EDT Re: Analysis of an Ecard Exploit Page http://www.dslreports.com/forum/remark,18867201 TK Junk Mail :
said by MagnusM See Profile :

Ecard worm uses the MS06-006 Windows Media Player Plug-In EMBED Overflow Exploit to install the worm file on vulnerable systems. This means that unless you have KB911564 installed, you can get infected by just clicking the link in an Ecard email.
What about Vista? The original exploit you ID'd is for XP. Is there a similar Vista exploit that needs patching?
--
--
Internet News
My BLOG
My Web Page]]> http://www.dslreports.com/forum/remark,18867201 Mon, 13 Aug 2007 19:12:39 EDT Re: Analysis of an Ecard Exploit Page http://www.dslreports.com/forum/remark,18867148 redwolfe_98 : thanks, magnus.. i have been downloading a lot of those ecard.exe files and then uploading them to "virustotal", sometimes submitting them to av-vendors, as well..

today, i noticed that something was strange with the webpage where i was downloading another one of the ecard files from and i wanted someone to look at it, though i never contacted anyone about it..

i have been kind of paranoid because when i tried to download the ecard file, the first time, i clicked cancel but then it downloaded anyway, where "antivir" then flagged it.. (uhg) i didn't have all of my security-apps up at the time, either..

i wasn't able to find anything that indicated that my computer was infected by the malware.. i booted into safe mode and looked for the "spooldr.exe" and "spool.sys" files..

i also tried going through the same routine again, only with my other security-apps running to see if anything was flagged, but it wasn't..

the ecard files that i downloaded today would infect the cdrom.sys file instead of the tcpip.sys file..

i am glad that misec is at least looking into this zhelatin stuff..

as for checking for the patch, running the "belarc advisor" would be one way to do it, or (for me) to look at the update-history at the "windows updates" website.. belarc seems like the easy way to do it..

i deleted all of the windows updates log files, so i can't check those..

update: i just ran the "belarc advisor" and i can see that i have the update, according to the belarc advisor..]]> http://www.dslreports.com/forum/remark,18867148 Mon, 13 Aug 2007 19:03:11 EDT Re: Analysis of an Ecard Exploit Page http://www.dslreports.com/forum/remark,18866998 dannyboy 950 : Kinda odd doing a search I found a uninstall folder for it but not the file itself.]]> http://www.dslreports.com/forum/remark,18866998 Mon, 13 Aug 2007 18:42:17 EDT Re: Analysis of an Ecard Exploit Page http://www.dslreports.com/forum/remark,18866725 anon : Something along the lines of:

1] Click on "Start"
2] Then on "Search"

In the left-hand viewer pane:

3] Click on the "Advanced Options" checkbox
4] In the text box "Search for files or folders named", type: *911564]]> http://www.dslreports.com/forum/remark,18866725 Mon, 13 Aug 2007 17:58:37 EDT Analysis of an Ecard Exploit Page http://www.dslreports.com/forum/remark,18866575 MagnusM : I just finished analyzing an Ecard exploit page; thought it might be interesting to some. Basically, the Ecard worm uses the MS06-006 Windows Media Player Plug-In EMBED Overflow Exploit to install the worm file on vulnerable systems. This means that unless you have KB911564 installed, you can get infected by just clicking the link in an Ecard email.

The full analysis is available here: »blog.misec.net/2007/08/13/analys···it-page/

I also have a question that someone might be able to help answer: What is the easiest way a user can check if he has the KB911564 patch installed? In my analysis, I suggest checking for the presence of the file C:\Windows\KB911564.log -- perhaps someone can suggest a better way for less experienced users? (I deliberated whether to suggest "wmic qfe" in a Command Prompt, but I doubt many less computer-literate users will find it easy to do that.)
--
Mischel Internet Security
http://www.misec.net]]> http://www.dslreports.com/forum/remark,18866575 Mon, 13 Aug 2007 17:36:46 EDT