Weekly Report on Viruses and Intruders: Mitglieder.HE and Spymaster.A Trojans and Mytob.ML worm
Today’s report looks at three security problems affecting several Microsoft products, each of which could allow an attacker to take control of vulnerable systems, two Trojans (Mitglieder.HE and Spymaster.A), and a worm (Mytob.ML).
The first security problem that we are looking at affects Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, and Exchange Server. It stems from the way in which Outlook and Exchange Server decode email messages that use the TNEF (Transport Neutral Encapsulation Format) encoding.
The second vulnerability in today’s report affects Windows 2003/XP/2000/Me/98, and stems from the way Windows processes malformed embedded Web fonts. An attacker could exploit it by hosting a malicious Web font on a specially created web page and enticing users to visit it, or by sending an email message containing the malicious Web font.
The third and last security problem we’re looking at today lies in the Graphics Rendering Engine, in computers running Windows 2003/XP/2000, and could allow arbitrary code to be run on vulnerable systems. This could be exploited by an attacker hosting a WMF (Windows MetaFile) image on a specially crafted website, and convincing users to visit it, or sending an email message containing the WMF image.
Microsoft has released three security bulletins (MS06-003, MS06-002 and MS06-001) announcing the availability of patches to resolve these three vulnerabilities, and users of affected systems are advised to install them.
The first Trojan in today’s report is Mitglieder.HE, which needs to be spread manually by an attacker, although it can also start an SMTP server and send a copy of itself by email.
Mitglieder.HE opens port 9031 on infected computers and acts as a proxy server. In addition, it awaits remote control commands, such as downloading and running files, starting an SMTP server, changing the access port or updating itself.
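The proxy listener described above is the kind of indicator a defender can check for on a host. The following added example (written for this page, not Panda's code) parses Windows `netstat -an` output, reports any listener on TCP port 9031, and flags other listeners that fall outside a baseline allowlist. The sample netstat output and the baseline port set are constructed for the example, and the parser assumes the Windows netstat column layout.

```python
"""Flag suspicious listening ports in Windows `netstat -an` output.

Added example: reports listeners that match a known indicator (TCP 9031,
the proxy port the report attributes to Mitglieder.HE) or that are not on
a baseline allowlist of ports the host is expected to expose.
"""
import re
from typing import Dict, List, Tuple

# Indicator taken from the report: Mitglieder.HE opens port 9031 as a proxy.
INDICATOR_PORTS: Dict[int, str] = {9031: "Mitglieder.HE proxy port"}

# Constructed baseline: ports this hypothetical host is expected to listen on.
BASELINE_PORTS = {135, 139, 445, 3389}

# Matches lines such as "  TCP    0.0.0.0:9031    0.0.0.0:0    LISTENING"
_LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def parse_listeners(netstat_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, address, port) for each TCP LISTENING socket and each UDP socket."""
    listeners = []
    for line in netstat_output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto = m.group("proto")
        if proto == "TCP" and m.group("state") != "LISTENING":
            continue  # established or closing connections are not listeners
        addr, _, port_str = m.group("local").rpartition(":")  # handles [::]:135 too
        if not port_str.isdigit():
            continue
        listeners.append((proto, addr, int(port_str)))
    return listeners


def find_suspicious(netstat_output: str) -> List[str]:
    """Describe listeners that match a known indicator or fall outside the baseline."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_output):
        if port in INDICATOR_PORTS:
            findings.append(f"{proto} {addr}:{port} matches indicator: {INDICATOR_PORTS[port]}")
        elif port not in BASELINE_PORTS:
            findings.append(f"{proto} {addr}:{port} is not in the baseline allowlist")
    return findings


# Constructed sample output; not captured from a real infected host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9031           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1052        198.51.100.7:25        ESTABLISHED
  UDP    0.0.0.0:4500           *:*
"""

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_NETSTAT):
        print(finding)
```

On a real host, pipe the output of `netstat -an` into `find_suspicious`; a hit on the indicator port is a reason to check the owning process (for example with `netstat -ano`), while baseline misses are only as meaningful as the allowlist maintained for that machine.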
The next Trojan in today’s report is Spymaster.A. Like the Trojan described above, it does not spread automatically and requires the intervention of an attacker. It is normally spread via email in a message with an attachment called SERVER.EXE.
Spymaster.A logs keystrokes entered by the user in order to obtain passwords and other confidential information, and monitors web pages visited. At the same time, it can see the programs running and the files created, modified or deleted by the user. The information it compiles is saved to a file which is sent to an FTP server. Spymaster.A also uses a special stealth system to pass itself off as MSN messenger, so that users are unaware of its presence.
We end today’s report with Mytob.ML, a worm that spreads via email in a message containing a link. Once it has infected a computer, it connects to an IRC server and awaits remote control commands. It also terminates processes belonging to other types of malware and to certain security programs, such as firewalls, and prevents access to certain web pages, mostly those of antivirus companies.