Weekly Report on Viruses and Intruders – Trj/Semsy.B, SpyHeal and Microsoft vulnerabilities

This week’s PandaLabs report looks at the Trj/Semsy.B Trojan, the potentially unwanted program SpyHeal, and the seven vulnerabilities announced by Microsoft -MS06-033, MS06-034, MS06-035, MS06-036, MS06-037, MS06-038 and MS06-039.

Trj/Semsy.B is a Trojan that uses MSN Messenger to send messages containing a link. When users click on the link they are unwittingly downloading a banker Trojan. It also installs a component to steal passwords from users of the Orkut community, which are then sent via email to the attacker.

SpyHeal is a potentially unwanted program (PUP) that checks the system in which it is installed for possible threats. If it finds any, it tells the user that there is malware on the computer and asks them to buy a certain program. However, the threats detected are fictitious. Similarly, it creates a Registry entry to ensure it is run whenever the operating system starts up. SpyHeal can be downloaded from the website of the company that develops it.

Microsoft has recently published a series of security bulletins affecting several of its products.

MS06-033 is an important vulnerability in Microsoft.NET Framework 2.0 which could allow an attacker to bypass ASP.Net security and gain unauthorized access to objects in the Application folder.

MS06-034 is an important vulnerability in several versions of IIS (Internet Information Services) which could allow an attacker to take control of the computer with the same permissions as the active user account. A specially crafted ASP file is needed to exploit the vulnerability.

MS06-035 is a set of critical vulnerabilities in Server Service in Windows 2003/XP/2000 that could allow arbitrary code to be run remotely on the computer, and give access to information about the Server Message Block (SMB). Use of a firewall can prevent these vulnerabilities from being exploited across the Internet.

MS06-036 is a critical vulnerability in the DHCP client service which can be exploited to run code with the same permissions as the active user. For an attack to be successful the attacker must send the affected host a specially crafted DHCP response communication from the same network subnet. Use of a firewall will prevent attacks of this type launched from the Internet.

MS06-037, MS06-038 and MS06-039 are sets of critical vulnerabilities discovered in several versions of Microsoft Office for Windows and Mac, which if exploited, could allow an attacker to run arbitrary code on the affected system. If the user has administrator rights, the vulnerability could allow an attacker to take complete control of the computer.

To prevent the possible effects of these vulnerabilities, users are advised to download the security patches they need and to install an anti-malware solution and keep it up-to-date.