This new risk is not widespread, but it represents a new method of attack based on a security exposure Microsoft patched in January 2005. It illustrates the importance of installing security patches as soon as they are available.
Trojan.Anicmoo.B is a downloader Trojan that exploits the Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability (as described in the Microsoft Security Bulletin MS05-002). The Trojan exists as a malformed animated cursor (.ani). The Trojan downloads a copy of SecurityRisk.Downldr.
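The vulnerability above is triggered by the header of an animated cursor file, so a simple structural check on incoming .ani files is a useful defensive filter. The following is an added example, not code from the advisory or from any vendor: it walks the RIFF chunks of an ANI file and flags any `anih` header chunk whose declared length is not the 36 bytes of the documented ANIHEADER structure (nine 32-bit fields). The 36-byte size comes from the ANI file format, not from this page; the two sample files are constructed inline, and the exact layout of the Trojan's own .ani file is not described here, so the check only reports the header anomaly that MS05-002 addresses.

```python
import struct

# sizeof(ANIHEADER): cbSizeof, cFrames, cSteps, cx, cy, cBitCount,
# cPlanes, JifRate, flags -- nine little-endian DWORDs (format fact, not from the page)
ANIH_EXPECTED_SIZE = 36


def _walk_chunks(data, offset, end, findings):
    """Walk RIFF chunks in data[offset:end], descending into LIST chunks."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        body = offset + 8
        name = fourcc.decode("ascii", "replace")
        if body + size > len(data):
            findings.append(f"{name} chunk runs past end of file")
            return
        if fourcc == b"anih" and size != ANIH_EXPECTED_SIZE:
            findings.append(
                f"anih chunk declares {size} bytes, expected {ANIH_EXPECTED_SIZE}"
            )
        if fourcc == b"LIST" and size >= 4:
            # LIST body starts with a 4-byte list type, then nested chunks
            _walk_chunks(data, body + 4, body + size, findings)
        # chunk bodies are padded to an even length
        offset = body + size + (size & 1)


def check_ani(data):
    """Return a list of findings; an empty list means no structural anomaly."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        findings.append("not a RIFF/ACON animated cursor")
        return findings
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)
    _walk_chunks(data, 12, end, findings)
    return findings


def build_ani(anih_payload):
    """Constructed sample: a RIFF/ACON file holding a single anih chunk."""
    pad = b"\0" if len(anih_payload) & 1 else b""
    chunk = b"anih" + struct.pack("<I", len(anih_payload)) + anih_payload + pad
    body = b"ACON" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed inputs: a well-formed header and one whose anih chunk is oversized
GOOD_ANI = build_ani(struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 0, 0))
OVERSIZED_ANIH_SAMPLE = build_ani(b"\0" * 64)

if __name__ == "__main__":
    for label, sample in (("good", GOOD_ANI), ("oversized", OVERSIZED_ANIH_SAMPLE)):
        print(label, check_ani(sample) or "ok")
```

A mail gateway or web proxy can apply `check_ani` to any attachment or download whose magic bytes are `RIFF`/`ACON`, regardless of its extension, since the vulnerable code path is reached when the file is rendered, not by its name.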
Once a malformed .ani file is viewed using Windows Explorer or Internet Explorer, Trojan.Anicmoo.B performs the following actions:
1. Downloads a file from a hostile domain.
2. Saves the downloaded file.
3. Terminates its running process.
4. SecurityRisk.Downldr downloads the file update.txt.
5. This file contains commands from a remote attacker to perform actions on the compromised computer.
6. Currently update.txt contains commands to download a Browser Helper Object file and register it as a service. The .dll is currently harmless, but it attempts to connect to the sweetbar.com domain without being detected on the compromised computer.