Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

MS05-002: Trojan.Anicmoo.B

This new threat is not widespread, but it represents a new attack method that relies on a vulnerability Microsoft patched in January 2005 (MS05-002). It illustrates the importance of installing security patches as soon as they are available.

http://www.symantec.com/avcenter/venc/data/trojan.anicmoo.b.html

Trojan.Anicmoo.B is a downloader Trojan that exploits the Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability (as described in the Microsoft Security Bulletin MS05-002). The Trojan exists as a malformed animated cursor (.ani). The Trojan downloads a copy of SecurityRisk.Downldr.

Once a malformed .ani file is viewed using Windows Explorer or Internet Explorer, Trojan.Anicmoo.B performs the following actions:

1. Downloads a file from a hostile domain.
2. Saves the downloaded file.
3. Terminates its running process.
4. SecurityRisk.Downldr downloads the file update.txt.
5. This file contains commands from a remote attacker to perform actions on the compromised computer.
6. Currently update.txt contains commands to download a Browser Helper Object file and register it as a service. The .dll is currently harmless, but it attempts to connect to the sweetbar.com domain without being detected on the compromised computer.
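As an added example (not code from the Symantec write-up or from this blog), here is a small defender-side check in Python that walks the RIFF chunks of an .ani file and flags an "anih" header chunk whose declared length differs from the 36-byte ANIHEADER structure. It assumes, as the bulletin's "ANI File Header Handling" wording suggests, that an oversized header chunk is the malformed condition worth flagging; the `build_ani` helper only produces constructed test data, not real cursors.

```python
import struct

# sizeof(ANIHEADER): nine DWORD fields (cbSize, cFrames, cSteps, cx, cy,
# cBitCount, cPlanes, JifRate, flags) = 36 bytes.
ANIH_EXPECTED_SIZE = 36


def scan_ani(data: bytes) -> list[str]:
    """Walk the RIFF/ACON chunk list and return a list of findings (empty = clean)."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    pos = 12
    while pos + 8 <= len(data):
        name = data[pos:pos + 4].decode("ascii", "replace")
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body_start = pos + 8
        if body_start + size > len(data):
            findings.append(f"chunk {name} declares {size} bytes but file ends early")
            break
        if name == "anih" and size != ANIH_EXPECTED_SIZE:
            # Heuristic (assumption): the header handler expects a fixed-size
            # structure, so any other declared length is suspect.
            findings.append(f"anih chunk size {size} != {ANIH_EXPECTED_SIZE}")
        if name == "LIST":
            # Descend into the list: skip its 4-byte type tag and keep walking,
            # since its sub-chunks are laid out sequentially in the body.
            pos = body_start + 4
            continue
        pos = body_start + size + (size & 1)  # chunks are word-aligned
    return findings


def build_ani(anih_size: int) -> bytes:
    """Constructed test data: a minimal RIFF/ACON file whose anih chunk
    declares `anih_size` bytes (zero-padded). Not a working cursor."""
    header = struct.pack("<9I", ANIH_EXPECTED_SIZE, 1, 1, 0, 0, 0, 0, 1, 1)
    body = header.ljust(anih_size, b"\0")[:anih_size]
    chunk = b"anih" + struct.pack("<I", anih_size) + body
    if anih_size & 1:
        chunk += b"\0"
    payload = b"ACON" + chunk
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


if __name__ == "__main__":
    for label, sample in (("well-formed", build_ani(36)), ("oversized", build_ani(256))):
        print(label, scan_ani(sample) or "clean")
```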