A Look at New GDI+ Exploit Threats
Minor Trojans, Not Major Mass-Mailers, Appear
In addition to the Moo Trojan that I recently reported on, we now have four new threats based on the recent MS04-028 vulnerability.
Roxe
Roxe is a simple backdoor that also abuses the MS04-028 vulnerability. Note that it does not spread itself, and the vulnerability has only been used to drop it. When executed, Roxe connects to a predefined computer and gives it control of the target system. Roxe may also download various files onto the machine, perhaps more advanced backdoors.
Ducky
Ducky is a Trojan horse that downloads the file y.exe from maybeyes.biz, a domain registered to what is likely a fake P.O. Box in New York City (based on the misspelled last name and email address in the registration). Other indicators suggest that Ducky actually originates from France.
Ducky.B
Ducky.B is identical to the original Ducky, except y.exe is downloaded from a Russian web server.
Unnamed AIM Worm
This is the most interesting new GDI+ exploit threat. I am going to devote an entire post to this worm, which should be published shortly.