

OF BUGS AND VIRUSES

A serious vulnerability in IE, two widespread viruses, and a website that latches on to your system figure in this month’s alert 
Pragya Madan

Sunday, June 17, 2001

Vulnerability in IE 5.01 and IE 5.5

A vulnerability in IE 5.01 and IE 5.5, arising from the way the browser handles MIME (Multipurpose Internet Mail Extensions) types, could let a malicious user run whatever code he wants on your machine. When you receive HTML e-mail, IE opens it and any attachments using the MIME type information carried in the MIME header. (A MIME type specifies what kind of attachment is coming with the e-mail, for example an image or text.) If it’s a video file, IE lets you view it using the appropriate application. For risky attachments like EXEs, IE instead prompts you to specify whether you want to open and execute the attachment. The problem is that IE handles certain unusual MIME types incorrectly. So, if the malicious user modifies the MIME header to one of these types and sends you an executable attachment with the e-mail, IE will open and execute it without prompting you. The same scenario can arise if you visit a website on which such an e-mail is posted and you’re prompted to open it. In both cases, the malicious user will be able to run any code on your machine and take any action that you have permission to take on it.

Fixing it: A patch is available at www.microsoft.com/windows/ie/download/critical/Q290108/default.asp. The patch will work with IE 5.01 SP 1 and IE 5.5 SP 1. There is already a fix for this problem in IE 5.01 SP 2. If you’re using an older version of IE, upgrade to one of these and then apply the patch.
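Because the MIME header is written by the sender, a mail gateway should not take the declared type on trust. The following is an added example, not code from the original article: a Python check that flags attachments whose header claims passive content while the file name or first bytes say executable. The article does not name the MIME types IE mishandles, so the check looks for any such mismatch; the sample message, its file names and the extension list are constructed for illustration.

```python
from email import message_from_string

# Extensions Windows runs directly (illustrative list, not exhaustive).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".vbs", ".com", ".bat")
# Top-level types a mail client hands to a viewer instead of prompting.
PASSIVE_TYPES = {"audio", "image", "video", "text"}

# Constructed message: two parts lie about their type, one is honest.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="holiday.exe"

TVqQAAMAAAAEAAAA
--b1
Content-Type: audio/mpeg
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="track.mp3"

TVqQAAMAAAAEAAAA
--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="logo.gif"

R0lGODlhAQABAAAAACw=
--b1--
"""

def mismatched_parts(raw):
    """Return (filename, declared type, reason) for parts that misdeclare executables."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if not name or part.get_content_maintype() not in PASSIVE_TYPES:
            continue
        body = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXECUTABLE_EXTS):
            findings.append((name, part.get_content_type(), "extension"))
        elif body.startswith(b"MZ"):  # DOS/PE executable signature
            findings.append((name, part.get_content_type(), "content"))
    return findings

if __name__ == "__main__":
    print(mismatched_parts(SAMPLE))
```

The second finding shows why checking the file name alone is not enough: the attachment is named like an audio file but begins with the executable signature.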

It’s best to bypass PassThisOn.com

If you’ve visited this site once, you’ll probably be forced to visit it again and again because code on this site forces PassThisOn.com on your browser.

The site features some ‘funny’ material, and some ‘sentimental’ stuff. However, once you reach this site, it’s very difficult to get out, especially if you’re using IE. When you try to close the site’s homepage, an embedded HTML tag in the current page opens another page that takes you to a dialog box saying ‘Do you like fun pages?’ If you click ‘Yes’, PassThisOn is supposed to become your homepage. However, when you start IE again, you’ll be redirected to an advertising site. (To rectify this, go to your preferred homepage and click on Tools>Internet Options>Use Current.) Clicking ‘No’ will bring up an advertising page, and when you close it, another dialog box will open, which claims that you can win something every time you connect to the Net. If you click ‘Yes’, you’ll be prompted to download and execute a file called win.vbs. This is something you should not do. Cancelling this is the safest option.

If you chose to download and execute win.vbs, the code will extract another VB script, reg.vbs, into the StartUp folder of Windows. So, every time you start up your computer after this, reg.vbs will write the PassThisOn.com URL to the registry key that handles the Start Page of IE, with the result that your browser will connect to this site whenever you open it. The solution is to delete reg.vbs from the StartUp menu and edit the registry. Details of how to do this are available at www.bugnet.com/alerts/ba0103233.html
     

VBS.VBSWG2.X@mm or VBS.Homepage

This worm spreads via e-mail, e-mailing itself to all the recipients in your Outlook address book. The e-mail message comes to you with the subject ‘Homepage’, the message says, ‘Hi! You’ve got to see this page! It’s really cool ;0)’, and the attachment is called ‘Homepage.HTML.vbs’. The worm executes in the background when you open the attachment. Before mass mailing itself, the worm searches your e-mail for messages with the subject Homepage and deletes all such messages if found. It mass mails itself only once. It then randomly selects one of four pornographic sites and opens it.

Removal: Update your anti-virus software and do a complete scan of your system. Also, don’t open any e-mail with the subject ‘Homepage’.

W32.Badtrans.13312@mm

This is a MAPI worm that comes via e-mail. The attachment of this e-mail could have one of the following names: Pics.ZIP.scr, images.pif, README.TXT.pif, New_Napster_Site.DOC.scr, news_doc.scr, hamster.ZIP.scr, YOU_are_FAT!.TXT.pif, searchURL.scr, SETUP.pif, Card.pif, Me_nude.AVI.pif, Sorry_about_yesterday.DOC.pif, s3msong.MP3.pif, docs.scr, Humor.TXT.pif, fun.pif. The worm executes when you open the attachment. It drops a Trojan, Hkk32.exe, in the \Windows folder and executes it. This trojan sends the IP address of your machine across the Internet to the author and is also capable of capturing information like credit card numbers and bank account numbers. The author can also use the IP address of your machine to capture information like usernames and passwords. The worm then copies itself to the Windows folder as inetd.exe, adds a run= line to win.ini, and displays a message box that states, ‘File data corrupt: probably due to bad data transmission or bad disk access’. The next time you start or reboot your PC, the worm waits for five minutes, and then finds all unread e-mail messages and replies to them, mailing a copy of itself as an attachment.

Removal: Update your anti-virus software and run a scan of all files. Delete any files that have the name of the worm. Also, some of the removal instructions for this worm are OS-specific. So visit the website of your anti-virus software’s vendor for more details. 
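Two traits described above lend themselves to simple checks: many of the attachment names hide a runnable extension behind a document or media one, and the worm persists through a run= line in win.ini. The following is an added example, not code from the original article. The regular expressions are illustrative, the win.ini sample is constructed, and it assumes the run= line names one of the dropped files the article mentions.

```python
import configparser
import re

# A decoy document/media extension followed by a Windows-runnable one.
DOUBLE_EXT = re.compile(r"\.(txt|doc|zip|avi|mp3|html?)\.(scr|pif|vbs)$", re.I)
RUNNABLE = re.compile(r"\.(scr|pif|vbs)$", re.I)
# File names the article says Badtrans drops into the Windows folder.
DROPPED = {"hkk32.exe", "inetd.exe"}

# Constructed win.ini; assumes the worm's run= line names one of DROPPED.
SAMPLE_WIN_INI = r"""
[windows]
load=
run=C:\WINDOWS\inetd.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

def classify_attachment(filename):
    """Return 'double-extension', 'runnable' or None for an attachment name."""
    if DOUBLE_EXT.search(filename):
        return "double-extension"
    return "runnable" if RUNNABLE.search(filename) else None

def suspicious_autoruns(win_ini_text):
    """Return (key, entry) for run=/load= entries in [windows] naming a dropped file."""
    ini = configparser.ConfigParser(strict=False, interpolation=None)
    ini.read_string(win_ini_text)
    hits = []
    for key in ("run", "load"):
        # Entries are split on whitespace, so paths containing spaces are not handled.
        for entry in ini.get("windows", key, fallback="").split():
            if entry.rsplit("\\", 1)[-1].lower() in DROPPED:
                hits.append((key, entry))
    return hits

if __name__ == "__main__":
    for name in ("README.TXT.pif", "Homepage.HTML.vbs", "images.pif", "notes.txt"):
        print(name, "->", classify_attachment(name))
    print(suspicious_autoruns(SAMPLE_WIN_INI))
```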

Compiled by Pragya Madan




