How the Grinch Stole Keystrokes
Shane Coursen, 2001-12-23

The virus known as BadTrans.B left nothing but trouble under the tree.

How the Grinch Stole Keystrokes 2001-12-26
Rafael Coninck Teigao - SafeCore Network Solutions
How the Grinch Stole Keystrokes 2001-12-29
Anonymous (2 replies)
How the Grinch Stole Keystrokes 2001-12-31
Anonymous
How the Grinch Stole Keystrokes 2002-01-01
KrAzYd0h@yahoo.com
How the Grinch Stole Keystrokes 2001-12-30
Anonymous (1 replies)
PITA! 2002-01-04
BLKMGK (2 replies)
I do security work for a living and know better than to run without a virus checker but... An "upgrade" to WIN2K left me without a scanner for a short period of time. During that time some dork sent a message to my HotMail account that contained this bug. Normally I find viruses somewhat entertaining and have saved a few but this was the first one in the wild that I'd ever gotten that autoexecuted when a message was simply viewed. Just looking at this message in Outlook caused it to download and run. Thankfully I noticed the quick download box but not quick enough to cancel it. I immediately shut my firewall down tight and examined the headers on the message and its source.

No title, no text, zero byte attachment but it consumed 40K worth of space - hrm! Mime type listed as audio, attachment listed as Readme.MP3.SCR. SCRs are pretty much just executables and I've seen bugs using this before - I knew I'd been had. A search found the two files listed above with brand new creation dates and a HEX edit of the Keyboard one made me suspicious that it was a logger. A quick Google search and I found out about BadTrans - grr! Cleaning it was no biggie, been there done that for other bugs but it was frustrating knowing code I didn't want was running. Damn thing kept updating my RunOnce key in the Registry and I had to drop to a command shell boot to finally kill it completely. Yeah, I snagged a virus scanner too but the horse had already trotted out :-(

Interestingly enough when I checked the MSFT update site and tried to DL an update for IE that was supposed to fix this it claimed I didn't need it! Days later I found an update that actually worked - thanks Microsoft (not). Since this was a new OS load I hadn't quite worked my way through all of the updates, what a PITA!

Since I got this bug it's been sent to me about 5 other times. The patch catches it and asks for permission to DL now (duh) and my virus scanner also goes nuts even though I've supposedly not actually downloaded the file yet (hrm!). Had I not been expecting some oddball mail I'd probably never have opened this thing through Outlook but in the end I learned a few things and I'm sure no data was lost - this time. I got the adage about always being patched up and running a virus scanner driven home too - just like I bitch at my clients about the same thing. Guess that was justice though (lol).

Anyway, had I not been paying attention I'd never have noticed this thing - it's pretty sneaky. The programmer could also have been MUCH more nasty about it and simply sent out some E-mail then formatted people's drives. This could've been worse and next time it just might be. The bug this thing exploited is silly too - someone at Microsoft should be shot for not checking full extensions of files before autoexecuting those it feels are "safe". When will they ever actually consider security a feature? I make my living off of these bozos but they still manage to surprise me once in awhile...


Link to this comment: http://www.securityfocus.com/comments/columns/49/9666#9666
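A mail-gateway style check for the attachment shape this comment describes (a double extension ending in .SCR, declared with an audio MIME type so the client treats it as "safe"), as an added example that is not part of the original post or of SecurityFocus. The sample message, its audio/x-wav subtype, the example.invalid addresses, the stub base64 body and the extension list are constructed assumptions, not captured BadTrans data.

```python
import email
from email import policy

# Extensions Windows runs as programs; a .SCR screen saver is an ordinary PE binary.
# This list is an assumption for the example, not an exhaustive policy.
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "vbs", "js"}
# Declared major media types that should never carry a Windows executable.
BENIGN_MAJOR_TYPES = {"audio", "image", "text", "video"}

# Constructed sample reproducing the shape described in the comment: no subject,
# empty HTML body, attachment named Readme.MP3.SCR with an audio Content-Type.
# The audio/x-wav subtype and the base64 stub ("Stub bytes") are made up.
SAMPLE_MESSAGE = """\
From: someone@example.invalid
To: victim@example.invalid
Subject:
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset=us-ascii

<html><body></body></html>
--B1
Content-Type: audio/x-wav; name="Readme.MP3.SCR"
Content-Transfer-Encoding: base64
Content-ID: <part1>

U3R1YiBieXRlcw==
--B1--
"""


def suspicious_attachments(raw: str) -> list[dict]:
    """Return one finding per MIME part whose filename ends in an executable
    extension, recording whether the name is double-extended and whether the
    declared Content-Type claims a benign media type (audio, image, ...)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() falls back to the Content-Type "name" parameter,
        # which is where this sample (and the comment's message) carries it.
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]
        if not exts or exts[-1] not in EXECUTABLE_EXTS:
            continue
        findings.append({
            "filename": name,
            "final_ext": exts[-1],
            "double_extension": len(exts) >= 2,
            "declared_type": part.get_content_type(),
            "type_mismatch": part.get_content_maintype() in BENIGN_MAJOR_TYPES,
        })
    return findings
```

Running `suspicious_attachments(SAMPLE_MESSAGE)` yields a single finding for Readme.MP3.SCR flagged as both double-extended and type-mismatched; a gateway would quarantine on either signal rather than trusting the declared media type.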
PITA! 2002-01-08
Anonymous
PITA! 2002-01-08
Anonymous
Copyright 2009, SecurityFocus