A leak of the Windows 2000 Service Pack 1 source code last February quickly led to the discovery of an integer overflow exploit involving BMP files; the exploit was published on the Internet in mid-February 2004. TROJ_BMPAGENT is the first known live exploit resulting from that disclosure.
Though the source code leak involved Windows 2000 SP1, the exploit impacts all Windows users who have either Internet Explorer v5 or v5.5 installed. Those versions of Internet Explorer simply need to be installed; they do not need to be the user's default browser in order to be exploited. Though the integer overflow condition remains unpatched in versions 5 and 5.5 of Internet Explorer, versions 6 and higher are not impacted.
The Agent Trojan, a.k.a. TROJ_BMPAGENT, specifically impacts users of the Russian-language version of Windows running either Internet Explorer 5 or 5.5.
The exploit involves a specially crafted BMP file that can allow code to run with the privileges of the impacted user. In the case of TROJ_BMPAGENT, a.k.a. the Agent trojan, the user receives an email carrying the specially crafted BMP image file. On systems with IE 5 or IE 5.5 installed, viewing the BMP drops the file sys.exe to the root of drive C:\ and executes it. Sys.exe then downloads and executes the Throd trojan from a domain in Libya. The Throd trojan installs itself to the system using a filename built from one item taken from each of the following three groups:
- prefix: ms, svc or win
- number: 16, 32 or 64
- suffix: mes, prn or reg
For example, the filename might be ms64prn.exe.
Throd modifies the system registry so that it launches whenever Windows is started, adding a value under:
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
using one of the following names and pointing to the file described above:
- MS Driver Management
- Synchronization Messager
- System Directory Service
- System Service Control
- Windows Messaging System
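As an added defensive example (not part of the original write-up), the following Python enumerates the 27 filenames the three groups above can produce and checks an export of the Run key for the listed value names or for targets matching that pattern. The registry export is constructed sample data, and the helper names are the example's own.

```python
from itertools import product

# Filename components Throd picks from, one per group, as listed in the write-up.
GROUP1 = ("ms", "svc", "win")
GROUP2 = ("16", "32", "64")
GROUP3 = ("mes", "prn", "reg")

# Run-key value names the write-up associates with Throd (lower-cased for matching).
RUN_VALUE_NAMES = {
    "ms driver management",
    "synchronization messager",
    "system directory service",
    "system service control",
    "windows messaging system",
}

# All 27 filenames the three groups can produce, e.g. ms64prn.exe.
THROD_FILENAMES = {"".join(parts) + ".exe" for parts in product(GROUP1, GROUP2, GROUP3)}


def basename(command):
    """Return the last path component of a Windows command string, lower-cased.

    Surrounding quotes are stripped; the command is assumed to carry no arguments.
    """
    path = command.strip().strip('"').replace("/", "\\")
    return path.rsplit("\\", 1)[-1].lower()


def scan_run_values(run_values):
    """Flag Run-key entries whose value name or target matches Throd's artefacts.

    run_values: dict mapping value name -> command string, as exported from the key.
    Returns a list of (value name, reason) tuples; an empty list means no match.
    """
    findings = []
    for name, command in run_values.items():
        reasons = []
        if name.lower() in RUN_VALUE_NAMES:
            reasons.append("known Throd value name")
        if basename(command) in THROD_FILENAMES:
            reasons.append("target filename matches group pattern")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


# Constructed sample export of the Run key (hypothetical data, not from a real host).
SAMPLE_RUN_VALUES = {
    "MS Driver Management": r"C:\WINNT\System32\ms64prn.exe",
    "Updater": r'"C:\WINNT\win32reg.exe"',
    "SoundMan": r"C:\WINNT\SOUNDMAN.EXE",
    "System Directory Service": r"C:\Program Files\Common Files\svchost.exe",
}

if __name__ == "__main__":
    for value_name, reason in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"{value_name}: {reason}")
```

Matching on either indicator alone is deliberate, since a renamed value or a relocated target should still surface for review.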
Throd sends certain identifying information to the trojan author and also sends collected email addresses to the same remote locations. Throd is also capable of downloading and executing other, presumably malicious, files, and it works as a proxy server as well.
TROJ_BMPAGENT is not the first malicious exploit involving image files. In June 2002, the Perrun virus was discovered exploiting JPG image files. However, that virus required a helper application (an EXE file) in order to infect the JPG files, so the actual threat came not from the JPG files but from the EXE used to exploit them. Though the Perrun virus received much publicity at the time, it was neither noteworthy nor novel. Conversely, TROJ_BMPAGENT (a.k.a. Agent Trojan) is noteworthy because the executable content comes directly from the BMP file, i.e. the threat is self-contained in the BMP file and does not require a helper application in order to execute its malware. Unless, of course, one wishes to consider IE 5 or 5.5 an unwitting 'helper' application.