WineVar Redefines Executables
Simple technique may have far-reaching implications

It may seem like a no-brainer, but it's never been done before. The WineVar worm uses an old vulnerability in Microsoft's ActiveX to automatically register an unrecognized extension as an executable. The extension, .CEO, means nothing to antivirus and filtering products, so the file bypasses this protection and runs as an executable on the target system. While antivirus vendor Symantec recommends that users add .CEO to their filtering lists, doing so will not protect against other threats that use this technique. The next one could just as easily add or change anything from .AAA to .ZZZ to an executable file type, bypassing standard filtering and antivirus products and launching independently on the system.

For example, suppose you took the Windows calculator executable (calc.exe) and renamed it to calc.ceo (or any other non-registered extension). Afterwards, if you try to launch it, the file will not run because Windows does not recognize the extension. Additionally, a great number of scanners and filtering products will ignore it because it is not a known executable. However, if you make a few simple registry edits, adding the chosen extension to HKEY_CLASSES_ROOT and specifying it as an executable, it will not only run, but it will continue to be ignored by these scanning and filtering products. The implication, of course, is that this technique can be used to bypass protective products and launch malicious programs on users' systems.
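As an added example (not code from the article), the following read-only PowerShell audit lists every extension key under HKEY_CLASSES_ROOT that is mapped to one of Windows's built-in executable ProgIDs, or whose open handler simply runs the file itself, and reports any that are not among the extensions expected to behave that way. The lists of executable ProgIDs and expected extensions are assumptions used for the check.

```powershell
# Audit HKEY_CLASSES_ROOT for extensions registered as executable types,
# the registration trick described above. Added example, read-only.

# ProgIDs Windows itself uses for directly runnable file types (assumed list).
$ExecutableProgIds  = @('exefile', 'comfile', 'batfile', 'cmdfile', 'piffile', 'scrfile')
# Extensions normally expected to map to those ProgIDs (assumed list).
$ExpectedExtensions = @('.exe', '.com', '.bat', '.cmd', '.pif', '.scr')

function Get-HandlerCommand {
    param([string]$ProgId)
    # Default value of <ProgID>\shell\open\command, or $null if absent.
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (Test-Path -LiteralPath $key) {
        return (Get-ItemProperty -LiteralPath $key).'(default)'
    }
    return $null
}

function Find-SuspiciousExtensions {
    $findings = @()
    # Every key directly under HKCR whose name starts with '.' is an extension.
    $extKeys = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
               Where-Object { $_.PSChildName -like '.*' }
    foreach ($ext in $extKeys) {
        $progId = (Get-ItemProperty -LiteralPath $ext.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }
        $cmd = Get-HandlerCommand -ProgId $progId
        $mapsToExecutable = $ExecutableProgIds -contains $progId
        # A handler of "%1" %* means "run the file itself", whatever the ProgID is called.
        $runsFileDirectly = $cmd -and (($cmd -replace '\s', '') -eq '"%1"%*')
        $expected = $ExpectedExtensions -contains $ext.PSChildName.ToLower()
        if (($mapsToExecutable -or $runsFileDirectly) -and -not $expected) {
            $findings += [pscustomobject]@{
                Extension = $ext.PSChildName
                ProgId    = $progId
                Command   = $cmd
            }
        }
    }
    return $findings
}

Find-SuspiciousExtensions | Format-Table -AutoSize
```

An empty table means no extension outside the expected set is wired to an executable handler; a row such as `.ceo  exefile  "%1" %*` is the pattern this article describes.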

Fortunately, the WineVar worm failed in its initial attempt due to a bug in the worm's code causing it to delete all files on the system rather than specific folder files. Doing so leaves the worm with no means to spread further, and thus it dies along with the operating system. WineVar was first detected on November 22nd, 2002 and is believed to have originated in South Korea. According to antivirus vendor F-Secure, the WineVar worm arrives in an email with the following characteristics:

Subject: Re: AVAR(Association of Anti-Virus Asia Reseachers)

AVAR(Association of Anti-Virus Asia Reseachers) - Report.
Invariably, Anti-Virus Program is very foolish.

The email arrives with three attached files: WINxxx.TXT (12.6 KB) MUSIC_1.HTM; WINxxx.GIF (120 bytes) MUSIC_2.CEO; and WINxxx.PIF (where xxx represents random hex digits). The email was designed to exploit two vulnerabilities in Microsoft products. The first, the 'Microsoft VM ActiveX Component' vulnerability, allows the registry modification to take place, and the second, the 'Incorrect MIME Header Can Cause IE to Execute E-mail Attachment' vulnerability, allows the newly registered attachment to run automatically when the email is previewed or read.

The ActiveX vulnerability that makes all of this possible was first reported by Georgi Guninski in October 2000. Protecting against the exploit requires ensuring that no active content can run from within an email. To accomplish this, you can either follow the steps outlined in the Email Help Center, use a product such as MailDefense, or upgrade to Outlook Express v6.0 with Service Pack 1.


©2009 About.com, a part of The New York Times Company.

All rights reserved.