Although the fix for these vulnerabilities has been released on 14th Nov. 2007, attackers still exploit these flaws to spread malware without the users consent.
After execution, with Trojan starts a new process with the same name as its filename.
It inject an executable into the process’ memory and then it drops it into a
system file called netmon.exe. It creates registry keys to ensure that the
dropped executable file is started on each boot.
injected netmon.exe drops a driver into %system%driverssysdrv32.sys and
registers it as a service.
In order to
spread it creates copies of itself on every detected removable drive and uses
an autorun.inf file to execute them.
itself, it is hidden from user mode.
Storm Player is a popular Chinese media player. It comes bundled with an
ActiveX Control used for media playback on websites. However certain versions
of it are prone to multiple buffer overflow vulnerabilities which allow
attackers to execute arbitrary code on the affected system.
“advancedOpen()”, “isDVDPath()” and “rawParse()” and
the properties “backImage”, “titleImage” and
“URL” which reside inside “sparser.dll” and “mps.dll”
fail to validate user supplied input and allow the attacker to gain control
over the system within the security context of the running process. Vulnerable
versions are all below 2.08.
only the method “rawParse()” has been seen in the wild, exploiting the above
mentioned vulnerabilities. Specially crafted websites make use of this method
to spread other malware. The exploit is downloading executable files from URLs
like http://[removed]de.com/bf.css and http://[removed]p.cn:6135/qwer/bf.css,
saves them inside the system32 folder under the name “a.exe” and executes them
with the priviledges of the browser.
recommends immediate upgrade to the latest version of the player, since that
has fixed these vulnerabilities.
in this article is available courtesy of BitDefender virus researchers: Marius
Barat and Balazs Biro