3/30: Anicmoo-C Trojan Arrives in Package

March 30, 2005

Troj_Anicmoo.C is a Trojan that may arrive as a part of a malware package. It may also be downloaded from the Internet.

Once a certain Windows Animated Cursor file (.ANI) is opened in Windows Explorer, the Trojan downloads another piece of malware from the following site: http://70..74/hi.exe

The Trojan drops and executes this file in the Windows system folder as M00.EXE. This file is detected by Trend Micro as WORM_WOOTBOT.HO.

This Trojan is a downloader that exploits the ANI file parsing crash vulnerability in USER32.DLL. USER32.DLL itself is a legitimate Windows system file.

For more information about this Windows vulnerability, please refer to the following Microsoft Web page:

Microsoft Security Bulletin MS05-002

A remote code execution vulnerability exists in the way animated cursor and icon formats are handled. A malicious user could try to exploit the vulnerability by constructing a cursor or icon file that could potentially allow remote code execution when a user visits a malicious Web site.

A malicious user who successfully exploits this vulnerability could take complete control of an affected system.
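As an added defensive illustration (not code from the original article or from Trend Micro), the following Python walks the RIFF chunk structure of an .ANI file and flags length fields that disagree with the file size or with the 36-byte ANIHEADER, the kind of structural sanity check a mail gateway or file scanner can apply before an animated cursor is ever handed to USER32.DLL. The sample file is constructed inline; `build_ani` and its single-chunk layout are an assumption for the demonstration.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORDs


def parse_ani(data: bytes) -> dict:
    """Walk the RIFF chunks of an .ANI file and collect structural anomalies:
    bad RIFF/ACON signature, a chunk length running past end of file, or an
    'anih' chunk whose declared length is not the 36-byte ANIHEADER."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return {"valid": False, "chunks": [], "findings": ["not a RIFF/ACON file"]}
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 != len(data):
        findings.append(f"RIFF length {riff_len} disagrees with file size {len(data)}")
    pos, chunks = 12, []
    while pos + 8 <= len(data):
        tag = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body_start = pos + 8
        if body_start + size > len(data):
            findings.append(f"chunk {tag!r} claims {size} bytes but only "
                            f"{len(data) - body_start} remain")
            break
        if tag == b"anih" and size != ANIH_SIZE:
            findings.append(f"anih chunk is {size} bytes, expected {ANIH_SIZE}")
        chunks.append((tag.decode("ascii", "replace"), size))
        pos = body_start + size + (size & 1)  # RIFF pads odd-sized chunks to even
    return {"valid": not findings, "chunks": chunks, "findings": findings}


def build_ani(anih_size: int = ANIH_SIZE) -> bytes:
    """Constructed minimal .ANI (assumption: a lone anih chunk, no frames) whose
    anih length can be shrunk or inflated to exercise the checks above."""
    anih = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 1, 1)
    if anih_size <= ANIH_SIZE:
        anih = anih[:anih_size]
    else:
        anih = anih + b"A" * (anih_size - ANIH_SIZE)
    pad = b"\0" if len(anih) & 1 else b""
    body = b"ACON" + b"anih" + struct.pack("<I", len(anih)) + anih + pad
    return b"RIFF" + struct.pack("<I", len(body)) + body
```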

Technical details can be found on the Trend Micro page.
