3/30: Anicmoo-C Trojan Arrives in Package

Troj_Anicmoo.C is a Trojan that may arrive as part of a malware package. It may also be downloaded from the Internet.
Once a certain Windows Animated Cursor file (.ANI) is opened using Windows Explorer, the Trojan downloads additional malware from the following site: http://70. The Trojan drops this file in the Windows system folder as M00.EXE and executes it. Trend Micro detects the file as WORM_WOOTBOT.HO.
This Trojan is a downloader that exploits USER32.DLL's ANI File Parsing Crash vulnerability. USER32.DLL is a normal Windows file.
For more information about this Windows vulnerability, please refer to the following Microsoft Web page:
Microsoft Security Bulletin MS05-002
A remote code execution vulnerability exists in the way animated cursor and icon formats are handled. A malicious user could try to exploit the vulnerability by constructing a cursor or icon file that could potentially allow remote code execution when a user visits a malicious Web site.
A malicious user who successfully exploits this vulnerability could take complete control of an affected system.
Technical details can be found on the Trend Micro page.