[Dshield] An unfixed highly critical vulnerability discovered in Microsoft Internet Explorer

Johannes B. Ullrich jullrich at sans.org
Thu Apr 8 19:09:25 GMT 2004


> Q #1: Is it possible to create a Trojan web site that would contain
> a link that could infect a system in a manner similar to an email?

If it's a web page, it doesn't need a link (I think).

> Q #2: If the AV sigs are up to date, will that stop the worm, or as
> Johannes' email says "Just clicking on the URL sent by the worm will 
> get you infected. NO POPUPS! NO WARNINGS!" (Does that mean you will
> get infected even if you have the latest AV sigs?)

I don't think there are 'generic' AV sigs. So you would rely on 
the virus arriving after the AV sigs got updated. Given the
recent track record of Bugbear and such, it is likely that
your users will see the virus before they see the new signature.

So far, only Bugbear.C is using this exploit. There are signatures
for Bugbear.C.

However, I expect numerous variations to show up shortly. The exploit
is rather simple and easy to copy. 

It may be possible to come up with a generic rule that will trigger on
the exploit. But so far, I haven't seen one.



-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm