
ANI exploit / SDBot

Date: 03.30.2005

Threat Type: Malicious Website / Code Alert

Websense® Security Labs™ has received several reports of a spam email message that attempts to exploit a Microsoft Windows vulnerability in the handling of icon and cursor files. This vulnerability allows remote execution of code.

See http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx for more information on this vulnerability, a list of affected operating systems, and links to updates that will fix this vulnerability.

The spam email directs the user to a malicious website, which hosts the code and triggers the download of a file called hi.exe. This file attempts to exploit the vulnerability. Once the code executes, the machine downloads a version of the SDbot (a.k.a. Wootbot) backdoor/Trojan horse, which allows unauthorized use of and access to the machine.
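As an added example, not part of the Websense alert: a small Python checker for the animated-cursor (ANI) file format that the vulnerability above concerns. It walks the RIFF chunks of a file and flags an `anih` header chunk whose declared length is not the 36 bytes of the fixed header structure the Windows loader copies it into, which is the malformed condition MS05-002 addresses, and also reports chunks that claim more bytes than their parent holds. The sample files are constructed inline and are not the files from the alert.

```python
import struct

ANIH_LEN = 36  # size in bytes of the fixed ANIHEADER structure an anih chunk should carry

def iter_chunks(data, start, end):
    """Yield (fourcc, payload_offset, declared_size) for each RIFF chunk in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield fourcc, pos + 8, size
        pos = pos + 8 + size + (size & 1)  # chunk bodies are padded to an even length

def scan_ani(data):
    """Return a list of findings for a RIFF/ACON file; an empty list means nothing suspicious."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings = []
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 > len(data):
        findings.append(f"RIFF size {riff_size} exceeds file length {len(data)}")
    end = min(len(data), riff_size + 8)
    anih_count = 0
    pending = [(12, end)]  # (start, end) ranges still to walk; LIST bodies are pushed here
    while pending:
        lo, hi = pending.pop()
        for fourcc, off, size in iter_chunks(data, lo, hi):
            if off + size > hi:
                findings.append(f"chunk {fourcc!r} at {off - 8} claims {size} bytes past its parent")
                break
            if fourcc == b"anih":
                anih_count += 1
                if size != ANIH_LEN:  # the loader copies this chunk into a fixed-size header
                    findings.append(f"anih chunk #{anih_count} at {off - 8} has length {size}, expected {ANIH_LEN}")
            elif fourcc == b"LIST" and size >= 4:
                pending.append((off + 4, off + size))  # skip the 4-byte list type, walk sub-chunks
    return findings

def chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")

def riff_acon(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples (not files from the alert): a well-formed cursor and one whose anih length field lies.
BENIGN = riff_acon([chunk(b"anih", bytes(36)), chunk(b"LIST", b"fram" + chunk(b"icon", bytes(10)))])
MALFORMED = riff_acon([chunk(b"anih", bytes(100))])
```

Running `scan_ani` over files pulled from a mail or web gateway gives a cheap triage signal for this vulnerability class; it does not replace applying the MS05-002 update.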

The sites that are part of the original attack are hosted in Amsterdam. The site to which the users are redirected is hosted in the US. This site downloads the backdoor code. All sites were up and running at the time of this alert.