MSRC blog on the current 0-day .ani vulnerability

  • Thread starter Thread starter Bill Sanderson MVP
  • Start date Start date
That could be it Stu... I'm at 11.1.2007 on WinPatrol which was the only
thing available before 3/28 when he released 11.2.2007.

Still it's curious why WD didn't alert you... do you have HOSTS excluded
because, at one time I did that due to alerts from both WD and SpySweeper
everytime I updated the MVPS hosts file, then thought better of it and just
turned that shield off in SS but WD alerts me faithfully at every MVPS
HOSTS announcement & update, which of course I permit (thanks Randy.)


--

Regards, Dave

Thanks for the input Dave. I use Hostsman also and just reinstalled
Winpatrol
. Reran an edit of my hosts file this time (adding and deleting) an entry
which Winpatrol detected on both occasions but WD did not (all options
selected). Tried deleting and restoring Hosts - neither detected. Now I`m
totally confused and concerned. Interestingly if you reject the change in
Winpatrol, the hosts file count does not revert to the original count. eg
right now I show 16972 MVPS entries. If I delete one entry it shows 16971
BUT
Winpatrol pops up and asks me if I accept the change. In this case I
reject
but Hostsman still shows 16971 entries. One would have thought it would
revert back to 16972. Oh well, it is in Beta so maybe thats the answer.

Stu

Dave M said:
....Yes, that would be ominous. My addition to HOSTS using HostsMan was
immediately spotted by Defender and I permitted it. Assuming you have
RTP
activated on all items and with both not yet classified software
(HostsMan)
and permitted to run software checked allowing you to be notified. I
also
received a duplicate notification about 30 seconds later from WinPatrol.

--

Regards, Dave

I was wondering the exact same thing myself. I`m sure my test would not
be so
thorough as yours Bill but I have just tried editing my hosts file as
follows:

1. Adding an entry
2. Deleting an entry
3. Deleting the Hosts File to the recycle bin and restoring again.

WD remained ominously silent throughout.

Stu

Stu

:

Presumably, Windows Defender would say something about that
ShellExecuteHooks registration--and possibly the Hosts file change as
well.

I doubt that I'm going to be in a position to test this even though
you've
laid it out pretty clearly--but thanks, anyway!

--



[...]
I read somewhere else (and can't find it now) of a variation that
deletes
the hosts file.

I found it.<g>

http://www.mnin.org/write/ani-notes.pdf
There are several malicious ANI files in circulation. The one to
discuss
is
mm.jpg from newasp, but others are likely very similar. Shellcode in
mm.jpg
basically resolves kernel32 functions, downloads, and executes xx.exe
(from
behavioral analysis). It doesn't do much but delete the system's
HOSTS
file,
write bdscheca001.dll to %SYSTEM%, and registers the DLL as
ShellExecuteHooks entry.

Bob Vanderveen
Click to expand...
Click to expand...
Click to expand...
 
Hi Tom

I noticed that SANS was in "Yellow mode" and this NG is
an excellent place to find more information.

This one can cause a lot of trouble and therefore
information is needed everywhere to stop this junk.

regards
plun
 
Back
Top