Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Windows Animated Cursor Handling vulnerability - CVE-2007-0038

Published: 2007-03-29
Last Updated: 2007-03-31 11:36:34 UTC
by Maarten Van Horenbeeck (Version: 14)
0 comment(s)

Important Update
Proof of Concept Exploit code was released publicly after US business hours on Friday. While nowhere near an official patch, please consider the below mitigation measures and handler Donald's entry on detecting and blocking these attacks.

Microsoft has released advisory 935423 regarding a vulnerability in Windows Animated Cursor Handling. A bug in the way Windows renders  animated cursor files can allow execution of arbitrary code under the privileges of the user that downloaded the malicious file. CVE-2007-0038 (previously also CVE-2007-1765) has been assigned to this vulnerability

Affected are Win2k, XP, Server 2003 and Vista (UPDATED). While Animated cursors are usually downloaded as .ani files, blocking these files is not sufficient to mitigate the vulnerability. We have received reports of this vulnerability being exploited in the wild using files renamed to jpeg.

McAfee has a blog entry up on this. They also have a second blog entry with a video showing windows explorer crashing in a loop on windows vista when dropping a malicious animated cursor on the desktop. Trend Micro is reporting here on malicious .ANI files and related links being spread over the web and through e-mail that attempt to download a trojan executable WINCF.EXE.


  • Microsoft is reporting that users of Internet Explorer 7 with Protection Mode are protected from active exploitation.
  • E-mails opened in plaintext will not show embedded ANI files. Note that HTML attachments can still be interpreted when separately clicked upon.  [Thunderbird | Outlook & 2.0].
  • Anti-virus detection is improving now, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files. One specific file was also discovered by a product triggering on a signature written for MS05-002, a similar vulnerability from 2005. This will not apply to most exploits in the wild.
  • Microsoft has now confirmed that:
    • Outlook 2007 users are protected (as the tool uses Word to display HTML messages);
    • Users of Windows Mail on Vista are protected if they do not forward or reply to malicious e-mail;
    • Outlook Express users remain vulnerable even when reading e-mail as plaintext.
  • Eeye has released an unofficial patch that you may wish to consider

The vulnerability has been added to our missing microsoft patches table.

Vulnerability timeline
Microsoft has provided an update on their MSRC blog, answering a number of questions that people have been asking.

  • Vulnerability was reported to MSFT in December by Determina.
  • MSFT has been working on the vulnerability
  • Reports of the exploit were sent to MSFT on the 28th, they initiated their incident response plan
  • An update is expected with the normal monthly fixes


CVE 2007-0038
A good write-up and analysis of one ani exploit in action
Arbor Network's write-up

0 comment(s)


Published: 2007-03-29
Last Updated: 2007-03-29 23:29:59 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

We've received a number of reports of spam appearing to come from "" containing a link to a file called IE7.0.exe .

This is what VirusTotal has to say about it:

Antivirus Version Update Result
AhnLab-V3 2007.3.30.0 20070329 -
AntiVir 20070329 TR/Proxy.Agent.CL
Authentium 4.93.8 20070329 -
Avast 4.7.936.0 20070329 -
AVG 20070329 -
BitDefender 7.2 20070329 -
CAT-QuickHeal 9.00 20070329 (Suspicious) - DNAScan
ClamAV devel-20070312 20070329 -
DrWeb 4.33 20070329 -
eSafe 20070329 -
eTrust-Vet 30.6.3522 20070329 -
Ewido 4.0 20070329 -
F-Prot 20070328 -
F-Secure 6.70.13030.0 20070329 Virus.Win32.Grum.a
FileAdvisor 1 20070330 -
Fortinet 20070329 suspicious
Ikarus T3.1.1.3 20070329 -
Kaspersky 20070329 Virus.Win32.Grum.a
McAfee 4995 20070329 -
Microsoft 1.2306 20070329 -
NOD32v2 2154 20070329 -
Norman 5.80.02 20070329 -
Panda 20070329 Suspicious file
Prevx1 V2 20070330 Covert.Sys.Exec
Prevx info:
Sophos 4.16.0 20070329 -
Sunbelt 2.2.907.0 20070329 VIPRE.Suspicious
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Symantec 10 20070330 Trojan Horse
TheHacker 20070323 -
UNA 1.83 20070316 -
VBA32 3.11.3 20070329 suspected of Trojan-PSW.Pinch.1 (paranoid heuristics)
VirusBuster 4.3.7:9 20070329 -
Webwasher-Gateway 6.0.1 20070329 Trojan.Proxy.Agent.CL

Name IE7.0.exe
Size 33280
md5 8e12a8281a6c6ebdbd75c26a93e69437
sha1 de94c34d51e8c04df174e27bc04eed134aca57d7
Date scanned 03/30/2007 00:22:04 (CET)

Norman Sandbox doesn't detect it and it seems to not want to run in certain virtual machines either.

Check your logs on proxy servers etc. for IE7.0.exe, it's being hosted in multiple places around the world.

Thanks to Dan, Brian, Sean, Richard and many other readers.

Swa Frantzen --- NET2S
0 comment(s)

Cisco VoIP vulnerabilities.

Published: 2007-03-29
Last Updated: 2007-03-29 16:22:43 UTC
by donald smith (Version: 1)
0 comment(s)
Cisco announced software updates to address 5 Cisco Bug IDs for 3 separate DOS vulnerabilities that affect two of their VoIP products.
Cisco Security Advisory: Multiple Cisco Unified CallManager (CUCM) and
Cisco Unified Presence Server (CUPS) Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20070328-voip

Vulnerable Products
* Cisco Unified CallManager 3.3 versions prior to 3.3(5)SR2a
* Cisco Unified CallManager 4.1 versions prior to 4.1(3)SR4
* Cisco Unified CallManager 4.2 versions prior to 4.2(3)SR1
* Cisco Unified CallManager 5.0 versions prior to 5.0(4a)SU1
* Cisco Unified Presence Server 1.0 versions prior to 1.0(3)

There are no workarounds.

Filtering traffic as follows for affected CUCM / CUPS systems can be used as a mitigation technique:

Permit TCP port 2000 (SCCP) and TCP port 2443 (SCCPS) to CUCM systems only from VoIP endpoints.

ICMP Echo Requests (type 8) should be blocked for CUCM and CUPS systems. This may affect network management applications and troubleshooting procedures.

UDP Port 8500 (IPSec Manager) should only be permitted between CUCM / CUPS systems configured in a cluster deployment.
0 comment(s)
Diary Archives