Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: ANI: It Gets Better - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
ANI: It Gets Better
McAfee is now reporting a spam campaign that includes an ANI exploit attempt:

"March 31, 2007. The .ANI File Format vulnerability has seen an increase in exploit attempts in-the-wild. McAfee Avert Labs has detected many Web sites linking to other sites that attempt to exploit this vulnerability. We have also observed a spam run that tries to lure its recipients to Web sites hosting code exploiting this vulnerability. Technical details and exploit code can now be easily obtained from these malicious Web sites. Following links in unsolicited e-mails and visiting unknown Web sites are strongly discouraged."

This will affect email clients on vulnerable Operating Systems that render HTML.  Exploit could occur when the malicious message is either opened, previewed, or forwarded.


If you open up a folder with Explorer (not Internet Explorer) that has a malicious .ANI file (file-extension matters in this case) it will exploit the system.  At least automated processes won't trigger execution (unlike WMF.) (US-CERT Advisory)
Kevin Liston

292 Posts
ISC Handler
Mar 31st 2007

Sign Up for Free or Log In to start participating in the conversation!