Bugtraq mailing list archives

Re: HTML.dropper


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 19 Jan 2001 13:15:25 +1300

Internet Explorer 5.5 and accompanying mail and news client afford
us the unique ability to dictate which icons and file extensions we
require. Specifically, we are able to manufacture an email message
to appear as one thing when in fact it is not:

I did not have an IE/OE 5.5 install handy to test, so...

Quick testing with IE/OE 5.0 suggests you need a 1 char longer
Subject: for this to work on that version (OE Help/About reports
5.00.2314.1300).  (I believe standard 5.0, no patches or SPs.)

Quick testing with Outlook 2000 suggests you need a 3 char shorter
Subject: for this to work on that version (Outlook Help/About reports
9.0.0.2711).  Rather oddly, Outlook 2000 sees such messages as having
two attachments -- with the right Subject: length both of these
"attachments" work as under OE.  (This is standard Office 2000 release
-- no SPs or patches.)

Quick testing with Outlook 98 suggests you need a 3 char shorter
Subject: for this to work on that version (Outlook Help/About reports
8.5.5104.5).  Like Outlook 2000, Outlook 98 sees such messages as
having two attachments -- with the right Subject: length both of these
"attachments" work as under OE.  If the Subject: string is a few chars
longer (I tried 1 and 3) than that required for the exploit to work,
Outlook 98 causes an IPF in OUTLMIME.DLL during download of the
message from a server (i.e. before you have a chance to delete the
message, and, in fact, before Outlook has deleted the message from the
server), so this becomes something like that earlier invalid MIME
header DoS.  (This is standard Office 98 release -- no SPs or patches
-- so the DoS may be fixed by any patches released to deal with that
earlier bug.)

This exploit seems to be based on some form of buffer overflow.
With some of the mailers above, when the Subject: line is four chars
too short, if you try to save the "attachment" you get a filename of
".hta.gif", if three chars too short, ".hta.gi" and so on.

This will create an email message with no reference to attachments
in the headers. This can be particularly troublesome to content
filtering gateways and/or security applications that strip
attachments through header information that is content disposition:
attachment; content-type: application/malware; filename:
iloveyou.vbs

Since JS/Kak's ascendancy began a year ago, any Email scanning system
that does not process message bodies has been a dead duck.  In a
perfect world, that means your point would be moot, but in this
world...


Regards,

Nick FitzGerald
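As an added example (not part of the original post or thread), the following Python sketch contrasts a header-driven attachment check with one that inspects every decoded MIME part, which is the distinction the message above draws between header-only gateways and scanners that process bodies. The sample message, the script markers and the extension list are constructed for illustration, not taken from the HTML.dropper report.

```python
# Added example: header-only attachment stripping vs. a body-aware MIME walk.
# Not code from the original post; the sample message below is constructed.
import email
from email import policy

# Constructed sample: no Content-Disposition/filename headers anywhere, yet the
# HTML alternative carries a script block, the kind of content a header-only
# filter never looks at.
SAMPLE = b"""From: a@example.com
To: b@example.com
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="X"

--X
Content-Type: text/plain

plain text
--X
Content-Type: text/html

<html><body><script language="VBScript">MsgBox 1</script></body></html>
--X--
"""

# Illustrative (assumed) indicators: content types, body markers and extensions
# that a defender would want flagged wherever they appear in a part.
SUSPECT_TYPES = {"application/hta", "text/x-scriptlet"}
SCRIPT_MARKERS = (b"<script", b"<object", b"<embed", b"<applet")
RISKY_EXTS = (".hta", ".vbs", ".js", ".exe")

def header_only_attachments(raw):
    """What a header-driven filter sees: parts explicitly declared as attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment"]

def body_aware_findings(raw):
    """Inspect every leaf part's decoded bytes and name, regardless of headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = (part.get_payload(decode=True) or b"").lower()
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        # ".hta" is matched anywhere in the name so ".hta.gif" style double
        # extensions (as in the truncated names described above) are caught.
        if (ctype in SUSPECT_TYPES
                or any(m in payload for m in SCRIPT_MARKERS)
                or any(ext in name for ext in RISKY_EXTS)):
            findings.append((ctype, part.get_filename()))
    return findings
```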

