Last week (Thursday and Friday) was very hard for all malware researchers working with the “new” ANI threat. Too much conflicting information was released: “Yes, it’s the same MS05-002 issue”, “No, it’s not the same issue…”, “It’s a user32.dll fault, but probably it’s only an Outlook and IE issue….”. What is really true? We spent last Friday analyzing the vulnerability and no, it’s not just an Outlook/IE issue. If you are a malware researcher (or not) and you usually use WinHex, you should be careful. The sample we were analyzing tried to download an executable (wincf.exe) from http://22x.x.x.189/wincf.exe. By now the file has been deleted from the site; however, we changed the URL in order to see if the exploit works, and it really works great, fast and with WinHex… What? Yes, we are not crazy. We were as surprised as you.
See the demo in the following video (It’s encoded with XViD [870k]) or via YouTube:
It’s time to reverse engineer WinHex to discover why the exploit works on it even if the ANI file is renamed to whatever you want. A call to Shell32.ExtractIconA is made, and that is what triggers the ANI threat:
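Since the trigger is the file content and not its name, a defender's check has to parse the file rather than trust the extension. The following is an added example, not code from the original post: it walks the RIFF/ACON chunk tree of any candidate file and flags `anih` chunks whose declared length is not the 36 bytes of a real ANIHEADER (the malformed-length case at the heart of both MS05-002 and the 2007 ANI bug), plus a second `anih` chunk or truncated chunks. The sample files are constructed inline for testing.

```python
import struct

ANIH_EXPECTED_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORD fields


def scan_ani(data: bytes) -> list:
    """Return a list of findings for a possible ANI file ([] means clean).
    The file name/extension is deliberately ignored: the vulnerable parser
    keyed on the RIFF/ACON content, so the scanner must do the same."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not-ani"]
    declared = struct.unpack_from("<I", data, 4)[0]
    if declared + 8 > len(data):
        findings.append("riff-size-exceeds-file")
    anih_count = 0

    def walk(start, end):
        nonlocal anih_count
        pos = start
        while pos + 8 <= end:
            cid = data[pos:pos + 4]
            size = struct.unpack_from("<I", data, pos + 4)[0]
            body = pos + 8
            if body + size > end:  # declared length runs past the container
                findings.append("chunk-%s-truncated" % cid.decode("ascii", "replace"))
                return
            if cid == b"LIST":
                walk(body + 4, body + size)  # skip the 4-byte list type tag
            elif cid == b"anih":
                anih_count += 1
                if size != ANIH_EXPECTED_SIZE:
                    findings.append("anih-size-%d" % size)
            pos = body + size + (size & 1)  # RIFF chunks are word-aligned

    walk(12, min(len(data), declared + 8))
    if anih_count > 1:
        findings.append("multiple-anih")
    return findings


def _chunk(cid: bytes, payload: bytes) -> bytes:
    return cid + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def build_ani(anih_payload_sizes) -> bytes:
    """Constructed test fixture: RIFF/ACON file with one zero-filled anih
    chunk per requested payload size (no frames, not a working cursor)."""
    body = b"ACON" + b"".join(_chunk(b"anih", b"\0" * n) for n in anih_payload_sizes)
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

Run `scan_ani` over every incoming file (or every attachment) regardless of extension; anything other than an empty list is worth quarantining for a closer look.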