Full Version: Outbreak Of Ani Worm
   
HIPPO1023
QUOTE
Chinese Internet Security Response Team is reporting on a new worm using the ANI exploit to spread.


Full Topic : ANI worm from F-Secure Weblog
harrywaldron
Thanks for sharing ... copy of blog post below also ...

ANI Exploit - New Email Worms Surface

The Internet Storm Center has declared a Yellow Alert to emphasize an increased risk in HTML based email and malicious websites that could contain the new ANI exploits. Please be extra careful with email until an official patch is in place. Even plain text processing by some email clients may not be safe until Microsoft issues a new patch. AV protection can help as well as recommendations shared in the Microsoft security advisory.

Below are 3 new worms that have recently surfaced:

New Email Worm using new ANI Exploit
http://www.f-secure.com/v-descs/anito_a.shtml

QUOTE
The Email-Worm: W32/Anito.A is an e-mail worm. It sends out e-mail messages with a URL to a malicious file that contains the recently discovered ANI exploit. The worm also drops another malware, a worm and trojan downloader that we detect as 'Worm:W32/Anito.A'. This worm is similar to the one that we detect as 'Trojan-Downloader.Win32.Agent.bky' and 'Worm.Win32.Diska.c'.


Agent.BKY - New ANI downloader worm
http://www.f-secure.com/v-descs/agent_bky.shtml

QUOTE
Agent.BKY is a worm and a trojan downloader. It infects html files with a small script that downloads a file with a recently discovered ANI exploit. The worm also spreads to remote drives, modifies HOSTS file and downloads more malicious files onto an infected computer. This worm is dropped by the e-mail worm that we detect as 'Email-Worm:W32/Anito.A'.


W32/Fujacks.aa
http://vil.mcafeesecurity.com/vil/content/v_141877.htm

QUOTE
Instead of the usual W32/Fujacks strings used in earlier variants, inside the virus body of each variant contain one or more of these silly messages: "I Hate AVP!!" "Well, Boss will come in !!" "I will by one BMW this year!" The W32/Fujacks.aa thread in notepad.exe then prepends itself to Win32 PE files. It may also create a copy of itself in A:\tools.exe and A:\autorun.inf to autostart itself.



ADDITIONAL LINKS:

Internet Storm Center - Declares Yellow Alert
http://isc.sans.org/diary.html?n&storyid=2542

Chinese Internet Security Response Team Reports ANI Worm
http://isc.sans.org/diary.html?storyid=2550

Microsoft Security Advisory
http://www.microsoft.com/technet/security/...ory/935423.mspx

CERT
http://www.kb.cert.org/vuls/id/191609

ANI 0-Day Exploit Info
http://vil.nai.com/vil/content/v_vul28505.htm

MSRC
http://blogs.technet.com/msrc/archive/2007...423-posted.aspx

Microsoft Windows Animated Cursor Handling Vulnerability
http://secunia.com/advisories/24659/