Exploit: GodMessage
Type: Malicious ActiveX, Trojan
System Affected:
  Microsoft Internet Explorer 5.5
  Microsoft Internet Explorer 5.01
  Microsoft Internet Explorer 5.0 for Windows NT 4.0
  Microsoft Internet Explorer 5.0 for Windows 98
  Microsoft Internet Explorer 5.0 for Windows 95
  Microsoft Internet Explorer 5.0 for Windows 2000
  Microsoft Internet Explorer 4.0 for Windows NT 4.0
  Microsoft Internet Explorer 4.0 for Windows NT 3.51
  Microsoft Internet Explorer 4.0 for Windows 98
  Microsoft Internet Explorer 4.0 for Windows 95
  Microsoft Internet Explorer 4.0 for Windows 3.1
Date Discovered: ?

FBI NIPC report, 18 June 2001

Security consultants have warned of two new varieties of viruses, and said IT managers should ensure their anti-virus measures are kept up to date. Last week Jonathon Mynott, a technical consultant at security specialist Cryptic Software, said hacker interest was growing in a virus tool called GodMessage. It will be easy to fall victim once the method becomes popular, Mynott warned. "You only have to browse a Web page to be infected," he said. Mynott added that GodMessage, which is available for download on hacking sites, allows malicious hackers to place ActiveX code on Web pages. When Internet Explorer users visit an infected site, their browser downloads a compressed program. This then resides on users' hard disks, ready to be uncompressed on startup. Innocent sites could be surreptitiously hacked and have the virus implanted in their pages.
(Source: Ziff Davis News, 18 June)
http://www.zdnet.com/zdnn/stories/news/0,4586,2775804,00.html

Description of Exploit:

A GODMESSAGE page is an HTML page that relies on an ActiveX bug found in IE 5.5 / Outlook / Outlook Express. Because of this bug, when someone views a "godmessaged" page, an .HTA file is downloaded into his Startup folder. On Win9x/ME systems this file is completely hidden, even though it sits in the Startup folder. Inside the HTA file is a Trojan in ASCII format.

When the target machine reboots, the ASCII-formatted Trojan is compiled into a fully working .EXE file and executed. At the following reboot, the HTA file in the Startup folder is deleted by means of a WININIT.INI file (previously created by the HTA file itself).

GodMessage allows the creation of hostile ActiveX controls that are either hex encoded or clear text. Once loaded onto a web server, most likely through a web server compromise, any vulnerable browser hitting that page will download the malicious control. Using the files in the .zip archive, a control can be built containing any Trojan payload of the attacker's choosing.

Default Payload:

A modified tHing 1.6 server without ICQ notification and without process hiding (so it will run on NT/W2K). The tHing listens on port 7777 and the password is "pass".

URL for exploit code (if applicable):
http://packetstorm.securify.com/0010-exploits/godmessageIV.zip (get package)

Additional Information URLs:
http://www.zdnet.com/zdnn/stories/news/0,4586,2775804,00.html
http://neworder.box.sk/showme.php3?id=3072
http://www.tlsecurity.net/archive/code/activex/
http://www.astonsoft.com/godmes01.htm
http://www.astonsoft.com/godmes4.htm

--
Bill Warner
Unix/Linux Admin.
Direct Alliance Corporation
Confidential
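The self-cleanup step described above (a WININIT.INI that removes the dropped .HTA from the Startup folder at the next boot) leaves a forensic trace that can be checked. Below is an added example, not part of the original post or the GodMessage package, that parses the [rename] section of a WININIT.INI and flags entries deleting an .hta from a Startup folder; the sample INI content is constructed, and the script assumes the standard Win9x convention that a destination of NUL means "delete the source file".

```python
import os
from typing import List, Tuple

# Constructed sample of a WININIT.INI as a dropper might write it (not from the page).
# Win9x processes [rename] entries at boot as "destination=source";
# a destination of NUL deletes the source file (assumed standard 9x behaviour).
SAMPLE_WININIT_INI = """[rename]
NUL=C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\godmsg.hta
C:\\WINDOWS\\SYSTEM\\thing.exe=C:\\WINDOWS\\TEMP\\thing.tmp
"""


def parse_rename_section(ini_text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section only."""
    entries = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            entries.append((dest.strip(), src.strip()))
    return entries


def suspicious_startup_cleanups(ini_text: str) -> List[str]:
    """Flag entries that delete (NUL=) an .hta located under a Startup folder,
    the boot-time self-cleanup pattern the GodMessage write-up describes."""
    hits = []
    for dest, src in parse_rename_section(ini_text):
        low = src.lower()
        if dest.upper() == "NUL" and low.endswith(".hta") and "\\startup\\" in low:
            hits.append(src)
    return hits


if __name__ == "__main__":
    # Check a real file if present (path is an assumption), else the sample.
    path = r"C:\WINDOWS\WININIT.INI"
    text = open(path, errors="replace").read() if os.path.exists(path) else SAMPLE_WININIT_INI
    for src in suspicious_startup_cleanups(text):
        print("pending boot-time deletion of Startup HTA:", src)
```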