has anyone else seen this?

Bill Warner plug-discuss@lists.PLUG.phoenix.az.us
21 Jun 2001 11:15:40 -0700


Exploit:    GodMessage 

Type: Malicious ActiveX, Trojan

System Affected:
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.0 for Windows NT 4.0
Microsoft Internet Explorer 5.0 for Windows 98
Microsoft Internet Explorer 5.0 for Windows 95
Microsoft Internet Explorer 5.0 for Windows 2000
Microsoft Internet Explorer 4.0 for Windows NT 4.0
Microsoft Internet Explorer 4.0 for Windows NT 3.51
Microsoft Internet Explorer 4.0 for Windows 98
Microsoft Internet Explorer 4.0 for Windows 95
Microsoft Internet Explorer 4.0 for Windows 3.1



Date Discovered: ?

FBI NIPC report, 18 June 2001
Security consultants have warned of two new varieties of viruses, and
said IT managers should ensure their anti-virus measures are kept up to
date.  Last week Jonathon Mynott, a technical consultant at security
specialist Cryptic Software, said hacker interest was growing in a virus
tool called GodMessage.  It will be easy to fall victim once the method
becomes popular, Mynott warned.  "You only have to browse a Web page to
be infected," he said.  Mynott added that GodMessage, which is available
for download on hacking sites, allows malicious hackers to place ActiveX
code on Web pages.  When Internet Explorer users visit an infected site,
their browser downloads a compressed program.  This then resides on
users' hard disks, ready to be uncompressed on startup.  Innocent sites
could be surreptitiously hacked and have the virus implanted in their
pages.   
(Source:  Ziff Davis News, 18 June)
http://www.zdnet.com/zdnn/stories/news/0,4586,2775804,00.html



Description of Exploit: 

A GODMESSAGE page is an HTML page that works with an ACTIVEX bug found
in IE5.5/OUTLOOK/OUTLOOK EXPRESS. Thanks to this bug, when someone views
a "godmessaged" page he downloads an .HTA file into his Startup folder.
On Win9x/ME systems this file is totally hidden even if it's deployed in
the startup folder. Behind the HTA file there is a Trojan in ASCII format.
At target machine reboot, the ASCII-formatted Trojan will be compiled
into a full working .EXE file and executed. At the next machine reboot the
HTA file in the startup folder will be deleted thanks to a WININIT.INI
file (previously created by the HTA file itself).

Godmessage allows the creation of hostile ActiveX controls that are
either Hex encoded or clear text. Once loaded into a webserver, most
likely through a webserver compromise, any vulnerable browser hitting
that page will download the malicious control. Using the files in the
.zip archive you can make a control containing any Trojan payload of
your choosing.



Default Payload
It is a modified tHing 1.6 server without ICQ notification and without
process hiding (so it will run on NT/W2K).

The tHing listens on port 7777 and the password is pass.


URL for exploit code (if applicable): 
http://packetstorm.securify.com/0010-exploits/godmessageIV.zip    (get
package)

Additional Information URLs:
http://www.zdnet.com/zdnn/stories/news/0,4586,2775804,00.html
http://neworder.box.sk/showme.php3?id=3072
http://www.tlsecurity.net/archive/code/activex/
http://www.astonsoft.com/godmes01.htm
http://www.astonsoft.com/godmes4.htm


-- 
Bill Warner
Unix/Linux Admin.
Direct Alliance Corporation Confidential
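As an added example that is not part of this message or of the GodMessage package: a defender's Python check for the two-reboot pattern described above, an .HTA sitting in the Startup folder paired with a WININIT.INI [rename] entry that deletes it on the next boot. The [rename] semantics (a destination of NUL deletes the source file) are a standard Windows 9x WININIT.INI feature; SAMPLE_WININIT and the placeholder message.hta are constructed, and demo() builds a throwaway Startup folder so the check runs on any OS.

```python
"""Detection helper for the dropper pattern described above: an .HTA in the
Windows Startup folder plus a WININIT.INI [rename] entry that deletes it."""
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample WININIT.INI, not captured from a real host. In [rename],
# a destination of NUL means "delete the source file on the next boot".
SAMPLE_WININIT = """; constructed sample
[rename]
NUL=C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\message.hta
NUL=C:\\WINDOWS\\TEMP\\stub.tmp
"""

def parse_wininit_rename(ini_text):
    """Return (destination, source) pairs from the [rename] section. Keys repeat
    (several NUL= lines are normal), so configparser would collapse them."""
    pairs, in_rename = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dest, src))
    return pairs

def scheduled_deletions(ini_text):
    """Source paths that WININIT.INI will delete on reboot (destination NUL)."""
    return [src for dest, src in parse_wininit_rename(ini_text) if dest.upper() == "NUL"]

def find_startup_hta(startup_dir):
    """Every .hta in a Startup folder; iterdir() lists hidden files too (Win9x/ME)."""
    return sorted(p for p in Path(startup_dir).iterdir() if p.suffix.lower() == ".hta")

def assess(startup_dir, ini_text):
    """(filename, queued_for_self_deletion) per .hta; True matches the pattern."""
    doomed = {PureWindowsPath(s).name.lower() for s in scheduled_deletions(ini_text)}
    return [(p.name, p.name.lower() in doomed) for p in find_startup_hta(startup_dir)]

def demo():
    """Run assess() on a temp Startup folder holding a placeholder message.hta."""
    with tempfile.TemporaryDirectory() as startup:
        (Path(startup) / "message.hta").write_text("<!-- constructed placeholder -->")
        (Path(startup) / "notes.lnk").write_bytes(b"")
        return assess(startup, SAMPLE_WININIT)
```

On a real host, point assess() at the user's and All Users' Startup folders and feed it the contents of C:\WINDOWS\WININIT.INI; an .hta flagged True is worth quarantining before the next reboot removes it.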