stop the exploit. defeat the Trojan.         


Hebolani Alert

infectionvectors.com

February 2005

Vector: ANI or Icon file

Impact: Medium (Distribution low, allows backdoor/arbitrary software)

MS05-002 warns users of Windows 9x, NT4, 2000, and XP (not SP2) platforms that icon and cursor files can carry a stack overflow exploit, allowing execution of arbitrary code on the local machine.


Hebolani takes advantage of this vulnerability via a web page with a specially crafted ANI (animated cursor) file. Be advised, however, that many applications, not just a web browser, can load the vulnerable Windows file. Other applications that may process this file (and are therefore possible entry points for Hebolani) are Outlook, Outlook Express, MS Word, and other MS Office applications.


Hebolani executes a fairly simple set of instructions: it redirects the vulnerable machine to 62.112.194.15 (which can change at any time) and then opens a shell on the local device.


The distribution for this threat has been quite low. Details for this report came from the Symantec brief; see it for more information:

http://www.sarc.com/avcenter/venc/data/backdoor.hebolani.html


Users are advised to apply the patch for BID 12233, officially known as the User32.dll ANI File Header Handling Stack-based Buffer Overflow (KB 891711).
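Until the patch is applied, a simple structural check at a mail or web gateway can catch the file shape this overflow relies on. The following is an added example written for this alert, not code from infectionvectors.com or Symantec; it assumes the RIFF/ACON layout of ANI files and that a well-formed 'anih' chunk carries exactly the 36-byte ANIHEADER structure, so any other declared length is flagged as suspicious.

```python
import struct

# Fixed size of the ANIHEADER structure that a well-formed 'anih' chunk carries.
ANIH_EXPECTED_SIZE = 36


def check_ani(data: bytes) -> list:
    """Walk the RIFF chunks of an ANI file and return a list of findings.

    A well-formed file yields an empty list. Findings describe structural
    anomalies: an 'anih' chunk whose declared length differs from the fixed
    36-byte header, or a chunk whose declared length runs past end of file.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (ANI) file"]
    pos = 12  # first chunk follows the 12-byte RIFF/ACON header
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body_start = pos + 8
        if body_start + size > len(data):
            remaining = len(data) - body_start
            findings.append(f"chunk {chunk_id!r} declares {size} bytes but only {remaining} remain")
            break
        if chunk_id == b"anih" and size != ANIH_EXPECTED_SIZE:
            findings.append(f"anih chunk length {size} != expected {ANIH_EXPECTED_SIZE}")
        pos = body_start + size + (size & 1)  # RIFF chunk bodies are word-aligned
    return findings


def build_ani(anih_size: int) -> bytes:
    """Constructed sample: minimal RIFF/ACON file with one zero-filled 'anih' chunk."""
    anih = b"anih" + struct.pack("<I", anih_size) + bytes(anih_size)
    body = b"ACON" + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    for label, sample in (("well-formed", build_ani(36)), ("oversized anih", build_ani(64))):
        print(label, check_ani(sample) or "ok")
```

A real deployment would run the check on every .ani, .cur and .ico attachment or download before it reaches a user32-based application.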


Copyright © 2005 infectionvectors.com. All rights reserved.