Patches for Zero-Day Vulnerability ineffective?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
My client's laptop (XP Pro, SP2) is running Trend Micro Internet
Security 2007. It keeps alerting on a file surreptitiously downloaded
upon visiting hxxp:// The file (BMW3[1].pig) appears

<username>\Local Settings\Temp\Temporary Internet

...and the alert is that it contains EXPL_ANICMOO.GEN. Virustotal

Complete scanning result of "bmw3_1_.pig.vir", received in VirusTotal
at 04.05.2007, 03:53:46 (CET).

Antivirus    Version    Update    Result
AhnLab-V3    2007.4.5.0    04.04.2007
AntiVir    04.04.2007     no virus found
Authentium    4.93.8    04.04.2007     no virus found
Avast    4.7.936.0    04.04.2007     no virus found
AVG    04.04.2007    Downloader.Small.58.AW
BitDefender    7.2    04.05.2007    Exploit.Win32.MS05-002.Gen
CAT-QuickHeal    9.00    04.04.2007    Exploit.MS05-002
ClamAV    devel-20070312    04.05.2007    Exploit.CVE_2007_0038-2
DrWeb    4.33    04.04.2007    Exploit.ANIFile
eSafe    04.04.2007     no virus found
eTrust-Vet    30.7.3543    04.05.2007    Win32/MS07-017!exploit
Ewido    4.0    04.04.2007     no virus found
FileAdvisor    1    04.05.2007     no virus found
Fortinet    04.05.2007     no virus found
F-Prot    04.04.2007    CVE-2004-1305
F-Secure    6.70.13030.0    04.05.2007     no virus found
Ikarus    T3.1.1.3    04.04.2007    Exploit.Win32.IMG-ANI.i
Kaspersky    04.05.2007     no virus found
McAfee    5001    04.04.2007     no virus found
Microsoft    1.2405    04.05.2007    Exploit:Win32/Anicmoo.A
NOD32v2    2168    04.04.2007    a variant of
Norman    5.80.02    04.04.2007     no virus found
Panda    04.05.2007     no virus found
Prevx1    V2    04.05.2007     no virus found
Sophos    4.16.0    03.30.2007     no virus found
Sunbelt    2.2.907.0    04.03.2007 (v)
Symantec    10    04.05.2007    Trojan.Anicmoo
TheHacker    04.04.2007     no virus found
VBA32    3.11.3    04.04.2007     no virus found
VirusBuster    4.3.7:9    04.04.2007    Exploit.ANIFile.G
Webwasher-Gateway    6.0.1    04.05.2007
Exploit.Win32.MS05-002.gen (suspicious)
Aditional Information
File size: 918 bytes
MD5: 2e07798a5a64634f511d0e275429cd6b
SHA1: 396f0d633267ea3a598a7a9a6ce5f5f824c5c9f3

I can delete the infected file without problem but the next visit to
the site puts it back.

The MS patch in KB925902 was installed but makes no difference in the
alert each time the Asus site is visited. I also subsequently
installed the eEYE temporary fix discussed in the article at
but it, too, seems to make no difference. I added the site to the
Restricted Zone and when I visit the site now, the page loads but I
get an alert in IE7 that Active X has been turned off so the page
might not load correctly, and I don't get the Trend Micro alert.

My questions are:

1. Why does Kaspersky not detect this trojan in VirusTotal?
2. Why do the two patches seem not to work?
3. How can I determine...
   a. if the system has been compromised
   b. if/when the vulnerability has been properly patched
4. Why did the restricted zone addition allow the page to load at all
5. How would you recommend I deal with this threat?

My client is wondering if his system is owned and he should just
reformat and re-install.

Thanks for any suggestions you might offer.


Re: Patches for Zero-Day Vulnerability ineffective?

Quoted text here. Click to load it
Quoted text here. Click to load it

Thanks for the two responses received so far, neither of which
addressed any of my questions, unfortunately. Given the severity of
the threat, I was expecting more replies, and hoping the questions
would be addressed. Anyone?


Re: Patches for Zero-Day Vulnerability ineffective?

Larry Sabo wrote:
Quoted text here. Click to load it
[snip virus total log]
Quoted text here. Click to load it
Quoted text here. Click to load it

perhaps kaspersky hasn't seen this variant yet and/or virus total's
version of the kaspersky product doesn't know of this variant yet...

Quoted text here. Click to load it

you seem to be under the impression that the vulnerability is how it got
onto the local system... that's not what happened at all...

someone visited a web page with a browser, it is standard behaviour for
the browser to download the contents of that page to the local machine
in order to render the page and one of the contents was an exploit for a

the fact that it was downloaded to the local machine has nothing to do
with whether or not the machine vulnerable or whether it got exploited,
it's just the way browsers work...

alternatively, it could have been a drive-by-download, but that's still
just a download - so long as the patch had already been applied the
exploit code itself shouldn't be able to do anything...

Quoted text here. Click to load it

the same way you determine if your system has been compromised by
anything else...

Quoted text here. Click to load it

if you installed the microsoft patch then you're properly patched...

Quoted text here. Click to load it

adding the page to the restricted zone just means certain web
technologies won't be used (depending on how you've set up the
restricted zone) when rendering the page...

Quoted text here. Click to load it

learn how browsers work... the only threat here is not recognizing the
difference between an exploit and normal browser behaviour...

"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Patches for Zero-Day Vulnerability ineffective?

Kurt, thanks for your reply, and for addressing my questions directly.
I've commented in-line....

Quoted text here. Click to load it
Quoted text here. Click to load it

Of course; it's just that most of the "premier" A-V programs seem to
take a pass on this file, whereas most of the "second-tier" programs
identify it as problematic. Strange, hence my question.

Quoted text here. Click to load it

Quoted text here. Click to load it

Yeah, you're right. Muddled thinking on my part. Thanks for clarifying

Quoted text here. Click to load it

I knew I shouldn't have asked that, it was so obvious when I re-read
it after posting.

Quoted text here. Click to load it

Again, I was confusing the ability to download the file with the
purpose of the patch, which is to render such downloads ineffective
should they be executed. It's the anti-virus program that should catch
such downloads and deal with them. I guess I was wondering, how will I
know the patch will work, since Kaspersky doesn't alert on the
downloaded file. KAV should pick up on whatever the exploit yields,
i.e. trojan, but not alerting on the download shakes my confidence.

Quoted text here. Click to load it

I had better read up on such settings. I had just assumed it would be
like a HOSTS file in effect, i.e. frustrate downloads from restricted
sites. Wrong.

Quoted text here. Click to load it

I know how browsers work and that downloaded malware is not a problem
until one tries to open/run it. The potential of a downloaded file to
wreak havoc and cause damage is what I call a threat, even if it
hasn't yey been unleashed. If the downloaded file in question has this
potential, it's a threat in my books.

Perhaps the correct answer to this question, is to just delete the
file should an AV product alert on it, and confirm that the patch for
the vulnerability has been installed. I know of no way to verify that
the patch protects the system against the threat, short of running it
and picking through the debris.

Again, thanks for your thoughts.


Site Timeline