
Klez.H worm found


chuck

Jul 25, 2002, 9:51:49 AM
I just forwarded a sample e-mail to the F-Prot folks.
They say that it contains a sample of Klez.H worm.

Note that the actual worm was "invisible" to me because it was set
in an i-frame and used a non-standard MIME type. Netscape
did not even show an attachment. I had to use Ctrl-U to see it.

Question: Since I use Netscape 4.7.8 for my e-mail, would
I be in danger of that worm??

thanks,

chuck

Frederic Bonroy

Jul 25, 2002, 9:55:33 AM

No. You are safe. In fact, I have yet to see a virus exploiting
a security hole in Netscape 4.x (or Mozilla/Netscape 6/7).

Bart Bailey

Jul 25, 2002, 3:31:50 PM
Frederic Bonroy wrote:

Hey Fred;

when I use proxomitron I don't see this iframe applet,
but with it bypassed, IOW just a plain NS (408) browser,
I get all the clickable features that an html internal frame code
offers.
Are we really as safe as I would like to hope?
http://www.codebrain.com/java/iframe/

--
Bart


Frederic Bonroy

Jul 25, 2002, 4:43:00 PM
Bart Bailey wrote:

> Hey Fred;
>
> when I use proxomitron I don't see this iframe applet,
> but with it bypassed, IOW just a plain NS (408) browser,
> I get all the clickable features that an html internal frame code
> offers.

It works fine here in Netscape 4.79 although I read somewhere that
Netscape 4.x does not support the iframe tag. Weird.

Anyway, I can assure you that you are safe, Netscape really does not
care about the iframe tag in mail; I don't know if it's by design,
a bug, or simply a (fortunate) browser shortcoming.
Or maybe Netscape simply will not accept erroneous MIME headers. That
is another possibility.

FromTheRafters

Jul 25, 2002, 5:08:07 PM

"chuck" <chu...@attglobal.net> wrote in message
news:3D400275...@attglobal.net...

Probably not in danger of autoexecution, but I think yes to the user
assisted type of execution.


Frederic Bonroy

Jul 25, 2002, 5:17:51 PM
FromTheRafters wrote:

> > Question: Since I use Netscape 4.7.8 for my e-mail, would
> > I be in danger of that worm??
>
> Probably not in danger of autoexecution, but I think yes to the user
> assisted type of execution.

That is quite difficult - Netscape does not display anything, the
message panel remains totally empty (except for possible message
text). It's impossible to run the attachment without copying and
pasting the source code to an editor, saving it, running a BASE64
decoder and then executing the file.

FromTheRafters

Jul 25, 2002, 7:29:45 PM

"Frederic Bonroy" <yor...@yahoo.fr> wrote in message
news:ahppql$uuu2g$1...@ID-75150.news.dfncis.de...

True, but 'that worm' has other forms.


Nick FitzGerald

Jul 26, 2002, 4:22:21 AM
"Bart Bailey" <bar...@nethere.net> wrote:

<<various others also wrote>>


> > > Question: Since I use Netscape 4.7.8 for my e-mail, would
> > > I be in danger of that worm??
> >
> > No. You are safe. In fact, I have yet to see a virus exploiting
> > a security hole in Netscape 4.x (or Mozilla/Netscape 6/7).
>
> Hey Fred;
>
> when I use proxomitron I don't see this iframe applet,
> but with it bypassed, IOW just a plain NS (408) browser,
> I get all the clickable features that an html internal frame code
> offers.
> Are we really as safe as I would like to hope?
> http://www.codebrain.com/java/iframe/

Klez has _nothing_ to do with iframes.

It uses one, but only because its writer is too clueless about how the
__IE Incorrect MIME Header Vulnerability__ works to do anything other
than copy the publicly posted exploit. That _just happened_ to use an
iframe, when several other tricks probably could have been used to
"refresh" the display of the HTML Email or otherwise access the inline
attachment.

Doing that is also _irrelevant_ to how Klez works.

Note the name of the vulnerability it uses to "auto-detach and execute"
is the _Incorrect MIME Header_ vulnerability. Klez, like several other
viruses, takes advantage of the fact that a few very widely deployed
versions of IE are completely brain dead (written by MS -- are we
surprised??) when it comes to handling certain types of attachments in
MIME message streams. Specifically, if the MIME "Content-Type:" header
says the ensuing section (loosely representing an "attachment") is of
various "multimedia" types ("audio/x-midi", "audio/x-wav", etc) that
are deemed "safe" to automatically "open and play" then the section is
written to a (temporary) file and "opened". The real problem is the
way the second part of this is achieved -- it depends on different and
entirely arbitrary MIME component headers (MS coders just cannot
understand that just because Outlook does not make such screwy stuff
that no-one or nothing else might) _and_ the process that actually
decides _how_ to "open" the detached file __uses methods entirely
unrelated to the MIME headers that were the basis of IE deciding that
it was safe to "open" and "play" (aka "run") the attachment.

For example, a Klez message may have a MIME section with these headers:

Content-Type: audio/x-midi;
name=news.pif
Content-Transfer-Encoding: base64
Content-ID: <L0A944TXNA4s96An>

The "audio/x-midi" (combined with the default configuration for the file
type that "audio/x-midi" maps to) convinces IE that it should silently
(i.e. without prompting) detach and "open" the ensuing attachment. IE
detaches the attachment (using BASE64 decoding as specified in the
"Content-Transfer-Encoding:" MIME header) to a file named "news.pif",
as specified by the "name=news.pif" argument to the Content-Type: MIME
header.

Starting to see the actual problem?

IE then asks the OS/shell to "open" the "news.pif" file. It is
actually an EXE and the various handlers that process the file end up
working that out and loading and executing it as any other executable
file.

Thus, the real problem is that the "let's auto-detach and execute this
attachment" decision is made on the basis of the Content-Type: headers
in the MIME message, but the file's name and contents are independent of
that and able to be supplied in such a way that they will be run as any
other executable program file. Whoooops!

The iframe trick just "greases the wheels" making everything happen a
bit more smoothly. It is not, however, central to the problem or
necessary to make the virus "work" (and no, I won't tell anyone who
doesn't know other ways than using an iframe how to do it!).


--
Nick FitzGerald

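A mail-gateway style check for the mismatch Nick describes above (a Content-Type that IE treats as "safe" media, paired with an executable file name and executable content), written as an added example and not code from this thread or from any product. It constructs a sample message modelled on the quoted headers; the addresses and Content-ID are placeholders, and the "attachment" is just a few bytes beginning with the DOS/PE "MZ" magic, not a program.

```python
import base64
import email
from email import policy

# Extensions Windows will run; the thread names .pif as the one Klez used.
EXEC_EXTS = {".pif", ".exe", ".scr", ".bat", ".com"}
# The "multimedia" types the post says IE auto-detached and "opened".
AUTO_OPEN_TYPES = {"audio/x-midi", "audio/x-wav"}

# Constructed sample modelled on the MIME section quoted in the thread.
# Addresses and Content-ID are placeholders; the body is 18 bytes that
# merely start with the "MZ" executable magic, not a real program.
SAMPLE = (
    "From: sender@example.invalid\r\n"
    "To: recipient@example.invalid\r\n"
    "Subject: constructed sample\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    "--b1\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>hello</body></html>\r\n"
    "--b1\r\n"
    "Content-Type: audio/x-midi;\r\n"
    "\tname=news.pif\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-ID: <constructed-id@example.invalid>\r\n\r\n"
    + base64.b64encode(b"MZ" + b"\x00" * 16).decode() + "\r\n"
    "--b1--\r\n"
)

def mime_mismatch_findings(raw: str) -> list:
    """Walk every leaf MIME part and report the two contradictions the
    post describes: a 'media' Content-Type paired with an executable
    file name, and a 'media' Content-Type whose decoded bytes are a
    program. Either one is grounds to quarantine the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # get_filename() falls back to the Content-Type "name=" parameter.
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""   # base64 undone here
        if ctype in AUTO_OPEN_TYPES and ext in EXEC_EXTS:
            findings.append(("type/name mismatch", ctype, name))
        if ctype.startswith(("audio/", "image/")) and payload.startswith(b"MZ"):
            findings.append(("type/content mismatch", ctype, "MZ magic"))
    return findings
```

Note that the check deliberately ignores the iframe in the HTML part: as the post says, the iframe only "greases the wheels", and the contradiction between the declared type, the file name and the decoded bytes is what actually identifies the message.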

Nick FitzGerald

Jul 26, 2002, 4:27:55 AM
"FromTheRafters" <!00...@nomad.net> wrote:

> "Frederic Bonroy" <yor...@yahoo.fr> wrote ...
<<snip>>


> > > Probably not in danger of autoexecution, but I think yes to the user
> > > assisted type of execution.
> >
> > That is quite difficult - Netscape does not display anything, the
> > message panel remains totally empty (except for possible message
> > text). It's impossible to run the attachment without copying and
> > pasting the source code to an editor, saving it, running a BASE64
> > decoder and then executing the file.
>
> True, but 'that worm' has other forms.

Indeed.

For example, the "get Klez protection" style messages do _not_ use
message structures exploiting the Incorrect MIME Header vulnerability
and should (I imagine -- not tested) show up in Netscape Mail as
ordinary attachments...


--
Nick FitzGerald

