An attacker could trick a user of Microsoft Corp.’s Internet Explorer (IE) Web browser into downloading and running a malicious program by disguising it as an innocent file, a Finnish security company has warned.
The file name as it appears in the IE file download dialog box can be faked by using certain URLs and HTTP headers on a Web page, making the user think he is opening a media file when in fact he is installing a “back door” on his PC, according to Oy Online Solutions Ltd. IE won’t show the warnings it typically displays when a program file is downloaded or opened, because the .exe file extension may have been hidden or replaced with another such as .txt or .htm. The file is run without any warnings because IE, just as the user, thinks it is a harmless file, Oy Online Solutions said. Details of the vulnerability were first released on the Bugtraq mailing list in late November. Microsoft at the time did not consider it a flaw, but will now release a patch.
Gokar worm spreads by e-mail, Web, chat
A new worm called “Gokar” recently began to spread across the Internet via e-mail, the chat program mIRC and the Web, according to a trio of antivirus firms.
The worm is not destructive and has not yet infected many systems, but as with any mass-mailer worm, could become a nuisance as unsuspecting users spread it. Like other mass-mailing worms such as Anna Kournikova or Badtrans, Gokar spreads through Microsoft Corp.’s Outlook and Outlook Express e-mail clients when a user clicks on an attachment sent with the infected message, according to antivirus firms Symantec Corp., F-Secure Corp. and Trend Micro Inc. Infected e-mail arrives in user inboxes with dozens of combinations of different subject lines, body messages and filenames, though each attachment will end with the .PIF, .SCR, .EXE., .COM or .BAT extensions, the companies said. When the attachment is double-clicked, the worm installs a file called Karen.exe on the infected system and mails itself to all addresses listed in the computer’s address book.