Animated Cursor Worm Attacks Grow Over Weekend

Microsoft to release out-of-cycle patch.

by / April 2, 2007
A new worm which exploits a zero day vulnerability in the way that Microsoft Windows handles animated cursors (.ANI files) was discovered Friday. The worm infects executable and HTML files.

Most of the activity around the ANI exploit has been via dozens of malicious Web sites that will attack the user if he visits the page with the most common versions of Internet Explorer. However, on Sunday the first worm using this exploit to spread was found.

Worm attacks increased over the weekend. According to F-Secure, the majority of the attacks have been traced back to different Chinese hacker groups.

"We've seen a lot of activity relating to the ANI exploit during the weekend", says Mikko Hypponen, the Chief Research Officer at F-Secure. "This vulnerability is really tempting for the bad guys. It's easy to modify the exploit, and it can be launched via web or e-mail fairly easily."

Microsoft has announced that it plans to issue an out-of-cycle security update on Tuesday, April 3 to address the critical vulnerability in its code.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," Microsoft stated in a release.

"Normally Microsoft releases security patches on the second Tuesday of the month. Clearly the danger that the ANI vulnerability represents has encouraged them to release a patch as quickly as possible, which is good news for vulnerable Internet users," said Graham Cluley, senior technology consultant for Sophos. "The fact that a worm has been seen in-the-wild exploiting the Microsoft security bug has raised the stakes over the weekend. Proactive protection has ensured that Sophos customers are not at risk from this viral attack."

Gina M. Scott Writer