[NATIONAL-ALERTS] (AUSCERT AL-2005.0030) Trojan "Hesive" Targets Microsoft Access Vulnerability (fwd)

Jeff A. Earickson jaearick at COLBY.EDU
Thu Oct 6 02:32:19 IST 2005


Gang,

FYI below.  In the course of attempting to figure out what an mdb file
is, I stumbled across this website, telling what types of attachments
Outlook 2003 blocks.  Wow, what a list...

http://office.microsoft.com/en-us/assistance/HA011402971033.aspx

Jeff Earickson
Colby College

---------- Forwarded message ----------
Date: Thu, 06 Oct 2005 10:04:05 +1000
From: AusCERT <auscert at auscert.org.au>
To: national-alerts at auscert.org.au
Subject: [NATIONAL-ALERTS] (AUSCERT AL-2005.0030) Trojan "Hesive" Targets Microsoft Access Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                        AL-2005.0030 -- AUSCERT ALERT
           Trojan "Hesive" Targets Microsoft Access Vulnerability
                               4 October 2005

===========================================================================

         AusCERT Alert Summary
         ---------------------

Product:           Microsoft Access
Operating System:  Windows
Impact:            Administrator Compromise
Access:            Remote/Unauthenticated
Member-only until: Thursday, October 06 2005

OVERVIEW:

     A new trojan, Hesive, targets a flaw in Microsoft Access that allows a
     remote attacker to execute arbitrary code or commands in the context of
     the currently logged in user. The vulnerability exploited by this trojan
     is five months old, and no patch is currently available.

     The trojan requires a local user to open a specially crafted Access .mdb
     file. This file can be received via email. Once activated, it opens a
     backdoor onto the system to allow further access to the remote attacker.


IMPACT:

     While the trojan itself performs minimal actions on the infected system,
     it allows a remote attacker to access the system. Since many home users
     log on to Windows as an Administrator level user, this is effectively an
     Administrator Compromise.

     The trojan itself is simple to remove using an antivirus product; however,
     actions taken by a remote attacker through the back door the trojan sets
     up are unpredictable and may not be reversible.


MITIGATION:

     Treat Microsoft Office files as you would an executable program - do not
     open Office files that you have received from an unknown, untrusted or
     unexpected source, especially Access '.mdb' files.

     Ensure Windows Update is enabled on your systems so that any updates to
     fix this problem are installed.


REFERENCES:

     Symantec Virus Definition:
       http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hesive.html

     SecurityFocus:
       http://www.securityfocus.com/news/11335

     Secunia:
       http://secunia.com/advisories/14896/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

         http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert at auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                 AusCERT personnel answer during Queensland business hours
                 which are GMT+10:00 (AEST).
                 On call after hours for member emergencies only.
===========================================================================


-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQ0Rp9Ch9+71yA2DNAQMxyQP/czgdZNIbzc3mK5xk6kSV9agUWPqe6lxq
cguUcWHRLPQI437an3urcpepZXTozrhrBDW2h1+C+sxaMxe4os9Cy1B12TeJrR8j
TUNYZGBbKKL5b/MK0nTdWZlHTIQGKBPYrZcR8QLBoMYVKnR41/GXXR1TANc3WqfC
UFZ1gGTUntk=
=sEsT
-----END PGP SIGNATURE-----

AusCERT is the national computer emergency response team for Australia.  We
monitor various sources around the globe and provide reliable and independent
information about serious computer network threats and vulnerabilities.
AusCERT, which is a not-for-profit organisation, operates a cost-recovery
service for its members and a smaller free security bulletin service to
subscribers of the National Alerts Service.

In the interests of protecting your information systems and keeping up to date
with relevant information to protect your information systems, you should be
aware that not all security bulletins published or distributed by AusCERT are
included in the National Alert Service.  AusCERT may publish and distribute
bulletins to its members which contain information about serious computer
network threats and vulnerabilities that could affect your information
systems. Many of these security bulletins are publicly accessible from our web
site.

AusCERT maintains the mailing list for access to National Alerts Service
security bulletins. If you are subscribed to the National Alerts Service and
wish to cancel your subscription to this service, please follow the
instructions at:

         http://www.auscert.org.au/msubmit.html?it=3058

Previous security bulletins published or distributed as part of the National
Alerts Service can be retrieved from:

         http://national.auscert.org.au/render.html?cid=2998

Previous security bulletins published or distributed by AusCERT can be
retrieved from:

         http://www.auscert.org.au/render.html?cid=1

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

         http://national.auscert.org.au/render.html?it=3192

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
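The advisory's mitigation is to treat Access .mdb attachments arriving by email as you would executables, and Jeff's note points at client-side attachment blocking as one layer. A mail-gateway check that flags such attachments by extension and, more robustly, by the file's own header is a natural complement. The following is an added example, not part of the AusCERT alert or of MailScanner; it assumes the Jet/ACE database signature ("Standard Jet DB" or "Standard ACE DB" at byte offset 4), builds a constructed sample message inline, and extends the advisory's single .mdb case to the related .mde/.accdb/.accde extensions so a renamed attachment is still caught.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions flagged: .mdb is named in the advisory; the rest are related
# Access/Jet/ACE formats added here as an assumption of the example.
ACCESS_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde"}

# Jet (Access 97-2003) and ACE (Access 2007+) database files carry this
# fixed signature at byte offset 4, after four zero bytes.
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")


def is_access_database(data: bytes) -> bool:
    """True if the bytes carry the Jet/ACE header, whatever the filename says."""
    return len(data) >= 20 and data[4:19] in JET_SIGNATURES


def find_access_attachments(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment that looks like an Access database.

    Each finding records whether it was caught by extension, by file header,
    or both, so a renamed .mdb (by_name False, by_magic True) is still visible.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        by_name = ext in ACCESS_EXTENSIONS
        by_magic = is_access_database(payload)
        if by_name or by_magic:
            findings.append({
                "filename": name,
                "by_name": by_name,
                "by_magic": by_magic,
                "size": len(payload),
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample mail: one .mdb, one Jet file renamed .txt, one real .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample for attachment screening"
    msg.set_content("See attached.")
    # Minimal constructed Jet header: 4 zero bytes, signature, padding.
    jet_blob = b"\x00\x00\x00\x00" + b"Standard Jet DB\x00" + b"\x00" * 64
    msg.add_attachment(jet_blob, maintype="application",
                       subtype="octet-stream", filename="report.mdb")
    # Same file content with the extension hidden behind .txt
    msg.add_attachment(jet_blob, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    # A genuine text attachment that must not be flagged
    msg.add_attachment("plain text, nothing to see", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_access_attachments(build_sample_message()):
        print(finding)
```

In a gateway such as MailScanner this logic would sit in the attachment-filtering stage; the point of the header check is that the advisory's "especially .mdb files" rule is only as good as the filename unless the content is inspected too.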
