Microsoft is warning users about a vulnerability in Internet Explorer that has been used in targeted e-mail attacks. Recipients were sent links directing them to a Web site where exploit code could be activated to take over their computers. The exploit code has been taken down. It was written specifically for IE 6 and 7. IE 8 in the default installation, with Data Execution Prevention (DEP) enabled, and the IE 9 beta are not vulnerable. Microsoft has released a security advisory that includes workarounds, such as enabling DEP, reading e-mails in plain text, and setting Internet and local intranet security zone settings to “high” to block ActiveX Controls and Active Scripting. A Fix-it tool that will ease the implementation of workarounds is expected some time today. There is no timeline on a security update.
According to CNET’s article, once a machine is compromised, the malware sets itself to start automatically, along with a service named “NetWare Workstation.” Encrypted .gif files are used to provide instructions to the Trojan. Symantec researchers were able to grab a screenshot of the attacker’s manually entered commands. Symantec has named the threat “Backdoor.Pirpi.”