
MIDI exploit in the wild

Created: 27 Jan 2012 13:06:53 GMT • Updated: 23 Jan 2014 18:17:40 GMT
Shunichi Imano

Symantec Security Response is aware of in-the-wild malware exploiting the Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Buffer Overflow Vulnerability (BID 51292). Microsoft has already issued a patch for this vulnerability in its January monthly patch release. Applying the patch is strongly recommended.

There are several components involved in this live attack:

  • a.exe
  • baby.mid
  • i.js
  • mp.html

Symantec products detect mp.html and i.js as Trojan.Malscript. The malicious baby.mid file is detected as Trojan Horse, and the final payload, a.exe, is flagged as Downloader.Darkmegi. The Downloader.Darkmegi detection also covers two dropped files: com32.dll and com32.sys.

On the IPS side, i.js is blocked by the Web Attack: Malicious JavaScript signature, while the initial exploit attempt is blocked by the Web Attack: Malicious JavaScript Heap Spray Generic signature.