Code Analysis of ANI 'anih' Header Stack Overflow Vulnerability
This is a rough explanation of the exploit and of the steps taken to research the vulnerability. Several malicious ANI files are in circulation; the one discussed here is mm.jpg from newasp, but the others are likely very similar.
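The overflow named in the title, as an added example that is not code from the original post or from the malware author: a small C walker over the RIFF chunk list of an ANI file that flags any 'anih' chunk, not only the first, whose length field is not 36 bytes (the size of the ANIHEADER structure a loader copies the chunk into), plus a hardened load routine that refuses any other length. Two sample files are constructed in memory, one benign and one crafted with a valid first header followed by a second 'anih' inside a LIST that claims 0x800 bytes. The RIFF/ACON chunk layout and the 36-byte header are real; the function names, the 0x800 length and the sample bytes are assumptions made for this illustration, not bytes taken from mm.jpg.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the Win32 ANIHEADER structure, i.e. the fixed stack buffer the
 * ANI loader copies an 'anih' chunk into. */
#define ANIH_SIZE 36u

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

typedef struct {
    int anih_total;       /* 'anih' chunks seen anywhere, including inside LISTs */
    int anih_bad;         /* 'anih' chunks whose length field is not 36 */
    uint32_t worst_size;  /* largest 'anih' length field encountered */
} ani_scan_t;

/* Walk a chunk sequence, descending into LIST chunks. Every 'anih' is
 * checked: a loader that validates only the first header and then sizes a
 * later copy from the chunk's own length field overflows its 36-byte
 * ANIHEADER on the later chunk. */
static void scan_chunks(const uint8_t *p, size_t len, ani_scan_t *r)
{
    size_t off = 0;
    while (len - off >= 8) {
        const uint8_t *id = p + off;
        uint32_t size = rd32(p + off + 4);
        off += 8;
        if (memcmp(id, "anih", 4) == 0) {
            r->anih_total++;
            if (size != ANIH_SIZE) r->anih_bad++;
            if (size > r->worst_size) r->worst_size = size;
        } else if (memcmp(id, "LIST", 4) == 0 && size >= 4 && size <= len - off) {
            scan_chunks(p + off + 4, size - 4, r);   /* skip the list type tag */
        }
        if (size > len - off) break;   /* length field runs past end of data */
        off += size + (size & 1);      /* RIFF pads chunks to even length */
    }
}

/* 1 = some 'anih' would overflow a naive loader, 0 = well formed,
 * -1 = not a RIFF/ACON file at all. */
int scan_ani(const uint8_t *buf, size_t len, ani_scan_t *r)
{
    memset(r, 0, sizeof *r);
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;
    scan_chunks(buf + 12, len - 12, r);
    return r->anih_bad ? 1 : 0;
}

/* Hardened load: copy only when the length field matches the structure. */
int load_anih(const uint8_t *chunk_data, uint32_t declared, uint8_t out[ANIH_SIZE])
{
    if (declared != ANIH_SIZE) return 0;
    memcpy(out, chunk_data, ANIH_SIZE);
    return 1;
}

/* ---- constructed samples (assumed layout, not files from the wild) ---- */

/* Append a chunk whose length field says `declared` but which carries only
 * `actual` bytes; the two differ only in the crafted file. */
static size_t put_chunk(uint8_t *out, size_t pos, const char *id,
                        uint32_t declared, const uint8_t *data, size_t actual)
{
    memcpy(out + pos, id, 4);
    wr32(out + pos + 4, declared);
    memcpy(out + pos + 8, data, actual);
    pos += 8 + actual;
    if (actual & 1) out[pos++] = 0;
    return pos;
}

static void valid_header(uint8_t hdr[ANIH_SIZE])   /* cbSize=36, 1 frame, 1 step */
{
    memset(hdr, 0, ANIH_SIZE);
    wr32(hdr, ANIH_SIZE); wr32(hdr + 4, 1); wr32(hdr + 8, 1);
}

size_t build_benign_ani(uint8_t *out)
{
    uint8_t hdr[ANIH_SIZE];
    valid_header(hdr);
    memcpy(out, "RIFF\0\0\0\0ACON", 12);
    size_t pos = put_chunk(out, 12, "anih", ANIH_SIZE, hdr, ANIH_SIZE);
    wr32(out + 4, (uint32_t)(pos - 8));
    return pos;
}

/* Valid first anih, then a LIST/fram holding a second anih that claims
 * 0x800 bytes; 64 filler bytes are enough to smash a 36-byte stack buffer. */
size_t build_crafted_ani(uint8_t *out)
{
    uint8_t hdr[ANIH_SIZE], filler[64];
    valid_header(hdr);
    memset(filler, 'A', sizeof filler);
    memcpy(out, "RIFF\0\0\0\0ACON", 12);
    size_t pos = put_chunk(out, 12, "anih", ANIH_SIZE, hdr, ANIH_SIZE);
    size_t list_at = pos;
    pos = put_chunk(out, pos, "LIST", 0, (const uint8_t *)"fram", 4);
    pos = put_chunk(out, pos, "anih", 0x800, filler, sizeof filler);
    wr32(out + list_at + 4, (uint32_t)(pos - list_at - 8));  /* fix LIST length */
    wr32(out + 4, (uint32_t)(pos - 8));
    return pos;
}

/* Build one sample and scan it; returns the scan_ani verdict. */
int scan_sample(int crafted, ani_scan_t *r)
{
    uint8_t buf[256];
    size_t n = crafted ? build_crafted_ani(buf) : build_benign_ani(buf);
    return scan_ani(buf, n, r);
}

int main(void)
{
    ani_scan_t r;
    printf("benign : verdict %d\n", scan_sample(0, &r));
    printf("crafted: verdict %d, anih chunks %d, bad %d, largest 0x%x\n",
           scan_sample(1, &r), r.anih_total, r.anih_bad, r.worst_size);
    return 0;
}
```

The point of the recursion into LIST chunks is that the oversized header need not be the first, or even a top-level, chunk; a check that only looks at the first 'anih' is what the crafted sample is built to slip past.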
The shellcode in mm.jpg resolves kernel32 functions, then downloads and executes xx.exe (observed through behavioral analysis). xx.exe does little beyond deleting the system’s HOSTS file, writing bdscheca001.dll to %SYSTEM%, and registering that DLL as a ShellExecuteHooks entry.
Registering a ShellExecuteHook means that whenever a process calls ShellExecute() or ShellExecuteEx(), the DLL is loaded into that process’s address space and its DllMain runs. Practically every process ends up calling one of these two functions eventually, so the result is that nearly every process on the system is trojanized. Here is a view of the xx.exe sections (who is MrOwen?) and the hooked process list.