Symantec Security Response is aware of in-the-wild malware exploiting the Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Buffer Overflow Vulnerability (BID 51292). Microsoft has already issued a patch against this vulnerability in the monthly patch release this January. Applying the patch is strongly recommended.
There are several components involved in this live attack:
- a.exe
- baby.mid
- i.js
- mp.html
Symantec products detect mp.html and i.js as Trojan.Malscript. The vulnerable baby.mid file is detected as Trojan Horse and the end-result file, a.exe, is flagged as Downloader.Darkmegi. The Downloader.Darkmegi detection also covers a couple of dropped files: com32.dll and com32.sys.
On the IPS side, i.js is blocked by the Web Attack: Malicious JavaScript signature while the initial exploit attempt is blocked by the Web Attack: Malicious JavaScript Heap Spray Generic signature.