MIDI exploit in the wild
Symantec Security Response is aware of in-the-wild malware exploiting the Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Buffer Overflow Vulnerability (BID 51292). Microsoft has already issued a patch for this vulnerability in its monthly patch release this January. Applying the patch is strongly recommended.
There are several components involved in this live attack:
- a.exe
- baby.mid
- i.js
- mp.html
Symantec products detect mp.html and i.js as Trojan.Malscript. The malicious baby.mid file is detected as Trojan Horse, and the final payload, a.exe, is flagged as Downloader.Darkmegi. The Downloader.Darkmegi detection also covers a couple of dropped files: com32.dll and com32.sys.
On the IPS side, i.js is blocked by the Web Attack: Malicious JavaScript signature, while the actual exploit attempt is blocked by the Web Attack: Malicious JavaScript Heap Spray Generic signature.