Vista is affected by the Windows .ANI 0-day too

Some hours ago, Microsoft confirmed a new 0-day vulnerability related to Animated Cursor handling.

The vulnerability (CVE-2007-1765) is being actively exploited to spread backdoor malware. When a workstation is infected, the malicious executable wincf.exe is copied to the machine. This malware then downloads more Trojans from the address http : //220 . 71.76.189 [Do not visit!].
The main attack vector is Internet Explorer. Readers familiar with MS05-002 will remember that MSIE executes cursor files automatically.
The .ani file format is the format of Windows Animated Cursors.

Update: Some AV vendors detect this as Trojan.Anicmoo, TROJ_ANICMOO.AX, Exploit-ANIfile.c, Exploit:W32/Ani.C and Troj/Animoo-U.

  • mark

    On Windows Vista this trojan can’t be installed because the user has low privileges (UAC enabled by default)