MIDI exploit in the wild

Symantec Security Response is aware of in-the-wild malware exploiting the Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Buffer Overflow Vulnerability (BID 51292). Microsoft has already issued a patch against this vulnerability in the monthly patch release this January. Applying the patch is strongly recommended.

There are several components involved in this live attack:

  • a.exe
  • baby.mid
  • i.js
  • mp.html

Symantec products detect mp.html and i.js as Trojan.Malscript. The vulnerable baby.mid file is detected as Trojan Horse and the end-result file, a.exe, is flagged as Downloader.Darkmegi. The Downloader.Darkmegi detection also covers a couple of dropped files: com32.dll and com32.sys.

On the IPS side, i.js is blocked by the Web Attack: Malicious JavaScript signature while the initial exploit attempt is blocked by the Web Attack: Malicious JavaScript Heap Spray Generic signature.