Yesterday, we were further analyzing an executable that we recently haven’t been seeing all that much of, tmpms45.exe. The filename is familiar, as sometimes various executables with that name are delivered by malicious emails or malicious web pages. Most often, we see it as a part of a commodity exploit kit (i.e. Mpack), and the malicious web site operators simply forgot to change the filename in the kit’s scripts that they just purchased.
This time, however, a file delivered with that filename is receiving a lot of attention as the newest piece of malware writing directly to raw disk and the master boot record on WindowsXP systems. It may also go by several other names, like mat16.exe, mat17.exe, mat18.exe and so on. The code for the malicious dropper itself is getting attention partly because it is the first in the wild malware found to contain a slightly modifed version of the “BootRoot” code presented at Blackhat 2005 by eEye researchers.
This malicious dropper executable is being distributed from web sites via a set of exploits targeting a vulnerability patched in 2003, the common Microsoft MDAC (MS06-014) vulnerabilities that we see targeted on a daily basis, along with the somewhat more recent VML and XML CoreServices BoF.