9 March 2006
A new proof-of-concept virus has been discovered that infects yet another application in the Microsoft Office suite. The targeted application this time is InfoPath, and the virus in question is called W32/Icabdi.A. The virus is rather "interesting" in that it relies on the presence of external tools, the good old debug.exe and makecab.exe (both of which ship with the 32-bit Windows installations of the day), as well as on write and execute permission on a specific location on the user's hard disk.
If all these criteria are met, the virus extracts the contents of every *.xsn file it finds, inserts its code into the script.js file if one is present, and rebuilds the xsn file (for those not aware of xsn files: they are basically cabinet files with some extra files that tell InfoPath what to do).
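Because an xsn template is a cabinet, the infection described above can be checked for without InfoPath at all: open the cabinet, pull out script.js and look for the credits string the virus displays. The following is an added example written for this page, not code from Norman or from the virus author. It assumes that the credits message appears as a literal string inside the injected script.js, and that the template is a single-part cabinet stored uncompressed or with MSZIP (LZX and Quantum folders are reported, not expanded). The cabinet builder and the two sample templates at the bottom are constructed test data so the scanner can be exercised offline; they are not makecab output or real infected files.

```python
"""Scan InfoPath .xsn templates (Microsoft cabinet files) for an injected script.js.
Added example; assumes the virus's credits text is a literal in script.js."""
import struct
import sys
import zlib

MARKER = b"This proof-of-concept InfoPath virus has been done by"
CFHDR_PREV_OR_NEXT = 0x0003     # multi-part cabinet flags
CFHDR_RESERVE_PRESENT = 0x0004  # reserved areas present in header/folder/data


def expand_folder(blob, coff_start, n_blocks, ctype, cb_data_res):
    """Concatenate the CFDATA blocks of one folder into its uncompressed stream."""
    out, pos = bytearray(), coff_start
    for _ in range(n_blocks):
        _csum, cb_data, cb_uncomp = struct.unpack_from("<IHH", blob, pos)  # csum not verified
        pos += 8 + cb_data_res
        chunk = blob[pos:pos + cb_data]
        pos += cb_data
        before = len(out)
        if ctype == 0:                       # tcompTYPE_NONE
            out += chunk
        elif ctype == 1:                     # tcompTYPE_MSZIP: "CK" + raw deflate
            if chunk[:2] != b"CK":
                raise ValueError("bad MSZIP block signature")
            hist = bytes(out[-32768:])       # deflate history carries over between blocks
            d = zlib.decompressobj(-15, zdict=hist) if hist else zlib.decompressobj(-15)
            out += d.decompress(chunk[2:]) + d.flush()
        else:
            raise NotImplementedError("compression type %d not supported" % ctype)
        if len(out) - before != cb_uncomp:
            raise ValueError("CFDATA block size mismatch")
    return bytes(out)


def parse_cab(blob):
    """Return {member name: bytes} for a cabinet image held in memory."""
    if blob[:4] != b"MSCF":
        raise ValueError("not a cabinet file")
    (_cb_cab, coff_files, _vmin, _vmaj, n_folders, n_files, flags,
     _set_id, _i_cab) = struct.unpack_from("<4xI4xI4xBBHHHHH", blob, 4)
    if flags & CFHDR_PREV_OR_NEXT:
        raise NotImplementedError("multi-part cabinets not supported")
    pos, cb_folder_res, cb_data_res = 36, 0, 0
    if flags & CFHDR_RESERVE_PRESENT:
        cb_header_res, cb_folder_res, cb_data_res = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + cb_header_res
    folders = []
    for _ in range(n_folders):
        coff_start, n_blocks, tcomp = struct.unpack_from("<IHH", blob, pos)
        pos += 8 + cb_folder_res
        folders.append(expand_folder(blob, coff_start, n_blocks, tcomp & 0x000F, cb_data_res))
    members, pos = {}, coff_files
    for _ in range(n_files):
        cb_file, uoff, i_folder = struct.unpack_from("<IIH", blob, pos)
        pos += 16                            # fixed CFFILE part, then NUL-terminated name
        end = blob.index(b"\0", pos)
        name = blob[pos:end].decode("latin-1")
        pos = end + 1
        if i_folder >= 0xFFFD:               # file continued from/to another cabinet
            raise NotImplementedError("continued file %s not supported" % name)
        members[name] = folders[i_folder][uoff:uoff + cb_file]
    return members


def scan_xsn(blob):
    """'infected' if script.js carries MARKER, 'clean' otherwise, 'no-script' if absent."""
    members = parse_cab(blob)
    js = next((d for n, d in members.items() if n.lower() == "script.js"), None)
    if js is None:
        return "no-script"
    return "infected" if MARKER in js else "clean"


def build_cab(members, mszip=False):
    """Constructed one-folder cabinet for testing (not makecab output): a single
    CFDATA block, so members must total under 32 KiB; checksum left at 0."""
    folder_data = b"".join(members.values())
    files, uoff = b"", 0
    for name, data in members.items():   # cbFile, uoffFolderStart, iFolder, date, time, attribs
        files += struct.pack("<IIHHHH", len(data), uoff, 0, 0x3486, 0, 0x20) + name.encode() + b"\0"
        uoff += len(data)
    if mszip:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        payload = b"CK" + c.compress(folder_data) + c.flush()
    else:
        payload = folder_data
    cfdata = struct.pack("<IHH", 0, len(payload), len(folder_data)) + payload
    coff_files = 36 + 8
    coff_data = coff_files + len(files)
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, coff_data + len(cfdata), 0,
                                   coff_files, 0, 3, 1, 1, len(members), 0, 0x1234, 0)
    return header + struct.pack("<IHH", coff_data, 1, 1 if mszip else 0) + files + cfdata


# Constructed samples: a template whose script.js carries the credits text, and a clean one.
INFECTED_XSN = build_cab({"manifest.xsf": b"<xsf:xDocumentClass/>",
                          "script.js": b"// " + MARKER + b" [Second Part To Hell/rRlf]\n"})
CLEAN_XSN = build_cab({"manifest.xsf": b"<xsf:xDocumentClass/>",
                       "script.js": b"function XDocument::OnLoad(eventObj) {}\n"}, mszip=True)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_xsn(fh.read()))
```

Run it as `python scan_xsn.py *.xsn` over a directory of templates. A string match on the credits text is deliberately narrow: a rebuilt template with a changed message will pass as clean, so a practitioner would rather diff script.js against the template's known-good copy, or alert on any xsn whose script.js changed while makecab.exe ran in the same session.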
Based on a random number, one of 10 messages will appear on screen:
Due to a probable oversight by the author, the last of these messages is never seen: with the same probability, it is overwritten with:
This proof-of-concept InfoPath virus has been done by [Second Part To Hell/rRlf]
http://www.[REMOVED].de.vu/
http://www.[REMOVED].de.vu/
The [REMOVED] part actually points to the author's website, where he proudly acknowledges that he created this virus. The author, using the name SPTH (Second Part To Hell), claims to be an Austrian citizen and has contributed to several electronic magazines of virus-writing groups such as 29A. As with many virus writers, he seems to have a taste for metal music. He promises to release the source code, an exact explanation of the virus and some InfoPath secrets, together with infected xsn files, in a forthcoming electronic virus magazine.
Since this proof-of-concept virus carries no payload and relies on the presence of external tools, the risk from it is so low that users need not be concerned. Of course, as with any proof-of-concept virus, we may now see a flood of viruses using the same technique. So the best advice Norman can give users is, as usual: "Use common sense when executing files you received but did not ask for!"