Sunday 04 July 2004

Microsoft adds killbit to ADODB.Stream object

In response to the download.ject trojan reported last week, Microsoft has made configuration changes to Windows XP, 2000 and 2003 Server by adding a killbit to the ADODB.Stream object.

The configuration change is meant to turn off the ADODB.Stream ActiveX Control, which has been used in conjunction with last weeks russian web site defacements to install malware on unsuspecting user's PCs.

However, please note that even after 'ADODB.Stream' is disabled, it is still possible to launch programs on the users system without user interaction.

SANS Internet Storm Center reports that this issue was made public at Bugtraq about 10 months ago. SANS also has a link to the proof of concept exploit on their dairy for 02 July 2004

You can pick up the configuration changes via Windows Update or you could set the killbit on the ADODB.Stream Object yourself.

Related Reading