Beavuh is a malware exploit of the so-called MS IIS “.printer” vulnerability, which is described by Microsoft in the “Security Bulletin MS01-23”,released May 1, 2001.
The MS01-23 Security Bulletin can be viewed at the following location:
This exploit program gives remote access to a simple Windows NT command shell on the target machine. Beavuh was recently reported (on March 2nd, 2002) to have been used in a large number of hacking attempts.
The exploit program has the following parameters:
The remote exploit code gets executed on the target machine if the IIS vulnerability was not previously patched. The code is encrypted so it will first proceed to decrypt itself, and then it will scan the system memory for the Windows NT library (“kernel32.dll”). From there it will acquire the ‘offset’ of the ‘GetProcAddress’ function and will further use it to obtain a couple of other API addresses, both from “kernel32.dll” and “wsock32.dll”.
Next Beavuh connects to the address specified by the attacker, launches the executable “cmd.exe” and links the input and output of the command shell to the socket opened to the attacker’s control machine.