Symantec(TM)

Symantec Security Response

ISSN 1444-9994

April 2002 Newsletter


These are the most common Viruses, Trojans and Worms reported to Symantec Security Response during the last month.



Country Spotlight
United Kingdom

JS.Exception.Exploit
Backdoor.Trojan
W32.Klez.E@mm
W32.Badtrans.B@mm
W32.Gibe@mm
W95.Hybris.worm
W32.Magistr.39921@mm
W32.Sircam.Worm@mm
Trojan Horse
JS.Seeker



Top Global Threats

JS.Exception.Exploit
W32.Klez.E@mm
W95.Hybris.worm
W32.Magistr.39921@mm
Backdoor.Trojan
W32.Badtrans.B@mm
Trojan Horse
W32.Gibe@mm
W32.Sircam.Worm@mm
VBS.Haptime.A@mm

Asia Pacific
JS.Exception.Exploit
W32.Klez.E@mm
W95.Hybris.worm
Backdoor.Trojan
W32.Sircam.Worm@mm
W32.Badtrans.B@mm
W32.Magistr.39921@mm
W32.Gibe@mm
VBS.Haptime.A@mm
Trojan Horse

Europe, Middle East & Africa
W32.Klez.E@mm
JS.Exception.Exploit
W32.Badtrans.B@mm
W95.Hybris.worm
W32.Magistr.39921@mm
Backdoor.Trojan
Trojan Horse
W32.Sircam.Worm@mm
W32.Gibe@mm
VBS.Haptime.A@mm

Japan
W32.Klez.E@mm
JS.Exception.Exploit
W32.Badtrans.B@mm
W95.Hybris.worm
W32.FBound.gen@mm
W32.Badtrans.B@mm
W32.Gibe@mm
W32.Nimda.enc
Backdoor.Trojan
W32.Aliz.Worm

The Americas
JS.Exception.Exploit
W95.Hybris.worm
W32.Klez.E@mm
W32.Magistr.39921@mm
W32.Gibe@mm
Backdoor.Trojan
Trojan Horse
W32.Badtrans.B@mm
W32.Sircam.Worm@mm
W32.Nimda.enc



Removal Tools for malicious code are on our web site.

A list of Virus Hoaxes reported to Symantec.

A list of Joke Programs reported to Symantec.

Glossary for definitions of viruses, Trojans and worms and more.




This month we had W32.MyLife and W32.Gibe peaking at around the same time in the second week of March. This was an unwelcome coincidence and whilst it rapidly increased the number of customer sample submissions we received, the Digital Immune System coped very well.

We had a mix-up with the naming of W32.FBound.gen@mm in the process of getting detection out as soon as possible. We all focussed on the analysis and not the name, which caused some debate in some of the public anti-virus online forums about the naming standards in use. I must say that whilst I agree it's important to get names correct, it humours me to see us spending more time discussing the names of threats than it takes to do the detection and roll out the update. :)

This month has seen the faltering of a keystone of the product testing framework of the anti-virus industry with the announcement that The Wildlist (http://www.wildlist.org) may have to cease operation due to lack of funds. The Wildlist has been used as the benchmark to test anti-virus software against for many years and has contributors from many prominent individuals and organizations. Each of these contributors reports the names of viruses reported to them to The Wildlist, which then collates this information to produce monthly consolidated virus prevalence reports. There is good news though: apparently there is a certain amount of industry support and the April Wildlist will be published.

David Banes
Editor, securitynews@symantec.com

Viruses, Worms & Trojans

W32.MyLife

Moderate [3] Threat

Win32

Global Infection breakdown by geographic region (% of Total)

America (North & South)              70.2%
EMEA (Europe, Middle East, Africa)   22.7%
Japan                                 0.7%
Asia Pacific                          6.4%

Date      % Reports
8 Mar     12.0%
9 Mar      1.9%
10 Mar     4.7%
11 Mar    25.2%
12 Mar    19.6%
13 Mar    14.0%
14 Mar     7.5%
15 Mar     7.0%
16 Mar     0.5%
17 Mar     1.4%

W32.MyLife@mm is a simple mass-mailer that sends itself to all contacts in the Microsoft Outlook address book. The worm is a compressed, compiled Visual Basic executable. It attempts to delete files that have the extensions .com, .sys, .ini, .exe, .vxd, or .dll. (This could not be reproduced in a controlled test environment.)

There are several variants of this worm: W32.MyLife.B@mm, W32.MyLife.C@mm, and variants D, E, F, G, H and J.

http://securityresponse.symantec.com/avcenter/venc/data/w32.mylife@mm.html

Douglas Knowles
Symantec Security Response, USA

W32.Gibe@mm

Moderate [3] Threat

Win32

Global Infection breakdown by geographic region (% of Total)

America (North & South)              67.4%
EMEA (Europe, Middle East, Africa)   24.6%
Japan                                 3.4%
Asia Pacific                          4.6%

Date      % Reports
5 Mar      0.3%
8 Mar      5.9%
10 Mar    10.4%
11 Mar    14.7%
12 Mar    16.4%
13 Mar    12.7%
14 Mar     4.6%
15 Mar     3.1%
18 Mar     2.2%
24 Mar     0.4%

W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This worm arrives in an email message disguised as a Microsoft Internet Security Update, as the attachment Q216309.exe. The worm also attempts to copy itself to all locally mapped remote drives.

The fake message, which is not from Microsoft, has the following characteristics:

From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message:
Microsoft Customer,
this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities
.
.
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
.
.
Attachment: Q216309.exe

The attached file, Q216309.exe, is written in Visual Basic; it contains other worm components inside itself.

http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.html

Gor Nazaryan
Symantec Security Response, USA.

W32.FBound.gen@mm

Moderate [3] Threat

Win32

Global Infection breakdown by geographic region (% of Total)

America (North & South)              18.7%
EMEA (Europe, Middle East, Africa)   40.6%
Japan                                19.4%
Asia Pacific                         21.2%

Date      % Reports
17 Mar     1.9%
18 Mar    16.8%
19 Mar    17.1%
20 Mar    11.8%
21 Mar     7.1%
22 Mar     8.1%
23 Mar     5.0%
26 Mar     4.0%
30 Mar     2.2%
4 Apr      1.6%

This is a mass-mailing worm that uses the infected computer's SMTP server to send itself to all addresses in the Windows address book. It contains no payload. The email arrives with an attachment named Patch.exe. For addresses ending in .jp (Japan), there are 17 Japanese-language subjects, one of which is randomly chosen each time.

http://securityresponse.symantec.com/avcenter/venc/data/w32.fbound.gen@mm.html

Peter Ferrie
Symantec Security Response, APAC

Linux.Jac.8759

Very Low [1] Threat

Linux


Linux.Jac.8759 is a virus that infects files under Linux. The virus infects ELF executables that exist in the same directory as the virus. When Linux.Jac.8759 is executed, it starts by checking all files that are in the same directory as the one from which the virus was executed. If it finds executable files that have write permission, it attempts to infect them. The virus will not infect files that end with the letters ps, nor will it infect files that were not created for the x86 (Intel) platform.

The virus modifies several fields in the header of the file. One of the modifications is used as an infection marker; checking it prevents the virus from infecting a file multiple times.
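The target-selection rules above translate directly into an exposure check an administrator can run over a directory: which files here are writable x86 ELF executables that this infector would consider? The following C is an added example, not Symantec's or the virus's code; the ELF constants come from the ELF specification, the two sample headers are constructed, and the write-permission test is simplified to any write bit in the mode.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ELF32 header constants from the ELF specification. */
#define EI_CLASS    4
#define EI_DATA     5
#define ELFCLASS32  1
#define ELFDATA2LSB 1
#define ET_EXEC     2
#define EM_386      3
#define EM_ARM      40
#define EHDR32_LEN  52

/* Read a 16-bit header field in the byte order the file declares. */
static uint16_t rd16(const unsigned char *p, int little) {
    return little ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[1] | p[0] << 8);
}

/* 1 if buf starts with the header of a 32-bit x86 ELF executable, the only
   file class the write-up says Linux.Jac.8759 infects. */
int is_x86_elf_exec(const unsigned char *buf, size_t len) {
    if (len < EHDR32_LEN || memcmp(buf, "\x7f" "ELF", 4) != 0) return 0;
    if (buf[EI_CLASS] != ELFCLASS32) return 0;
    int little = buf[EI_DATA] == ELFDATA2LSB;
    return rd16(buf + 16, little) == ET_EXEC &&   /* e_type    */
           rd16(buf + 18, little) == EM_386;      /* e_machine */
}

/* The virus skips names ending in the letters "ps"; mirror that rule. */
int name_ends_with_ps(const char *name) {
    size_t n = strlen(name);
    return n >= 2 && strcmp(name + n - 2, "ps") == 0;
}

/* A file is exposed when it is an x86 ELF executable, has a write bit set
   (simplification: the virus needs write permission as the user running it)
   and is not named *ps.  mode is the file's st_mode, hdr its first bytes. */
int exposed_to_jac(const char *name, unsigned mode,
                   const unsigned char *hdr, size_t len) {
    int writable = (mode & 0222) != 0;          /* owner, group or other write */
    return writable && !name_ends_with_ps(name) && is_x86_elf_exec(hdr, len);
}

/* Constructed samples: minimal little-endian ELF32 headers; only the fields
   checked above are filled in, everything else is zero. */
const unsigned char sample_x86_exec[EHDR32_LEN] = {
    0x7f, 'E', 'L', 'F', ELFCLASS32, ELFDATA2LSB, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    ET_EXEC, 0, EM_386, 0 };
const unsigned char sample_arm_exec[EHDR32_LEN] = {
    0x7f, 'E', 'L', 'F', ELFCLASS32, ELFDATA2LSB, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    ET_EXEC, 0, EM_ARM, 0 };
```

Feed it each file's st_mode from stat(2) and its first 52 bytes; anything it flags is a file this infector could write to, so tightening those write bits removes the exposure.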

http://securityresponse.symantec.com/avcenter/venc/data/linux.jac.8759.html

Neal Hindocha
Symantec Security Response, EMEA

Security Advisories

Zlib compression library double free bug could allow arbitrary code

High [4] Risk

Various


There is a programming error in the zlib compression library, which is used by a great many software packages. Under the proper circumstances an attacker may be able to manipulate a call into the library in such a way as to create a denial of service condition or potentially have arbitrary code run on the targeted system. Such code would run with the permissions of the affected program, up to and including root.

The zlib compression library is an open-source lossless data-compression library that can be used on virtually any computer hardware and operating system to provide in-memory compression and decompression functions. Zlib has been ported and modified to work on a wide variety of operating systems and applications.

A bug in the zlib compression library has been posted and widely discussed that can leave programs linked to zlib vulnerable. Under certain circumstances a segment of dynamically allocated memory may be de-allocated (freed) twice: a specially crafted segment of compressed data can cause a call that frees an allocated chunk of memory to return an unexpected memory error, after which a subsequent call attempts to free the same chunk a second time. In most instances this will result in a denial of service when the application crashes. However, there is a potential that an attacker could manipulate this vulnerability to run arbitrary code with the permissions of the affected application. If the application runs with privileged access, this could result in a critical compromise of the targeted system.

This vulnerability potentially affects a multitude of operating systems and applications that either contain a copy of the zlib library or dynamically link to it.

Not all affected applications have been found and patched yet. A partial list of over 500 known zlib-using applications is located at http://www.gzip.org/zlib/apps.html. If you do not know whether you are using a vulnerable version of zlib, or suspect that you may be, Symantec recommends contacting your vendor for update information.
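To make the bug class the advisory describes concrete, here is an added C example (not zlib's inflate code): a stand-in table builder whose error path frees a chunk but leaves the caller's pointer dangling, the caller's own cleanup that frees it again, the one-line ownership fix, and a constructed free-tracker that counts the second free instead of letting the heap be corrupted. The block format and the tracker are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed free-tracker standing in for a heap sanitizer: it remembers
   chunks already released and counts any second release of the same chunk
   instead of letting the allocator's bookkeeping be corrupted. */
#define TRACK_MAX 16
static void *released[TRACK_MAX];
static int released_n, double_frees;

static void tracked_free(void *p) {
    if (p == NULL) return;                       /* free(NULL) is a no-op */
    for (int i = 0; i < released_n; i++)
        if (released[i] == p) { double_frees++; return; }  /* the bug class */
    if (released_n < TRACK_MAX) released[released_n++] = p;
    free(p);
}

/* Stand-in for a decoder that builds a code table from a block whose first
   byte says how many entries follow.  A crafted block claims more entries
   than it carries; that is the error path where the double free arises.
   With fixed == 0 the error path behaves like the bug, with fixed == 1 it
   applies the ownership fix. */
static int build_table(const unsigned char *in, size_t n,
                       unsigned char **table, int fixed) {
    if (n == 0) return -1;
    size_t count = in[0];
    *table = malloc(count + 1);
    if (*table == NULL) return -1;
    if (count > n - 1) {                  /* malformed: fewer bytes than claimed */
        tracked_free(*table);             /* release the half-built table ...   */
        if (fixed) *table = NULL;         /* ... and tell the caller it is gone  */
        return -1;                        /* buggy path leaves *table dangling   */
    }
    memcpy(*table, in + 1, count);
    return 0;
}

/* Caller with its own cleanup, as a program linked to the library would
   have: it frees whatever table pointer it holds, success or failure. */
static int decode_block(const unsigned char *in, size_t n, int fixed) {
    unsigned char *table = NULL;
    int rc = build_table(in, n, &table, fixed);
    tracked_free(table);     /* second free of the same chunk on the buggy path */
    return rc;
}

/* Run a constructed block through the buggy (fixed == 0) or fixed decoder
   and return how many double frees the tracker observed. */
int double_frees_seen(int fixed, int malformed) {
    static const unsigned char crafted[] = { 200, 1, 2, 3 };  /* claims 200, carries 3 */
    static const unsigned char valid[]   = { 3, 1, 2, 3 };
    released_n = 0;
    double_frees = 0;
    decode_block(malformed ? crafted : valid, 4, fixed);
    return double_frees;
}
```

The same pattern is what a heap sanitizer or a hardened allocator reports as "double free"; the fix is to make ownership unambiguous, here by clearing the pointer the caller will later free.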

More information and recommendations are available here:
http://securityresponse.symantec.com/avcenter/security/Content/1720index.html

Microsoft Virtual Machine multiple flaws allow malicious control

High [4] Risk

Win32


Two vulnerabilities exist in the Microsoft Virtual Machine (VM) implementation. The first, which affects users who access the Internet through a proxy server, may permit a malicious applet to redirect Web traffic to another destination or record unencrypted confidential information that is sent during the Internet session. The second affects Java applets and may permit an attacker to gain control of a user's computer.

The Microsoft VM runs Java code in an operating environment that, for security, is isolated from the computer on which it is run. Microsoft Virtual Machine is supplied for Windows 95, 98, ME, NT 4.0, 2000, and XP. It is also available as part of Internet Explorer 6 and earlier.

The first vulnerability was reported on March 4, 2002. After the second critical flaw was discovered, Microsoft updated its advisory on March 18, 2002 to cover both, as both concern the Microsoft VM. The flaws affect Microsoft VM Build 3802 and earlier.

The first vulnerability, which only affects computers that use a proxy server, lies in how Java requests for proxy resources are handled. This flaw affects not only the Microsoft VM but others as well. (See the References for details.) When exploited, a malicious applet could redirect Web traffic to a destination of the attacker's choice. The attacker could then take control of the session and discard it, simulating a denial of service (DoS), or search the user's session for unencrypted confidential data.

Microsoft's best practices strongly recommend using SSL to encrypt sensitive information such as user names, passwords, and credit card numbers. Where SSL is used, that information is protected from examination and disclosure by an attacker exploiting this vulnerability.

The second vulnerability lies in the Microsoft VM verifier and may enable an attacker to execute code in the context of the user, outside the security restrictions of the Virtual Machine. This flaw only affects Java applets, not Java applications. To exploit the vulnerability, the attacker lures the victim to a site where the malicious applet resides. Once the victim is compromised, the attacker can perform any action on the victim's computer that the victim could: creating, deleting, or modifying files, sending data to or receiving data from a Web site, or even reformatting the victim's hard drive.

More information and recommendations are available here:
http://securityresponse.symantec.com/avcenter/security/Content/1685index.html

Various Buffer Overflows and Vulnerabilities

Various

Various


CDE dtspcd Buffer Overflow
An exploit of a buffer overflow vulnerability in most versions of the CDE Subprocess Control Service daemon, dtspcd. Successful exploitation of this vulnerability could provide root access to the malicious user.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0803

HTTP IIS ISAPI Extension
This exploit attempts to overflow the buffer in the ISAPI extensions of the IIS server. Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0500

MSIE Pop Up Object Tag Bug
Vulnerabilities exist in Internet Explorer 5.5 and 6.0 wherein the JavaScript object handler allows remote access to locally stored objects. By referencing a known registry key, or identifying executable code on the local hard drive, the remote attacker can execute code on the browsing computer.

SNMP Community BO
Vulnerabilities exist in multiple vendors' implementations of Simple Network Management Protocol version 1 (SNMPv1) wherein the SNMP community name buffer may be overrun. This vulnerability may cause routers, switches, and managed hubs to perform erratically, or to stop processing altogether. Carefully crafted exploits may give the attacker administrator-level control of a router or computer. This alert may also indicate a pre-strike probe using the Oulu University SNMPv1 vulnerability assessment tool, Protos.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013

Wuftpd Site Exec Overflow
Washington University's FTP server versions 2.6.0 and 2.6.1 have a file globbing heap address error in the server that may allow an attacker to trigger a buffer overflow through the Site Exec command and gain root-level access to the server.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0550

Enterprise Security News Clips

Visit the Symantec Enterprise Security Web Site - http://enterprisesecurity.symantec.com/
Recent Enterprise Security News headlines include:

Workers Are No. 1 Threat to Russia's IT;
The Moscow Times
http://enterprisesecurity.symantec.com/content.cfm?articleid=1264

Security Researcher Uncovers Two Office XP Flaws;
InfoWorld Daily News
http://enterprisesecurity.symantec.com/content.cfm?articleid=1263

Filtering Porn; Librarians in Court Over Internet Law;
Newsday (New York, NY)
http://enterprisesecurity.symantec.com/content.cfm?articleid=1255

Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
Security News

Symantec Contribution to Microsoft Security Operations Guide

Symantec is pleased to collaborate with Microsoft on their Security Operations Guide. The Security Operations Guide is an excellent set of specific configuration recommendations that, if followed, will result in formidable security for Windows server platforms. Below is a set of information security articles written by Symantec security experts that expand on key points within the Security Operations Guide. Symantec products play a key role in building a defense-in-depth security posture. The security principles and recommendations outlined in the Security Operations Guide and the following articles are best managed with Symantec product solutions.

As part of our commitment to the Windows platform, Symantec Security Response has created seven new Enterprise Security Manager™ policies to cover many of the recommendations in the Security Operations Guide for Windows 2000 Servers, Windows 2000 ADS, Windows 2000 Professional, Windows NT 4 PDC, Windows NT 4 Server, and Windows NT 4 Workstations. These policies were developed from industry-recognized best practices and from guidelines in the Security Operations Guide. These Symantec Enterprise Security Manager™ policies are free to customers paying for Enterprise Security Manager™ maintenance.

Enterprise Security Manager™ Windows Policies
http://securityresponse.symantec.com/avcenter/security/Content/windows.os.hardening.policies.html

Symantec Security Articles
General information security articles that elaborate on Security Operations Guide recommendations:

Fundamentals of Information Security (80-20 Rule)
http://securityresponse.symantec.com/avcenter/security/Content/security.articles/fundamentals.of.info.security.html

Defense in Depth Benefits
http://securityresponse.symantec.com/avcenter/security/Content/security.articles/defense.in.depth.html

Corporate Security Policy
http://securityresponse.symantec.com/avcenter/security/Content/security.articles/corp.security.policy.html

Microsoft Security Operations Guide
Review Microsoft's Security Operations Guide.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows2000serv/staysecure/default.asp
 
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
To subscribe or unsubscribe, follow this link: http://securityresponse.symantec.com/avcenter/newsletter.html
Send virus samples to: avsubmit@symantec.com

Disclaimer: THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.