This month we had W32.MyLife and W32.Gibe peaking at around the same time in the second week of March. This was an unwelcome coincidence and, whilst it rapidly increased the number of customer sample submissions we received, the Digital Immune System coped very well.

We had a mix-up with the naming of W32.FBound.gen@mm in the process of getting detection out as soon as possible. We all focussed on the analysis and not the name, which caused some debate in some of the public anti-virus online forums about the naming standards in use. I must say that, whilst I agree it's important to get names correct, it humours me to see us spending more time discussing the names of threats than it takes to do the detection and roll out the update. :)

This month has seen the faltering of a keystone of the product testing framework of the anti-virus industry with the announcement that The Wildlist (http://www.wildlist.org) may have to cease operation due to lack of funds. The Wildlist has been used as the benchmark to test anti-virus software against for many years and has contributors from many prominent individuals and organizations. Each of these contributors reports the names of viruses reported to them to The Wildlist, which then collates this information to produce monthly consolidated virus prevalence reports. There is good news though: apparently there is a certain amount of industry support and the April Wildlist will be published.

David Banes
Editor, securitynews@symantec.com
Viruses, Worms & Trojans
W32.MyLife
Threat level: Moderate [3]
Platform: Win32

Global infection breakdown by geographic region (% of total):
  America (North & South)              70.2%
  EMEA (Europe, Middle East, Africa)   22.7%
  Japan                                 0.7%
  Asia Pacific                          6.4%

Reports by date (% of reports):
   8 Mar   12.0%
   9 Mar    1.9%
  10 Mar    4.7%
  11 Mar   25.2%
  12 Mar   19.6%
  13 Mar   14.0%
  14 Mar    7.5%
  15 Mar    7.0%
  16 Mar    0.5%
  17 Mar    1.4%

W32.MyLife@mm is a simple mass-mailer that sends itself to all contacts in the Microsoft Outlook address book. The worm is a compiled Visual Basic executable that has been compressed. It attempts to delete files that have the extensions .com, .sys, .ini, .exe, .vxd, or .dll. (This could not be reproduced in a controlled test environment.)
There are several variants of this worm: W32.MyLife.B@mm, W32.MyLife.C@mm, and variants D, E, F, G, H and J.
http://securityresponse.symantec.com/avcenter/venc/data/w32.mylife@mm.html
Douglas Knowles
Symantec Security Response, USA

W32.Gibe@mm
Threat level: Moderate [3]
Platform: Win32

Global infection breakdown by geographic region (% of total):
  America (North & South)              67.4%
  EMEA (Europe, Middle East, Africa)   24.6%
  Japan                                 3.4%
  Asia Pacific                          4.6%

Reports by date (% of reports):
   5 Mar    0.3%
   8 Mar    5.9%
  10 Mar   10.4%
  11 Mar   14.7%
  12 Mar   16.4%
  13 Mar   12.7%
  14 Mar    4.6%
  15 Mar    3.1%
  18 Mar    2.2%
  24 Mar    0.4%

W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This worm arrives in an email message, disguised as a Microsoft Internet Security Update, as the attachment Q216309.exe. The worm also attempts to copy itself to all locally mapped remote drives.
The fake message, which is not from Microsoft, has the following characteristics:

From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message:
Microsoft Customer,
this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities
...
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
...
Attachment: Q216309.exe

The attached file, Q216309.exe, is written in Visual Basic; it contains other worm components inside itself.
http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.html
Gor Nazaryan
Symantec Security Response, USA

W32.FBound.gen@mm
Threat level: Moderate [3]
Platform: Win32

Global infection breakdown by geographic region (% of total):
  America (North & South)              18.7%
  EMEA (Europe, Middle East, Africa)   40.6%
  Japan                                19.4%
  Asia Pacific                         21.2%

Reports by date (% of reports):
  17 Mar    1.9%
  18 Mar   16.8%
  19 Mar   17.1%
  20 Mar   11.8%
  21 Mar    7.1%
  22 Mar    8.1%
  23 Mar    5.0%
  26 Mar    4.0%
  30 Mar    2.2%
   4 Apr    1.6%

Linux.Jac.8759
Threat level: Very Low [1]
Platform: Linux

Linux.Jac.8759 is a virus that infects files under Linux. The virus infects ELF executables that exist in the same directory as the virus. When Linux.Jac.8759 is executed, it starts by checking all files in the directory from which the virus was executed. If it finds executable files that have write permission, it attempts to infect them. The virus will not infect files whose names end with the letters "ps", nor will it infect files that were not created for the x86 (Intel) platform.
The virus modifies several fields in the header of the file. One of the modifications is used as an infection marker; this check prevents the virus from infecting a file multiple times.
http://securityresponse.symantec.com/avcenter/venc/data/linux.jac.8759.html
Neal Hindocha
Symantec Security Response, EMEA.

Security Advisories

Zlib compression library double free bug could allow arbitrary code
Risk: High [4]
Platform: Various

There is a programming error in the zlib compression library used by many versions of software. Under the proper circumstances an attacker may be able to manipulate a system call in such a manner as to create a denial of service condition or potentially allow arbitrary code to be run on the targeted system. Such code would run with the permissions of the affected program, which may include root.
The zlib compression library is an open-source lossless data-compression library that can be used on virtually any computer hardware and operating system to provide in-memory compression and decompression functions. Zlib has been ported and modified to work on a wide variety of operating systems and applications.
A bug in the zlib compression library has been posted and widely discussed that can cause programs linked to zlib to be vulnerable. Under certain circumstances a segment of dynamically allocated memory may be freed (de-allocated) twice: a specially crafted segment of compressed data can cause a call that has already freed an allocated chunk of memory to return an unexpected memory error, and a subsequent call then attempts to free the same chunk of memory a second time. In most instances this will result in a denial of service when the application crashes. However, there is a potential that this vulnerability could be manipulated by an attacker to run arbitrary code with the permission of the affected application. If the application runs with privileged access, this could result in a critical compromise of the targeted system.
This vulnerability potentially affects a multitude of operating systems and applications that either contain the zlib code or dynamically link to the zlib library.
Not all affected applications have been found and patched yet. There is a partial list of over 500 known zlib applications located at http://www.gzip.org/zlib/apps.html. If you do not know, or if you suspect you may be using a vulnerable version of zlib, Symantec recommends contacting your vendor for update information.
More information and recommendations are available here:
http://securityresponse.symantec.com/avcenter/security/Content/1720index.html
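The pattern the advisory describes, a routine that frees memory on an error path and a caller that frees the same chunk again, is shown below beside the ownership rule that prevents it. This is an added example and not zlib's code: decode_block is a hypothetical decoder that allocates an output buffer for its caller, and an empty input stands in for "specially crafted" data that triggers the error path.

```c
/* Added example (not zlib's code): the double-free pattern the advisory
 * describes, using a hypothetical decoder, decode_block, that allocates an
 * output buffer for its caller and releases it on an error path. The caller
 * frees the buffer after every call, so with the buggy decoder a malformed
 * input (here simply an empty block) is freed twice. */
#include <stdlib.h>
#include <string.h>

typedef int (*decoder_fn)(const unsigned char *, size_t, unsigned char **);

/* Buggy: on malformed input the buffer is freed, but *out still points at
 * the freed chunk, so the caller's own free() becomes a second free. */
int decode_block_buggy(const unsigned char *in, size_t len, unsigned char **out)
{
    if ((*out = malloc(len + 1)) == NULL) return -1;
    if (len == 0) {                 /* stand-in for "specially crafted data" */
        free(*out);
        return -1;
    }
    memcpy(*out, in, len);
    (*out)[len] = '\0';
    return 0;
}

/* Fixed: ownership is explicit. Memory released on the error path is never
 * left reachable through the caller's pointer. */
int decode_block_fixed(const unsigned char *in, size_t len, unsigned char **out)
{
    if ((*out = malloc(len + 1)) == NULL) return -1;
    if (len == 0) {
        free(*out);
        *out = NULL;                /* free(NULL) is a no-op, so the caller is safe */
        return -1;
    }
    memcpy(*out, in, len);
    (*out)[len] = '\0';
    return 0;
}

/* Caller pattern: release the buffer whatever the decoder returned. Returns 1
 * if the decoder's error path left a dangling pointer that the caller's free()
 * would release a second time. The buggy case is reported rather than freed,
 * because a real double free aborts the process under modern allocators. */
int error_path_leaves_dangling(decoder_fn decode)
{
    unsigned char *buf = NULL;
    int rc = decode((const unsigned char *)"", 0, &buf);
    if (rc == 0) { free(buf); return 0; } /* success: one correct free */
    return buf != NULL;                   /* error: free(buf) here would be the second */
}
```

The same discipline applies when auditing any code that links zlib: every error return must leave the caller's pointers either valid or NULL, never pointing at memory the callee has already released.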
Microsoft Virtual Machine multiple flaws allow malicious control
Risk: High [4]
Platform: Win32

Two vulnerabilities exist in the Microsoft Virtual Machine (VM) implementation. The first, which affects users who access the Internet through a proxy server, may permit a malicious applet to redirect Web traffic to another destination or record unencrypted confidential information that is sent during the Internet session. The second affects Java applets and may permit an attacker to gain control of a user's computer.
The Microsoft VM runs Java code in an operating environment that, for security, is isolated from the computer on which it is run. Microsoft Virtual Machine is supplied for Windows 95, 98, ME, NT 4.0, 2000, and XP. It is also available as part of Internet Explorer 6 and earlier.
The first vulnerability was reported on March 4, 2002. Because both concern the Microsoft VM, Microsoft revised its advisory for the vulnerability on March 18, 2002 after discovering the second, critical flaw. The flaws affect Microsoft VM Build 3802 and earlier.
The first vulnerability, which only affects computers that use a proxy server, lies in how Java requests for proxy resources are handled. This flaw affects not only the Microsoft VM but others as well. (See the References for details.) When exploited, a malicious applet could redirect Web traffic to a destination of the attacker's choice. The attacker could then take control of the user's session and discard it, producing a denial of service (DoS), or search the session for unencrypted confidential data.
Microsoft's best practices strongly recommend using SSL to encrypt sensitive information such as user names, passwords, and credit card numbers. If this is done, sensitive information is protected from examination and disclosure by an attacker exploiting this vulnerability.
The second vulnerability lies in the Microsoft VM verifier and may enable an attacker to execute code in the context of the user, outside the security boundary of the Virtual Machine. This flaw only affects Java applets, not Java applications. To exploit the vulnerability, the attacker lures the victim to a site where the malicious applet resides. Once the victim is compromised, the attacker can execute any action on the victim's computer that the victim could. These actions include creating, deleting, or modifying files, sending and receiving data to or from a Web site, or even reformatting the victim's hard drive.
More information and recommendations are available here:
http://securityresponse.symantec.com/avcenter/security/Content/1685index.html

Various buffer overflows and vulnerabilities
Risk: Various
Platform: Various

CDE dtspcd Buffer Overflow
Exploit of a buffer overflow vulnerability in most versions of the CDE Subprocess Control Service daemon, dtspcd. Successful exploitation of this vulnerability could provide root access to the malicious user.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0803

HTTP IIS ISAPI Extension
This exploit attempts to overflow a buffer in the ISAPI extensions of the IIS server. Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0500

MSIE Pop Up Object Tag Bug
Vulnerabilities exist in Internet Explorer 5.5 and 6.0 wherein the JavaScript object handler allows remote access to locally stored objects. By referencing a known registry key, or identifying executable code on the local hard drive, the remote attacker can execute code on the browsing computer.

SNMP Community BO
Vulnerabilities exist in multiple vendors' implementations of Simple Network Management Protocol version 1 (SNMPv1) wherein the SNMP community name buffer may be overrun. This vulnerability may cause routers, switches, and managed hubs to perform erratically, or to stop processing altogether. Carefully crafted exploits may give administrator-level control of a router or computer to the attacker. This alert may also indicate a pre-strike probe using the Oulu University SNMPv1 vulnerability assessment tool, Protos.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013

Wuftpd Site Exec Overflow
Washington University's FTP server versions 2.6.0 and 2.6.1 have a file globbing heap address error in the server that potentially may allow an attacker to trigger a buffer overflow in the SITE EXEC command and gain root-level access to the server.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0550

Enterprise Security News Clips

Security News
Symantec Contribution to Microsoft Security Operations Guide

Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com; no unsubscribe or support emails please. Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter.html
Send virus samples to: avsubmit@symantec.com

Disclaimer: THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.