Symantec Security Response

ISSN 1444-9994

August 2002 Newsletter


These are the most common Viruses, Trojans, Worms and Exploits reported to Symantec Security Response during the last month.




Country Spotlight
Singapore

W32.Klez.H@mm
JS.Exception.Exploit
Backdoor.DSNX
W95.Hybris.worm
W32.Kwbot.Worm
W32.Klez.E@mm
W32.Frethem.L@mm
Backdoor.Trojan
W32.Nimda.enc
Trojan Horse


Top Global Threats

W32.Klez.H@mm
JS.Exception.Exploit
W32.Frethem.L@mm
W32.Datom.Worm
Trojan Horse
W32.Yaha.F@mm
W95.Hybris.worm
W32.Klez.E@mm
W32.Kitro.D.Worm
W32.Kitro.C.Worm

Asia Pacific
W32.Klez.H@mm
JS.Exception.Exploit
W32.Datom.Worm
Trojan Horse
HTML.Redlof.A
W95.Hybris.worm
W32.Frethem.L@mm
Backdoor.Trojan
W32.Yaha.F@mm
W32.HLLW.Acebo

Europe, Middle East & Africa
W32.Klez.H@mm
JS.Exception.Exploit
W32.Frethem.L@mm
W32.Datom.Worm
W32.Yaha.F@mm
W32.Kitro.D.Worm
W32.Kitro.C.Worm
W32.Klez.E@mm
Trojan Horse
W95.Hybris.worm

Japan
W32.Klez.H@mm
W32.Frethem.L@mm
W32.Klez.E@mm
VBS.LoveLetter.A
VBS.LoveLetter.Var
VBS.Network.E
W95.Hybris.worm
W32.Badtrans.B@mm
Trojan Horse
JS.Exception.Exploit

The Americas
W32.Klez.H@mm
JS.Exception.Exploit
Trojan Horse
W32.Datom.Worm
W95.Hybris.worm
W32.Frethem.L@mm
VBS.LoveLetter.AS
Backdoor.Trojan
W32.Magistr.39921@mm
JS.Seeker






This month we have another collection of low-profile worms. Peer-to-peer (P2P) worms appear to be on the increase, but nothing is a high risk at the moment. W32.Kitro.A.Worm targets MSN Messenger, and there are a few worms targeting the KaZaA network, such as W32.Shermnar.Worm and W32.HLLW.Kazmor. W32.HLLW.Yoohoo, another P2P worm, targets KaZaA, Bearshare, Morpheus, and eDonkey2000.

We would suggest that extreme caution is used when using P2P networks: always make sure you have anti-virus installed (and up to date) and some sort of personal firewall to block any backdoor activity that may result from an infection by a Trojan or worm.

We have a great article this month, Securing the Enterprise: A New Integrated Approach. This is a must-read and explains why you need an integrated security solution if you are running your company's enterprise security systems.

We now have, courtesy of one of our latest acquisitions (Riptech), two Internet Security Threat Reports; they can be accessed from this link:
http://enterprisesecurity.symantec.com/content.cfm?articleid=1539&PID=12807550&EID=0

David Banes.
Editor, securitynews@symantec.com
 
Symantec News

There have been a number of announcements about Symantec's new acquisitions over the last month or so. These are significant enhancements to Symantec's existing products and services.

SecurityFocus. With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats.
http://www.symantec.com/press/2002/n020717.html

Recourse. This acquisition will bring to Symantec true gigabit speed network intrusion detection with next generation hybrid technology and the industry's leading "honeypot" solution.
http://www.symantec.com/press/2002/n020819.html

Riptech. The combination of Symantec and Riptech will create the leading provider of managed security services worldwide, monitoring and managing the largest number of security devices across the broadest array of solutions.
http://www.symantec.com/press/2002/n020819.html

The Mountain Wave acquisition brings to Symantec the patent-pending CyberWolf technology designed to automate the detection of security incidents by the intelligent analysis of security events and alerts in real-time.
http://www.symantec.com/press/2002/n020702.html

Viruses, Worms & Trojans
W32.Datom.Worm

Moderate Threat [3]

Win32

Global infection breakdown by geographic region (% of total):

  America (North & South)               34.0%
  EMEA (Europe, Middle East, Africa)    61.6%
  Japan                                  0.3%
  Asia Pacific                           4.2%

Reports by date (% of reports):

  6 Jul     0.1%
  8 Jul     4.3%
  9 Jul     6.8%
  10 Jul    6.6%
  14 Jul    2.0%
  18 Jul    4.6%
  27 Jul    1.1%
  1 Aug     3.5%
  4 Aug     0.6%
  6 Aug     3.4%


W32.Datom.Worm is a worm that spreads through open shares. This worm does not contain a damaging payload.

W32.Datom.Worm exists as three files:

Msvxd.exe
Msvxd16.dll
Msvxd32.dll

These files are located in the %Windir% folder.

NOTE: %Windir% is a variable. The worm locates the Windows main installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

The tasks in each file have likely been separated in an attempt to avoid heuristic detection:
Msvxd.exe simply runs Msvxd16.dll.
Msvxd16.dll adds a reference to Msvxd.exe to the registry and then runs Msvxd32.dll.
Msvxd32.dll enumerates network shares and copies all three files to those shares into the %Windir% folder and adds a reference to Msvxd.exe in the Run= line in Win.ini.
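The three files, the Win.ini Run= line and the registry reference above are the indicators a responder would look for on a suspect host. The following Python check is an added example, not part of the Symantec write-up: it takes a directory listing of %Windir%, the text of Win.ini and a dictionary of exported registry Run values, and reports which Datom indicators are present. The write-up does not name the registry key the worm writes to, so checking the Run values is an assumption made for this example, and the sample inputs are constructed.

```python
import re

# Added example, not from the Symantec write-up: a host-triage check for the
# W32.Datom.Worm indicators described in the newsletter. Everything is passed in
# as plain data (a directory listing of %Windir%, the text of Win.ini, and exported
# registry Run values) so the check can be run offline against constructed samples.
# The write-up does not say which registry key the reference is added to; checking
# the Run values is an assumption made here.

DATOM_FILES = {"msvxd.exe", "msvxd16.dll", "msvxd32.dll"}


def win_ini_run_entries(win_ini_text):
    """Return the programs listed on the Run= line of the [windows] section of Win.ini.
    Entries on that line are separated by spaces or commas."""
    section = None
    entries = []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "run":
                entries.extend(p for p in re.split(r"[ ,]+", value.strip()) if p)
    return entries


def _basename(path):
    """Leaf file name of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def datom_indicators(windir_listing, win_ini_text, registry_run_values):
    """Return a list of human-readable findings; an empty list means no indicator matched."""
    findings = []
    present = {name.lower() for name in windir_listing} & DATOM_FILES
    for name in sorted(present):
        findings.append("file:" + name)
    for entry in win_ini_run_entries(win_ini_text):
        if _basename(entry) == "msvxd.exe":
            findings.append("win.ini Run=" + entry)
    for value_name, data in registry_run_values.items():
        if "msvxd.exe" in data.lower():
            findings.append("registry Run\\" + value_name + "=" + data)
    return findings


# Constructed sample inputs representing an infected host.
SAMPLE_LISTING = ["explorer.exe", "win.ini", "Msvxd.exe", "Msvxd16.dll", "Msvxd32.dll"]
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\Msvxd.exe\n\n[Desktop]\nWallpaper=\n"
SAMPLE_REGISTRY = {"Msvxd": "C:\\WINDOWS\\Msvxd.exe"}

if __name__ == "__main__":
    for finding in datom_indicators(SAMPLE_LISTING, SAMPLE_WIN_INI, SAMPLE_REGISTRY):
        print(finding)
```

A clean host returns an empty list; on an infected one every matched file, the Win.ini Run= entry and the registry value are listed separately, which makes the output easy to drop into an incident ticket.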

http://securityresponse.symantec.com/avcenter/venc/data/w32.datom.worm.html
Peter Ferrie
Symantec Security Response, APAC.
 
W32.Chir.B@mm

Low Threat [2]

Win32


W32.Chir.B@mm is a network-aware, mass-mailing worm, as well as being a file infector virus. It is a variant of W32.Chir@mm. It uses its own SMTP engine to send itself to all email addresses that it finds in the Windows Address Book (.wab), and in .adc, r.db, .doc, and .xls files.

The email message has the following characteristics:

From: <username>@yahoo.com or imissyou@btamail.net.cn
Subject: <username> is coming!
Attachments: PP.exe

W32.Chir.B@mm also searches all local and network drives, and infects files that have .htm, .html, .exe, and .scr extensions. On the first day of each month, W32.Chir.B@mm attempts to overwrite the first 4660 bytes of the files that have .adc, r.db, .doc, and .xls extensions in all folders and subfolders.

http://securityresponse.symantec.com/avcenter/venc/data/w32.chir.b@mm.html
Yana Liu and Peter Szor
Symantec Security Response, USA
 
W32.Manymize@mm

Low Threat [2]

Win32


W32.Manymize@mm is a mass mailing worm that sends itself and three other files to all email addresses in the Microsoft Windows Address Book. The email message has the following characteristics:

Subject: The subject of the email will be one of the following:

Hi <recipient's user name>
Dear <recipient's user name>
Hello <recipient's user name>
My friend, <recipient's user name>
How are you !! <recipient's user name>

Attachments: The attachments are:
Mi2.htm
Mi2.chm
Mi2.wmv
Mi2.exe
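W32.Chir.B@mm and W32.Manymize@mm both arrive as email with fixed attachment names and recognisable subject lines, which is enough for a mail gateway to quarantine them before a signature is in place. The Python filter below is an added example, not Symantec code: it uses the standard library email package to pull attachment names, subject and sender from a raw message and matches them against the indicators published in the two write-ups above. The sample messages are constructed, and the greeting-subject rule for Manymize is deliberately weak on its own, so it only fires when an attachment is present.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Added example, not from the Symantec write-ups: a mail-gateway style check that
# flags messages carrying the attachment names and subject patterns published for
# W32.Chir.B@mm and W32.Manymize@mm. Matching on names is only as good as the
# published indicators; it is a quick filter, not a replacement for scanning.

WORM_ATTACHMENTS = {
    "pp.exe": "W32.Chir.B@mm",
    "mi2.htm": "W32.Manymize@mm",
    "mi2.chm": "W32.Manymize@mm",
    "mi2.wmv": "W32.Manymize@mm",
    "mi2.exe": "W32.Manymize@mm",
}
CHIR_SUBJECT = re.compile(r"^\S+ is coming!$")       # "<username> is coming!"
CHIR_SENDER = "imissyou@btamail.net.cn"
MANYMIZE_GREETINGS = ("Hi ", "Dear ", "Hello ", "My friend, ", "How are you !! ")


def attachment_names(msg):
    """File names of every attachment part that declares one."""
    return [part.get_filename() for part in msg.iter_attachments() if part.get_filename()]


def classify(raw_message):
    """Return a list of (family, reason) findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = attachment_names(msg)
    subject = str(msg.get("Subject", ""))
    sender = str(msg.get("From", ""))
    findings = []
    for name in names:
        family = WORM_ATTACHMENTS.get(name.lower())
        if family:
            findings.append((family, "attachment " + name))
    if CHIR_SUBJECT.match(subject) or CHIR_SENDER in sender:
        findings.append(("W32.Chir.B@mm", "subject/sender pattern"))
    # The Manymize greeting alone is far too common to act on; require an attachment too.
    if names and any(subject.startswith(g) for g in MANYMIZE_GREETINGS):
        findings.append(("W32.Manymize@mm", "greeting subject with attachment"))
    return findings


def build_sample(subject, sender, attachment_name):
    """Construct a test message with one small binary attachment (sample data, not a worm)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content("Constructed test message body.")
    msg.add_attachment(b"\x00\x01\x02\x03", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, frm, att in [("alice is coming!", "alice@yahoo.com", "PP.exe"),
                           ("Hello bob", "someone@example.test", "Mi2.exe"),
                           ("Lunch", "carol@example.test", "agenda.txt")]:
        print(subj, "->", classify(build_sample(subj, frm, att)))
```

The "<username>@yahoo.com" sender described for Chir.B is not matched on purpose: it would flag every legitimate Yahoo correspondent, whereas the fixed btamail address and the "is coming!" subject are specific to the worm.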

http://securityresponse.symantec.com/avcenter/venc/data/w32.manymize@mm.html
Douglas Knowles
Symantec Security Response, USA
 
Security Advisories
PHP multipart/form-data POST parsing error allows arbitrary code

High [4]

Multiple


A vulnerability exists in the PHP parsing code that handles file uploads (multipart/form-data). By sending a specially crafted POST request to the Web server that corrupts the internal data structures used by PHP, a remote attacker can run arbitrary code with privileges of the Web server and, potentially, gain privileged access.

PHP is a popular HTML-embedded scripting language used to create dynamically generated Web pages.

PHP versions starting with 4.2.0 contain updated multipart/form-data handler code to intelligently parse HTTP POST request headers and differentiate variables and files sent by the user agent in a multipart/form-data request. The parser, however, fails to provide sufficient input checking in the way the mime headers are processed. Anyone who can send HTTP POST requests to an affected Web server can exploit the vulnerability to compromise the web server and, under certain conditions, gain privileged access.

PHP running on x86 platforms is currently verified to be safe from the execution of arbitrary code. However, the vulnerability can still be exploited against x86 platforms to crash PHP and, in most cases, the Web server.
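The advisory's root cause is a header parser that trusts the lengths and shapes of the mime headers a client sends. To show what sufficient input checking looks like in practice, here is an added example (not PHP's own parser) of a small multipart/form-data parser in Python that bounds the number of parts, the number and length of header lines and the length of each Content-Disposition parameter, and rejects the request before any of that data reaches the application. The limit values and the constructed request bodies are assumptions chosen for the example.

```python
# Added example, not PHP's code: a multipart/form-data parser with explicit limits on
# the size and number of MIME header lines and on the Content-Disposition parameters,
# applied before anything is copied into application data structures. The limits are
# illustrative choices, not values from the advisory.

MAX_PARTS = 32
MAX_HEADERS_PER_PART = 8
MAX_HEADER_LINE = 1024      # bytes, including the header name
MAX_PARAM_LEN = 255         # characters in a name= or filename= parameter


class MultipartError(ValueError):
    """Raised for any request that violates the structure or the limits above."""


def parse_disposition(value):
    """Parse 'form-data; name="x"; filename="y"' into a dict; every parameter is bounded."""
    tokens = [t.strip() for t in value.split(";")]
    fields = {"disposition": tokens[0].lower()}
    for token in tokens[1:]:
        key, eq, val = token.partition("=")
        if not eq or not key.strip():
            raise MultipartError("malformed disposition parameter")
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        if len(val) > MAX_PARAM_LEN:
            raise MultipartError("disposition parameter too long")
        fields[key.strip().lower()] = val
    return fields


def parse_multipart(body, boundary):
    """Split a request body into parts, checking each header before it is stored."""
    delimiter = b"--" + boundary.encode("ascii")
    sections = body.split(delimiter)
    if len(sections) < 2 or not sections[-1].startswith(b"--"):
        raise MultipartError("missing closing boundary")
    parts = []
    for chunk in sections[1:-1]:
        if len(parts) >= MAX_PARTS:
            raise MultipartError("too many parts")
        if not chunk.startswith(b"\r\n"):
            raise MultipartError("malformed boundary line")
        chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):          # CRLF that precedes the next delimiter
            chunk = chunk[:-2]
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise MultipartError("part without header terminator")
        lines = head.split(b"\r\n")
        if len(lines) > MAX_HEADERS_PER_PART:
            raise MultipartError("too many header lines")
        headers = {}
        for line in lines:
            if len(line) > MAX_HEADER_LINE:
                raise MultipartError("header line too long")
            name, colon, value = line.partition(b":")
            if not colon or not name.strip():
                raise MultipartError("malformed header line")
            headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
        fields = parse_disposition(headers.get("content-disposition", ""))
        if fields["disposition"] != "form-data" or "name" not in fields:
            raise MultipartError("part is not form-data or has no name")
        filename = fields.get("filename")
        if filename is not None:
            # Keep only the leaf name so the client cannot steer where an upload is stored.
            filename = filename.replace("\\", "/").rsplit("/", 1)[-1]
        parts.append({"name": fields["name"], "filename": filename,
                      "content_type": headers.get("content-type"), "data": data})
    return parts


def check_upload(body, boundary):
    """Return (True, parts) for an acceptable request or (False, reason) for a rejected one."""
    try:
        return True, parse_multipart(body, boundary)
    except MultipartError as exc:
        return False, str(exc)


# Constructed requests: a well-formed upload, and one whose name= parameter far exceeds the limit.
BOUNDARY = "----ConstructedBoundary7d8"
GOOD_BODY = (
    b"------ConstructedBoundary7d8\r\n"
    + b'Content-Disposition: form-data; name="comment"\r\n\r\n'
    + b"hello\r\n"
    + b"------ConstructedBoundary7d8\r\n"
    + b'Content-Disposition: form-data; name="upload"; filename="../../notes.txt"\r\n'
    + b"Content-Type: text/plain\r\n\r\n"
    + b"line one\r\n"
    + b"------ConstructedBoundary7d8--\r\n"
)
OVERLONG_BODY = (
    b"------ConstructedBoundary7d8\r\n"
    + b'Content-Disposition: form-data; name="' + b"A" * 4000 + b'"\r\n\r\n'
    + b"x\r\n"
    + b"------ConstructedBoundary7d8--\r\n"
)

if __name__ == "__main__":
    print(check_upload(GOOD_BODY, BOUNDARY))
    print(check_upload(OVERLONG_BODY, BOUNDARY))
```

The point of the structure is that every length is checked against a fixed limit before the bytes are stored anywhere, and a malformed or oversized header fails the whole request rather than being copied "as far as it fits"; the same discipline applies whatever language the real handler is written in.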

Components Affected
Apache Software Foundation PHP 4.2.0, 4.2.1

References
Source: CERT CA-2002-21
URL: http://www.cert.org/advisories/CA-2002-21.html
Source: CERT CERT Vulnerability Note VU#929115
URL: http://www.kb.cert.org/vuls/id/929115
Source: Apache Software Foundation PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
URL: http://www.php.net/release_4_2_2.php

More details and Symantec's Recommendations are here:
http://www.symantec.com/avcenter/security/Content/2208.html
 
Sun ONE (iPlanet) Web Server search buffer overflow

High [4]

Multiple


A buffer overflow vulnerability in the Sun ONE (iPlanet) Web Server may allow a remote attacker to run arbitrary code.

Sun ONE Web Server is a software product for developers who build dynamic Web applications for e-commerce sites. The iPlanet Web Server, which is owned and maintained by Sun Microsystems, has been rolled into the Sun product line as the Sun ONE Web Server.

The search capability in iPlanet Web Server is vulnerable to a remotely exploitable stack overflow. By supplying an overly long value for the NS-rel-doc-name parameter, which results in a saved return address being overwritten on the stack, a remote attacker gains control over the vulnerable process. Any code supplied by the attacker will run in the security context of the account running the Web Server. On Windows NT/2000 this account is the local SYSTEM account which, by default, allows any code to run uninhibited.
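Because the overflow is triggered by a single overlong query parameter, a request carrying it is easy to pick out of an access log, which is useful both for spotting attempts and for confirming whether a crash was caused by one. The Python scanner below is an added example, not code from Sun or Symantec: it parses common-log-format lines, decodes the query string and flags any request whose NS-rel-doc-name value exceeds a length limit. The /search path, the 256-character limit and the log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example, not Sun's or Symantec's code: a detection pass over Web server
# access logs that flags requests carrying an NS-rel-doc-name value far longer than
# any legitimate document name. The /search path and the 256-character limit are
# assumptions made for this example; tune them to the server's real search URL and
# the longest document name it serves. Only GET query strings appear in an access
# log, so parameters sent in a POST body need inspection at the server itself.

PARAM = "NS-rel-doc-name"
MAX_LEN = 256
SEARCH_PATH = "/search"

COMMON_LOG = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def overlong_params(target, limit=MAX_LEN):
    """Return [(name, decoded_length)] for every NS-rel-doc-name value over the limit."""
    url = urlsplit(target)
    if url.path != SEARCH_PATH:
        return []
    return [(k, len(v)) for k, v in parse_qsl(url.query, keep_blank_values=True)
            if k == PARAM and len(v) > limit]


def scan(log_lines, limit=MAX_LEN):
    """Return one alert dict per log line that carries an overlong NS-rel-doc-name."""
    alerts = []
    for line in log_lines:
        m = COMMON_LOG.match(line)
        if not m:
            continue
        hits = overlong_params(m["target"], limit)
        if hits:
            alerts.append({"host": m["host"], "time": m["time"],
                           "status": m["status"], "param_len": hits[0][1]})
    return alerts


# Constructed log lines: a normal search, an overlong parameter that the server
# answered with a 500, and an unrelated request.
SAMPLE_LOG = [
    '198.51.100.4 - - [09/Jul/2002:10:01:02 +0000] "GET /search?NS-query=quarterly&NS-rel-doc-name=/docs/q2.html HTTP/1.0" 200 5120',
    '203.0.113.9 - - [09/Jul/2002:10:01:09 +0000] "GET /search?NS-query=x&NS-rel-doc-name=' + "A" * 900 + ' HTTP/1.0" 500 0',
    '198.51.100.4 - - [09/Jul/2002:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 812',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The length is measured after percent-decoding, so an attacker cannot hide behind URL encoding, and the status code is carried into the alert because a 500 following an overlong value is a strong hint that the process actually fell over.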

Components Affected
Sun Microsystems Sun ONE Web Server (iPlanet) 4.1
Sun Microsystems Sun ONE Web Server (iPlanet) 6.0

References
Source: Security Focus.com NISR09072002
URL: http://online.securityfocus.com/archive/1/281199/2002-07-07/2002-07-13/2
Source: Security Focus.com 4851
URL: http://online.securityfocus.com/bid/4851

More details and Symantec's Recommendations are here:
http://www.symantec.com/avcenter/security/Content/2126.html
 
Security News
Securing the Enterprise: A New Integrated Approach

As organizations become more dependent on networks for business transactions, data sharing, and everyday communications, their networks have to be increasingly accessible to customers, employees, suppliers, partners, contractors, and telecommuters. But as accessibility increases, so too does the exposure of critical data that is stored on the network. The challenge, of course, is to ensure that only the right people gain access. The complexity of today's networks and the emergence of new security threats make the challenge more difficult every day.

Evolving environments and new threats drive the need for integrated security.
The ability to use enterprise networks for commerce and collaboration is a key business enabler, leading to the widespread emergence of "hyper-connected businesses." To meet the requirements of such businesses, the gateway, server, and client levels of the network have to be interconnected, which means that business-critical information must now reside at multiple levels of the internal network, each requiring its own protection. At the same time, threats to the network have become more sophisticated, with attack techniques that employ multiple methods to discover and exploit network vulnerabilities becoming more commonplace. For instance, the viruses, worms, and Trojan horses that often hide within files or programming code are able to self-replicate and self-propagate, allowing them to be spread easily by unknowing computer users. And, a new breed of threats like CodeRed and Nimda are taking the worst characteristics of viruses, worms, and Trojan horses, and combining them with server and Internet vulnerabilities in order to initiate, transmit, and spread an attack. Explicitly designed to exploit the vulnerabilities of security technologies working independently from one another, these so-called blended threats utilize multiple methods of attack and self-propagation, enabling them to spread rapidly and cause widespread damage.

What are the risks?
Given the multiple levels of network vulnerability and the ever-increasing number of attack techniques, the risks to corporate well-being are also growing. The impact of network attacks on businesses can range from easy-to-quantify consequences, such as interrupted business operations, to losses that are difficult to calculate, such as damaged brand equity. Network attacks can also impact businesses in other ways, including:

  • Interruption of Business Operations. Downtime due to an attack results in lost productivity and revenues, and the costs associated with restoring a hacked network can increase the overall financial impact.
  • Legal Liability and Potential Litigation. Organizations that have been hacked may find themselves in court as a defendant or key witness.
  • Reduced Ability to Compete. Information is often a company's most valuable asset. The loss or theft of data can pose serious consequences, even rendering a company's market position untenable.
  • Damage to Brand Equity. Damage to a brand can degrade a company's position in the marketplace. For example, companies that have had credit card information stolen may have a hard time restoring customer confidence in their brand.

The traditional approach to security is not efficient or sufficient
Current security solutions typically consist of multiple point products, each working independently. These products must be purchased, installed, deployed, managed, and updated separately. With this approach, IT managers are faced with labor-intensive configuration and implementation issues and need to address the problem of interoperability between products. Because they are not integrated, multiple point products are difficult to manage, which increases IT administration and support costs. Protection is usually not comprehensive because the lack of cross-vendor interoperability often allows threats to slip through the cracks. What's more, when an outbreak occurs, the "fixes" that each vendor provides must be tested and verified across the various technologies. This can slow response to attacks, potentially augmenting the costs that are incurred. And, since they were not designed to work together, independent point products can also degrade network performance.

The implications of current security solutions include inefficiencies, inadequate protection against blended threats, and a higher cost of ownership. It all adds up to an under-performing security posture that is difficult to understand and provides little insight into enterprise security planning.

Integration: A logical solution
The concept of integrated security has emerged to address the new challenges facing e-businesses. Integrated security combines multiple security technologies with policy compliance, customer management, service and support, and advanced research for complete protection. By adopting a comprehensive, holistic strategy that addresses network security at the gateway, server, and client tiers, organizations may be able to reduce costs, improve manageability, enhance performance, tighten security, and reduce the risk of exposure. An integrated security approach offers the most effective security posture at the optimal cost-benefit ratio.

Integrated security uses the principles of defense in depth and employs complementary security functions at multiple levels within the IT infrastructure. By combining multiple functions, integrated security can more efficiently protect against a variety of threats at each tier to minimize the effects of network attacks. Key security technologies that can be integrated include:

  • Firewalls. Control all network traffic by screening the information entering and leaving a network to help ensure that no unauthorized access occurs.
  • Intrusion Detection. Detects unauthorized access and provides alerts and reports that can be analyzed for patterns and planning.
  • Content Filtering. Identifies and eliminates unwanted traffic.
  • Virtual Private Networks (VPN). Secures connections beyond the perimeter, enabling organizations to safely communicate across the Internet.
  • Vulnerability Management. Uncovers security gaps and suggests improvements.
  • Virus Protection. Protects against viruses, worms, and Trojan horses.

Why integrated security?
When integrated into a single solution, security technologies offer more comprehensive protection while helping to reduce complexity and cost. An integrated solution eliminates the need to manage multiple products from multiple vendors or address interoperability issues. And, since integrated security can be implemented at all network tiers, it offers greater protection of proprietary assets and reduces risks to business continuity. What's more, an integrated approach enables IT personnel to focus on other strategic initiatives while maximizing the productivity of often-overburdened IT departments.

Today, organizations can improve efficiency of security functions, minimize the impact of attacks, and enhance their overall security posture with an integrated security framework. It's an approach whose time has come.

To learn more about all of Symantec's security solutions, visit the Enterprise Security Resource Center.
http://enterprisesecurity.symantec.com/Content/esrc.cfm?PID=12754467&EID=0

 
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails, please).
To subscribe or unsubscribe, follow this link: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.