ISSN 1444-9994

Symantec Security Response Newsletter

November/December 2003


A Comparison Study of Three Worm Families and Their Propagation in a Network

In November, the DeepSight Threat Analyst Team released a research report, "Defense in Depth: A Comparison Study of Three Worm Families and Their Propagation in a Network," which investigated the effects that three recent worms would have should they breach the perimeter of a relatively well-filtered network.

One weakness of previous studies of worm propagation is their sole focus on a worm spreading across a permissive, global Internet. This analysis instead examines three prominent worms and their expected impact on a network that is largely protected from direct infection from the Internet. We analyze the different paths each worm may use to penetrate the security perimeter and examine the effect that a small number of infected hosts can have once the perimeter is breached.

A better understanding of a worm's true impact on a protected network is useful to anyone tasked with defending private networks: much of the existing research offers little guidance for designing strong defenses beyond ensuring that firewalls are in place, or for deciding where to assign limited organizational resources.

Organizations with Internet connectivity should consider the impact that different worm propagation strategies are likely to have on the local environment. Some propagation strategies that are poorly suited to rapid global spread can have a far greater impact on a localized, isolated network.


Security News

Online crime up in 2003
By Kevin Poulsen Dec 24 2003
It seems 2003 was a productive year for phishers, online auction scammers and Nigerians professing a deep sense of purpose and utmost sincerity, judging from the latest statistics from the Internet Fraud Complaint Center. The center reports receiving over 120,000 online fraud complaints through its Web site this year, an increase of 60% over the 75,000 complaints counted in 2002...

Defenses lacking at social network sites
By Annalee Newitz Dec 31 2003
Services like LiveJournal and Tribe are poised to be the next big thing on the Web in 2004, but their security and privacy practices are more like 1997...


Monthly Security Round-up from Symantec DeepSight Threat Management System

November 2003 saw no significant worms, but a continued evolution of malicious code, most notably Backdoor.Spotcom, which inserts itself into running Internet Explorer instances to bypass host-based firewalls. Remotely accessible vulnerabilities were disclosed in the Workstation service of several versions of the Microsoft Windows operating system, and local privilege escalation vulnerabilities were noted in OpenBSD.

Activity on the ports commonly bound by the Windows Messenger service caused concern among administrators, but further investigation showed it to be pop-up spam rather than exploitation. The risk is that this background noise will mask actual exploitation of the Microsoft Messenger Service Buffer Overrun Vulnerability.

Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability
This vulnerability affects default installations of Windows 2000 and Windows XP and potentially allows a remote attacker to run arbitrary code on the target host. It is caused by a stack-based buffer overflow in a logging function implemented in WKSSVC.DLL: the logging function calls vsprintf(), and its string arguments are passed to vsprintf() without any bounds checking.

Because this is a stack-based overflow, writing an exploit for it is relatively easy, and public exploits followed quickly:

  1. The first exploit, released on November 12, 2003, could only successfully target Windows 2000 Service Pack 4 on a FAT32 file system.
  2. The second exploit, also released on November 12, 2003, was claimed to work on Windows XP with no Service Pack installed on an NTFS file system.
  3. A third exploit, released on November 13, 2003, has options to target Windows XP or Windows 2000 on a FAT32 file system.

System administrators are advised to deploy the patches released with Microsoft Security Bulletin MS03-049. They are also advised to block TCP ports 135, 139, 445 and 593, as well as UDP ports 135, 137 and 138, at the network perimeter. More information is available at:
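The vsprintf() pattern described above, shown as an added example. This is not code from the newsletter, from Symantec or from Microsoft's WKSSVC.DLL; it reproduces the bug class the advisory describes (a logging routine formatting caller-supplied strings into a fixed stack buffer with vsprintf(), which takes no length) beside the same routine hardened with vsnprintf(). The buffer size LOG_BUF, the function names and the log format are assumptions made for this demo.

```c
/* Added example: not code from the newsletter, from Symantec or from
 * Microsoft's WKSSVC.DLL. It reproduces the *pattern* the advisory
 * describes (a logging routine formatting caller-supplied strings into a
 * fixed stack buffer through vsprintf(), which takes no length) beside the
 * same routine hardened with vsnprintf(). LOG_BUF, the function names and
 * the log format are assumptions made for this demo. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 64   /* assumed; the real buffer size is not stated in the text */

/* VULNERABLE: the bug class in the advisory. If the formatted message is
 * longer than LOG_BUF bytes, vsprintf() keeps writing past 'buf' over the
 * saved frame pointer and return address. Only ever call it with short,
 * trusted input; it is here to be read, not reused. */
int log_vulnerable(const char *fmt, ...)
{
    char buf[LOG_BUF];
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(buf, fmt, ap);   /* no length argument at all */
    va_end(ap);
    fputs(buf, stderr);
    return n;                          /* bytes formatted, for the demo */
}

/* HARDENED: vsnprintf() writes at most LOG_BUF - 1 bytes plus a NUL and
 * returns the length the message *would* have had, so the caller learns
 * that truncation happened instead of the stack being corrupted.
 * Returns 0 = logged intact, 1 = logged but truncated, -1 = format error.
 * The bounded result is copied to 'out' so the caller (or a test) can
 * inspect what was actually logged. */
int log_safe(char *out, size_t outsz, const char *fmt, ...)
{
    char buf[LOG_BUF];
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    if (needed < 0)
        return -1;
    snprintf(out, outsz, "%s", buf);
    return needed >= (int)sizeof buf;
}

/* Demo helper: log a user name made of 'namelen' 'A' bytes through the
 * hardened routine; reports the truncation flag and the length stored. */
int safe_truncates_for(size_t namelen, size_t *stored_len)
{
    char name[512], out[512];
    if (namelen >= sizeof name)
        return -1;
    memset(name, 'A', namelen);
    name[namelen] = '\0';
    int rc = log_safe(out, sizeof out, "user %s logged in", name);
    if (stored_len)
        *stored_len = strlen(out);
    return rc;
}

int main(void)
{
    size_t stored = 0;
    /* Short input: both routines behave identically. */
    log_vulnerable("user %s logged in\n", "alice");
    /* A 200-byte name: the hardened routine logs 63 bytes and reports
     * truncation; the same name through log_vulnerable() would overwrite
     * the stack frame instead. */
    int rc = safe_truncates_for(200, &stored);
    printf("hardened: rc=%d, stored %zu of at most %d bytes\n",
           rc, stored, LOG_BUF - 1);
    return 0;
}
```

The point for a reviewer is the return value of vsnprintf(): a bounded call that silently drops the excess still loses log data, so the hardened routine reports truncation to its caller rather than pretending the write was complete. Whether the real fix in MS03-049 took this shape is not stated in the text.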

Microsoft Internet Explorer Script URL Cross-Domain Access Violation Vulnerability
An issue has been reported in Microsoft Internet Explorer that could allow malicious script code from one domain to be executed in the context of another domain. The issue exists because the Script URL method can bypass the cross-domain security checks that Internet Explorer performs. This vulnerability could allow a Web page from one domain to access information from another domain, including the local system.

Additionally, a remote attacker could run any executable file on the local system, though this would require exploiting multiple vulnerabilities in tandem. Further information indicates that Liu Die Yu discovered this issue and that it was publicly known before the release of MS03-048. This issue was originally described as one of the vulnerabilities in BID 8577, "Multiple Microsoft Internet Explorer Script Execution vulnerabilities."


Viruses, Trojans & Worms

Risk: Medium [2]
Date: December 18, 2003
Systems Affected: Windows 9.x, Windows 2000, Windows 2003, Windows XP
CVE Reference: Not available
W32.Sober.B@mm is a mass-mailing worm that uses its own SMTP engine to spread. The subject of the email varies and will be in either English or German. The email's attachment name also varies, but will have a .com, .cmd, .exe, or .pif file extension.

The first time W32.Sober.B@mm is activated, it displays a fake error message, with the subject "%Error%," and the text "Header is missing."

Like other mass-mailing worms, it spoofs the return address of the messages it sends through its own SMTP engine. The email will have one of the following subjects and attachment names:

Subject: (one of the following)

  • George W. Bush wants a new war
  • George W. Bush plans new wars
  • Have you been hacked?
  • You Got Hacked
  • Hihi, ich war auf deinem Computer
  • Der Kannibale von Rotenburg
  • Du bist Ge-Hackt worden
  • Ich habe Sie Ge-hackt

Attachment: (one of the following)

  • allfiles.cmd
  • Daten-Text.pif
  • DateiList.pif
  • yourlist.pif

Aliases: W32/Scold@MM [McAfee], Win32.Scold.A [Computer Associates], WORM_SCOLD.A [Trend], W32/Scold-A [Sophos], I-Worm.Scold [Kaspersky]
Risk: Medium [2]
Date: December 10, 2003
Systems Affected: Windows 9.x, Windows ME, Windows 2000, Windows XP
CVE Reference: Not available
W32.Scold@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to contacts in the Outlook address book.

When W32.Scold@mm runs, it displays a picture of a baby seal.

The worm is written in Microsoft Visual Basic, version 6.0, and is packed with UPX.

The email has the following characteristics:

Subject: (one of the following)

  • When It's Cold Outside She Gives Me Warm Inside [blank spaces and random characters]
  • Fw: When It's Cold Outside She Gives Me Warm Inside [blank spaces and random characters]
  • Re: When It's Cold Outside She Gives Me Warm Inside [blank spaces and random characters]

Message: (one of the following)

  • You will love this cute picture.
  • Enjoy this great picture.
  • Don't miss this cool picture.

Attachment: [random characters]
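Both worms above (W32.Sober.B@mm and W32.Scold@mm) arrive as email attachments, and Sober.B is described as using a .com, .cmd, .exe or .pif attachment. As an added example, not code from the newsletter or from Symantec, the following C routine does what a mail gateway rule for these worms does: it pulls the attachment name out of a MIME Content-Disposition header (quoted or bare, with the parameter name matched case-insensitively) and refuses the four extensions named for Sober.B, regardless of case. The header samples in main() are constructed for the demo; the block list is only the four extensions the text names.

```c
/* Added example, not code from the newsletter or from Symantec: a
 * gateway-style check that extracts the attachment name from a MIME
 * Content-Disposition header and rejects the extensions W32.Sober.B@mm is
 * described as using. Sample headers below are constructed for the demo. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Extensions named in the Sober.B description; a real gateway extends this. */
static const char *BLOCKED_EXT[] = { "com", "cmd", "exe", "pif" };

/* Case-insensitive substring search (strcasestr is not standard C). */
static const char *find_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* Returns 1 if the final extension of 'name' is on the block list.
 * Worms commonly upper-case the extension, so compare case-insensitively. */
int is_blocked_extension(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (!dot || !dot[1])
        return 0;                               /* no extension at all */
    for (size_t i = 0; i < sizeof BLOCKED_EXT / sizeof *BLOCKED_EXT; i++) {
        const char *a = dot + 1, *b = BLOCKED_EXT[i];
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
            a++;
            b++;
        }
        if (!*a && !*b)
            return 1;
    }
    return 0;
}

/* Copies the filename parameter (quoted or bare) of a Content-Disposition
 * header into 'out'. Returns 1 if a non-empty name was found. */
int extract_filename(const char *header, char *out, size_t outsz)
{
    const char *p = find_ci(header, "filename=");
    if (!p)
        return 0;
    p += strlen("filename=");
    int quoted = (*p == '"');
    if (quoted)
        p++;
    size_t n = 0;
    while (*p && n + 1 < outsz) {
        if (quoted ? (*p == '"') : (*p == ';' || isspace((unsigned char)*p)))
            break;
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n > 0;
}

/* Returns 1 if the header line names an attachment that should be rejected.
 * The disposition type (attachment vs. inline) is deliberately ignored:
 * the extension is what matters. */
int header_is_blocked(const char *header)
{
    char name[256];
    if (find_ci(header, "Content-Disposition:") != header)
        return 0;                               /* not a disposition header */
    if (!extract_filename(header, name, sizeof name))
        return 0;
    return is_blocked_extension(name);
}

int main(void)
{
    /* Constructed headers, modelled on the attachment names in the text. */
    const char *samples[] = {
        "Content-Disposition: attachment; filename=\"Daten-Text.pif\"",
        "Content-Disposition: attachment; filename=allfiles.cmd; size=12345",
        "Content-Disposition: attachment; filename=\"seal.jpg\"",
        "Content-Disposition: inline; filename=\"yourlist.PIF\"",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%s -> %s\n", samples[i],
               header_is_blocked(samples[i]) ? "BLOCK" : "allow");
    return 0;
}
```

A production filter would also have to decode RFC 2231 `filename*=` parameters, look inside nested MIME parts and archives, and match on content rather than name alone, since Scold's attachment name is random; the extension check is the first, cheapest layer, not the only one.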


Top Malicious Code Threats

Risk  Threat             Discovered   Protection
4     W32.Bugbear.B@mm   4 Jun 2003   5 Jun 2003
3     W32.Swen.A@mm      18 Sep 2003  18 Sep 2003
3     W32.Welchia.Worm   18 Aug 2003  18 Aug 2003
3     W32.Blaster.Worm   11 Aug 2003  11 Aug 2003


Common Vulnerabilities

Microsoft IE MIME Header Attachment Execution Vulnerability
  Bugtraq ID: 2524   CVE Reference: CVE-2001-0154
  Exploited by: W32.Swen.A, W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
  Bugtraq ID: 2708   CVE Reference: CVE-2001-0333
  Exploited by: W32.Nimda

MS Buffer overflow in DCOM interface for RPC in Microsoft Windows
  Bugtraq ID: 8205   CVE Reference: CAN-2003-0352
  Exploited by: W32.Blaster.Worm, W32.Welchia.Worm

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
  Bugtraq ID: 1806   CVE Reference: CVE-2000-0884
  Exploited by: W32.Nimda

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
  Bugtraq ID: 1780   CVE Reference: CVE-2000-0979
  Exploited by: W32.Opaserv

Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution
  Bugtraq ID: 5311   CVE Reference: CAN-2002-0649
  Exploited by: W32.SQLExp.Worm

Microsoft IE Virtual Machine (VM) allows an unsigned applet to create and use ActiveX controls
  Bugtraq ID: 1754   CVE Reference: CVE-2000-1061
  Exploited by: JS.Exception.Exploit


Security Advisories

Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability
Risk: High
Date: November 11, 2003
Components Affected: Many listed at:
The Microsoft Windows Workstation service (WKSSVC.DLL) is reported to be prone to a vulnerability that may allow a remote attacker to gain unauthorized access to a vulnerable host. The problem lies in the service's handling of requests: it does not properly bounds-check remote data, making it possible to overwrite sensitive regions of system memory.

Symantec Solutions: Symantec Manhunt, Symantec Enterprise Firewall, Symantec Vulnerability Assessment, Symantec Gateway Security, Symantec Host IDS.

Mitigating factors:

  • Block external access at the network boundary, unless external parties require service.
  • Filter network traffic of questionable integrity at network boundaries. Use ingress and egress filtering to block the entry and exit of prohibited traffic.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  • Use network intrusion detection systems to monitor networks for anomalous activity and report attempted attacks against network resources.
  • Disable any services that are not needed.
  • Systems that do not need to let remote users execute commands should disable Remote Procedure Call (RPC) where possible.

Microsoft has released security advisory MS03-049 to address this issue.

Vulnerability discovery credited to eEye Digital Security.

Source: CERT Advisory CA-2003-28 Buffer Overflow in Windows Workstation Service

Source: Microsoft Security Bulletin MS03-049

Source: Windows Workstation Service Remote Buffer Overflow

Microsoft IE Self Executing HTML Arbitrary Code Execution Vulnerability
Microsoft Internet Explorer has been reported to be prone to an arbitrary code execution vulnerability.

The issue presents itself when Internet Explorer renders a malicious HTML page that contains an embedded executable invoked in a specific manner. When such a page is rendered, the embedded code executes with the privileges of the user running the vulnerable Web browser.

Mitigating factors:

  • Run all client software as a non-privileged user with minimal access rights.
  • Running Internet Explorer with the least possible privileges may help mitigate the impact of a successful exploitation of this vulnerability.
  • Set the Web browser security to disable the execution of script code or active content.
  • Disabling script code or active content functionality in Internet Explorer may help prevent potential attacks.

Risk: High
Date: November 5, 2003
Components Affected:
Microsoft Windows 2000 Advanced Server, SP1, SP2
Microsoft Windows 2000 Datacenter Server, SP1, SP2
Microsoft Windows 2000 Professional, SP1, SP2
Microsoft Windows 2000 Server, SP1, SP2
Microsoft Windows 2000 Terminal Services, SP1, SP2
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows ME
Microsoft Windows NT Enterprise Server 4.0, SP1 - SP6a
Microsoft Windows NT Server 4.0, SP1 - SP6a
Microsoft Windows NT Terminal Server 4.0, SP1 - SP6
Microsoft Windows NT Workstation 4.0, SP1 - SP6a
Microsoft Windows Server 2003 Datacenter Edition, 64-bit
Microsoft Windows Server 2003 Enterprise Edition, 64-bit
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition

Discovery of this vulnerability has been credited to http-equiv.

Source: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

Source: Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

Source: Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

Yahoo! Messenger YAuto.DLL Open Buffer Overflow Vulnerability
A problem has been identified in the handling of some types of requests by ActiveX controls that are installed with Yahoo! Messenger, exposing a remotely exploitable buffer overrun. Because of this issue, an attacker may be able to execute arbitrary code on a vulnerable host.

Mitigating factors:

  • Run all client software as a non-privileged user with minimal access rights.
  • Non-administrative tasks, such as browsing the Web, should always be performed as an unprivileged user with minimal access rights, reducing the consequences of a successful exploitation of this and other vulnerabilities.
  • Do not follow the links that unknown or untrusted sources provide.
  • Unless required, do not visit the URIs that sources of questionable integrity provide.
  • If required, use additional security precautions through software configuration and privilege management.
  • Set Web browser security to disable the execution of script code or active content.
  • Modify the default browser security policy to disable potentially dangerous features and eliminate a common vector of client-side attacks.

The vendor has released an update to address this issue:

Yahoo! Messenger 5.6.0.1347:
Yahoo! Upgrade update4

Yahoo! Messenger 5.6:
Yahoo! Upgrade update4

Risk: High
Date: December 3, 2003
Components Affected:
Yahoo! Messenger 5.6.0.1347
Yahoo! Messenger 5.6

Discovery credited to Tri Huynh.

Source: Yahoo Instant Messenger YAUTO.DLL buffer overflow

Source: Yahoo! Messenger Product Page

Internet Explorer Patch Buffer Overflow Vulnerability
It has been reported that the Internet Explorer patch supplied for the Multiple Browser URI Display Obfuscation Weakness (BID 9182) may itself be prone to a buffer overflow condition that could allow an attacker to execute arbitrary code on a vulnerable system and gain unauthorized access.

The condition is present due to insufficient boundary checking. The problem is reported to exist in the BeforeNavigateEvent() function of the IETray.cpp module. This may also cause a Denial of Service (DoS) condition in Internet Explorer.

Mitigating factors:
Microsoft has made two workarounds available for the Multiple Browser URI Display Weakness (BID 9182):

  • The first uses JavaScript to output the true URL of the document being viewed in MSIE.
  • The second relies on URLs listed in the Explorer Bar History.

The second workaround involves using the History Explorer Bar. In the "View" menu, select "Explorer Bar," and then select "History." This should open a pane that displays recently visited URLs. Placing the mouse pointer over an entry in the Explorer Bar History will display the associated URL for that entry. Review those URLs to make sure they are correct and that the entry for the visited site matches what is presented in the address bar. If they do not match, the content may be spoofed and should not be trusted.

Risk: High
Date: December 19, 2003
Components Affected:
Microsoft Internet Explorer 5.0
Microsoft Internet Explorer 5.0.1
Microsoft Internet Explorer 5.0.1 SP1
Microsoft Internet Explorer 5.0.1 SP2
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.5 SP1
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 6.0 SP1

Discovery of these vulnerabilities has been credited to Heise Security.

Source: Homepage

Source: Open SOURCE developers eliminate errors in the InterNet Explorer


Security Events Calendar

RSA 2004 - Security Conference & Exhibition
Date: February 23-26, 2004
San Francisco, CA, USA

InfoSec World Conference & Expo 2004
Date: March 22-23, 2004
Orlando, FL, USA

InfoSecurity 2004
Date: April 27-29, 2004
London, United Kingdom

EICAR (European Institute for Computer Anti-Virus Research) 2004
Date: May 1-4, 2004

AusCERT 2004
Date: May 23-27, 2004
The Gold Coast, Australia

For more events go to our online Events Calendar:


Useful Links

Use Symantec Security Alerts on Your Web Site

Virus Removal Tools
Fix tools for repairing threats.

Virus Hoaxes
There are many email virus hoaxes, so please check here before forwarding any email virus warnings.

Virus Calendar
Monthly calendar showing viruses which trigger on each day.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s). Copyright © 2004 Symantec Corporation. All rights reserved.

Follow this link to subscribe or unsubscribe