Symantec Security Response

ISSN 1444-9994

February 2002 Newsletter


These are the most common Viruses, Trojans and Worms reported to Symantec Security Response during the last month.



Country Spotlight
Australia

W32.Badtrans.B@mm
W95.Hybris.worm
W32.Magistr.39921@mm
Backdoor.Trojan
JS.Exception.Exploit
W32.Badtrans@mm.enc
W32.Myparty@mm
Trojan Horse
W32.Sircam.Worm@mm
W32.Magistr.24876@mm


Top Global Threats
W32.Badtrans.B@mm
Backdoor.Trojan
JS.Exception.Exploit
W32.Magistr.39921@mm
W95.Hybris.worm
W32.Myparty@mm
W32.Sircam.Worm@mm
Trojan Horse
W32.Nimda.A@mm
VBS.Haptime.A@mm

Asia Pacific
JS.Exception.Exploit
W32.Badtrans.B@mm
Backdoor.Trojan
W32.Magistr.39921@mm
W95.Hybris.worm
W32.Sircam.Worm@mm
VBS.Haptime.A@mm
W32.Nimda.A@mm
Trojan Horse
W32.Shoho@mm


Europe, Middle East & Africa
W32.Badtrans.B@mm
JS.Exception.Exploit
Backdoor.Trojan
W95.Hybris.worm
W32.Magistr.39921@mm
W32.Sircam.Worm@mm
W32.Myparty@mm
Trojan Horse
VBS.Haptime.A@mm
JS.Seeker.F

Japan
W32.Badtrans.B@mm
W95.Hybris.worm
W32.Myparty@mm
JS.Exception.Exploit
W32.Aliz.Worm
Backdoor.Trojan
W32.Sircam.Worm@mm
W32.Nimda.E@mm
W32.Nimda.E@mm (dr)
W95.MTX.dr

The Americas
Backdoor.Trojan
W95.Hybris.worm
W32.Magistr.39921@mm
JS.Exception.Exploit
W32.Badtrans.B@mm
W32.Myparty@mm
W32.Sircam.Worm@mm
Trojan Horse
W32.Nimda.enc
W32.Magistr.24876@mm




The Symantec web site has been re-launched with a bright new look, so we have taken the opportunity to tidy up the newsletter and add some new features. The first is a breakdown by geographic region for threats we write up that are in the wild (reported by customers). The same chart shows the distribution by percentage, over a date range, of the number of reports from customers. This range highlights the peak in the number of reports; if the highlighted date is at the end of the scale, then we may not have reached the peak yet.

The second is a new virus listing in the sidebar (this month at the top) which will focus on a particular country. We've started with Australia and will work our way down a list which is sorted by the number of subscribers per country. Canada is next, followed by Great Britain, Germany, then the Netherlands. After that it'll be by request, or we'll select countries that may be interesting because the types and numbers of viruses reported differ from the global picture in some way. For example, a certain virus or worm may not work well on double-byte Windows (Chinese, Japanese, etc.).

W32.Myparty@mm has the dubious honor of being the first threat of note in 2002, having been discovered late in January. Thankfully it limited itself to a five-day period to replicate. This should be a mandatory feature for a worm, a cut-off date; virus authors, please take note.


David Banes,
Editor,
securitynews@symantec.com

Viruses, Worms & Trojans

W32.Myparty@mm

Medium [3] Threat

Win32

Global Infection breakdown by geographic region (% of total):

  America (North & South)              65.0%
  EMEA (Europe, Middle East, Africa)   27.1%
  Japan                                 3.9%
  Asia Pacific                          4.0%

Reports by date (% of reports):

  26 Jan    0.02%
  27 Jan    0.45%
  28 Jan   24.83%
  29 Jan   41.93%
  30 Jan   14.13%
  31 Jan    6.87%
   1 Feb    4.79%
   2 Feb    3.04%
   3 Feb    2.06%
   4 Feb    1.87%


W32.Myparty@mm is a mass-mailing email worm. This worm is capable of spreading itself only between January 25, 2002, and January 29, 2002. However, it remains active on infected computers after this period of time.

It has the following characteristics:


Subject: new photos from my party!
Message:
Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment: www.myparty.yahoo.com


The worm sends email to all contacts in the Windows address book and to email addresses that it finds in the Outlook Express inboxes and folders. In addition, the worm sends a message to the author so that the author can track the worm.

On Windows NT/2000/XP-based computers, the worm drops a backdoor Trojan that allows a hacker to control the system. Norton AntiVirus detects this as Backdoor.Myparty.

Finally, if the file name of the worm is Access.<any extension>, it may launch the Web browser to http:/ /www.disney.com. However, the worm does not contain code which can generate a file with the name Access.<any extension>, so it is highly unlikely that this will trigger.

http://securityresponse.symantec.com/avcenter/venc/data/w32.myparty@mm.html

Douglas Knowles and Eric Chien
Symantec Security Response, EMEA.

W32.Donut

Minimal [1] Threat

Win32


W32.Donut is a virus that targets .exe files that were created for the Microsoft .NET framework. W32.Donut is a concept virus. It does not have any significant chance of becoming widespread. However, it shows that virus writers are paying close attention to the new .NET architecture and are attempting to learn how to exploit it before the .NET framework is available on most systems.

http://securityresponse.symantec.com/avcenter/venc/data/w32.donut.html

Peter Szor
Symantec Security Response, USA

W32.Klez.E@mm

Low [2] Threat

Win32

Global Infection breakdown by geographic region (% of total):

  America (North & South)              19.8%
  EMEA (Europe, Middle East, Africa)   57.1%
  Japan                                 3.7%
  Asia Pacific                         19.4%

Reports by date (% of reports):

  17 Jan    1.71%
  20 Jan    2.33%
  23 Jan   12.89%
  27 Jan   13.82%
  30 Jan   16.30%
  31 Jan   11.96%
   1 Feb    8.23%
   2 Feb    5.28%
   3 Feb    8.39%
   4 Feb   11.34%



W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587, which is similar to W32.ElKern.3326. The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes.

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

Atli Gudmundsson and Eric Chien
Symantec Security Response, EMEA.
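A mail-gateway check for the two lures described in this write-up and in the W32.Myparty write-up above, as an added example (not Symantec's code): it flags the Myparty subject line, any attachment whose name ends in an executable extension (the Myparty attachment name looks like a URL but ends in .com, a DOS executable extension), and an executable declared under a non-executable MIME type, which is the MS01-020 "incorrect MIME header" pattern Klez.E relies on to run on open or preview. The sample messages are constructed, and the flagged extensions and types are assumptions, not a complete list.

```python
import email
import re
from email import policy

# Added example, not Symantec's code.  Extensions Windows runs as programs; the
# Myparty attachment "www.myparty.yahoo.com" looks like a URL but ends in .com.
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")
# Types that never name an executable; an executable under one is the MS01-020 pattern.
INERT_TYPES = {"audio/x-wav", "audio/x-midi", "image/jpeg", "image/gif"}
MYPARTY_SUBJECT = re.compile(r"^\s*new photos from my party!\s*$", re.I)

def scan_message(raw):
    """Return the findings for one RFC 822 message (empty list if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if MYPARTY_SUBJECT.match(str(msg.get("Subject", ""))):
        findings.append("MYPARTY_SUBJECT")
    for part in msg.walk():  # every MIME part; a single-part message yields itself
        name = part.get_filename() or ""  # Content-Disposition filename or Content-Type name
        if not name.lower().endswith(EXEC_EXTS):
            continue
        findings.append("EXEC_ATTACHMENT:" + name)
        if part.get_content_type() in INERT_TYPES:
            findings.append("MIME_MISMATCH:" + part.get_content_type())
    return findings

# Constructed message shaped like the W32.Myparty mail described above.
MYPARTY_SAMPLE = """\
Subject: new photos from my party!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello! My party... It was absolutely amazing!
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="www.myparty.yahoo.com"

MZ...
--b1--
"""
# Constructed message using the MS01-020 mismatch (Klez's real text is randomised).
MISMATCH_SAMPLE = """\
Subject: hi
Content-Type: audio/x-wav; name="setup.exe"

MZ...
"""
```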

Security Advisories

Common Desktop Environment (CDE) dtspcd Buffer Overflow

Symantec Corporation advises its customers to be aware of a remote root-access buffer overflow vulnerability in the Common Desktop Environment's (CDE's) Subprocess Control Service (dtspcd). A remote intruder can cause arbitrary code to be run with root-level privileges on the targeted system, potentially gaining root access to it.

The CDE is an integrated graphical user interface that runs on Unix and Linux operating systems. "dtspcd" is a network daemon that accepts requests from clients to execute commands and launch applications remotely. On systems running CDE, dtspcd is spawned by the Internet services daemon (typically inetd or xinetd) in response to a CDE client request. The dtspcd is typically configured to run on port 6112/tcp with root privileges. dtspcd makes a function call to a shared library that contains a buffer overflow condition in the client connection routine. The buffer overflow can be exploited by a specially crafted CDE client request allowing a remote attacker to gain administrative privileges on the affected host.

Although this vulnerability can potentially affect any operating system using CDE functionality, there is information that an exploit has been specifically developed for, and is being actively used against, SunOS 5.51 through 8, both SPARC and x86 releases. If your systems are not running the CDE Subprocess Control Service, you are not vulnerable to this issue. To determine whether you have CDE installed and enabled, check for the following entries:

- In /etc/services check for "dtspc 6112/tcp"
- In /etc/inetd.conf check for "dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd"

http://securityresponse.symantec.com/avcenter/security/Content/995desc.html
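A host check for the two entries listed above, as an added example (not from the Symantec advisory): it reads /etc/services and /etc/inetd.conf under a given root and reports whether dtspcd is enabled. The sample /etc tree is constructed for demonstration; xinetd-style per-service files, which the advisory also mentions, are not covered.

```python
import re
import tempfile
from pathlib import Path

# Added example, not from the advisory.  The two patterns are the entries the
# advisory says to look for; a leading "#" (the usual way to disable a service)
# prevents a match because ^\s* admits only whitespace before the service name.
SERVICES_RE = re.compile(r"^\s*dtspc\s+6112/tcp\b")
INETD_RE = re.compile(r"^\s*dtspc\s+stream\s+tcp\s+nowait\s+root\s+/usr/dt/bin/dtspcd\b")

def _has_entry(path, pattern):
    """True if some line of path matches; a missing file counts as no entry."""
    if not path.is_file():
        return False
    return any(pattern.match(line) for line in path.read_text(errors="replace").splitlines())

def dtspcd_status(root="/"):
    """ENABLED: both entries active, so inetd starts dtspcd as root on 6112/tcp.
    PARTIAL: only one entry found, verify by hand.  NOT_ENABLED: neither present."""
    etc = Path(root) / "etc"
    svc = _has_entry(etc / "services", SERVICES_RE)
    inet = _has_entry(etc / "inetd.conf", INETD_RE)
    if svc and inet:
        return "ENABLED"
    return "PARTIAL" if svc or inet else "NOT_ENABLED"

def demo_tree(inetd_commented, services_present=True):
    """Constructed /etc copy for demonstration: the inetd line is live or
    commented out, and the services entry may be omitted."""
    etc = Path(tempfile.mkdtemp()) / "etc"
    etc.mkdir()
    if services_present:
        (etc / "services").write_text("dtspc\t\t6112/tcp\t\t# CDE subprocess control\n")
    line = "dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd\n"
    (etc / "inetd.conf").write_text(("#" if inetd_commented else "") + line)
    return str(etc.parent)

if __name__ == "__main__":
    print(dtspcd_status(demo_tree(False)))   # ENABLED
    print(dtspcd_status(demo_tree(True)))    # PARTIAL (inetd line commented out)
    print(dtspcd_status())                   # the live host
```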

Enterprise Security News Clips


Visit the Symantec Enterprise Security Web Site - http://enterprisesecurity.symantec.com/

Recent Enterprise Security News headlines include:

Worm Wiggles Its Way Into World's Computers;
Africa News
http://enterprisesecurity.symantec.com/content.cfm?articleid=1161

Survey: Banks Hit by Most Database Breaches;
InfoWorld Daily News
http://enterprisesecurity.symantec.com/content.cfm?articleid=1146

British ISP Put Out of Business by Cyberterrorism;
ComputerWire
http://enterprisesecurity.symantec.com/content.cfm?articleid=1151

Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm

Vulnerability & Exploit News

Creating a Security Policy


You can enhance your small business security by establishing a company-wide policy on issues such as password usage, remote connections, workstation security and downloads. Once you decide the security standards you want to maintain, the security policy should be distributed to employees. Periodic meetings to review the policy, answer questions and gain employee feedback can be helpful.

One of the most important first steps is deciding what you want to allow in your operation. Before you create your policy, you should decide how restrictive or permissive you want the policy to be. If your company doesn't handle sensitive data, your security policy won't need to be as strict as one dealing with confidential customer information and credit card numbers. Once you have an idea of the security needs of your small business, consider the following security issues and how you'd like to address them with your employees:

Password Usage. The issue of passwords is one that should definitely be included in your security policy. It can be one of the biggest holes in your network security caused by employees. Establish rules about password choice and recommend safe ways of creating them, such as:

- Don't use information easily obtained about you, including license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street you live on, etc.
- Use a combination of upper and lowercase letters, punctuation and numbers.
- Never write your password down.
- Change your password regularly.


To make it easier to remember to change your password, associate it with an event. For example, change your password the first of each month or every other payday.

Instant Messaging. Unless your employees need instant-messaging clients such as IRC, ICQ or Netscape Instant Messenger as business-related tools, you might consider disabling them in order to protect the safety of your network. Chat programs use public networks that make it relatively easy for hackers to intercept information or files during transfer. Security holes in chat-client software can be easily used by hackers to gain access to networks and steal sensitive data and files. Users of chat programs might also be manipulated into communicating sensitive information or downloading files containing malicious code. Trickery of this kind is facilitated by the theft of instant messenger identities. Hackers may steal usernames and passwords and pose as a coworker or other trusted source fooling victims into sending them files and information.

Remote Connections. If you have remote workers logging onto your network, let them know the security policy still applies at home or on the road. Connecting to a network from an insecure workstation weakens your carefully constructed in-house security. Protect remote workers with anti-virus software and a firewall so their computers don't become a weak spot for hackers and malicious code. Norton Internet Security, which includes Norton Personal Firewall and Norton AntiVirus, can protect your employees at home or on the road against viruses and malicious code while keeping the connection to your server secure.

Workstation Security. Your security policy should emphasize workstation security among employees. Passwords and sensitive information should never be written down. Many workers tend to write their passwords on sticky notes on computer monitors; this should be banned. It also might be a good idea to recommend employees "lock" their desktop workstations when leaving them, using "control+alt+delete," which requires a password to unlock the system.

Anti-virus Software. An important part of your small business security policy is to take a stand on attachments, downloads and other risky behavior that can set your system up for a virus invasion. Make sure your employees know the importance of scanning all attachments before opening them, and have them avoid downloading files from unfamiliar or insecure sites.

Norton Internet Security. Norton Internet Security is your total small business security solution. Norton Internet Security includes the award-winning Norton AntiVirus to protect your server and workstations against viruses, Trojan horses, worms and malicious code. Norton Personal Firewall blocks out intruders and hackers and keeps your sensitive data safe.

If you establish a written security policy, the guidelines for safe computing behavior in the workplace will be clear to your employees. You may want to consider posting consequences for violating the security policy if you feel that would help employees adhere to it. Examining the security needs of your business, organizing them into a concise and easily understood security policy, and distributing this policy among your employees is a sure way to bolster network security, protect proprietary information and reduce liability exposure -- soundly protecting the future of your small business.
 
Contacts and Subscriptions:

Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter.html
Send virus samples to: avsubmit@symantec.com

Disclaimer - THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.