has been a busy month for Security Response, so I must apologize
for publishing this edition later than usual. W32.SQLExp.Worm
was a major event and is documented below in our Virus, Worms
and Trojans summaries and a more detailed look in our monthly
Security News article.
started out as a high profile risk but it soon became apparent
that the levels of submission had dropped of so we downgraded
it to a Low threat (level 2) to match other Lovgate variants.
latest Internet Security Threat Report was released in February,
I have included the abstract and a link to this and prior reports;
February 2003 edition of the Symantec Internet Security Threat
Report provides the most comprehensive analysis of evolving Internet
threats. Drawing empirical data and expert analysis from several
of Symantec's vast security resources, the Report identifies critical
trends related to cyber attack activity, new vulnerabilities,
and new forms of malicious code. By combining analysis of several
different sources of threat data, the February 2003 edition provides
the world's most comprehensive analysis of current Internet threats
and how they are evolving over time.'
Editor, Symantec Security Response Newletter.
Security Bulletin MS02-061
Elevation of Privilege in SQL Server
Web Tasks (Q316333)
Viruses, Worms & Trojans
SQL Slammer Worm [ISS], DDOS.SQLP1434.A [Trend], W32/SQLSlammer
[McAfee], Slammer [F-Secure], Sapphire [eEye], W32/SQLSlam-A
25th January 2003
Windows 95, Windows 98, Windows
NT, Windows 2000, Windows XP, Windows Me
is a worm that targets the systems running Microsoft
SQL Server 2000, as well as Microsoft Desktop Engine
(MSDE) 2000. The worm sends 376 bytes to UDP port
1434, the SQL Server Resolution Service Port.
worm has the unintended payload of performing a
Denial of Service attack due to the large number
of packets it sends.
Symantec Security Response strongly recommends that
all the users of either Microsoft SQL Server 2000
or MSDE 2000 audit their computers for the vulnerabilities
that are referred to in Microsoft
Security Bulletin MS02-039 and Microsoft
Security Bulletin MS02-061 .
Symantec Security Response also recommends that
- Configure perimeter devices to
block the ingress UDP traffic to port 1434 from
- Block the egress UDP traffic
from your network to the destination port 1434.
information on the SQL outbreak, refer to the Web
cast at: https://enterprisesecurity.symantec.com/Content/webcastarchive.cfm?SSL=YES&EID=0&webcastID=45
on removal and how to configure Symantec products
to detect this threat is available in the document
Douglas Knowles, Symantec Security
WORM_LOVGATE.C [Trend], Win32/Lovgate.C@mm [RAV],
W32/Lovgate.c@M [McAfee], I-Worm.Supnot.c [KAV], W32/Lovgate-B
[Sophos], Win32.Lovgate.C [CA]
Windows 95, Windows 98, Windows
NT, Windows 2000, Windows XP, Windows Me
W32.HLLW.Lovgate.C@mm is a variant
. This worm contains mass-mailing and backdoor
To spread itself, the worm attempts to reply to incoming
messages when they arrive in the mailbox of certain
MAPI-compliant email clients, which include Microsoft
Outlook. W32.HLLW.Lovgate.C@mm does this in an effort
to emulate the auto-reply function of the email client,
as well as to lure those who sent the original messages
to the infected computer into opening the returned
There are no major functionality differences between
this variant and W32.HLLW.Lovgate@mm. This particular
variant appears to have been recompiled with a different
compiler, and then packed with the same run-time compression
utility as W32.HLLW.Lovgate@mm.
NOTE: Definitions dated February 23, 2003 detect this
threat as W32.HLLW.Lovgate@mm. Definitions dated February
24, 2003 or later will detect this threat as W32.HLLW.Lovgate.C@mm.
Removal using the W32.HLLW.Lovgate Removal Tool
This is the easiest way to remove this threat. Symantec
Security Response has created a W32.HLLW.Lovgate
Removal Tool . Click here
to obtain the tool.
Tony Conneff and Neal Hindocha,
Symantec Security Response, EMEA
Cross Domain Scripting Vulnerability
Opera Software Opera
Web Browser 7.0 win32
A vulnerability has been reported reported for
Opera 7 browsers for Microsoft Windows operating systems.
Due to flaws in Opera, it is possible for functions
in different domains to be accessed and executed by
an attacker with the credentials of the victim user.
This vulnerability is also exacerbated by the fact
that an attacker may also be able to override properties
and methods in other windows to create malicious methods
that will be accessed by a victim user.
Exploitation of this vulnerability will allow an attacker
to obtain access to local resources on a vulnerable
all client software as a non-privileged user with
minimal access rights. Perform trivial tasks, such
as browsing the Web, as a user with minimal privileges.
This may reduce the consequences of successful exploitation.
Do not follow links provided by unknown or untrusted
sources. Some links may be obfuscated to redirect
a user to a malicious site; be extremely cautious
before following links provided by unknown sources.
Set web browser security to disable the execution
of script code or active content. Configure Opera
of this vulnerability.
Opera Software has reportedly addressed this issue
in Opera 7.01 for Windows.
Opera Software Opera Web Browser 7.0 win32:
Opera Software Upgrade Opera Web Browser 7.01 Win32
Source: GreyMagic Security Advisory GM#002-OP
Source: Opera Browser
Discovery of these vulnerabilities credited to
Lotus Domino HTTP Redirect Buffer Overflow Vulnerability
Lotus Domino 6.0
It has been reported that Lotus Domino 6 is affected
by a buffer overflow vulnerability. The condition
occurs when the server constructs a HTTP redirect
response. This may be exploited by malicious clients
to gain control of affected servers. This vulnerability
is reportedly fixed in Notes/Domino release 6.0.1.
external access at the network boundary, unless
service is required by external parties.
External access to internal or sensitive servers
should be blocked at the network border. This may
prevent attack attempts from external, untrusted
Administrators are advised to upgrade to Domino
6.0.1. The upgrades for various platforms are available
at the following location:
Lotus Domino 6.0: Lotus
Upgrade Lotus Domino 6.0.1 Upgrade
Discovered by Mark Litchfield of Next Generation
SQL Server Worm Analysis
On January 25,
2003, the DeepSight Threat Management System registered
a sudden and extremely large increase in UDP traffic targeted
at port 1434; this port is commonly associated with the
Microsoft SQL Server Monitor. This significant rise in attack
activity was later confirmed to be the result of a memory-resident
worm named W32.SQLExp.Worm.
W32.SQLExp.Worm exploits a stack overflow vulnerability
in the Microsoft SQL Server Monitor in order to distribute
itself. As a result of SQLExp’s propagation process
and generation of copious amounts of network traffic, degradation
of network performance was observed throughout the Internet
during the outbreak.
The DeepSight Threat Analyst Team strongly encourages all
system administrators of Microsoft SQL Servers and Microsoft
Data Engine applications to audit their machines for known
security vulnerabilities. If necessary, the patches given
in the Patches section should be applied. Additionally,
perimeter devices should be configured to block UDP port
1434 traffic from untrusted hosts. The Snort IDS signature
found in the IDS Updates section should also be deployed.
related to the SQLExp worm was seen by the DeepSight Threat
Management System on Saturday, January 25, at approximately
05:00 GMT. Over the following hours, the worm proceeded
to infect vulnerable systems at a rate not seen before by
previous threats. Many simultaneous reports of network outages
were being received. Reports of ATM and Voice over IP networks
becoming infected were also received early that day. Networks
all over the world experienced severe performance degradation
and packet loss due to excessive traffic. The worm is believed
to have infected internal enterprise hosts, which would
normally have been segregated, through dial-up and VPN users,
in addition to unknown gateways. In total, over 200,000
individual systems were reportedly affected by this threat.
The primary affected parties were small to medium sized
businesses and above. Some user-level applications also
were affected through use of the Microsoft Data Engine.
Consumers may have seen degradation in network performance
during this time. This would have resulted in difficulty
accessing common Web sites, or using other Internet services
such as email.
There is no evidence at this moment, that this worm was
an act of terrorism. The worm did not carry a malicious
payload, its primary goal being to propagate as quickly
as possible. This worm could have been significantly more
malicious, and could have contained code to damage infected
systems. The primary impact of this worm was a consumption
of network bandwidth, in some cases, causing 100% packet
loss on networks. This trait also initially led it to be
mistaken as a denial of service attack.
While this worm does possess some similarities with Code
Red, in that both were completely memory resident viruses,
the overall impact was not as significant. This is largely
due to the smaller number of vulnerable systems. The number
of exposed systems running Microsoft SQL Server or MSDE
components are fewer than the number of Microsoft IIS Web
servers that were vulnerable to Code Red. As result, there
are fewer systems to infect, and a lesser overall impact
than that of Code Red. Additionally, the spread of this
worm could be controlled through filtering at network perimeters
and indications are that numerous Internet Service Providers
performed this filtering which also would help control the
spread of the worm.
The SQLExp worm uses the UDP protocol, and as a result,
did not have the overhead of the associated connection setup
time and connection management that is required by TCP-based
threats. Previous threats, including Code Red and Nimda,
had used flaws in TCP-based services, and required a three
way handshake before exchanging data. As a result, the SQLExp
worm had a much quicker propagation rate, and the time to
reach saturation was short.
Corporations and Internet Service Providers reacted quickly
to this threat. Many reacted by blocking the associated
UDP port at their perimeter. This resulted in both limiting
the number of new incoming attacks, and preventing infected
systems on internal networks from spreading to the outside.
A significant drop in traffic was observed early the following
morning by DeepSight Threat Management System sensors. At
this time, the worm was still, however, affecting corporate
A full technical
description of the worm, vulnerabilities and data about
the attack are available in the full document available
|Contacts and Subscriptions:
Correspondence by email to: email@example.com, no unsubscribe or support
emails please. Follow this link to subscribe or unsubscribe http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html Send virus samples to: firstname.lastname@example.org
|Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document.
The information contained in this message is provided "as is" without warranty of any kind, either expressed
or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose,
and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document.
This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products
are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials
may not be published in other documents without the express, written permission of Symantec Corporation.