Symantec Security Response

ISSN 1444-9994

February 2003 Newsletter



These are the most common Viruses, Trojans, Worms and Exploits reported to Symantec Security Response during the last month.


Country Spotlight: South Africa
W95.Spaces.1445
W32.Funlove.4099
W32.Opaserv.G.Worm
W95.Dupator.1503
W32.Opaserv.Worm
W32.Lirva.C@mm
W32.Opaserv.H.Worm
W32.Klez.H@mm
Trojan Horse
W32.Datom.Worm



Top Global Threats

W32.Klez.H@mm
Trojan Horse
W32.Sobig.A@mm
JS.Exception.Exploit
IRC Trojan
HTML.Redlof.A
W95.Hybris.worm
W32.Lirva.A@mm
W32.Bugbear@mm
W32.Lirva.C@mm


Asia Pacific
HTML.Redlof.A
W32.Klez.H@mm
JS.Exception.Exploit
Trojan Horse
W32.Sobig.A@mm
W32.Lirva.A@mm
W32.Bugbear@mm
W95.Hybris.worm
W32.Nimda.E@mm
IRC Trojan

Europe, Middle East & Africa
W32.Klez.H@mm
Trojan Horse
W32.Sobig.A@mm
JS.Exception.Exploit
W32.Lirva.C@mm
W32.Lirva.A@mm
HTML.Redlof.A
W32.Nimda.E@mm
W32.Bugbear@mm
IRC Trojan

Japan
W32.Klez.H@mm
HTML.Redlof.A
Trojan Horse
W95.Hybris.worm
IRC Trojan
W32.Klez.E@mm
W32.Bugbear@mm
W95.Spaces.1445
W32.Sobig.A@mm
W32.Nimda.E@mm

The Americas
W32.Klez.H@mm
Trojan Horse
W32.Sobig.A@mm
IRC Trojan
W95.Hybris.worm
JS.Exception.Exploit
W32.Bugbear@mm
W32.Lirva.A@mm
W32.Yaha.K@mm
W95.Spaces.1445




Removal Tools for malicious code are on our web site.
A list of Virus Hoaxes reported to Symantec.
A list of Joke Programs reported to Symantec.
Glossary for definitions of viruses, Trojans, worms and more.

February has been a busy month for Security Response, so I must apologize for publishing this edition later than usual. W32.SQLExp.Worm was a major event; it is documented below in our Viruses, Worms and Trojans summary, with a more detailed look in our monthly Security News article.

W32.HLLW.Lovgate.C@mm started out as a high-profile risk, but it soon became apparent that submission levels had dropped off, so we downgraded it to a Low threat (level 2) to match the other Lovgate variants.

Symantec's latest Internet Security Threat Report was released in February. I have included the abstract and a link to this and prior reports:

--

'The February 2003 edition of the Symantec Internet Security Threat Report provides the most comprehensive analysis of evolving Internet threats. Drawing empirical data and expert analysis from several of Symantec's vast security resources, the Report identifies critical trends related to cyber attack activity, new vulnerabilities, and new forms of malicious code. By combining analysis of several different sources of threat data, the February 2003 edition provides the world's most comprehensive analysis of current Internet threats and how they are evolving over time.'

http://enterprisesecurity.symantec.com/content.cfm?articleid=1539&EID=0

--

Best Regards

David Banes.
Editor, Symantec Security Response Newsletter.

Useful Links

Microsoft Security Bulletin MS02-061
Elevation of Privilege in SQL Server Web Tasks (Q316333)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp

Viruses, Worms & Trojans

W32.SQLExp.Worm
Aliases: SQL Slammer Worm [ISS], DDOS.SQLP1434.A [Trend], W32/SQLSlammer [McAfee], Slammer [F-Secure], Sapphire [eEye], W32/SQLSlam-A [Sophos]
Risk: Moderate [3]    
Date: 25th January 2003    
Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
 
Overview

W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000. It spreads by sending a single 376-byte datagram to UDP port 1434, the SQL Server Resolution Service port.

The worm carries no deliberate payload; the sheer volume of packets it sends has the unintended effect of a Denial of Service against the networks it traverses.

Symantec Security Response strongly recommends that all users of either Microsoft SQL Server 2000 or MSDE 2000 audit their computers for the vulnerabilities referred to in Microsoft Security Bulletins MS02-039 and MS02-061.

Symantec Security Response also recommends that you:

  • Configure perimeter devices to block the ingress UDP traffic to port 1434 from untrusted hosts.
  • Block the egress UDP traffic from your network to the destination port 1434.
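The audit step above starts with knowing which hosts are actually running SQL Server 2000 or MSDE 2000, and the same UDP 1434 service the worm abuses will tell you. The following Python script is an added example written for this newsletter, not Symantec's or Microsoft's code: it asks a host's SQL Server Resolution Service to list its instances, parses the reply, and flags instances that report a build older than SQL Server 2000 SP3. The wire format follows the public SSRS / SQL Browser description; the fixed-build threshold (8.00.760) and the use of the reported version as a proxy for patch state are assumptions to confirm against MS02-039 and MS02-061. The sample reply is constructed, not captured traffic.

```python
"""Inventory SQL Server 2000 / MSDE 2000 instances through the SQL Server
Resolution Service (UDP 1434) and flag those reporting a pre-SP3 build.

Added example for this newsletter, not Symantec's or Microsoft's code.
Wire format per the public SSRS / SQL Browser description: the client sends a
one-byte CLNT_UCAST_EX (0x03) request; the server answers with SVR_RESP (0x05),
a two-byte little-endian length, then semicolon-separated key;value pairs,
one record per instance, each record terminated by ";;".
"""
from __future__ import annotations

import socket
import struct

SSRS_PORT = 1434
CLNT_UCAST_EX = b"\x03"     # "list every instance on this host"
SVR_RESP = 0x05

# Assumption to confirm against MS02-039 / MS02-061: SQL Server 2000 SP3
# (build 8.00.760) is the first service pack to ship the Resolution Service
# fix. Hotfixes may not change the version SSRS reports, so treat a pass
# here as a hint and verify patch state on the host itself.
FIXED_BUILD = (8, 0, 760)


def parse_ssrs_response(data: bytes) -> list[dict[str, str]]:
    """Turn an SVR_RESP datagram into one {key: value} dict per instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRS response")
    (resp_len,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + resp_len].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:          # trailing empty record after the last ";;"
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def parse_build(version: str) -> tuple[int, ...]:
    """'8.00.194' -> (8, 0, 194); anything unparseable sorts lowest."""
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return (0,)


def needs_attention(instance: dict[str, str]) -> bool:
    """True when the reported build is older than the assumed fixed build."""
    return parse_build(instance.get("Version", "0")) < FIXED_BUILD


def probe_host(host: str, timeout: float = 2.0) -> list[dict[str, str]]:
    """Query host:1434 over the network. Not exercised by the offline sample."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRS_PORT))
        data, _ = sock.recvfrom(4096)
    return parse_ssrs_response(data)


# Constructed sample reply describing two instances on one host; not a capture.
SAMPLE_BODY = (
    b"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;;"
    b"ServerName;DBSRV01;InstanceName;MSDE;IsClustered;No;"
    b"Version;8.00.760;tcp;1567;np;\\\\DBSRV01\\pipe\\MSSQL$MSDE\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY


def audit(data: bytes = SAMPLE_RESPONSE) -> list[str]:
    """Return 'SERVER\\INSTANCE (version)' for every instance needing the fix."""
    return [
        f"{inst.get('ServerName')}\\{inst.get('InstanceName')} ({inst.get('Version')})"
        for inst in parse_ssrs_response(data)
        if needs_attention(inst)
    ]


if __name__ == "__main__":
    for line in audit():
        print("review against MS02-039 / MS02-061:", line)
```

Run against the constructed reply, the script reports only the default instance at build 8.00.194; the MSDE instance at 8.00.760 passes. On a real network, call probe_host() for each address in your SQL subnet and remember that a host answering on UDP 1434 at all is worth a second look if it is not supposed to be a database server.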

For more information on the SQL outbreak, refer to the Web cast at: https://enterprisesecurity.symantec.com/Content/webcastarchive.cfm?SSL=YES&EID=0&webcastID=45

Information on removal and how to configure Symantec products to detect this threat is available in the document linked below.

       
References
http://www.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
Credit
Douglas Knowles, Symantec Security Response, USA
 
W32.HLLW.Lovgate.C@mm    
Aliases: WORM_LOVGATE.C [Trend], Win32/Lovgate.C@mm [RAV], W32/Lovgate.c@M [McAfee], I-Worm.Supnot.c [KAV], W32/Lovgate-B [Sophos], Win32.Lovgate.C [CA]
Risk: Low [2]    
Date: 24th February 2003    
Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
 
Overview
W32.HLLW.Lovgate.C@mm is a variant of W32.HLLW.Lovgate@mm. This worm contains mass-mailing and backdoor functionality.

To spread itself, the worm attempts to reply to incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, which include Microsoft Outlook. W32.HLLW.Lovgate.C@mm does this in an effort to emulate the auto-reply function of the email client, as well as to lure those who sent the original messages to the infected computer into opening the returned messages.

There are no major functionality differences between this variant and W32.HLLW.Lovgate@mm. This particular variant appears to have been recompiled with a different compiler, and then packed with the same run-time compression utility as W32.HLLW.Lovgate@mm.

NOTE: Definitions dated February 23, 2003 detect this threat as W32.HLLW.Lovgate@mm. Definitions dated February 24, 2003 or later will detect this threat as W32.HLLW.Lovgate.C@mm.
       
Recommendations
Removal using the W32.HLLW.Lovgate Removal Tool
This is the easiest way to remove this threat. Symantec Security Response has created a W32.HLLW.Lovgate Removal Tool, available from the Symantec Security Response web site.
 
Credit
Tony Conneff and Neal Hindocha,
Symantec Security Response, EMEA
References
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lovgate.c@mm.html

Security Advisories

Opera Cross Domain Scripting Vulnerability
Risk: High
Date: 4th February 2003
Components Affected
Opera Software Opera Web Browser 7.0 win32
 
Description
A vulnerability has been reported in Opera 7 browsers for Microsoft Windows operating systems.

Due to flaws in Opera, it is possible for functions in different domains to be accessed and executed by an attacker with the credentials of the victim user. This vulnerability is also exacerbated by the fact that an attacker may also be able to override properties and methods in other windows to create malicious methods that will be accessed by a victim user.

Exploitation of this vulnerability will allow an attacker to obtain access to local resources on a vulnerable system.
 

Recommendations

Run all client software as a non-privileged user with minimal access rights. Perform routine tasks, such as browsing the Web, as a user with minimal privileges. This may reduce the consequences of successful exploitation.

Do not follow links provided by unknown or untrusted sources. Some links may be obfuscated to redirect a user to a malicious site; be extremely cautious before following links provided by unknown sources.

Set web browser security to disable the execution of script code or active content. Configure Opera to disable JavaScript as this will prevent exploitation of this vulnerability.

Opera Software has reportedly addressed this issue in Opera 7.01 for Windows.

Opera Web Browser 7.0 Win32: upgrade to Opera Web Browser 7.01 Win32
http://www.opera.com/download/index.dml?opsys=Windows&lng=en&platform=Windows

References 
Source: GreyMagic Security Advisory GM#002-OP
URL: http://security.greymagic.com/adv/gm002-op/

Source: Opera Browser
URL: http://www.opera.com
Credits
Discovery of these vulnerabilities credited to GreyMagic Software.
 

IBM Lotus Domino HTTP Redirect Buffer Overflow Vulnerability
Risk: High
Date: 17th February 2003
Components Affected
Lotus Domino 6.0
 
Description
It has been reported that Lotus Domino 6 is affected by a buffer overflow vulnerability. The condition occurs when the server constructs an HTTP redirect response. Malicious clients may exploit this to gain control of affected servers. This vulnerability is reportedly fixed in Notes/Domino release 6.0.1.
 
Recommendations

Block external access at the network boundary, unless service is required by external parties.
External access to internal or sensitive servers should be blocked at the network border. This may prevent attack attempts from external, untrusted hosts.

Administrators are advised to upgrade to Domino 6.0.1. The upgrades for various platforms are available at the following location:

Lotus Domino 6.0: upgrade to Lotus Domino 6.0.1
http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&go=y&rs=ESD-DMNTSRVRi&S_TACT=&S_CMP=&sb=r


References
http://securityresponse.symantec.com/avcenter/security/Content/6870.html
Credits
Discovered by Mark Litchfield of Next Generation Security Software.
 

Security News

SQLExp SQL Server Worm Analysis

Executive Summary

On January 25, 2003, the DeepSight Threat Management System registered a sudden and extremely large increase in UDP traffic targeted at port 1434, the port used by the Microsoft SQL Server Resolution Service (also referred to as the SQL Server Monitor). This significant rise in attack activity was later confirmed to be the result of a memory-resident worm named W32.SQLExp.Worm.

W32.SQLExp.Worm exploits a stack overflow vulnerability in the SQL Server Resolution Service in order to distribute itself. As a result of SQLExp's propagation process and the copious network traffic it generates, degradation of network performance was observed throughout the Internet during the outbreak.

Action Items

The DeepSight Threat Analyst Team strongly encourages all system administrators of Microsoft SQL Servers and Microsoft Data Engine applications to audit their machines for known security vulnerabilities. If necessary, the patches given in the Patches section should be applied. Additionally, perimeter devices should be configured to block UDP port 1434 traffic from untrusted hosts. The Snort IDS signature found in the IDS Updates section should also be deployed.
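The traffic characteristics given in this article and in the W32.SQLExp.Worm entry above (UDP to port 1434, a 376-byte datagram), together with the two perimeter rules recommended in both places (drop ingress UDP/1434 from untrusted hosts, drop all egress UDP/1434), can be turned into a small classifier. The Python below is an added example written for this newsletter, not Symantec's or Snort's code: it flags Slammer-shaped datagrams and reports what a filter built to those recommendations would do with each one. The leading 0x04 request type and the run of 0x01 bytes come from public analyses of the worm rather than from this page, the instance-name length threshold is an assumption, and the packets are constructed samples, not captures.

```python
"""Classify UDP datagrams sent to port 1434 and report what a perimeter filter
built to the outbreak recommendations (drop ingress UDP/1434 from untrusted
hosts, drop all egress UDP/1434) would do with each one.

Added example for this newsletter, not Symantec's or Snort's code. The page
itself gives UDP/1434 and a 376-byte datagram; the leading 0x04 request type
and the run of 0x01 bytes come from public analyses of the worm and are
assumptions here, as is the instance-name length threshold.
"""
from __future__ import annotations

from dataclasses import dataclass

SSRS_PORT = 1434
WORM_PAYLOAD_LEN = 376       # stated in the newsletter
CLNT_UCAST_INST = 0x04       # SSRS "look up this instance" request type
MAX_INSTANCE_NAME = 64       # assumption: SQL Server 2000 instance names are at
                             # most 16 chars, so a longer 0x04 request is an overflow attempt


@dataclass(frozen=True)
class UdpPacket:
    src: str
    dst: str
    dst_port: int
    payload: bytes
    inbound: bool            # True when arriving from outside the perimeter


def is_slammer_like(pkt: UdpPacket) -> bool:
    """Heuristic match for W32.SQLExp.Worm propagation traffic."""
    if pkt.dst_port != SSRS_PORT or not pkt.payload:
        return False
    if pkt.payload[0] != CLNT_UCAST_INST:
        return False                        # browse requests (0x02 / 0x03) and the like
    if len(pkt.payload) == WORM_PAYLOAD_LEN:
        return True                         # exact worm size
    return len(pkt.payload) > MAX_INSTANCE_NAME + 1   # oversized name: same bug, other payload


def perimeter_verdict(pkt: UdpPacket, trusted_hosts: frozenset[str]) -> str:
    """Apply the two recommended perimeter rules to one datagram."""
    if pkt.dst_port != SSRS_PORT:
        return "permit"
    if pkt.inbound:
        return "permit" if pkt.src in trusted_hosts else "drop-ingress"
    return "drop-egress"          # infected internal hosts must not scan outward


def triage(packets: list[UdpPacket], trusted_hosts: frozenset[str]) -> list[tuple[str, str, str, bool]]:
    """(src, dst, filter verdict, matches worm heuristic) for each packet."""
    return [(p.src, p.dst, perimeter_verdict(p, trusted_hosts), is_slammer_like(p)) for p in packets]


# Constructed worm-shaped datagram: right size and leading bytes, inert filler
# instead of the worm's code. Not the real sample.
WORM_SHAPED = bytes([CLNT_UCAST_INST]) + b"\x01" * 96 + b"\x90" * (WORM_PAYLOAD_LEN - 97)

TRUSTED = frozenset({"192.0.2.44"})   # an external monitoring host allowed to browse SQL instances

# Constructed sample traffic, not a capture.
SAMPLE_PACKETS = [
    UdpPacket("192.0.2.44", "10.0.1.10", SSRS_PORT, b"\x02", inbound=True),                # browse, trusted
    UdpPacket("192.0.2.44", "10.0.1.10", SSRS_PORT, b"\x04MSSQLSERVER\x00", inbound=True), # normal lookup
    UdpPacket("198.51.100.7", "10.0.1.10", SSRS_PORT, WORM_SHAPED, inbound=True),          # worm, inbound
    UdpPacket("10.0.1.10", "203.0.113.9", SSRS_PORT, WORM_SHAPED, inbound=False),          # infected host scanning out
    UdpPacket("10.0.1.10", "10.0.0.53", 53, b"\x12\x34\x01\x00", inbound=False),           # unrelated DNS
]

if __name__ == "__main__":
    for src, dst, verdict, worm in triage(SAMPLE_PACKETS, TRUSTED):
        print(f"{src:>14} -> {dst:<14} {verdict:<13} {'SQLExp-like' if worm else ''}")
```

The two columns are deliberately kept separate. The filter verdict is what the recommended rules do on their own, and it will still permit a worm datagram from a host on the trusted list; the heuristic column is what an IDS signature adds, and it is also what tells you an outbound drop was an infected internal host rather than a stray lookup. Feeding it decoded UDP records from a capture instead of the constructed list is a matter of building UdpPacket objects.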

Overview

Initial traffic related to the SQLExp worm was seen by the DeepSight Threat Management System on Saturday, January 25, at approximately 05:00 GMT. Over the following hours, the worm infected vulnerable systems at a rate not seen in any previous threat. Many simultaneous reports of network outages were received, as were early reports that day of ATM and Voice over IP networks being affected. Networks all over the world experienced severe performance degradation and packet loss due to excessive traffic. The worm is believed to have reached internal enterprise hosts, which would normally have been segregated, through dial-up and VPN users as well as unknown gateways. In total, over 200,000 individual systems were reportedly affected by this threat.

The primary affected parties were businesses, from small and medium-sized organizations upward. Some user-level applications were also affected through their use of the Microsoft Data Engine. Consumers may have seen degraded network performance during this time, resulting in difficulty accessing common Web sites or using other Internet services such as email.


There is no evidence at this time that this worm was an act of terrorism. The worm did not carry a malicious payload; its primary goal was to propagate as quickly as possible. It could have been significantly more malicious and could have contained code to damage infected systems. Its primary impact was the consumption of network bandwidth, in some cases causing 100% packet loss on networks. This trait also initially led it to be mistaken for a denial of service attack.


While this worm shares some similarities with Code Red, in that both were completely memory-resident, its overall impact was not as significant. This is largely due to the smaller number of vulnerable systems: the number of exposed systems running Microsoft SQL Server or MSDE components is smaller than the number of Microsoft IIS Web servers that were vulnerable to Code Red. As a result, there were fewer systems to infect and a lesser overall impact than that of Code Red. Additionally, the spread of this worm could be controlled through filtering at network perimeters, and indications are that numerous Internet Service Providers performed this filtering, which also helped control its spread.


The SQLExp worm uses UDP and, as a result, did not incur the connection setup and connection management overhead that TCP-based threats require. Previous threats, including Code Red and Nimda, exploited flaws in TCP-based services and required a three-way handshake before exchanging data. Freed from that round trip, the SQLExp worm had a much quicker propagation rate, and the time to reach saturation was short.


Corporations and Internet Service Providers reacted quickly to this threat. Many reacted by blocking the associated UDP port at their perimeter. This resulted in both limiting the number of new incoming attacks, and preventing infected systems on internal networks from spreading to the outside. A significant drop in traffic was observed early the following morning by DeepSight Threat Management System sensors. At this time, the worm was still, however, affecting corporate internal networks.

A full technical description of the worm, the vulnerabilities and data about the attack are available in the full document here:

http://securityresponse.symantec.com/avcenter/Analysis-SQLExp.pdf

 
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails, please).
To subscribe or unsubscribe, follow this link: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.