Symantec(TM)

Symantec Security Response

ISSN 1444-9994

January 2002 Newsletter

These are the most common Viruses, Trojans and Worms reported to Symantec Security Response during the last month.

Top Global Threats
W32.Badtrans.B@mm
JS.Exception.Exploit
Backdoor.Trojan
W32.Magistr.39921@mm
W95.Hybris.worm
W32.Sircam.Worm@mm
Trojan Horse
VBS.Haptime.A@mm
W32.Goner.A@mm
W32.Magistr.24876@mm


Asia Pacific
W32.Badtrans.B@mm
JS.Exception.Exploit
W32.Magistr.39921@mm
W95.Hybris.worm
Backdoor.Trojan
W32.Sircam.Worm@mm
VBS.Haptime.A@mm
Trojan Horse
W32.Nimda.A@mm
W32.Magistr.24876@mm


Europe, Middle East
& Africa
W32.Badtrans.B@mm
JS.Exception.Exploit
W95.Hybris
W32.Magistr.39921@mm
Backdoor.Trojan
W32.Badtrans.B@mm
W32.Sircam.Worm@mm
Trojan Horse
VBS.Haptime.A@mm
W32.Aliz.Worm


Japan
W32.Badtrans.B@mm
W32.Aliz.Worm
W95.Hybris
JS.Exception.Exploit
Backdoor.Trojan
W32.Nimda.A@mm
W32.Sircam.Worm@mm
W95.MTX
W32.HLLW.Bymer
W32.Zoher@mm

The Americas
W32.Badtrans.B@mm
Backdoor.Trojan
JS.Exception.Exploit
W95.Hybris
W32.Magistr.39921@mm
W32.Sircam.Worm@mm
W32.Goner.A@mm
VBS.Haptime.A@mm
W32.Magistr.24876@mm
Trojan Horse



Removal Tools for malicious code are on our web site


A list of Virus Hoaxes
reported to Symantec


A list of Joke Programs
reported to Symantec.


Glossary for definitions of viruses, Trojans and worms and more.






I hope you all had a restful holiday season, my first job in 2002 is to apologize for sending out a draft copy of the Newsletter in December which was full of spelling and grammatical errors. As there are now more than a quarter of a million subscribers I thought it best not to resend the correct version. It's posted on our web site if anyone would like a copy.

We have the usual rash of Win32 viruses and worms this month, but there's nothing of significance to report; overall it was a quiet holiday season for anti-virus researchers. We do have a great article that explains what denial of service (DoS) attacks are, how to protect your PC from them and how to avoid being an unwilling participant in an attack. There is a summary of the Plug and Play buffer overflow and a list of the latest vulnerabilities, all with links to more detailed information.

David Banes.
Editor,
securitynews@symantec.com
 
Viruses, Worms & Trojans
W32.Maldal.D@mm

Medium [3]

Win32


W32.Maldal.D@mm is an extremely damaging mass-mailing worm. It was written and distributed on December 28, 2001. The worm is written in Visual Basic, is about 27 KB in size and is packed with ASPack. It uses Microsoft Outlook to send itself to every contact in the Outlook address book.

It attempts to delete anti-virus software and files with the following extensions: .ini, .php, .exe, .com, .mpeg, .dat, .zip, .txt, .xls, .doc and .jpg.

http://securityresponse.symantec.com/avcenter/venc/data/w32.maldal.d@mm.html
 
W32.Zoher@mm

Low [2]

Win32


W32.Zoher@mm is a worm that comes in an email message with a subject of "Fw: Scherzo!" and an attachment named Javascript.exe. The body of the email message contains a message in Italian.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express (the incorrect MIME header handling described in MS01-020) so that the attachment runs automatically when the message is opened or previewed. Further information and a patch for the vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

http://securityresponse.symantec.com/avcenter/venc/data/w32.zoher@mm.html
JP Duan, Symantec Security Response, USA
 
W32.Shoho@mm

Low [2]

Win32


W32.Shoho@mm is a mass-mailing worm written in Visual Basic. It sends itself as an attachment named "Readme.txt", followed by a long run of blank spaces and then the real extension ".pif". The padding pushes the ".pif" out of the visible part of the attachment line, so the file looks like a harmless text document even though Windows will run it.

This worm also uses the IFRAME vulnerability (MS01-020) that lets Microsoft Outlook execute the attachment automatically. There are three variants of this worm. All are detected as W32.Shoho@mm.

http://securityresponse.symantec.com/avcenter/venc/data/w32.shoho@mm.html

JP Duan and Gor Nazaryan
Symantec Security Response, USA
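The padded-extension trick used by W32.Shoho@mm is easy to catch at the mail gateway once you know what to look for. The following is an added example (not Symantec's code and not taken from the worm): it classifies attachment file names, flags a benign-looking extension that is followed by padding and a second extension, and decides on the extension the operating system would actually use. The extension lists and the sample names are assumptions constructed for this example.

```python
import re

# Assumption (not from the newsletter): extensions Windows treats as executable
# when the attachment is opened, and extensions a recipient would read as harmless.
EXECUTABLE_EXTS = {"pif", "exe", "com", "scr", "bat", "cmd", "vbs", "js", "lnk"}
BENIGN_EXTS = {"txt", "doc", "xls", "jpg", "gif", "htm", "html", "pdf", "zip"}

# "<stem>.<inner ext><padding>.<outer ext>": the padding (spaces, tabs or NBSP)
# is what pushes the real extension out of view in the mail client.
PADDED_RE = re.compile(
    r"^(?P<stem>.*?)\.(?P<inner>[A-Za-z0-9]{1,5})(?P<pad>[ \t\u00a0]+)\.(?P<outer>[A-Za-z0-9]{1,5})$"
)


def real_extension(name: str) -> str:
    """Extension the operating system actually uses: the text after the last
    dot, lower-cased. Internal spaces are kept, because the OS keeps them too."""
    stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def analyse_attachment_name(name: str) -> dict:
    """Classify one attachment file name.

    verdict: "block" for an executable real extension, "warn" for a benign-looking
    extension followed by padding and a second extension, "allow" otherwise.
    """
    ext = real_extension(name)
    m = PADDED_RE.match(name)
    padded = bool(m) and m.group("inner").lower() in BENIGN_EXTS
    executable = ext in EXECUTABLE_EXTS
    if executable:
        verdict = "block"
    elif padded:
        verdict = "warn"
    else:
        verdict = "allow"
    return {
        "name": name,
        "extension": ext,
        "executable": executable,
        "padded_double_extension": padded,
        "padding_length": len(m.group("pad")) if m else 0,
        "verdict": verdict,
    }


def triage(names):
    """Run the classifier over a batch of names and return the results."""
    return [analyse_attachment_name(n) for n in names]


# Constructed sample names for a stand-alone run (not real samples).
SAMPLE_NAMES = [
    "Readme.txt" + " " * 120 + ".pif",  # Shoho-style: benign-looking name, hidden .pif
    "Javascript.exe",                    # Zoher-style: plain executable
    "report.doc .exe",                   # short padding still counts
    "holiday_photos.jpg",                # ordinary attachment
]

if __name__ == "__main__":
    for r in triage(SAMPLE_NAMES):
        print(f"{r['verdict']:5} ext={r['extension']:4} pad={r['padding_length']:3}  {r['name'][:24]!r}")
```

The decision is made on the real extension, not on what the user sees, which is the whole point: a gateway that only looks at the first few characters of the name is fooled exactly the way the recipient is.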
 
JS.Coolsite@mm

Low [2]

Script


JS.Coolsite@mm is a JavaScript worm. If you are using Norton AntiVirus with definitions dated August 16, 2001 or later, you are already protected from this worm, which those definitions detect as JS.Exception.Exploit.

Symantec Security Response has created a separate detection for this variant, and definitions dated December 19, 2001 or later detect it as JS.Coolsite@mm.

The worm arrives as an email with the subject "Hi!!" and the message "Hi. I found cool site!..."

http://securityresponse.symantec.com/avcenter/venc/data/js.coolsite@mm.html

JP Duan, Symantec Security Response, USA
 
Security Advisories
Microsoft UPnP Buffer Overflow and DoS vulnerabilities.

Medium [3]

Win32


Reference: Microsoft Security Bulletin MS01-059, 20 December 2001
Unchecked Buffer in Universal Plug and Play can lead to System Compromise

EEye Digital Security Advisory, AD20011220, 20 December 2001
Multiple Remote Windows XP/ME/98 Vulnerabilities

Symantec Corporation advises its customers to be aware of multiple vulnerabilities in the Universal Plug and Play (UPnP) service that have recently been discovered in Microsoft Windows XP and ME, and in Microsoft Windows 98 and 98SE running the XP Internet Connection Sharing client. The more critical of the vulnerabilities is a buffer overflow in the UPnP service that can allow an attacker to run arbitrary code on the targeted system with SYSTEM-level privileges, potentially gaining complete control over it. Additional vulnerabilities can result in either a denial of service (DoS) against the targeted system or a distributed denial of service (DDoS) attack against a third-party network. These vulnerabilities were discovered by the eEye Digital Security team and acknowledged by Microsoft.
http://securityresponse.symantec.com/avcenter/security/Content/2001.12.20a.html
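Both problems arrive in the same kind of packet. According to the eEye and Microsoft advisories referenced above, the overflow is triggered by an overlong LOCATION header in an SSDP NOTIFY announcement, and the DoS/DDoS cases arise because the UPnP client fetches whatever URL that header names, even one pointing at another host or at a port such as chargen that answers with an endless stream. The following is an added example (not Symantec's, eEye's or Microsoft's code) of the inspection logic a network monitor on UDP port 1900 could apply to each NOTIFY it sees. The local address ranges, the length threshold and the sample datagrams are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example (not from the advisories): the address space the
# monitored segment uses, and a length beyond which a LOCATION URL is suspect.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
MAX_LOCATION_LEN = 256
# Ports that answer with unbounded or reflected data; a LOCATION aimed at one
# of these turns the UPnP client into a traffic generator against that host.
REFLECTOR_PORTS = {7: "echo", 19: "chargen"}


def parse_ssdp(datagram: bytes):
    """Split an SSDP datagram (HTTP-style text over UDP) into its request line
    and a dict of lower-cased header names to values."""
    text = datagram.decode("latin-1")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_notify(datagram: bytes, sender_ip: str) -> list:
    """Return a list of findings for one SSDP datagram; empty means nothing odd."""
    findings = []
    request_line, headers = parse_ssdp(datagram)
    if not request_line.upper().startswith("NOTIFY "):
        return findings  # only NOTIFY carries a LOCATION the client will fetch
    location = headers.get("location", "")
    if not location:
        return findings
    if len(location) > MAX_LOCATION_LEN:
        findings.append(f"oversized LOCATION header ({len(location)} bytes)")
    parts = urlsplit(location)
    try:
        host = ipaddress.ip_address(parts.hostname or "")
        port = parts.port
    except ValueError:
        findings.append(f"LOCATION host/port not a plain IP literal: {location[:40]!r}")
        return findings
    if not any(host in net for net in LOCAL_NETS):
        findings.append(f"LOCATION points off-network: {host}")
    if str(host) != sender_ip:
        findings.append(f"LOCATION host {host} differs from sender {sender_ip}")
    if port in REFLECTOR_PORTS:
        findings.append(f"LOCATION targets {REFLECTOR_PORTS[port]} port {port}")
    return findings


def _notify(location: str) -> bytes:
    """Build a constructed NOTIFY datagram around the given LOCATION."""
    return (
        "NOTIFY * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        f"LOCATION: {location}\r\n"
        "NT: upnp:rootdevice\r\n"
        "NTS: ssdp:alive\r\n"
        "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
        "\r\n"
    ).encode("latin-1")


# Constructed samples: a normal announcement, an overlong LOCATION, and a
# LOCATION that sends the client to a chargen port on an outside host.
BENIGN = _notify("http://192.168.1.20:5000/description.xml")
OVERSIZED = _notify("http://192.168.1.20:5000/" + "A" * 600)
REDIRECTED = _notify("http://203.0.113.9:19/")

if __name__ == "__main__":
    for label, pkt, src in (("benign", BENIGN, "192.168.1.20"),
                            ("oversized", OVERSIZED, "192.168.1.20"),
                            ("redirected", REDIRECTED, "192.168.1.77")):
        print(label, inspect_notify(pkt, src) or "ok")
```

Monitoring is no substitute for the MS01-059 patch, but a rule like this also catches the DDoS case the patch does not make visible: an announcement whose LOCATION names a host other than the sender is not how a real device behaves.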
 
Buffer Overflow in System V Derived Login

Medium [3]

Unix


Reference: Symantec Security Response

This vulnerability can be exploited remotely to gain the privileges of the process that invoked login. When login is invoked by telnetd, rlogind or another program running as root, root access is gained. An exploit may exist; however, Symantec has had no notification that one is in the wild or being actively used.

Affected:
IBM AIX versions 4.3 and 5.1
Hewlett-Packard's HP-UX
SCO OpenServer 5.0.6 and earlier
SGI IRIX 3.x
Sun Solaris 8 and earlier

Several applications use login to authenticate users to the system. A remotely exploitable buffer overflow exists in the login program derived from System V. Attackers can exploit this vulnerability to gain root access to the server.
http://securityresponse.symantec.com/avcenter/security/Content/2001.12.14b.html
 
Various Buffer Overflow and DoS vulnerabilities.

Various

 Various


This month we have six other new entries: the SSH CRC32 attack, a PHP-Nuke attack, a new version of the Whisker CGI scanner, and three other buffer overflow and denial of service issues.

HTTP ActivePerl Overflow

Some older versions of ActivePerl for Windows web servers may allow an attacker to execute arbitrary code at the privilege level of the web server process.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0815

ISA Fragmented UDP
By sending a flood of malformed and fragmented UDP packets to the Microsoft Internet Security and Acceleration (ISA) Server, an attacker can cause a denial of service by consuming all CPU cycles on the server.

Media Player Nsc Unchecked Buffer
Some versions of Microsoft Media Player contain an unchecked buffer in the code that processes NetShow Channel descriptors. A sufficiently long string in the IP Address field can overflow the buffer.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0541

Php Nuke Remote File Copy
Older versions of PHP-Nuke fail to check the credentials of the connecting user before performing file manipulation operations.

SSH1 CRC32 Boundary Overflow
Some older versions of SSH and OpenSSH contain an integer-overflow bug in the CRC32 compensation attack detection code. This may allow remote attackers to write values to arbitrary locations in memory.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0144

Whisker2
Whisker is an automated CGI scanner with sophisticated evasion techniques. A CGI scanner makes a series of requests to a Web server to determine whether known-vulnerable CGI programs are present and available for attack.
 
Enterprise Security News Clips

VISIT THE SYMANTEC ENTERPRISE SECURITY WEB SITE
http://enterprisesecurity.symantec.com/

Recent Enterprise Security News headlines include:

AOL Quickly Patches Software Glitch;
San Jose Mercury News
http://enterprisesecurity.symantec.com/content.cfm?articleid=1115

U.S. and Canada to Meet on Cross-Border Cybercrime;
Washington Internet Daily
http://enterprisesecurity.symantec.com/content.cfm?articleid=1110

Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
 
Vulnerability & Exploit News
Don't Be in Denial    

Denial of Service (DoS) attacks have been widely publicized in the news lately. These network assaults are staged by hackers who hijack other people's computers in order to overwhelm a network or Web server with requests. The network or server becomes overloaded, denying anyone else access to the system. The most publicized attacks involve Internet giants like Yahoo and Microsoft. But businesses of all sizes are vulnerable to attack. The hackers who took down the major corporations had to practice somewhere.

How DoS Attacks Work
Attackers usually hide the identity of the machines used to carry out an attack by "spoofing": forging the source address on the packets they send. This makes the attacker difficult to trace, and the innocent owner of the spoofed address appears guilty.

A common way to launch a DoS attack is with authentication requests. This was the case in the Yahoo! attack, in which computers from all over the Internet assaulted the site with fake sign-in attempts. False logons and passwords were generated, and the Web server was bombarded with requests until there was no capacity left for legitimate users to log on.

Another way attackers wreak havoc is with "back door" remote administration software. Installing it on a computer without the owner's knowledge lets the attacker send packets from that computer to the target of the attack. Enough of these packets can clog the target so that traffic is blocked in both directions. Attackers coordinate whole fleets of such computers against a common target and rarely get caught, because the attack is traced back to the compromised machines, not to the attacker's own.

How to Protect Yourself Against a DoS Attack
DoS attacks can be difficult to protect against, but taking these steps to secure your network can help you defend yourself against malicious hacking.

- Secure mobile workers. While your network may be well protected, the connections used by remote workers may not be. Make sure that anyone connecting to your network from the road adheres to the same security standards.

- Check the source. Internet service providers can check that the source address on traffic entering or leaving a customer's network actually belongs to that network (ingress filtering, as described in RFC 2827). This stops spoofed packets at the edge and lets attack traffic be traced to the network it really came from.

- Use a firewall and intrusion detection software. A firewall controls traffic travelling in and out of your network and logs suspicious activity. Intrusion detection software constantly monitors the network for attacks. Together, these tools protect well against DoS attacks. Symantec Personal Firewall offers protection against hackers and port scanning, while also monitoring for suspicious activity on your network that could signal a DoS attack.

How to Avoid Becoming Part of a DoS Attack
In addition to securing your machines against a possible denial of service attack, you want to prevent your own systems from being used in an attack. It can be difficult to prevent an attack on your system, but it's easy to stop your own site from being used by a hacker to stage one.

- Assess your risk. Symantec's Security Analyzer, which can be accessed free of charge, assesses a PC's Internet security in four key areas -- susceptibility to hackers, risk of infection by a computer virus, loss of personal information and inadvertent access to inappropriate materials. Running a security assessment tool on a computer can help you determine if you are at risk for a variety of potential computer threats, including contributing to malicious hacking.

- Prevent spoofing. Filtering outbound traffic at your router keeps your network from emitting forged packets. Every packet carries a source address, and attackers forge it to stay anonymous during a DoS attack. Configure the router to drop any outgoing packet whose source address does not belong to your own network, so that spoofed packets never reach the Internet.

- Use a firewall. The firewall works both on incoming and outgoing information, making it useful to defend your computer against DoS attack and also against unwittingly participating in one.

Denial of service attacks can cause serious damage and cripple your business, whether they target you or use your computer to target another system. Protect yourself against a DoS attack and you will also prevent your network from becoming a helping hand to hackers.
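The "check the source" and "prevent spoofing" advice above is one rule applied in two directions: a packet leaving your network must carry one of your own source addresses, and a packet arriving from the Internet must not. The following is an added example (not Symantec's code and not a vendor's router configuration) that applies that rule to a batch of packet records, the way a filtering router or a packet-capture audit script would. The interface names, address ranges, bogon list and sample packets are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str    # source IP address as written in the packet
    dst: str    # destination IP address


# Assumption: this site's own address space, keyed by the interface that faces it
# (documentation ranges from RFC 5737 stand in for real addresses).
INTERNAL_PREFIXES = {
    "eth0": [ipaddress.ip_network("192.0.2.0/24")],      # office LAN
    "eth1": [ipaddress.ip_network("198.51.100.0/25")],   # DMZ
}
UPLINK = "eth2"  # interface facing the Internet service provider

# Address ranges that should never appear as a source on the uplink.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def egress_verdict(p: Packet) -> str:
    """Packet from an inside interface heading out: its source must belong to
    the prefix assigned to that interface, otherwise it is spoofed."""
    src = ipaddress.ip_address(p.src)
    allowed = INTERNAL_PREFIXES.get(p.iface)
    if allowed is None:
        return f"drop: unknown interface {p.iface}"
    if not _in_any(src, allowed):
        return f"drop: spoofed source {p.src} on {p.iface}"
    return "forward"


def ingress_verdict(p: Packet) -> str:
    """Packet arriving from the uplink: its source must be neither one of our
    own addresses (an outsider impersonating us) nor a bogon."""
    src = ipaddress.ip_address(p.src)
    all_internal = [net for nets in INTERNAL_PREFIXES.values() for net in nets]
    if _in_any(src, all_internal):
        return f"drop: our own address {p.src} arriving from outside"
    if _in_any(src, BOGONS):
        return f"drop: bogon source {p.src}"
    return "forward"


def filter_packets(packets):
    """Apply the direction-appropriate check to each packet; returns (packet, verdict) pairs."""
    return [(p, ingress_verdict(p) if p.iface == UPLINK else egress_verdict(p))
            for p in packets]


# Constructed sample traffic for a stand-alone run.
SAMPLE_PACKETS = [
    Packet("eth0", "192.0.2.10", "203.0.113.5"),     # legitimate outbound
    Packet("eth0", "203.0.113.77", "203.0.113.5"),   # LAN host spoofing an outside source
    Packet("eth1", "198.51.100.200", "203.0.113.5"), # DMZ host using an address outside its /25
    Packet("eth2", "203.0.113.5", "192.0.2.20"),     # legitimate inbound
    Packet("eth2", "192.0.2.10", "192.0.2.20"),      # outsider impersonating our LAN
    Packet("eth2", "10.0.0.1", "192.0.2.20"),        # bogon source from the Internet
]

if __name__ == "__main__":
    for p, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{p.iface} {p.src:>15} -> {p.dst:<13} {verdict}")
```

The egress half is the one that keeps your machines from being useful to an attacker: a compromised host can still flood, but it cannot hide behind a forged address, so the traffic is traced straight back to you and can be shut off.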
 
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com, no unsubscribe or support emails please. Follow this link to subscribe or unsubscribe http://securityresponse.symantec.com/avcenter/newsletter.html Send virus samples to: avsubmit@symantec.com
Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.