Symantec(TM)

Symantec Security Response

ISSN 1444-9994

January 2003 Newsletter


These are the most common Viruses, Trojans, Worms and Exploits reported to Symantec Security Response during the last month.



Country Spotlight
Sweden

W32.Klez.H@mm
W32.Opaserv.Worm
W32.Opaserv.E.Worm
W32.Opaserv.G.Worm
Trojan Horse
W32.Yaha.F@mm
W32.Bugbear@mm
JS.Exception.Exploit
Backdoor.Sdbot
W95.CIH



Top Global Threats

W32.Klez.H@mm
Trojan Horse
W32.Bugbear@mm
JS.Exception.Exploit
W32.Yaha.K@mm
W95.Spaces.1445
HTML.Redlof.A
W32.Funlove.4099
W95.Hybris.worm
W32.Nimda.E@mm

Asia Pacific
HTML.Redlof.A
W32.Klez.H@mm
JS.Exception.Exploit
W32.Funlove.4099
W32.Yaha.K@mm
W32.Bugbear@mm
Trojan Horse
W95.Spaces.1445
W32.Nimda.E@mm
W95.Hybris.worm


Europe, Middle East & Africa
W32.Klez.H@mm
Trojan Horse
W32.Bugbear@mm
JS.Exception.Exploit
W95.Spaces.1445
W32.Funlove.4099
W32.Yaha.K@mm
W32.Nimda.E@mm
HTML.Redlof.A
W95.Hybris.worm


Japan
W32.Klez.H@mm
HTML.Redlof.A
W32.Bugbear@mm
W32.Klez.E@mm
Trojan Horse
W95.Hybris.worm
W32.Funlove.4099
W95.Spaces.1445
VBS.LoveLetter.A
IRC Trojan

The Americas
W32.Klez.H@mm
Trojan Horse
W32.Yaha.K@mm
W32.Bugbear@mm
JS.Exception.Exploit
W95.Hybris.worm
W95.Spaces.1445
IRC Trojan
W32.Funlove.4099
W32.Lirva.A@mm




Welcome to the first Symantec Security Response Newsletter for 2003. A new virus called W32.Lirva proves again that people just aren't patching their operating systems or email programs quickly enough: this worm exploits a vulnerability that Microsoft fixed in March 2001. If this patch (link below) is applied, worms like W32.Lirva will be unable to auto-execute, and this will go a long way towards stopping them from spreading.

Judging by the number of back door Trojans we are listing at the moment, it appears that social engineering (the art of tricking people into doing something you want them to do, for example opening an email attachment) is alive and well, and that the average computer user still has trouble controlling their double-click finger. Maybe it's the lure of popstars and celebrities, or too-good-to-be-true offers for cheap merchandise and goods of dubious origin.

Last month we carried a link to Symantec DeepSight Analyzer and a FREE download page asking people to become a part of the global early-warning system for cyber attacks. More than 75,200 of you visited the page and I hope that we'll all benefit from the increased amount of data from any Security Focus sensors that are set up.

We have an article by senior research fellow Sarah Gordon this month, 'What goes on in the mind of a hacker?'. I've added another new section this month, 'Useful Links'; there won't be many, just topical links to encourage you to use them. I hope 2003 brings good things to you. :)

Best Regards

David Banes
Editor, Symantec Security Response Newsletter

Useful Links
Microsoft Security Bulletin (MS01-020)
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Viruses, Worms & Trojans

W32.Lirva.A@mm
Aliases: W32/Avril-A [Sophos], W32/Lirva.b@MM [McAfee], WORM_LIRVA.A [Trend], Win32.Lirva.A [CA]
Risk: Moderate
Date: 7th January 2003
Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.Lirva.A is a mass-mailing worm that also spreads by IRC, ICQ, KaZaA, and open network shares. This worm attempts to terminate antivirus and firewall products. It also emails the cached Windows 95/98/Me dial-up networking passwords to the virus writer.

When Microsoft Outlook receives the worm, the worm takes advantage of a vulnerability that allows the attachment to auto-execute when you read or preview the email. Information on this vulnerability and a patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

If the day of the month is the 7th, 11th, or 24th, the worm will launch your Web browser to www.avril-lavigne.com and display a graphic animation on the Windows desktop.

Symantec has provided a tool to remove infections of W32.Lirva.A@mm. This is the easiest way to remove this threat and should be tried first.
http://securityresponse.symantec.com/avcenter/venc/data/w32.lirva.removal.tool.html

References
http://www.symantec.com/avcenter/venc/data/w32.lirva.a@mm.html
Credit
Atli Gudmundsson, Security Response, EMEA

W32.ExploreZip.L.Worm
Aliases: W32/ExploreZip.worm@M [McAfee], I-Worm.ZippedFiles.h [KAV], WORM_EXPLORZIP.M [Trend], Win32/ExploreZip.Worm [CA], W32/ExploreZip.E [F-Prot], W32/ExploreZip.worm.210432 [F-Prot]
Risk: Medium
Date: 10th January 2003
Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.ExploreZip.L.Worm is a variant of Worm.ExploreZip, a worm that carries a malicious payload. The file has been repacked to make it more difficult to detect with older, existing antivirus software. This variant is packed with UPX (version 0.76.1-1.24).

The worm uses Microsoft Outlook, Outlook Express, or Exchange to mail itself, by replying to unread messages in the Inbox. The email attachment is titled Zipped_files.exe.

W32.ExploreZip.L.Worm also searches the mapped drives and network computers for Windows installations. If they are found, the worm copies itself to the \Windows folder of the remote computer, and then modifies the Win.ini file of the infected computer.

W32.ExploreZip.L.Worm has a different file size than that of the original variant. However, the worm exhibits the same characteristics as the original Worm.ExploreZip worm. See the writeup, Worm.ExploreZip, for information on what this worm does.

Recommendations
Definitions dated from January 8, 2003 to January 10, 2003 will detect this worm as Worm.ExploreZip.

Credit
Jari Kytojoki, Symantec Security Response, EMEA
References
http://www.symantec.com/avcenter/venc/data/w32.explorezip.l.worm.html

Security Advisories

Perl-HTTPd File Disclosure Vulnerability
Risk: High
Date: 31st December 2002
Components Affected
Perl-HTTPd 1.0
Perl-HTTPd 1.0.1

Description
It has been reported that Perl-HTTPd fails to properly sanitize some web requests. By exploiting this issue, an attacker is able to traverse outside of the established web root using dot-dot-slash (../) directory traversal sequences, and may obtain any file readable by the web server from outside of the web root directory.

Recommendations
Block external access at the network boundary, unless service is required by external parties.
Allow access to Web services for trusted hosts and networks only.

Web servers should ignore or modify requests that contain '../' or other suspicious and most likely malicious strings.
If possible, configure Perl-HTTPd to ignore requests that contain suspicious strings.
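As an added illustration (not Perl-HTTPd's own code, and written in Python rather than Perl), the following shows why a '../' check should be applied to the decoded, normalised path rather than the raw request: each request is mapped onto an assumed document root and refused if it would resolve outside it, while a bare substring test on the raw request misses the percent-encoded form. The document root, function names and sample request lines are constructed for this example.

```python
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a request path would resolve outside the web root."""


def naive_is_suspicious(request_path: str) -> bool:
    """Bare '../' substring test on the raw request. Shown for its blind spot:
    it never sees "..%2f" because it runs before percent-decoding."""
    return "../" in request_path


def resolve_under_root(web_root: str, request_path: str) -> str:
    """Map a request path onto a filesystem path inside web_root.
    Drops the query string, percent-decodes once, refuses NUL bytes, collapses
    "." / ".." / duplicate slashes lexically, then rejects anything outside
    web_root. Lexical only: symlinks inside the root are not verified here."""
    path = unquote(request_path.split("?", 1)[0])   # "%2e%2e%2f" -> "../"
    if "\x00" in path:
        raise TraversalError("NUL byte in request path")
    relative = posixpath.normpath(path.replace("\\", "/").lstrip("/"))
    root = posixpath.normpath(web_root)
    prefix = root if root.endswith("/") else root + "/"
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate != root and not candidate.startswith(prefix):
        raise TraversalError(f"request escapes web root: {request_path!r}")
    return candidate


# Constructed sample request lines; not taken from any real server log.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /docs/../index.html HTTP/1.0",
    "GET /../../etc/passwd HTTP/1.0",
    "GET /..%2f..%2f..%2fetc/passwd HTTP/1.0",
]


def triage(lines, web_root="/var/www/htdocs"):   # web_root is an assumed value
    """Return (path, naive_flag, verdict) per line; verdict is the resolved
    file, or 'REJECTED' when the containment check fails."""
    results = []
    for line in lines:
        path = line.split(" ", 2)[1]
        try:
            verdict = resolve_under_root(web_root, path)
        except TraversalError:
            verdict = "REJECTED"
        results.append((path, naive_is_suspicious(path), verdict))
    return results
```

Running triage over the sample lines shows the encoded request rejected by containment but never flagged by the substring test, and the harmless "docs/../index.html" flagged by the substring test yet resolving safely inside the root.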

Fixes available:

Perl-HTTPd 1.0 and 1.0.1: upgrade to perl-httpd-1.0.2.tar.gz
http://citrustech.net/~chrisj/perl-httpd/perl-httpd-1.0.2.tar.gz

References
Source: Perl-HTTPd Home Page
URL: http://citrustech.net/~chrisj/perl-httpd/
Credits
This vulnerability was reported in the product changelog.

Microsoft Internet Explorer PNG Deflate Heap Corruption Vulnerability
Risk: High
Date: 12th December 2002
Platforms Affected
See list here: http://www.symantec.com/avcenter/security/Content/6366.html
Components Affected
Microsoft Internet Explorer 5.0.1 SP2
Microsoft Internet Explorer 5.0.1 SP1
Microsoft Internet Explorer 5.0.1
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 5.5 SP1
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Description
A heap corruption vulnerability has been reported for Microsoft Internet Explorer.

The vulnerability is related to the way that Microsoft Internet Explorer interprets PNG image data. The function that handles the deflate decompression of PNG image data does not properly handle certain invalid data within PNG image files.

An attacker can exploit this vulnerability by tricking a user into viewing a maliciously constructed PNG image file. When the image file is rendered it will trigger the heap corruption condition and overwrite critical areas in memory. Any malicious attacker-supplied code will be executed with elevated privileges.

It should be noted that applications which depend on MSIE to render PNG files are also affected.

Recommendations
Run all client software as a non-privileged user with minimal access rights. Browsing the web as a low-privileged user will limit the consequences of malicious code being executed.

Do not follow links provided by unknown or untrusted sources. Be extremely careful when following links sent by unknown individuals. If possible, always ensure that any email that has been received is solicited before reading the contents.

This vulnerability has been resolved in MSIE 6.0 SP1. Users are advised to obtain the latest version of MSIE.

References
Source: PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability
URL: msg://bugtraq/MKEAIJIPCGAHEFEJGDOCCEDMIBAA.marc@eeye.com

Source: Microsoft Security Bulletin MS02-066
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-066.asp
Credits
Vulnerability discovery credited to eEye Digital Security.


Security News

What goes on in the mind of a hacker?
By Sarah Gordon, Senior Research Fellow, Symantec

What is hacking?
By some definitions, hacking is breaking into computer systems without consent of the system owner. This activity once required a genuine knowledge of systems: it was once the domain of the computer geek, who pushed software to the limits and beyond. These days, however, it doesn't take a computer expert to become a hacker.

There are tools available to help the wanna-be hacker break into systems. These tools give people unprecedented access to networks. For the more advanced hackers, tools aren't necessary: they exploit configuration errors made by users when they configure their software, or they take advantage of system vulnerabilities. One of the most commonly exploited vulnerabilities is the buffer overflow - an event that occurs when more data is placed into a storage buffer or holding area in computer memory than the buffer was sized to hold. This, in turn, can crash the system or leave it in an unplanned state that can be exploited.

For example, a program is waiting for input and may expect a small string like '123'. Instead the hacker puts in a long string like 'irespectyourskillzandyourkungfu', overflowing the space allocated for the string in memory. The result? The system crashes, potentially allowing the hacker access that extends far beyond that of the original program.

Contrary to popular myth, hackers aren't necessarily underground loners and nerds - they're not even necessarily all that smart - although there are exceptions. In many cases, they simply don't extend their ethical and moral codes from the real world to the virtual world.

Who is hacking?
The popular hacking demographic of young, middle-class and male reflects those people who tend to be most technologically savvy in our society. However, hackers come in all ages, sizes, nationalities and genders. The average hacker is not necessarily some Goth-type teenaged male, dressed entirely in black and sporting the latest in piercing fashion - he may very well be the guy next door, or a 50-year-old female.

In fact, anecdotal evidence does suggest that hacking by females is on the rise. As more and more young women are exposed to the technology and the subculture that glamorizes the activity, we should expect to see more females taking part in these types of activities.

A visual check shows that there are more females at hacker conferences than there were in the early days; and while some are young girls who are part of the technically savvy counterculture, some are certainly hackers.

Why do they do it?
Hacking is done for a variety of reasons - technical challenge, power, fun, excitement, peer pressure, profit, and in some cases to do damage. For some it's simply a mental challenge, for others it's money, for some it's the thrill - there are many different motives and many different targets. For many, though, it's the challenge and the exhilarating feeling of power and control that comes from accessing and controlling a machine. It feels good.

Historically, society has tended to elevate hackers to the heights of technical genius, when in reality most of these break-ins are done using simple tools that exploit known vulnerabilities; yet many people still almost admire them as techno-heroes. That is a much more serious problem, and one that can't be overcome by technical solutions alone. Recently, though, public perception has shifted away from hacking being acceptable.

Catching hackers meets with variable success: the Internet knows no borders, a careful hacker can cover his or her tracks extremely well, and so catching the skilled hacker can be very difficult. In other words, it is possible, though time consuming, to catch hackers, but if the hacker is well prepared it can be a long, slow process, and one that might bear little fruit in the long run.

What can I do?
One of the best defences against hacking is good computer security practices. Install good antivirus software that combats the gamut of blended threats. Buy a firewall, implement it and maintain it. Consider intrusion detection software to provide an additional layer of security by automatically blocking malicious attacks that spread quickly through Internet traffic that a firewall alone cannot stop. Keep your systems up to date, keep your data backed up, have a plan so that when something does go wrong you know how to react. Security should be an ongoing practice - as threats evolve so should your defences against them.

Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails, please).
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com

Disclaimer: THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.