Symantec™ Security Response

ISSN 1444-9994

July 2002 Newsletter


These are the most common Viruses, Trojans, Worms and Exploits reported to Symantec Security Response during the last month.




Country Spotlight
Italy

W32.Klez.H@mm
W32.Higuy@mm
W32.Klez.E@mm
JS.Exception.Exploit
W95.Hybris.worm
Trojan Horse
W32.Magistr.39921@mm
W32.Atram@mm
JS.Seeker
Backdoor.Trojan


Top Global Threats

W32.Klez.H@mm
JS.Exception.Exploit
W32.Klez.E@mm
Trojan Horse
W95.Hybris.worm
W32.Yaha.F@mm
Backdoor.Trojan
W32.Magistr.39921@mm
W32.Higuy@mm
JS.Seeker

Asia Pacific
W32.Klez.H@mm
JS.Exception.Exploit
W95.CIH.1049
JS.Seeker
Backdoor.Trojan
VBS.Haptime.A@mm
W32.Nimda.enc
W32.Magistr.39921@mm
Trojan Horse

Europe, Middle East & Africa
W32.Klez.H@mm
JS.Exception.Exploit
W32.Klez.E@mm
W32.Yaha.F@mm
W32.Higuy@mm
W95.Hybris.worm
Trojan Horse
Backdoor.Trojan
W32.Magistr.39921@mm
W95.CIH.1049

Japan
W32.Klez.H@mm
W32.Klez.E@mm
VBS.LoveLetter.A
W32.Badtrans.B@mm
W95.Hybris.worm
JS.Exception.Exploit
W32.Klez.gen@mm
W95.Tecata.1761
VBS.Network.E
VBS.Internal

The Americas
W32.Klez.H@mm
JS.Exception.Exploit
Trojan Horse
W95.Hybris.worm
VBS.LoveLetter.AS
W32.Klez.E@mm
W32.Magistr.39921@mm
JS.Seeker
Backdoor.Trojan
Backdoor.Autoupder







I seem to be getting more and more spam, or junk mail, in my personal inbox, so much in fact that I may have to stop using my favourite email address that I set up when I first arrived in Australia. This is a shame, because it's very hard to get 'real' email addresses now; my name seems to have been used on all the free services and at my local major ISPs. I did manage to get my own domain name, so I suppose I'll have to resort to 'me@my domain name dot com'. (This is an anti-spam technique: never use the actual email address in public communications, just describe it.) Symantec's Enterprise Firewall has some anti-spam features built in; there's a list here.

I've been asked to give our Enterprise customers one last reminder that virus definition file names have changed/are changing, and to check the Symantec Support website for details. Consumer products and LiveUpdate are not affected.

David Banes.
Editor, securitynews@symantec.com
 
Viruses, Worms & Trojans
W32.Frethem@mm

Moderate Threat [3]

Win32

Global infection breakdown by geographic region (% of total)

America (North & South)              16.6%
EMEA (Europe, Middle East, Africa)   73.6%
Japan                                 7.9%
Asia Pacific                          1.9%

Reports by date (% of reports)

13 Jul    0.1%
14 Jul    0.1%
14 Jul    0.5%
15 Jul   28.0%
16 Jul   37.2%
17 Jul   13.2%
18 Jul    9.3%
19 Jul    6.0%
20 Jul    2.8%
21 Jul    2.0%


W32.Frethem.K@mm is a worm, and is a variant of W32.Frethem.B@mm. It uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. The email message arrives with the following characteristics:

Subject: Re: Your password!
Attachments: Decrypt-password.exe and Password.txt

There are many variants of this worm; please check the Symantec web site for more details.

Removal tool
Symantec has provided a tool to remove infections of W32.Frethem@mm. Click here to obtain the tool.
This is the easiest way to remove these threats and should be tried first.

http://www.sarc.com/avcenter/venc/data/w32.frethem.k@mm.html
Douglas Knowles
Symantec Security Response,USA
W32.Yaha.F@mm

Low Threat [2]

Win32

Global infection breakdown by geographic region (% of total)

America (North & South)               8.8%
EMEA (Europe, Middle East, Africa)   89.4%
Japan                                 0.6%
Asia Pacific                          1.2%

Reports by date (% of reports)

 1 Jun    0.3%
13 Jun    1.2%
20 Jun    3.4%
23 Jun    8.7%
24 Jun   12.4%
25 Jun   11.8%
26 Jun   12.0%
27 Jun   10.2%
28 Jun    8.3%
29 Jun    6.3%


W32.Yaha.F@mm is a mass-mailing worm that sends itself to all email addresses that exist in the Microsoft Windows Address Book, the MSN Messenger List, the Yahoo Pager list, the ICQ list, and files that have extensions that contain the letters ht. The worm randomly chooses the subject and body of the email message. The attachment will have a .bat, .pif or .scr file extension. Depending upon the name of the Recycled folder, the worm either copies itself to that folder or to the %Windows% folder.

The name of the file that the worm creates consists of four randomly generated characters between the letters c and y.

It also attempts to terminate antivirus and firewall processes.

http://www.symantec.com/avcenter/venc/data/w32.yaha.f@mm.html

Douglas Knowles
Symantec Security Response, USA
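The two worm descriptions above give mail-gateway indicators that can be checked mechanically: W32.Frethem.K@mm arrives with a fixed subject and two fixed attachment names, while W32.Yaha.F@mm randomises subject and body but always carries a .bat, .pif or .scr attachment. The following is an added example, not Symantec code, that applies those indicators to messages parsed with Python's standard email module. The sample messages are constructed in the block for the demonstration, and the generic "executable attachment" rule and its extension list are an assumed local policy rather than something the newsletter states.

```python
"""Flag inbound mail matching the worm characteristics described above.

Added example, not Symantec code. The indicators come from the newsletter
text: W32.Frethem.K@mm uses a fixed subject and two named attachments,
W32.Yaha.F@mm uses a random subject but a .bat/.pif/.scr attachment.
The sample messages are constructed here for the demonstration.
"""
from __future__ import annotations

import email
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.policy import default

FRETHEM_SUBJECT = "re: your password!"
FRETHEM_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
YAHA_EXTENSIONS = {".bat", ".pif", ".scr"}
# Generic hygiene rule (assumed policy, not from the newsletter): flag any
# attachment Windows would execute on double-click.
EXECUTABLE_EXTENSIONS = YAHA_EXTENSIONS | {".exe", ".com", ".vbs", ".js"}


def attachment_names(msg: Message) -> list[str]:
    """Collect the file names of all non-multipart parts that carry one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def scan_message(raw: str) -> list[str]:
    """Return the indicator labels that fire for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=default)
    subject = str(msg.get("Subject") or "").strip().lower()
    names = [n.lower() for n in attachment_names(msg)]
    extensions = {n[n.rfind("."):] for n in names if "." in n}
    hits = []
    # Frethem: subject and both attachment names are fixed, so match all three.
    if subject == FRETHEM_SUBJECT and FRETHEM_ATTACHMENTS.issubset(names):
        hits.append("W32.Frethem.K@mm")
    # Yaha: subject and body are random, so only the attachment type is stable.
    if extensions & YAHA_EXTENSIONS:
        hits.append("W32.Yaha.F@mm-style attachment")
    if extensions & EXECUTABLE_EXTENSIONS:
        hits.append("executable attachment")
    return hits


def build_sample(subject: str, filenames: list[str]) -> str:
    """Construct a multipart message with empty attachments (demo data only)."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.attach(MIMEText("See the attachment."))
    for name in filenames:
        part = MIMEApplication(b"", Name=name)
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    samples = {
        "frethem": build_sample("Re: Your password!",
                                ["Decrypt-password.exe", "Password.txt"]),
        "yaha": build_sample("hello", ["photo.scr"]),
        "benign": build_sample("Quarterly report", ["report.pdf"]),
    }
    for label, raw in samples.items():
        print(label, scan_message(raw))
```

The Frethem rule requires all three fixed indicators together so that an ordinary reply titled "Re: Your password!" is not flagged on its own; the Yaha rule has to fall back to attachment type because nothing else about the message is constant, which is also why the generic executable-attachment rule is worth keeping regardless of which worm is current.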

VBS.Bajar.B@mm

Low Threat [2]

Script


VBS.Bajar.B@mm is the VBS script that is dropped by W32.Bajar.B@mm. The script will attempt to send the W32.Bajar.B@mm executable to all recipients in the Outlook Address Book. The e-mail message will have the following characteristics:

Subject: Nuevo programa para bajar musica gratis (Translation: New program to download music for free.)
Attachment: [W32.Bajar.B@mm File Name]

The script also deletes the following system files:

C:\Windows\System\Wsock32.dll
C:\Windows\Rundll32.exe
C:\Windows\Rundll.exe

http://www.symantec.com/avcenter/venc/data/vbs.bajar.b@mm.html
Maryl Magee
Symantec Security Response, USA

FreeBSD.Scalper.Worm

Low Threat [2]

FreeBSD


This worm uses the Apache HTTP Server chunk encoding stack overflow vulnerability to spread itself. Currently it has only been confirmed that this worm works on the FreeBSD platform. FreeBSD is an advanced operating system for Intel ia32 compatible, DEC Alpha, and PC-98 architectures. It is derived from BSD UNIX, the version of UNIX developed at the University of California, Berkeley. It is developed and maintained by a large team of individuals.

This worm has received some media coverage but we believe it is currently not prevalent in the wild. So far, we have not received any customer reports of this worm. For information regarding the vulnerability, please click here.

http://www.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html

Peter Szor and Douglas Knowles
Symantec Security Response, USA
Security Advisories
Apache HTTP Server chunk encoding stack overflow

High [4]

Multiple


Apache HTTP Server contains a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code or cause a denial of service (DoS).

Chunked encoding permits the transfer of fragments of dynamically produced content of varying sizes by including a size indicator as well as information for the recipient to verify receipt of the complete message.

For Apache versions 1.2.2 through 1.3.24, this vulnerability may allow remote attackers to execute arbitrary code on Windows platforms. In addition, Apache has reported that a similar attack may allow the execution of arbitrary code on both 32-bit and 64-bit UNIX-based systems.

For Apache versions 2.0 through 2.0.36, the buffer overflow condition is correctly detected; however, an attempted exploit may cause the child process to exit, depending on a variety of factors, including the threading model supported by the vulnerable system. If multi-threading is used, this may lead to a denial of service against the Apache Web server because all concurrent requests currently served by the affected child process will be lost.

Multi-threading is a technique that allows an independent program to perform more than one task at seemingly the same time. For example, a program that loads a data file while also reading user input is said to have two computational units and is therefore multi-threaded.

This vulnerability affects Apache Web server versions that run on many of the various Windows, BSD, Linux, and UNIX releases. Users are encouraged to contact their vendor to determine whether they are affected and acquire appropriate fixes.

References
Source: CERT CA-2002-17
URL: http://www.cert.org//advisories/CA-2002-17.html
Source: Apache 20020617
URL: http://httpd.apache.org/info/security_bulletin_20020617.txt
Source: CVE CAN-2002-0392
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
Source: Security Focus.com BID 5033
URL: http://online.securityfocus.com/bid/5033
Source: Red Hat RHSA-2002-103-13
URL: http://rhn.redhat.com/errata/RHSA-2002-103.html


More information and recommendations are available from the following page.
http://www.symantec.com/avcenter/security/Content/2049.html
 
Microsoft IIS HTR Chunked Encoding heap overflow allows arbitrary code execution

High [4]

Windows


 There is another heap overflow condition in the Chunked Encoding data transfer mechanism of Internet Information Server 4.0 and Internet Information Services 5.0. Although similar to a previous heap overflow MS02-018, this vulnerability is in the Internet Services Application Programming Interface (ISAPI) extension that implements HTR. The previous heap overflow vulnerability lay in the ISAPI extension that implemented Active Server Pages (ASP).

Chunked encoding is a process that allows a client to submit a variable-sized quantity of data to a web server, called a chunk. The web server can then receive and process this data.
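Both the Apache advisory above and this IIS advisory concern the same wire format: a chunked body is a sequence of hex chunk-size lines, each followed by that many bytes of data and a CRLF, ending with a zero-size chunk. The following is an added example, not Apache, Microsoft or Symantec code, showing a strict decoder that validates the client-supplied size before using it as a length. The MAX_CHUNK_SIZE and MAX_BODY_SIZE limits are assumed policy values, and the signed32 helper is included only to illustrate why a native parser that stores the size in a fixed-width signed integer must bound-check the full value before it arrives at a copy length.

```python
"""Strict decoder for HTTP chunked transfer encoding.

Added example, not Apache, Microsoft or Symantec code. It shows the format
the two advisories refer to (a hex size line, the chunk data, a terminating
zero-size chunk) and the bound checks a parser needs before it trusts a
client-supplied size. The limits below are assumed policy values.
"""
from __future__ import annotations

MAX_CHUNK_SIZE = 1 << 20   # assumed policy: 1 MiB per chunk
MAX_BODY_SIZE = 8 << 20    # assumed policy: 8 MiB decoded body
HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkError(ValueError):
    """Raised for any malformed or out-of-policy chunk; the request is rejected."""


def parse_chunk_size(line: bytes) -> int:
    """Parse a chunk-size line ('HEX[;extensions]') and enforce the bound.

    The size field is validated character by character and capped in
    length before conversion, so a value that would not fit a fixed-width
    integer in a native parser is rejected rather than wrapped.
    """
    field = line.split(b";", 1)[0].strip()
    if not field or len(field) > 8 or any(c not in HEX_DIGITS for c in field):
        raise ChunkError(f"bad chunk-size line: {line!r}")
    size = int(field, 16)
    if size > MAX_CHUNK_SIZE:
        raise ChunkError(f"chunk size {size} exceeds policy limit")
    return size


def signed32(value: int) -> int:
    """How a native parser storing the size in a 32-bit signed int sees it.

    Included only to show why the bound check above must happen on the
    full value: sizes with the top bit set read as negative lengths.
    """
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def decode_chunked(data: bytes) -> bytes:
    """Decode a complete chunked body; raises ChunkError on any violation."""
    body = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ChunkError("truncated chunk-size line")
        size = parse_chunk_size(data[pos:end])
        pos = end + 2
        if size == 0:
            # last-chunk; trailer headers are not supported in this demo
            if data[pos:pos + 2] != b"\r\n":
                raise ChunkError("missing final CRLF")
            return bytes(body)
        if len(data) - pos < size + 2:
            raise ChunkError("chunk data truncated")
        if len(body) + size > MAX_BODY_SIZE:
            raise ChunkError("decoded body exceeds policy limit")
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkError("chunk data not CRLF-terminated")
        pos += 2


def rejects(data: bytes) -> bool:
    """True when decode_chunked refuses the input (used for the checks)."""
    try:
        decode_chunked(data)
    except ChunkError:
        return True
    return False


if __name__ == "__main__":
    # constructed sample body: two chunks then the terminating zero chunk
    print(decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    print(rejects(b"FFFFFFF0\r\n"), signed32(0xFFFFFFF0))
```

The decoder never reads chunk data until it has confirmed that the declared size is within policy and that the buffer actually holds that many bytes plus the trailing CRLF, so a size line that is syntactically odd, oversized, or inconsistent with the data that follows is refused at the size check rather than discovered during the copy.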

An attacker could send a specially chosen request to an affected web server to either disrupt web services or gain the ability to run a program on the server. Such a program would run with full system privileges on IIS 4.0; exploiting IIS 5.0 would give the attacker fewer but nevertheless significant privileges. In either case, the attacker could overflow the heap with random data to corrupt program code and cause the IIS service to fail, preventing use by legitimate users, or could change the operation of the server. Specifically, the attacker could overflow the heap and then overwrite a section of the heap on the server with new program code, revising the functionality of the server software. The attacker could overwrite static global variables, stored function pointers, process management structures, memory management structures, or any number of data types that would allow control of the target application in one session.

Mitigating factors that affect the overall impact of successful exploitation of this vulnerability include:

Systems on which HTR is disabled are not at risk from this vulnerability.
Microsoft has released an IIS Lockdown tool that disables HTR by default.
Microsoft has released a URLScan tool that provides a means of blocking chunked encoding transfer requests by default.


References
Source: Microsoft MS02-028
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-028.asp
Source: CVE CAN-2002-0364
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0364
Source: Security Focus.com BID 4855
URL: http://online.securityfocus.com/bid/4855/info/

More information and recommendations are available from the following page.
http://www.symantec.com/avcenter/security/Content/2033.html
 
MSN Chat Control buffer overflow allows remote code execution

High [4]

Windows


The Microsoft MSN Chat Control input parameter handling functionality contains an unchecked buffer that can allow remote code execution.

The MSN Chat Control is an ActiveX control that adds real-time chat functionality to Microsoft's Messenger applications.

A buffer overflow condition exists in one of the functions in Chat Control that handles input. Due to a lack of proper parameter checking, a remote attacker may be able to exploit this buffer overflow to run arbitrary code on the targeted system with user-level privileges.

The following factors mitigate this vulnerability:

MSN Chat Control, MSN Messenger, or Microsoft Exchange Instant Messenger must be installed on the system for the system to be affected by this vulnerability.
Neither Windows nor Internet Explorer contain MSN Chat Control by default. It must be downloaded and installed on a user's system.
MSN Messenger does come with Windows XP; however, users would only be vulnerable if they choose to install the MSN Chat Control, which does not ship by default.
Exploiting this vulnerability through an HTML email attack is effectively blocked by Outlook 98 and Outlook 2000 with the Outlook Express Security Update applied, Outlook 2002, and Outlook Express 6.0. These products all open HTML email in the Restricted Sites zone, which does not allow scripting of ActiveX controls.

References
Source: Microsoft TechNet
URL: http://www.microsoft.com/technet/security/bulletin/MS02-022.asp
Source: CVE Candidate CAN-2002-0155
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0155
Source: eEye Digital Security Advisory AD20020508
URL: http://www.eeye.com/html/Research/Advisories/AD20020508.html

More information and recommendations are available from the following page.
http://www.symantec.com/avcenter/security/Content/1943.html
 
Security News
Does creating an "!0000" or other "trick" address book entry prevent the spread of viruses?

Messages that claim that you can prevent the spread of email worms and Trojans by adding a special "trick" entry as the first contact in your email address book appear fairly frequently. Among the "names" that they suggest that you add to your address book are:

!0000
AAAAAA

The usual claim is that this will, in one way or another, stop the threat from spreading. While these are in the strictest definition of the word, not hoaxes (although the AAAAA version, with its recommendation to "Pass this on to all your friends" is close), like hoaxes, they should be ignored and not forwarded.

The following are two versions of these email messages, followed by Symantec Security Response recommendations.

The !0000 letter:
Who among us doesn't know someone who has experienced the embarrassment of unknowingly spreading a computer virus via their email address book? It's time to STOP this from happening by TAKING CONTROL of your email program!

For those who are unaware, many computer viruses spread themselves by sending themselves to everyone in your address book. Imagine how you would feel if you were unknowingly infected with a computer virus, and worse yet, your friends, family, and business contacts were being targeted by your computer! Well, if you want to avoid this sort of thing, here's a great tip:

This tip won't prevent YOU from getting any viruses (you have to scan those attachments yourself before opening them to do that), but it will stop those viruses from latching onto your address book and sending itself out to others.

To avoid spreading computer viruses, create a contact in your email address book with the name :
!0000 with no email address in the details.

This contact will then show up as your first contact. If a virus attempts to do a "send all" on your contact list, your pc will put up an error message saying that: "The Message could not be sent. One or more recipients do not have an e-mail address. Please check your Address Book and make sure all the recipients have a valid e-mail address."

You click on OK and the offending (virus) message would not have been sent to anyone. Of course no changes have been made to your original contacts list. The offending (virus) message may then be automatically stored in your "Drafts" or "Outbox" folder. Go in there and delete the offending message. Problem is solved and virus is not spread.


The AAAAA letter:
Subj: Protect your address book

<< Some of you might already know about this but I didn't and we were infected with that worm last week.

I learned a computer trick today that's really ingenious in its simplicity. As you may know, when/if a worm virus gets into your computer it heads straight for your email address book, and sends itself to everyone in there, thus infecting all your friends and associates. This trick won't keep the virus from getting into your computer, but it will stop it from using your address book to spread further, and it will alert you to the fact that the worm has gotten into your system.

Here's what you do: first, open your address book and click on "new contact" just as you would do if you were adding a new friend to your list of email addresses. In the window where you would type your friend's first name, type in AAAAAAA. In the window below where it prompts you to enter the new email address, type in WormAlert@somewhere.com. Then complete everything by clicking add, enter, ok, etc.

Now, here's what you've done and why it works: The "name" AAAAAAA will be placed at the top of your address book as entry #1. This will be where the worm will start in an effort to send itself to all your friends. But when it tries to send itself to AAAAAAA, it will be undeliverable because of the phony email address you entered (WormAlert@somewhere.com). If the first attempt fails (which it will because of the phony address), the worm goes no further and your friends will not be infected.

Here's the second great advantage of this method: If an email cannot be delivered, you will be notified of this in your InBox almost immediately. Hence, if you ever get an email telling you that an email addressed to WormAlert@somewhere.com could not be delivered, you know right away that you have the worm virus in your system. You can then take steps to get rid of it! Pretty neat, huh?

If everybody you know does this then you needn't ever worry about opening mail from friends. Pass this on to all your friends.


Symantec Security Response recommendations
Although this is technically not a hoax--in theory, it could work with a few older worms and viruses--Symantec Security Response STRONGLY recommends that you ignore it. You should not rely on such "fixes" to prevent the spread of viruses, worms, and Trojans. Also, a hacker could exploit some variants of this message to make you more susceptible to loss of confidential information. The best defence against such threats is to have a current version of Norton AntiVirus installed, make sure that Auto-Protect is enabled, and update your virus definitions frequently. In addition, if you are on a network, or if you have a full-time connection to the Internet (such as cable or DSL), you should use firewall software.

A list of Symantec Enterprise Firewall anti-spam features is here.
George Koris
Symantec, USA 
 
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.