Symantec(TM)

Symantec Security Response

ISSN 1444-9994

June 2002 Newsletter


These are the most common Viruses, Trojans, Worms and Exploits reported to Symantec Security Response during the last month.




Country Spotlight
Netherlands

W32.Klez.gen@mm
W32.Benjamin.Worm
W32.Klez.E@mm
JS.Exception.Exploit
JS.Seeker
VBS.LoveLetter.AS
W32.Badtrans.B@mm
W95.Hybris.worm
Backdoor.Trojan
W32.DSS.Trojan


Top Global Threats

W32.Klez.H@mm
JS.Exception.Exploit
W32.Klez.E@mm
JS.Seeker
W95.Hybris.worm
W32.Benjamin.Worm
Trojan Horse
W32.Magistr.39921@mm
Backdoor.Trojan
Backdoor.Autoupder

Asia Pacific
W32.Klez.H@mm
JS.Exception.Exploit
W95.CIH.1049
JS.Seeker
Backdoor.Trojan
VBS.Haptime.A@mm
W32.Nimda.enc
W32.Magistr.39921@mm
Trojan Horse

Europe, Middle East & Africa
W32.Klez.H@mm
W32.Klez.E@mm
JS.Exception.Exploit
JS.Seeker
W32.Benjamin.Worm
W95.Hybris.worm
Trojan Horse
Backdoor.Trojan
W32.Badtrans.B@mm
W32.Magistr.39921@mm

Japan
W32.Klez.H@mm
W32.Klez.E@mm
JS.Exception.Exploit
W32.Badtrans.B@mm
W95.Hybris.worm
Backdoor.Trojan
Bloodhound.W32.EP
W32.Klez.gen@mm
W32.FunLove.4099
JS.Seeker

The Americas
W32.Klez.H@mm
JS.Exception.Exploit
JS.Seeker
W95.Hybris.worm
Backdoor.Autoupder
Trojan Horse
W32.Klez.E@mm
W32.Benjamin.Worm
W32.Magistr.39921@mm
VBS.LoveLetter.AS



Removal Tools for malicious code are on our web site.

A list of Virus Hoaxes reported to Symantec.

A list of Joke Programs reported to Symantec.

Glossary for definitions of viruses, Trojans, worms and more.




Peer-to-peer (P2P) networks look like the next target for worms. We've already seen worms exploit this type of architecture, and we had more than 900 samples of W32.Benjamin.Worm in 7 days. This is a lot for a worm that does not replicate itself but requires users to manually retrieve it. Does this tell us that the average user of a consumer-based P2P network will grab any file they can, with little consideration for security and privacy?

Oddly, W32.Benjamin.Worm is number two in the Netherlands this month, just when we feature this country, whilst Benjamin doesn't show up at all in Asia's top ten.

An SQL worm (Digispid.B.Worm) has reminded us all to change standard, 'out of the box' passwords as soon as we install software that uses user accounts and passwords. This is one of the easiest exploits for a cracker or automated worm to use.

I just got back from the AusCERT 2002 Conference at the Gold Coast in Australia. I highly recommend this conference; take a look at the web site (http://conference.auscert.org.au/) and, if you can, schedule it in for next year. The quality of speakers, attendees and topics covered was excellent.


David Banes.
Editor, securitynews@symantec.com


Viruses, Worms & Trojans

W32.Benjamin.Worm

Low Threat [2]

Win32

Global Infection breakdown by geographic region

Region                               % of Total
America (North & South)              45.5%
EMEA (Europe, Middle East, Africa)   52.7%
Japan                                 0.0%
Asia Pacific                          1.8%

Reports by date

Date     % of reports
19 May    0.1%
20 May    3.0%
21 May   11.6%
22 May   31.3%
23 May   18.3%
24 May   21.2%
25 May   10.3%
26 May    4.2%

W32.Benjamin.Worm comes disguised as popular music, movie, or software files. It spreads across KaZaA file-sharing networks by tricking KaZaA users into downloading the program and opening it.

The size of the worm can vary because the worm pads copies of itself with garbage bytes. The worm creates the C:\%Windows%\Temp\Sys32 folder. It then changes the KaZaA download folder settings so that this new folder is accessible to other KaZaA network users, which allows them to download files from that location.

The worm then copies itself into this folder using many different names that are chosen randomly from a list that the worm carries. Here are some examples:

Chterbahn Designer -full-downloader
Acrobat Capture 3.0 -full-downloader
Age of Empires-Games-full-downloader
American Pie 2 -divx-full-downloader
Baseball 2001-Games-full-downloader
Metallica - Blackened
ac dc - Fight For Your Right

The worm then displays a fake error message and finally waits in the background for other KaZaA users to download the worm file.
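Because each dropped copy is padded with a different run of garbage bytes, a full-file hash is different for every copy and is useless for spotting them in a shared folder. The copies still share an identical leading portion (headers and code), so hashing only the first few kilobytes groups them again. The following Python script is an added example, not Symantec's code: it builds a constructed sample folder (a fake program body under decoy names of the kind listed above, plus two unrelated files), hashes the first 4096 bytes of every file, and reports any group of three or more differently named files that share a prefix but differ in size. The 4096-byte prefix and the threshold of three are assumptions.

```python
"""Flag Benjamin-style padded copies in a shared folder (added example).

The worm drops many copies of itself under decoy names and pads each with
random garbage, so a full-file hash differs per copy.  The copies still share
an identical executable prefix, so hashing only the first N bytes groups them
again.  The sample folder and file contents below are constructed.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

PREFIX_BYTES = 4096     # assumption: hash only the leading bytes, not the padding
MIN_CLUSTER = 3         # assumption: this many names sharing one prefix is suspicious


def prefix_digest(path, n=PREFIX_BYTES):
    """SHA-256 of the first n bytes of a file."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read(n)).hexdigest()


def find_padded_clusters(folder, min_cluster=MIN_CLUSTER):
    """Return {prefix_digest: sorted file names} for groups of >= min_cluster
    files that share a prefix but whose total sizes differ (the padding tell)."""
    groups = defaultdict(list)
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            groups[prefix_digest(path)].append((name, os.path.getsize(path)))
    clusters = {}
    for digest, members in groups.items():
        sizes = {size for _, size in members}
        if len(members) >= min_cluster and len(sizes) > 1:
            clusters[digest] = sorted(name for name, _ in members)
    return clusters


def build_sample_share(folder):
    """Constructed sample: one fake 'program body' padded with varying garbage
    under decoy names like those the worm uses, plus two unrelated files."""
    body = b"MZ" + b"\x90" * 8000 + b"FAKE-BODY"   # constructed stand-in, not real code
    decoys = ["Acrobat Capture 3.0 -full-downloader.exe",
              "Age of Empires-Games-full-downloader.exe",
              "Metallica - Blackened.exe",
              "Baseball 2001-Games-full-downloader.exe"]
    for i, name in enumerate(decoys):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(body + os.urandom(500 * (i + 1)))   # different padding per copy
    with open(os.path.join(folder, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    with open(os.path.join(folder, "other.exe"), "wb") as fh:
        fh.write(b"MZ" + os.urandom(3000))
    return decoys


def demo():
    """Build the sample share in a temp dir and run the clustering over it."""
    with tempfile.TemporaryDirectory() as share:
        decoys = build_sample_share(share)
        clusters = find_padded_clusters(share)
        return {"expected": sorted(decoys), "clusters": clusters}


if __name__ == "__main__":
    result = demo()
    for digest, names in result["clusters"].items():
        print(f"prefix {digest[:12]}... shared by {len(names)} files:")
        for n in names:
            print("   ", n)
```

The prefix length must be shorter than the genuine body of the file, otherwise the padding leaks into the hash and the grouping falls apart; on a real share it pays to try more than one prefix length.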

http://www.symantec.com/avcenter/venc/data/w32.benjamin.worm.html


Yana Liu and Douglas Knowles
Symantec Security Response, USA.


Digispid.B.Worm

Low Threat [2]

Script


Digispid.B.Worm is a worm that spreads to computers running Microsoft SQL Server with a blank SQL administrator password. It copies files to the infected computer and changes the SQL administrator password to a string of four random characters.

The worm is unlikely to propagate in a production environment running SQL Server because it relies upon the following assumptions to spread:

The "sa" SQL Server account has no password.
SQL Server is running with administrative access. By default, SQL Server runs in the security context of a domain user.

An infected computer can be identified by the following characteristics:

The presence of some or all of these files:
%System32%\Drivers\Services.exe
%System32%\Sqlexec.js
%System32%\Clemail.exe
%System32%\Sqlprocess.js
%System32%\Sqlinstall.bat
%System32%\Sqldir.js
%System32%\Run.js
%System32%\Timer.dll
%System32%\Samdump.dll
%System32%\Pwdump2.exe
Many outgoing port 1433 requests

For a more detailed description, please see the Technical Description.

Users can protect themselves by doing the following:

Firewall filtering of incoming/outgoing port 1433 requests.
Filter outgoing email messages to "ixltd@postone.com".
Filter outgoing email messages that have subjects beginning with "SystemData-".
Verify that all SQL Server "sa" accounts have passwords.

On systems that have been infected, you will notice the following symptoms:

Increased internet traffic.
Many outgoing port 1433 requests.
The operating system user password and SQL Server data information are emailed to "ixltd@postone.com".
The SQL Server "sa" password will be changed.

When systems have been infected, you should do the following:

Update Norton AntiVirus definitions and perform a full system scan. Reset all operating system and SQL Server passwords.
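Two of the indicators above can be checked from logs rather than by looking at each host: a burst of outgoing connections to TCP port 1433 from one machine, and outgoing mail addressed to "ixltd@postone.com" or carrying a subject that starts with "SystemData-". The Python script below is an added example, not Symantec's tooling. The firewall and mail log line formats, the 60-second window, the 20-distinct-host threshold and the sample lines are all constructed; a real deployment would swap in its own log parser and tune the threshold to normal database traffic.

```python
"""Flag Digispid.B-style activity in constructed firewall and mail logs.

Added example.  Indicators come from the description above: bursts of
outgoing connections to TCP port 1433 from one host, and outgoing mail to
ixltd@postone.com or with a subject starting "SystemData-".  Log formats,
thresholds and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed firewall log format: <epoch> OUT <src_ip> -> <dst_ip>:<dst_port>/tcp
FW_LINE = re.compile(r"^(\d+) OUT (\S+) -> (\S+):(\d+)/tcp$")
# Constructed mail log format: <epoch> MAIL from=<a> to=<b> subject="..."
MAIL_LINE = re.compile(r'^(\d+) MAIL from=(\S+) to=(\S+) subject="([^"]*)"$')

SQL_PORT = 1433
WINDOW_SECONDS = 60          # assumption
SCAN_THRESHOLD = 20          # assumption: distinct 1433 targets inside one window
WORM_MAILBOX = "ixltd@postone.com"
WORM_SUBJECT_PREFIX = "SystemData-"


def find_sql_scanners(fw_lines, window=WINDOW_SECONDS, threshold=SCAN_THRESHOLD):
    """Return {src_ip: distinct_targets} for hosts that contacted at least
    `threshold` different hosts on port 1433 within any `window`-second span."""
    per_src = defaultdict(list)   # src -> [(ts, dst)]
    for line in fw_lines:
        m = FW_LINE.match(line.strip())
        if m and int(m.group(4)) == SQL_PORT:
            per_src[m.group(2)].append((int(m.group(1)), m.group(3)))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:   # slide the window
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= threshold:
                flagged[src] = max(len(targets), flagged.get(src, 0))
    return flagged


def find_exfil_mail(mail_lines):
    """Return (sender, recipient, subject) for mail matching the worm's pattern."""
    hits = []
    for line in mail_lines:
        m = MAIL_LINE.match(line.strip())
        if not m:
            continue
        _, sender, rcpt, subject = m.groups()
        if rcpt.lower() == WORM_MAILBOX or subject.startswith(WORM_SUBJECT_PREFIX):
            hits.append((sender, rcpt, subject))
    return hits


# Constructed sample logs.
FW_SAMPLE = (
    # an infected host probing 25 hosts on 1433 within 25 seconds
    [f"{1000 + i} OUT 10.0.0.5 -> 192.0.2.{i}:1433/tcp" for i in range(25)]
    # a normal client talking to a single database server repeatedly
    + [f"{1000 + i} OUT 10.0.0.9 -> 10.0.0.100:1433/tcp" for i in range(40)]
    # unrelated web traffic from the infected host
    + ["1010 OUT 10.0.0.5 -> 198.51.100.7:80/tcp"]
)
MAIL_SAMPLE = [
    '1200 MAIL from=sqlsvc@corp.example to=ixltd@postone.com subject="SystemData-SQLSRV01"',
    '1201 MAIL from=alice@corp.example to=bob@corp.example subject="lunch?"',
]

if __name__ == "__main__":
    print("port 1433 scanners:", find_sql_scanners(FW_SAMPLE))
    print("suspicious mail:", find_exfil_mail(MAIL_SAMPLE))
```

Counting distinct destinations rather than raw connection attempts is what keeps a legitimate client that hammers one database server out of the alert while still catching a host sweeping a subnet.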

http://www.symantec.com/avcenter/venc/data/digispid.b.worm.html

Douglas Knowles
Symantec Security Response, USA.


Security Advisories

Red Hat sharutils package uudecode flaw allows elevated privileges

Medium [3]

Linux


The uudecode utility included with the Red Hat Linux sharutils package creates files in an insecure fashion that could lead to files being overwritten or exploited to elevate local user privileges.

The sharutils package provides utilities to encode and decode files to and from various formats. The uuencode utility converts binary files to ASCII (text) format, which can be sent safely through email. The uudecode utility converts these files back to their binary format.

The Red Hat sharutils flaw occurs because uudecode creates an output file without verifying if it is about to write to a symbolic link (a file pointer that links to another file) or a pipe (a technique for passing information from one process to another). If the output file is created in an open share directory (for example, /tmp), a local attacker could exploit this vulnerability to overwrite existing files or elevate user privileges. Depending on the permissions of the program using uudecode, the attack could, potentially, result in root access.
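The defect is a classic unsafe file creation in a shared directory: the output path is opened create-or-truncate, so if a symbolic link already sits at that name the write goes wherever the link points. The fix is to refuse to reuse an existing name at all, which is what the patched uudecode does by checking for an existing symbolic link or pipe. The Python script below is an added example, not the sharutils code: it plants a symlink in a temporary directory, shows that a naive open writes through it into the link's target, and shows a hardened open using O_CREAT|O_EXCL (plus O_NOFOLLOW where available) refusing the pre-planted name. The temp-dir layout and file names are constructed.

```python
"""Unsafe versus safe output-file creation (added example, not sharutils code).

The uudecode bug: the output path was opened without checking whether a
symlink or FIFO already sat there, so a link planted in /tmp redirected the
write.  O_CREAT|O_EXCL fails with EEXIST if anything exists at the name
(symlinks included, even dangling ones); O_NOFOLLOW is added for good measure.
The temp-dir layout below is constructed.
"""
import os
import stat
import tempfile


def naive_write(path, data):
    """Open the way the vulnerable version did: create-or-truncate, following links."""
    with open(path, "wb") as fh:     # follows a symlink and writes into its target
        fh.write(data)


def safe_write(path, data, mode=0o644):
    """Create the output file only if nothing exists at `path`.
    Raises OSError (EEXIST) for a pre-planted symlink, FIFO or file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    try:
        # Defence in depth: confirm what we opened really is a regular file.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("output path is not a regular file")
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Plant a symlink 'decoded.out' -> victim file, then try both writers.
    Returns what the victim file contains afterwards for each approach."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")
        with open(victim, "wb") as fh:
            fh.write(b"original")
        link = os.path.join(tmp, "decoded.out")
        os.symlink(victim, link)              # the planted link in the shared dir

        naive_write(link, b"clobbered")       # silently goes through the link
        with open(victim, "rb") as fh:
            results["naive_victim_after"] = fh.read()

        with open(victim, "wb") as fh:        # reset the victim
            fh.write(b"original")
        try:
            safe_write(link, b"clobbered")
            results["safe_refused"] = False
        except OSError:
            results["safe_refused"] = True    # EEXIST: name already taken
        with open(victim, "rb") as fh:
            results["safe_victim_after"] = fh.read()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The O_EXCL check is the one that matters: it is atomic with the create, so there is no window between "check whether the name exists" and "open it" for an attacker to slip a link into, which a separate lstat() followed by open() would leave open.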

Recommendations

Red Hat sharutils patch

Install the appropriate version and platform RPM of the Red Hat sharutils update package, which contains a version of uudecode patched to check for an existing symbolic link or pipe.

Before applying this update, ensure that all previously released updates relevant to your system have been applied. To update all RPMs for your particular version, run the following command:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you want to update. Only currently installed RPMs in the list will be updated. You can also use wildcards (*.rpm) if your current directory contains only the desired RPMs.

The sharutils update is available also on the Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

The up2date command starts an interactive process to upgrade appropriate RPMs on your system.

References
Source: CVE CAN-2002-0178
URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0178

Source: Red Hat RHSA-2002-065
URL: http://rhn.redhat.com/errata/RHSA-2002-065.html

Source: Security Focus.com
URL: http://online.securityfocus.com/advisories/4120

 

Various

Various

AltaVista Traversal
The AltaVista search engine includes a CGI that accepts "../" in standard queries. This allows an attacker to access sensitive files in the HTTP directory which is one level above the search engine. Sensitive files in this directory include the trivially encrypted password for the remote administration utility. The CGI in question also processes additional "../" strings if they are encoded in Hex (%2e%2e%2f). This would allow an attacker to access files throughout the host system. This signature detects an attempt to exploit this vulnerability.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0039
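The detail that makes this signature worth a second look is the hex-encoded form: a filter that only searches the raw query for "../" misses "%2e%2e%2f", and a filter that decodes once misses a doubly encoded "%252e%252e%252f". The Python function below is an added example, not the product's signature: it percent-decodes a query parameter until the value stops changing (bounded to three rounds), treats backslashes as slashes, and then flags any ".." path segment. The access-log line shape and the parameter name "template" are constructed.

```python
"""Detect "../" traversal in CGI query parameters, including hex-encoded and
doubly encoded forms (added example, not the product signature).  The request
lines and the parameter name are constructed.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DECODE_ROUNDS = 3   # bound repeated decoding so crafted input cannot loop us


def normalise(value):
    """Percent-decode until stable (bounded), then treat '\\' like '/'."""
    cur = value
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def has_traversal(value):
    """True if, after normalisation, any path segment is exactly '..'.
    Matching whole segments avoids false positives on names like 'v..2'."""
    return ".." in normalise(value).split("/")


def flag_requests(request_lines):
    """Return (line, param, decoded_value) for each traversing query parameter.
    Constructed log shape: 'METHOD /path?query'."""
    hits = []
    for line in request_lines:
        parts = line.split(" ", 1)
        if len(parts) != 2:
            continue
        query = urlsplit(parts[1]).query
        # parse_qsl already decodes one layer; normalise() handles the rest.
        for param, value in parse_qsl(query, keep_blank_values=True):
            if has_traversal(value):
                hits.append((line, param, normalise(value)))
    return hits


# Constructed sample requests.
REQUESTS = [
    "GET /cgi-bin/query?mode=simple&q=security",                   # benign
    "GET /cgi-bin/query?template=../admin/passwd",                  # plain
    "GET /cgi-bin/query?template=%2e%2e%2f%2e%2e%2fadmin%2fpasswd",  # hex-encoded
    "GET /cgi-bin/query?template=%252e%252e%252fadmin",             # double-encoded
    "GET /cgi-bin/query?q=version..2",                              # dots, no traversal
]

if __name__ == "__main__":
    for line, param, decoded in flag_requests(REQUESTS):
        print(f"traversal in {param!r}: {decoded!r}  <- {line}")
```

The same normalise-then-inspect order is what the server-side CGI should have applied before building a file path; the signature only reports the attempt, the fix is refusing the ".." segment after decoding.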

Login Buffer Overflow
On some System V versions of /bin/login, the exploit attempts to overflow a register and bind to a shell in order to allow an attacker to place a new user account in the /etc/passwd or /etc/shadow file. The attack occurs via a telnet or rlogin session. The filter looks at the connection and alerts when an attempt to overflow the buffer occurs.
http://www.cert.org/advisories/CA-2001-34.html


MStream
This signature provides an early warning to the administrator that traffic resembling MStream control communication has been detected. Specifically, the following:

a) MStream Client Login signature watches for TCP packets of a particular length that contain character strings that are unique to MStream.

b) MStream Flood signature watches for a TCP ACK packet that has both a particular total size and a particular window size.

c) MStream Master Login signature watches for TCP packets of specific lengths that contain character strings unique to MStream.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138
Security News

Wireless LAN Security: Enabling and Protecting the Enterprise

Motivated by the need to reduce IT costs while increasing employee productivity, enterprise-wide wireless local area network (LAN) solutions are becoming increasingly viable. Proliferation of mobile computing devices has boosted employee demand for access to their organization's network beyond the tether of their office workstation. Meanwhile, accelerated wireless transmission rates and increasing vendor adherence to standards-based interoperability are enhancing the practicality of wireless LANs.

Yet the same wireless technologies that can erase the physical limitations of wired communications to increase user flexibility, boost employee productivity, and lower cost of network ownership also expose network-based assets to considerable risks. The security embedded in wireless LAN technologies falls short of providing adequate protection. Early-adopting organizations have found that evaluating, and where possible, mitigating these risks before deploying a wireless LAN is beneficial.

This white paper summarizes wireless network security planning by providing an overview of the security risks and technical challenges in this area, as well as summarizing key recommendations for secure wireless LANs.

http://www.symantec.com/avcenter/reference/symantec.wlan.security.pdf
 
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
To subscribe or unsubscribe, follow this link: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.