It's the 7th of March (while I'm writing this) and W32.Klez.E@mm triggered yesterday. The fact that our corporate support team saw no significant increase in the number of calls speaks volumes for corporate anti-virus strategies and IT Security management. There really is no longer an excuse for being caught out by a virus with a damaging payload when your vendor has a solution well in advance.

This month we have several interesting items: W32.Simile, a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption, and JS.Menger.Worm, which exploits a now patched vulnerability in Microsoft's MSN Messenger. Most of you working in corporate IT departments will, or should, be aware that instant messaging is an area that virus writers are starting to target. Our third listing this month is a virus that targets Microsoft's new .NET Framework, W32.HLLP.Sharpei@mm.

To round this month off we have an article on spyware by André Post from Symantec Security Response, EMEA.

David Banes
Editor, securitynews@symantec.com
Viruses, Worms & Trojans
JS.Menger.Worm
Threat rating: Low [2]
Type: Script
Global infection breakdown by geographic region (% of total)
America (North & South): 45.5%
EMEA (Europe, Middle East, Africa): 44.0%
Japan: 5.1%
Asia Pacific: 5.4%
Reports by date (% of reports)
Date    % Reports
13 Feb  1.4%
14 Feb  33.4%
15 Feb  19.4%
16 Feb  7.5%
17 Feb  4.3%
19 Feb  2.0%
22 Feb  6.3%
26 Feb  1.0%
1 Mar   1.4%
4 Mar   1.0%
JS.Menger.Worm is an Internet worm written in JavaScript. It appears as a message in MSN Messenger that directs the recipient to a website hosting the worm code; the code was hosted on a number of different sites.
The script uses instructions specifically designed to manipulate the MSN Messenger program through a known vulnerability. Microsoft has released a patch for this vulnerability (bulletin MS02-005), available at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-005.asp
The script references the class identifier used to create a Messenger object and, through that object, attempts to send a link to the worm code to the other contacts in the victim's Messenger contact list. The script contains no additional damaging code. It makes use of code first posted to a tech forum on February 9, 2002.
http://securityresponse.symantec.com/avcenter/venc/data/js.menger.worm.html
Patrick Nolan
Symantec Security Response, USA
W32.HLLP.Sharpei@mm
Threat rating: Low [2]
Type: Win32
W32.HLLP.Sharpei@mm is a virus that infects .exe files built for the Microsoft .NET Framework. The replication code is written in C# and compiled to MSIL (Microsoft Intermediate Language), so that part of the virus needs the .NET runtime to execute. The virus also mass-mails itself to all contacts in the Microsoft Outlook address book using a VBS component. The attachment is named MS02-010.exe, a name styled after Microsoft's security bulletin identifiers to make the lure convincing.
The virus arrives as an email message with the following characteristics:
Subject: Important: Windows update
Message: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.
Attachment: Ms02-010.exe
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllp.sharpei@mm.html
Peter Szor and Yana Liu
Symantec Security Response, USA
W32.Simile
Threat rating: Very Low [1]
Type: Win32
W32.Simile is a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption. It infects files in folders on all fixed drives and on any remote drives that are mapped at the time the virus executes. The virus carries no destructive payload, but infected files may display messages on certain dates.
http://www.sarc.com/avcenter/venc/data/w32.simile.html
Peter Ferrie
Symantec Security Response, Asia Pacific
Security Advisories

Multiple SNMP vulnerabilities in multiple products
Severity: High [4]
Affects: All
Reference
CERT Advisory CA-2002-03, 12 February 2002: Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)
Affected Components
Implementations of Simple Network Management Protocol version 1 (SNMPv1) contain multiple vulnerabilities that potentially affect many well- and lesser-known products. According to CERT, the products of well over 100 vendors may be at risk. Symantec recommends that you review the associated affected-vendor vulnerability notes from CERT for additional information on products in your network environment:
Vulnerability Note VU#854306 (SNMPv1 trap handling)
Vulnerability Note VU#107186 (SNMPv1 request handling)
Overview
Symantec Corporation advises its customers to be aware of the public disclosure of numerous vulnerabilities in the SNMPv1 implementations of multiple vendors' products. The consequences of successful exploitation range from denial of service (DoS) to unauthorized access with elevated privileges, along with general instability.
Additionally, the SNMPv1 test suite (PROTOS) developed by the Oulu University Secure Programming Group (OUSPG) at Oulu University in Finland to stress-test SNMPv1 message decoding may be in use by the computer underground to launch attacks against vulnerable products. The test cases are malformed SNMP messages delivered over UDP ports 161 (requests) and 162 (traps), so the CERT advisory's workarounds (ingress filtering of those ports, restricting which hosts may reach agents and management stations, and disabling SNMP where it is not needed) limit exposure until vendor patches are installed.
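The bugs behind this advisory are, at bottom, SNMPv1 decoders that believe the length fields in an incoming message. The decoder below is added here as an example; it is not Symantec, CERT or OUSPG code, and the function names, the four-byte cap on BER length fields and the exclusion of the Trap PDU layout are choices made for this example. It reads SNMPv1 BER as untrusted input, rejecting truncated, oversized, indefinite-length and malformed encodings instead of copying whatever the length byte claims, and it decodes OIDs with a sub-identifier bound. The two packets at the end are constructed by hand (not captured traffic): a well-formed GetRequest and one whose community string claims a length of 0xFFFFFFFF.

```python
"""Strict SNMPv1 message decoder on top of a bounds-checked BER reader.

Added illustration for the CA-2002-03 item; not code from Symantec, CERT or
OUSPG. Every tag, length and OID sub-identifier is treated as untrusted.
The sample packets at the end are constructed by hand, not captured traffic.
"""
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
# Trap (0xA4) has a different PDU layout and is deliberately left out here.
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}


class BerError(ValueError):
    """Any malformed encoding; the caller should drop the packet."""


def read_tlv(buf, pos):
    """Read one tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise BerError("truncated TLV header at offset %d" % pos)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                    # short-form length
        length = first
    elif first == 0x80:                 # indefinite form is never valid in SNMP
        raise BerError("indefinite length not allowed")
    else:                               # long form: low 7 bits = number of length bytes
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > len(buf):   # 4-byte cap is this example's choice
            raise BerError("bad length-of-length %d" % nbytes)
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if length > len(buf) - pos:         # the check a trusting decoder omits
        raise BerError("length %d exceeds %d remaining bytes" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length


def decode_integer(v):
    """Signed 32-bit INTEGER; SNMPv1 never needs more than 5 content bytes."""
    if not 1 <= len(v) <= 5:
        raise BerError("INTEGER of %d bytes" % len(v))
    n = int.from_bytes(v, "big", signed=True)
    if not -2**31 <= n < 2**31:
        raise BerError("INTEGER %d outside 32-bit range" % n)
    return n


def decode_oid(v):
    """Base-128 sub-identifiers -> dotted string, with size and arc-count caps."""
    if not v or v[-1] & 0x80:
        raise BerError("empty OID or OID ending mid sub-identifier")
    subids, cur = [], 0
    for b in v:
        cur = (cur << 7) | (b & 0x7F)
        if cur >> 32:
            raise BerError("sub-identifier exceeds 32 bits")
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    if len(subids) > 128:
        raise BerError("more than 128 sub-identifiers")
    first = subids[0]                   # first sub-identifier packs the first two arcs
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def parse_snmpv1(packet):
    """Decode a Get/GetNext/GetResponse/Set message into a dict, or raise BerError."""
    tag, body, end = read_tlv(packet, 0)
    if tag != TAG_SEQUENCE or end != len(packet):
        raise BerError("message is not exactly one SEQUENCE")
    tag, v, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER or decode_integer(v) != 0:
        raise BerError("not an SNMPv1 message")
    tag, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, end = read_tlv(body, pos)
    if tag != TAG_OCTET_STRING or pdu_tag not in PDU_TAGS or end != len(body):
        raise BerError("bad community, unknown PDU type or trailing bytes")
    ints, p = [], 0
    for _ in ("request-id", "error-status", "error-index"):
        tag, v, p = read_tlv(pdu, p)
        if tag != TAG_INTEGER:
            raise BerError("PDU header field must be INTEGER")
        ints.append(decode_integer(v))
    tag, vbl, p = read_tlv(pdu, p)
    if tag != TAG_SEQUENCE or p != len(pdu):
        raise BerError("bad VarBindList")
    varbinds, q = [], 0
    while q < len(vbl):
        tag, vb, q = read_tlv(vbl, q)
        oid_tag, oid, r = read_tlv(vb, 0)
        val_tag, val, r = read_tlv(vb, r)
        if tag != TAG_SEQUENCE or oid_tag != TAG_OID or r != len(vb):
            raise BerError("malformed VarBind")
        varbinds.append((decode_oid(oid), val_tag, bytes(val)))
    return {"community": bytes(community).decode("latin-1"), "pdu": PDU_TAGS[pdu_tag],
            "request_id": ints[0], "error_status": ints[1], "error_index": ints[2],
            "varbinds": varbinds}


# Constructed packets (not captured). GET_REQUEST: community "public",
# request-id 42, one VarBind for sysDescr.0 (1.3.6.1.2.1.1.1.0) with a NULL value.
GET_REQUEST = bytes.fromhex(
    "30 26 02 01 00 04 06 70 75 62 6c 69 63 a0 19 02 01 2a 02 01 00 02 01 00 "
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
# BAD_LENGTH: same header, but the community string claims a 4-byte length of
# 0xFFFFFFFF while only one byte follows; a trusting decoder copies on that claim.
BAD_LENGTH = bytes.fromhex("30 0a 02 01 00 04 84 ff ff ff ff 70")


def rejected(packet):
    """True if the strict decoder refuses the packet."""
    try:
        parse_snmpv1(packet)
        return False
    except BerError:
        return True
```

Feeding the constructed packets through `parse_snmpv1` gives a decoded GetRequest for the first and a `BerError` for the second; the same reader also refuses a packet truncated by one byte or padded with trailing data, which is the behaviour to look for when you fuzz your own agents with PROTOS-style input.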
Multiple Buffer Overflows in PHP allow remote access to server
Severity: High [4]
Affects: PHP
Reference
eMatters Security Advisory 01/2002, PHP remote vulnerabilities
Affected Components: PHP 3.0.10-3.0.18, PHP 4.0.1-4.0.3pl1, PHP 4.0.2-4.0.5, PHP 4.0.6-4.0.7RC2, PHP 4.0.7RC3-4.1.1
Not Affected: PHP 4.1.2, PHP 4.2.0-dev
Overview
Symantec Corporation advises its customers to be aware of the public disclosure of, and exploit scripts for, numerous remotely exploitable buffer overflow vulnerabilities in the way PHP handles multipart POST requests (form-based file uploads). Successful exploitation could give an attacker unauthorized access with the privileges of the targeted web server process. The multipart body is parsed by PHP before the requested script runs, so a site does not have to deliberately accept uploads to be exposed; any affected version that processes POST requests is at risk until it is upgraded.
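The affected ranges above mix plain releases with "pl", "RC" and "-dev" suffixes, which a naive string comparison gets wrong. The following is an added example, not code from Symantec or eMatters: it parses PHP version strings into comparable tuples and checks a version, or the version advertised in an `X-Powered-By` banner, against the advisory's ranges. The suffix ordering it assumes (development snapshot < release candidate < final release < patch level) and the banner regex are this example's own choices; the sample headers are constructed.

```python
"""Check a PHP version string against the eMatters 01/2002 affected ranges.

Added illustration, not code from Symantec or eMatters. The ranges are copied
from the advisory text; the ordering of PHP's "RC", "pl" and "-dev" suffixes
(dev < RC < final < pl) is this example's assumption.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(RC|pl)(\d+)|(-dev))?$")

# Stage ordering used as the fourth tuple element (assumed, see docstring).
STAGE_DEV, STAGE_RC, STAGE_FINAL, STAGE_PL = -2, -1, 0, 1


def parse_php_version(text):
    """'4.0.7RC3' -> (4, 0, 7, STAGE_RC, 3); '4.0.3pl1' -> (4, 0, 3, STAGE_PL, 1)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised PHP version string: %r" % text)
    major, minor, patch, kind, num, dev = m.groups()
    if dev:
        stage, n = STAGE_DEV, 0
    elif kind == "RC":
        stage, n = STAGE_RC, int(num)
    elif kind == "pl":
        stage, n = STAGE_PL, int(num)
    else:
        stage, n = STAGE_FINAL, 0
    return (int(major), int(minor), int(patch), stage, n)


# Inclusive ranges exactly as printed in the advisory.
AFFECTED_RANGES = [
    ("3.0.10", "3.0.18"),
    ("4.0.1", "4.0.3pl1"),
    ("4.0.2", "4.0.5"),
    ("4.0.6", "4.0.7RC2"),
    ("4.0.7RC3", "4.1.1"),
]


def is_affected(version):
    """True if `version` falls inside any affected range (bounds inclusive)."""
    v = parse_php_version(version)
    return any(parse_php_version(lo) <= v <= parse_php_version(hi)
               for lo, hi in AFFECTED_RANGES)


def check_banner(header_line):
    """Classify the PHP version in an 'X-Powered-By: PHP/x.y.z' style header.

    Returns 'affected', 'not affected' or 'unknown'. A missing or edited banner
    proves nothing; where you have shell access, trust `php -v` instead.
    """
    m = re.search(r"PHP/(\S+)", header_line)
    if not m:
        return "unknown"
    try:
        return "affected" if is_affected(m.group(1)) else "not affected"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real server.
    for banner in ("X-Powered-By: PHP/4.0.6", "X-Powered-By: PHP/4.1.2",
                   "X-Powered-By: PHP/4.0.7RC2", "Server: Apache/1.3.22"):
        print("%-30s %s" % (banner, check_banner(banner)))
```

Note that 4.0.7 itself sits between 4.0.7RC3 and 4.1.1 and is therefore reported as affected, while 4.2.0-dev sorts above 4.1.1 and is not; that is the ordering the advisory's "Not Affected" line implies.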
Enterprise Security News Clips

Vulnerability & Exploit News
Spyware programs are applications that send information over the Internet to the creator of the spyware, or the publisher. Spyware usually consists of core functionality and functionality for information gathering. The core functionality appeals to users and entices them to install and use the spyware. The End-User License Agreement informs users of the information-gathering actions, but most users overlook this information. Information sent to the publisher is normally used for improved direct marketing. The type of information sent differs depending on the spyware program. So that the publisher can properly process the gathered data, some spyware programs send a unique identifier along with the gathered information.
This article defines spyware and discusses its functionality and its possible dangers. The information-gathering functionality of spyware is often overlooked by users, leaving them unaware that the spyware publisher is gathering data from their computers.
Spyware programs are defined as applications that send information over the Internet to their publishers for marketing purposes without obvious notification to users. In this paper, spyware does not refer to backdoor Trojan horses that allow hackers to secretly gain information from the computer. The type of information gathered differs depending on the spyware. Some spyware sends only system-specific information; other spyware sends personal information, including browsing habits.
Most spyware programs are free programs available on the Internet that in some cases are very useful tools. Some examples are:
• Download utilities
• Games
• Media players
• Accounting software
Technically, spyware can be considered as two separate pieces of software shipped in one package. There is the core functionality that is visible and useful to the user, and there is the information-gathering functionality that gathers, maintains, monitors, and sends user and/or computer information in the background.
Spyware is generally distributed in one of two ways: the developers of the core functionality license information-gathering functionality to merge with their product, or they incorporate their own information-gathering software. After the spyware product has been produced, it is marketed.
The question arises as to why users would want to use spyware. Most, if not all, users are unaware of the information-gathering functionality of spyware programs. Spyware is generally freeware, and the information-gathering functionality is not mentioned outside the license agreement before users install the software, which makes the software very attractive to users.
The full article is posted here:
http://securityresponse.symantec.com/avcenter/reference/danger.of.spyware.pdf
André Post
Symantec Security Response, EMEA
Contacts and Subscriptions
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails, please).
To subscribe or unsubscribe, follow this link: http://securityresponse.symantec.com/avcenter/newsletter.html
Send virus samples to: avsubmit@symantec.com
Disclaimer: THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.