Symantec(TM)

Symantec Security Response

ISSN 1444-9994

March 2002 Newsletter


These are the most common Viruses, Trojans and Worms reported to Symantec Security Response during the last month.



Country Spotlight
Canada

JS.Exception.Exploit
W32.Magistr.39921@mm
W95.Hybris.worm
W32.Nimda.enc
W32.Sircam.Worm@mm
W32.Badtrans.B@mm
W32.Myparty@mm
W32.Klez.E@mm
Trojan Horse
Backdoor.Trojan


Top Global Threats

JS.Exception.Exploit
W95.Hybris.worm
W32.Magistr.39921@mm
W32.Klez.E@mm
W32.Badtrans.B@mm
Trojan Horse
W32.Sircam.Worm@mm
VBS.Haptime.A@mm
Backdoor.Trojan
VBS.LoveLetter.AS

Asia Pacific
JS.Exception.Exploit
W95.Hybris.worm
W32.Badtrans.B@mm
W32.Klez.E@mm
W32.Magistr.39921@mm
W32.Nimda.enc
W32.Sircam.Worm@mm
VBS.Haptime.A@mm
Trojan Horse
W32.HLLW.Bymer


Europe, Middle East & Africa
JS.Exception.Exploit
W32.Klez.E@mm
W32.Badtrans.B@mm
W95.Hybris.worm
W32.Magistr.39921@mm
Trojan Horse
W32.Sircam.Worm@mm
VBS.Haptime.A@mm
Backdoor.Trojan
W32.HLLW.Bymer

Japan
JS.Exception.Exploit
W32.Badtrans.B@mm
W95.Hybris.worm
W32.Klez.E@mm
W32.HLLW.Bymer
W32.Sircam.Worm@mm
W32.Nimda.enc
W32.Aliz.Worm
W32.Magistr.24876@mm
Trojan Horse

The Americas
JS.Exception.Exploit
W95.Hybris.worm
W32.Magistr.39921@mm
W32.Klez.E@mm
W32.Badtrans.B@mm
W32.Sircam.Worm@mm
W32.Nimda.enc
Trojan Horse
W32.Myparty@mm
VBS.LoveLetter.AS



Removal Tools for malicious code are on our web site.

A list of Virus Hoaxes reported to Symantec.

A list of Joke Programs reported to Symantec.

Glossary for definitions of viruses, Trojans and worms and more.





It's the 7th of March (while I'm writing this) and W32.Klez.E@mm triggered yesterday. The fact that our corporate support team saw no significant increase in the number of calls speaks volumes for corporate anti-virus strategies and IT Security management. There really is no longer an excuse for being caught out by a virus with a damaging payload when your vendor has a solution well in advance.

This month we have several interesting items: W32.Simile, a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption, and JS.Menger.Worm, which exploits a now-patched vulnerability in Microsoft's MSN Messenger. Most of you working in corporate IT departments will, or should, be aware that instant messaging is an area that virus writers are starting to target. Our third listing this month is a virus that targets Microsoft's new .NET framework, W32.HLLP.Sharpei@mm.

To round this month off we have an article on Spyware by André Post from Symantec Security Response, EMEA.

David Banes
Editor, securitynews@symantec.com

Viruses, Worms & Trojans

JS.Menger.Worm

Low [2] Threat

Script

Global Infection breakdown by geographic region (% of Total)

  America (North & South)              45.5%
  EMEA (Europe, Middle East, Africa)   44.0%
  Japan                                 5.1%
  Asia Pacific                          5.4%

Reports by date (% Reports)

  13 Feb    1.4%
  14 Feb   33.4%
  15 Feb   19.4%
  16 Feb    7.5%
  17 Feb    4.3%
  19 Feb    2.0%
  22 Feb    6.3%
  26 Feb    1.0%
  1 Mar     1.4%
  4 Mar     1.0%

This is an Internet worm that is coded in JavaScript. The worm appears as a message in MSN Messenger that directs you to a Web site which contains the code. This worm was hosted on a number of different sites.

The script uses instructions specifically designed to manipulate the MSN Messenger program through a known vulnerability. Microsoft has released a patch for this vulnerability. The patch is available at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-005.asp

The script contains instructions referencing the class object identifier for creating a Messenger "object" and referencing the Messenger application. The script attempts to send a link to the worm code to other contacts within Messenger. There is no additional damaging code in the script. The script makes use of code first introduced in a tech forum on February 9, 2002.

http://securityresponse.symantec.com/avcenter/venc/data/js.menger.worm.html

Patrick Nolan
Symantec Security Response, USA

W32.HLLP.Sharpei@mm

Low [2] Threat

Win32


W32.HLLP.Sharpei@mm is a virus that targets .exe files under the Microsoft .NET Framework. The replication code of the virus is written in C# and compiled to MSIL. The virus also mass-mails itself to all contacts in the Microsoft Outlook address book by using a VBS component. The name of the attachment is MS02-010.exe.

The virus arrives as an email message that has the following characteristics:

Subject : Important: Windows update

Message: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.

Attachment: Ms02-010.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllp.sharpei@mm.html

Peter Szor and Yana Liu
Symantec Security Response, USA
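A mail-gateway check for the Sharpei message characteristics listed above, added here as an example and not part of the original newsletter or Symantec's tools. The sample message is constructed (the attachment body is a dummy base64 string, not a binary), and the attachment test generalises beyond the single name Ms02-010.exe to any executable named like a Microsoft security bulletin, which is an assumption of this example.

```python
import email
import re
from email import policy

# Indicators taken from the newsletter's description of W32.HLLP.Sharpei@mm.
SHARPEI_SUBJECT = "Important: Windows update"
# Generalisation (assumption of this example): flag any executable named like a
# Microsoft security bulletin, MSyy-nnn.exe, not only Ms02-010.exe. Microsoft does
# not distribute bulletin fixes as e-mail attachments, so the name alone is suspect.
BULLETIN_EXE = re.compile(r"^ms\d{2}-\d{3}\.exe$", re.IGNORECASE)


def sharpei_indicators(raw_message: bytes) -> list:
    """Return the indicators matched in a raw RFC 2822 message, in the order found."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() == SHARPEI_SUBJECT.lower():
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if name and BULLETIN_EXE.match(name.strip()):
            hits.append("attachment:" + name.strip())
    return hits


# Constructed sample message mirroring the characteristics in the newsletter.
SAMPLE_SHARPEI = b"""From: sender@example.com
To: victim@example.com
Subject: Important: Windows update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sharpei-demo"

--sharpei-demo
Content-Type: text/plain

Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.
--sharpei-demo
Content-Type: application/octet-stream; name="Ms02-010.exe"
Content-Disposition: attachment; filename="Ms02-010.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--sharpei-demo--
"""

if __name__ == "__main__":
    print(sharpei_indicators(SAMPLE_SHARPEI))
```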

W32.Simile

Very Low [1] Threat

Win32

W32.Simile is a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption. It infects files in folders on all fixed and remote drives that are mapped at the time that the virus is executed. The virus contains no destructive payload, but infected files may display messages on certain dates.

http://www.sarc.com/avcenter/venc/data/w32.simile.html

Peter Ferrie
Symantec Security Response, Asia Pacific

Security Advisories

Multiple SNMP vulnerabilities in multiple products

High [4]

All



Reference
CERT Advisory CA-2002-03, 12 February 2002
Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)

Affected Components
Simple Network Management Protocol version 1 (SNMPv1) contains multiple vulnerabilities that potentially affect many well- and lesser-known products. According to CERT, the products of well over 100 vendors may be at risk. Symantec recommends that you review the associated affected vendor vulnerability notes from CERT for additional information on products in your network environment:

Vulnerability Note VU#854306
Vulnerability Note VU#107186

Overview
Symantec Corporation advises its customers to be aware of the public disclosure of numerous vulnerabilities in the Simple Network Management Protocol version 1 implementations of multiple vendors' products. The impact of successful exploitation of these vulnerabilities ranges from Denial of Service (DoS) to unauthorized access with elevated privileges, coupled with general instability issues.

Additionally, the SNMP test suite, developed by the Oulu University Secure Programming Group (OUSPG) at Oulu University in Finland to stress test for SNMPv1 weaknesses, may be in use by the computer underground to launch attacks against vulnerable products.

Multiple Buffer Overflows in PHP allow remote access to server

High [4]

PHP


Reference

eMatters Security Advisory 01/2002, PHP remote vulnerabilities

Affected Components: PHP 3.0.10-3.0.18, PHP 4.0.1-4.0.3pl1, PHP 4.0.2-4.0.5, PHP 4.0.6-4.0.7RC2, PHP 4.0.7RC3-4.1.1

Not Affected: PHP 4.1.2, PHP 4.2.0-dev

Overview
Symantec Corporation advises its customers to be aware of the public disclosure of and exploit scripts for numerous remote access buffer overflow vulnerabilities in the way PHP handles multipart POST requests (form uploads). Successful exploitation of these vulnerabilities could result in unauthorized access with the privileges of the targeted web server.

Enterprise Security News Clips

Visit the Symantec Enterprise Security Web Site - http://enterprisesecurity.symantec.com/

Recent Enterprise Security News headlines include:

Facing Up to the Viral Cyber Terror;
The Australian
http://enterprisesecurity.symantec.com/content.cfm?articleid=1219

Microsoft Uncovers Critical Java Hole;
InfoWorld Daily News
http://enterprisesecurity.symantec.com/content.cfm?articleid=1220

S.F. Hacker Cracks New York Times' Internal Network;
The San Francisco Chronicle
http://enterprisesecurity.symantec.com/content.cfm?articleid=1212

Get the latest Enterprise Security News delivered straight to your inbox.
Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm

Vulnerability & Exploit News

The Dangers of Spyware

Spyware programs are applications that send information via the Internet to the creator of the spyware, or the publisher. Spyware usually consists of core functionality and functionality for information gathering. The core functionality appeals to users and entices them to install and use the spyware. The End-User License Agreement informs users of the information-gathering actions, but most users overlook this information. Information that is sent to the publisher is normally used for improved direct marketing purposes. The type of information that is sent differs depending on the spyware program. In order for the publisher to properly digest the gathered data, some spyware programs send a unique identifier along with the gathered information.

This article defines spyware and discusses its functionality and its possible dangers. The information-gathering functionality of spyware is often overlooked by users, leaving them unaware that the spyware publisher is gathering data from their computers.

Spyware programs are defined as applications that send information via the Internet to the publishers for marketing purposes without obvious notification to users. In this paper, spyware does not refer to backdoor Trojan horses that allow hackers to secretly gain information from the computer. The type of information that is gathered differs depending on the spyware. Some spyware sends only system-specific information; other spyware sends personal information including browsing habits.

Most spyware programs are free programs available on the Internet, and in some cases they are very useful tools. Some examples are:

Download utilities
Games
Media players
Accounting software

Technically, spyware can be considered as two separate pieces of software that are shipped in one package. There is the core functionality that is visible and useful to the user, and there is the information-gathering functionality that gathers, maintains, monitors, and sends user and/or computer information in the background.

Spyware is generally distributed in one of two ways. The developers of the core functionality license the information-gathering functionality to merge with their product, or they incorporate their own information-gathering software. After the spyware product has been produced, it is marketed.

The question arises as to why users would want to use spyware. Most, if not all, users are unaware of the information-gathering functionality of spyware programs. Spyware is generally freeware, and the information-gathering functionality is not mentioned before users install the software, making it very attractive to users.

The full article is posted here:
http://securityresponse.symantec.com/avcenter/reference/danger.of.spyware.pdf

André Post
Symantec Security Response, EMEA

Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter.html
Send virus samples to: avsubmit@symantec.com

Disclaimer: THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.