Symantec Security Response

ISSN 1444-9994

March 2003 Newsletter

These are the most common Viruses, Trojans, Worms and Exploits reported to Symantec Security Response during the last month.


Country Spotlight: Switzerland
W95.Hybris.worm
W32.Klez.H@mm
Trojan Horse
IRC Trojan
W32.Kwbot.C.Worm
W95.Spaces.1445
W32.Funlove.4099
W32.Nimda.E@mm
Swporta.Trojan
Backdoor.IRC.Zcrew

Top Global Threats
W32.Klez.H@mm
Trojan Horse
JS.Exception.Exploit
HTML.Redlof.A
IRC Trojan
W95.Hybris.worm
W32.Nimda.E@mm
W32.Funlove.4099
W95.Spaces.1445
W32.Bugbear@mm

Asia Pacific
HTML.Redlof.A
W32.Klez.H@mm
JS.Exception.Exploit
Trojan Horse
W32.Nimda.E@mm
W95.Hybris.worm
W95.Spaces.1445
W32.Bugbear@mm
W32.Funlove.4099
W32.Opaserv.Worm

Europe, Middle East & Africa
W32.Klez.H@mm
Trojan Horse
JS.Exception.Exploit
HTML.Redlof.A
IRC Trojan
W32.Nimda.E@mm
W95.Hybris.worm
W32.Funlove.4099
W95.Spaces.1445
W32.Bugbear@mm

Japan
W32.Klez.H@mm
HTML.Redlof.A
Trojan Horse
W95.Hybris.worm
IRC Trojan
W32.Klez.E@mm
W32.Bugbear@mm
W95.Spaces.1445
W32.Sobig.A@mm
W32.Nimda.E@mm

The Americas
W32.Klez.H@mm
Trojan Horse
IRC Trojan
JS.Exception.Exploit
W95.Hybris.worm
W32.HLLP.Handy
W95.Spaces.1445
W32.Bugbear@mm
Backdoor.IRC.Zcrew
W32.Sobig.A@mm



Removal Tools for malicious code are on our web site.

A list of Virus Hoaxes reported to Symantec.

A list of Joke Programs reported to Symantec.

Glossary for definitions of viruses, Trojans, worms and more.

CodeRed.F will probably be working its way through the Internet for a while as, unlike CodeRed II, it does not have a built-in self-termination date. This is bad news, because someone has to pay for the bandwidth it's using, engineers need to patch systems and it creates security systems management issues.

The sendmail vulnerability is fairly serious as it is obvious that many organizations use sendmail as their MTA (Message Transfer Agent). We can't stress enough how important it is to have a program in place to ensure all of your software programs are patched up to the latest level.

There are two IT Security related conferences running in May this year, one in the northern and one in the southern hemisphere. They are:

AusCERT Asia Pacific - Information Technology Security Conference 2003

May 11 - 15 2003 - Brisbane, Australia

EICAR - Annual Conference on IT Security:

May 10 - 13, 2003 - Copenhagen, Denmark

There are details of these events at the end of the newsletter.

Best Regards

David Banes.
Editor, Symantec Security Response Newsletter.

Useful Links

Microsoft Security Bulletin MS02-061
Elevation of Privilege in SQL Server Web Tasks (Q316333)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp

Viruses, Worms & Trojans

CodeRed.F

Aliases: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C, W32/CodeRed.a.worm [McAfee]
Risk: Medium [3]
Date: March 11th 2003
Platforms Affected
Microsoft IIS

Overview
As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild.

CodeRed.F differs from the original CodeRed II in only two bytes. CodeRed II will restart the system if the year is greater than 2001; this is no longer the case for this variant.

Symantec antivirus products detect CodeRed.F as CodeRed Worm if it is saved to a file. The worm also drops a Trojan, which is detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and remove this new variant.

Information on how to best leverage Symantec technologies to combat the CodeRed threat is available on the Symantec web site.

CodeRed.F scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 Web servers and uses a buffer overflow vulnerability to infect the remote computers. The worm injects itself directly into memory, rather than copying itself as a file on the system. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot. Trojan.VirtualRoot gives the hacker full remote access to the Web server.

If you are running the Microsoft IIS Server, we recommend that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-033.asp .

A cumulative patch for IIS, including the four patches released to date, is available at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp .

In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address this problem and stop the Trojan from re-infecting the computer: http://www.microsoft.com/technet/security/bulletin/MS00-052.asp .

References
http://www.sarc.com/avcenter/venc/data/codered.f.html


W32.HLLW.Oror.AI@mm

Aliases: W32.HLLW.Oror.AD@mm, W32/Roro.AD@mm [F-Prot], I-Worm.Roron.gen [KAV]
Risk: Low [2]
Date: March 14th 2003
Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.HLLW.Oror.AI@mm is a variant of the W32.HLLW.Oror@mm mass-mailing worm. This worm attempts to spread using email, mIRC, KaZaA, network shares, and mapped drives. The email attachment arrives with a .exe or .scr file extension. W32.HLLW.Oror.AI@mm also attempts to terminate and remove various security products from the infected computer.

This threat is written in the C++ language. Some of the files are compressed with UPX.

References
http://www.sarc.com/avcenter/venc/data/w32.hllw.oror.ai@mm.html

Credit
Jari Kytojoki, Symantec Security Response EMEA

Security Advisories

Sendmail Header Processing Buffer Overflow Vulnerability
Risk: High
Date: 3rd March 2003
Components Affected
Many; listed here: http://www.sarc.com/avcenter/security/Content/3.3.2003.html

Description
Sendmail is a widely used MTA for Unix and Microsoft Windows systems.

A remotely exploitable vulnerability has been discovered in Sendmail. The vulnerability is due to a buffer overflow condition in the SMTP header parsing component. Remote attackers may exploit this vulnerability by connecting to target SMTP servers and transmitting malformed SMTP data to them.

The overflow condition occurs when Sendmail processes incoming e-mail messages with multiple addresses in a field such as "From:" or "CC:". One of the checks to ensure that the addresses are valid is flawed, resulting in a buffer overflow condition. Successful attackers may exploit this vulnerability to gain root privileges on affected servers remotely.

Versions 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or apply available patches to prior versions of the 8.x tree.
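The flaw described above is a bounds check on header fields that carry several addresses. The Python filter below, added here as an example and not taken from the advisory or from Sendmail, shows that check done defensively in front of an MTA: each From:/To:/Cc: field is measured before it is parsed, then split into individual addresses with the standard library, and the message is rejected if a field is overlong or carries more addresses than allowed. The limits, the header list and the sample messages are constructed assumptions, not values from Sendmail.

```python
"""Bounds-check multi-address mail headers before a message reaches the MTA.

Added example, not code from the Symantec advisory or from Sendmail.
Limits and sample messages are constructed assumptions.
"""
from email import message_from_string
from email.utils import getaddresses
from typing import List, Tuple

ADDRESS_HEADERS = ("From", "To", "Cc")
MAX_FIELD_LEN = 256   # assumed: longest acceptable address field, folding removed
MAX_ADDRESSES = 20    # assumed: most addresses acceptable in one field


def check_address_headers(raw_message: str,
                          max_len: int = MAX_FIELD_LEN,
                          max_addrs: int = MAX_ADDRESSES) -> List[Tuple[str, str]]:
    """Return (header, reason) pairs for every violation; an empty list means accept."""
    msg = message_from_string(raw_message)
    problems: List[Tuple[str, str]] = []
    for name in ADDRESS_HEADERS:
        for value in msg.get_all(name, []):
            # Join folded continuation lines so the length reflects the whole field.
            unfolded = " ".join(str(value).split())
            if len(unfolded) > max_len:
                # Size is checked before parsing, so the parser never sees oversized input.
                problems.append((name, f"field length {len(unfolded)} exceeds {max_len}"))
                continue
            addrs = getaddresses([unfolded])
            if len(addrs) > max_addrs:
                problems.append((name, f"{len(addrs)} addresses exceed limit {max_addrs}"))
            for _display, addr in addrs:
                if "@" not in addr:
                    problems.append((name, f"malformed address {addr!r}"))
    return problems


def build_message(address_count: int, local_part: str = "user",
                  domain: str = "example.com") -> str:
    """Constructed test message whose From: field carries address_count addresses."""
    addrs = ", ".join(f"{local_part}{i}@{domain}" for i in range(address_count))
    return (f"From: {addrs}\r\n"
            "To: bob@example.com\r\n"
            "Subject: test\r\n"
            "\r\n"
            "body\r\n")


if __name__ == "__main__":
    print(check_address_headers(build_message(1)))                                  # accepted
    print(check_address_headers(build_message(25, local_part="u", domain="x.io")))  # too many addresses
    print(check_address_headers(build_message(100)))                                # field too long
```

The order of the two checks is the point: the length test runs on the raw field before any address parsing, so an oversized field is rejected without ever exercising the parser.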
 
References
http://www.sarc.com/avcenter/security/Content/3.3.2003.html
Credits
Discovered by Mark Dowd of ISS X-Force.
 

Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability
Risk: High
Date: 17th March 2003
Components Affected
IIS 5.0 on Microsoft Windows 2000

Description
Microsoft has released Security Bulletin MS03-007, outlining a previously unreported vulnerability in the Microsoft Windows 2000 IIS WebDAV component. The vulnerability is a buffer overflow condition, which requires Microsoft IIS to be enabled in order to be exploitable.

WebDAV (World Wide Web Distributed Authoring and Versioning) is implemented by IIS, if installed, in the Microsoft Windows 2000 operating system. IIS is installed by default on Windows 2000 Server and Advanced Server, but is not installed by default on Windows 2000 Professional.

The WebDAV protocol is documented in RFC 2518 (ftp://ftp.rfc-editor.org/in-notes/rfc2518.txt) and provides a standard for Web-based editing and file management. A buffer overflow vulnerability is present in a Microsoft Windows 2000 component used by WebDAV, because WebDAV does not perform sufficient bounds checking on data passed to that component.

When unusually long data is supplied to the vulnerable WebDAV component, it is in turn passed to the ntdll.dll system component. WebDAV fails to perform sufficient bounds checking on this data, allowing a buffer to be overrun. This could result in the execution of arbitrary code in the context of the IIS service, which is LocalSystem by default.
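Both IIS items in this issue, the CodeRed.F worm (an overflow in IIS 4.0 and 5.0) and the WebDAV overflow just described, share one observable from the server's side: unusually long request data. The Python script below, added here as an example and not code from Symantec or Microsoft, scans IIS W3C extended log lines and flags every request whose target (URI stem plus query string) exceeds a length threshold, noting whether the method is a WebDAV method. The sample log lines, the threshold and the method list are constructed assumptions. A request that crashes the server process before the record is written will not appear in the log, so this is a triage aid for spotting attempts, not proof that a server is clean.

```python
"""Flag unusually long request targets in IIS W3C extended log lines.

Added example, not code from the Symantec newsletter or from Microsoft.
The sample log lines, the length threshold and the WebDAV method list are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# WebDAV methods from RFC 2518, plus SEARCH, which IIS 5.0 also serves.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Assumed threshold: legitimate request targets on this server are far shorter.
MAX_TARGET_LEN = 1024


@dataclass
class Finding:
    client: str       # c-ip
    method: str       # cs-method
    target_len: int   # len(cs-uri-stem) + len(cs-uri-query)
    webdav: bool      # True when the method is a WebDAV method


def parse_fields(directive: str) -> List[str]:
    """Turn '#Fields: date time c-ip ...' into a list of column names."""
    return directive.split(":", 1)[1].split()


def scan_iis_log(lines: Iterable[str], max_len: int = MAX_TARGET_LEN) -> List[Finding]:
    """Return one Finding per record whose request target exceeds max_len."""
    fields: Optional[List[str]] = None
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = parse_fields(line)   # the column layout can change mid-file
            continue
        if line.startswith("#") or fields is None:
            continue                      # other directives, or no layout seen yet
        parts = line.split()
        if len(parts) != len(fields):
            continue                      # malformed record: skip rather than guess
        rec = dict(zip(fields, parts))
        stem = rec.get("cs-uri-stem", "-")
        query = rec.get("cs-uri-query", "-")
        target_len = len(stem) + (0 if query == "-" else len(query))
        if target_len > max_len:
            method = rec.get("cs-method", "-")
            findings.append(Finding(rec.get("c-ip", "-"), method, target_len,
                                    method in WEBDAV_METHODS))
    return findings


# Constructed sample log (not real traffic); two records carry overlong targets.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-03-17 10:01:02 192.0.2.10 GET /default.htm - 200",
    "2003-03-17 10:01:05 192.0.2.20 PROPFIND /" + "A" * 2000 + " - 500",
    "2003-03-17 10:01:09 192.0.2.30 SEARCH / - 207",
    "2003-03-17 10:02:10 192.0.2.40 GET /scripts/x.dll " + "X" * 1500 + " 404",
]


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        kind = "WebDAV" if f.webdav else "HTTP"
        print(f"{f.client} {kind} {f.method} target length {f.target_len}")
```

Run against a real log directory, the WebDAV flag separates records relevant to MS03-007 from other overlong requests, and the per-client view shows which sources are probing; the `#Fields:` handling matters because IIS writes that directive whenever the logged columns change.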
 
Recommendations

Administrators are highly encouraged to apply the vendor-supplied fixes provided below. Patches may be installed on Windows 2000 systems running either Service Pack 2 or Service Pack 3.

All versions of Windows 2000 except Japanese NEC - Patch
http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en

Windows 2000 Japanese NEC version - Patch
http://microsoft.com/downloads/details.aspx?FamilyId=FBCF9847-D3D6-4493-8DCF-9BA29263C49F&displaylang=ja

References
http://www.microsoft.com/
Credits
Microsoft
 

Security News

EICAR - Annual Conference on IT Security:
May 10 - 13, 2003 - Copenhagen, Denmark

The 12th annual EICAR conference promises again to be an exciting event welcoming vendors, researchers and users from business, government and universities to discuss new developments in:

- Pervasive computing
- Forensics
- Intrusion detection
- Cybercrime, privacy and security
- Anti-virus and malware
- IT law

More information can be found here:

http://conference.EICAR.org

Take advantage of the online registration at:

http://conference.eicar.org/frame/registration/other/registration.html

There are Student Awards for best research proposal, paper, etc. and the Graduate workshop promises a lot of excitement:

http://conference.eicar.org/frame/students/students.html

As well as these events, a professional clinic allows attendees to acquire new or freshen their IT Security skills.

AusCERT Asia Pacific - Information Technology Security Conference 2003

May 11 - 15 2003 - Brisbane, Australia

An international conference focussing on IT security for CFOs, CIOs, CTOs and technical staff from government agencies, universities and industry.

At AusCERT 2003, you will learn from world class experts about the latest strategies to make your information systems secure and how to address computer security breaches:

  • Discover the key security issues your organization should be addressing.
  • Understand the strategic and tactical implications of IT security for your organization.
  • Get up-to-date on the latest threats and mitigation strategies.
  • Understand computer security threats and trends.

This is an IT security conference with a difference: it includes business and technical streams and a day and a half of tutorials. World class IT security speakers will be present from Asia, Australia, Europe and the USA.

Over 400 delegates attended AusCERT2002. On their feedback form, 90% of respondents said the content was excellent or very good. Delegates said this was the best IT Security conference they had ever been to!

(Please quote reference AU2003 if enquiring about this conference via this publication)

 
 

Contacts and Subscriptions:
Follow this link to subscribe or unsubscribe
http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html

Send virus samples to: avsubmit@symantec.com

Symantec, the Symantec logo, [registered trademarks in alphabetical order] are U.S. registered trademarks of Symantec Corporation. [Common law trademarks in alphabetical order] are trademarks of Symantec Corporation.

Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s). 

Copyright © 2003 Symantec Corporation. All rights reserved. Printed in Australia. March 2003.