Symantec Security Response

ISSN 1444-9994

May 2002 Newsletter


These are the most common Viruses, Trojans, Worms and Exploits reported to Symantec Security Response during the last month.



Country Spotlight: Germany

W32.Klez.gen@mm
JS.Exception.Exploit
Trojan Horse
W32.Klez.H@mm
W32.Klez.E@mm
W32.DSS.Trojan
W95.Hybris.worm
Backdoor.Trojan
W32.Badtrans.B@mm
W95.MTX



Top Global Threats
W32.Klez.gen@mm
W32.Klez.H@mm
W32.Klez.E@mm
JS.Exception.Exploit
Trojan Horse
W95.Hybris.worm
W32.Magistr.39921@mm
Backdoor.Trojan
Backdoor.Autoupder
W32.Badtrans.B@mm

Asia Pacific
W32.Klez.gen@mm
JS.Exception.Exploit
W32.Klez.H@mm
W32.Klez.E@mm
Backdoor.Trojan
W95.Hybris.worm
Trojan Horse
W32.Magistr.39921@mm
IFrame.Exploit
W32.Nimda.enc

Europe, Middle East & Africa
W32.Klez.gen@mm
W32.Klez.E@mm
W32.Klez.H@mm
JS.Exception.Exploit
Trojan Horse
W95.Hybris.worm
W32.Badtrans.B@mm
W32.Magistr.39921@mm
Backdoor.Trojan
W32.Sircam.Worm@mm

Japan
W32.Klez.gen@mm
W32.Klez.E@mm
W32.Klez.H@mm
IFrame.Exploit
JS.Exception.Exploit
W95.Hybris.worm
W32.Badtrans.B@mm
W32.Badtrans@mm.enc
W32.Nimda.enc
Backdoor.Trojan

The Americas
W32.Klez.gen@mm
W32.Klez.H@mm
JS.Exception.Exploit
W32.Klez.E@mm
W95.Hybris.worm
Trojan Horse
Backdoor.Autoupder
W32.Magistr.39921@mm
Backdoor.Trojan
VBS.LoveLetter.AS






It appears that everyone has received Klez infected email during the last few weeks. Many of us who know how Klez works would have spent a while explaining why we are not infected. Because of the way Klez spoofs (impersonates) the sender by modifying the From: address of email, the average user is led to believe that their best friends and work colleagues are sending them infected emails.

Klez has however spread very widely and here at Symantec we are still seeing a large number of reports from customers, mainly of Klez.H. Interestingly we are still discovering new 'features' in Elkern, the virus that Klez drops, some of which make it very difficult to clean up. It does appear however that we have passed the peak and Klez is now fading into the background noise of other malicious code running around the net.

Anti-virus researchers, security engineers and savvy corporate support staff will have come across piggy back or multiple infections many times in the past but this is a topic we don't often cover and needs some clarification. Often a program file (.exe, .dll etc) will become infected with a virus. If the virus is well written and the file is still functional it will appear to the Operating System and any other process as a normal executable file.

Now imagine that another file infector finds its way onto the infected PC and starts infecting your programs. It's easy to see how we may end up with a program file, for example notepad.exe, infected with W32.Klez and then re-infected with this second virus. This is exactly what we are seeing now: a new CIH variant, W95.CIH.1049, infecting files that are already infected with Klez. This is not a new scenario; Magistr and Funlove spring to mind (Peter Ferrie's mind, that is :) and Trojans (BackOrifice) infected with CIH.

One other interesting comparison we made was to look at the number of submissions of Love Letter and Melissa, we had to double check, as they appeared very low compared to Sircam, Badtrans and Klez. I think this tells us that we are all (the anti-virus industry) getting much better at handling high volume virus and worm breakouts through a combination of experience and systems automation.

Think about this: LoveLetter and Melissa would probably rate as level threes now, and then only for a short period of time. As the net grows, bandwidth utilization and speed increase, and the level of malicious code and the rate of infection increase, but the security vendors' products and support services do keep pace. We will never have a 'clean' internet. If we can relegate the levels of malicious code and network intrusions to mere background noise and create an environment where businesses can operate safely and securely, then we have done our job.

David Banes.
Editor, securitynews@symantec.com
Viruses, Worms & Trojans
W32.Klez

Moderate Threat [3]

Win32

Global infection breakdown by geographic region (% of total reports):

America (North & South): 39.5%
EMEA (Europe, Middle East, Africa): 46.5%
Japan: 5.7%
Asia Pacific: 8.6%

[Chart: percentage of reports per day, 8 Mar to 17 Mar; the only value label preserved from the chart is 25.2%]

W32.Klez.gen@mm is a mass-mailing worm that searches the Windows address book for email addresses and sends messages to all recipients that it finds. The worm uses its own SMTP engine to send the messages.

The subject and attachment name of incoming emails is randomly chosen. The attachment will have one of the following extensions: .bat, .exe, .pif or .scr.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

W32.Klez.gen@mm attempts to copy itself to all network shared drives that it finds.

Depending on which variant of the worm, the worm will drop one of the following viruses:

W32.Elkern.3326
W32.Elkern.3587
W32.Elkern.4926

which will then infect the system.

Email spoofing
Some variants of this worm use a technique known as "spoofing." If it does this, it chooses at random an address that it finds on an infected computer as the "From:" address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else.

For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything, as would be expected, because his computer is not infected.

If you are using a current version of Norton AntiVirus, have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.
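The two traits described above, the randomly named attachment with a .bat, .exe, .pif or .scr extension and the From: line that names whoever the worm found in someone else's address book, are what a mail gateway can act on. The following is an added example, not Symantec code: it parses a constructed message (the names and the base64 payload are placeholders, not a worm sample) and flags attachments by extension, and additionally flags an attachment declared with a media Content-Type but named as an executable, the MIME header mismatch that the MS01-020 advisory linked above addresses. The From: header is deliberately not used as evidence, for the reason the section gives.

```python
import email
import os
from email import policy

# Attachment extensions the worm is reported to use.
DANGEROUS_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}

# Constructed sample message (not a real worm sample). The From: address is
# simply an address harvested from an infected machine, so it proves nothing
# about the true sender. The attachment is declared as audio/x-wav but named
# setup.exe; the base64 body is a dummy placeholder.
SAMPLE_MESSAGE = b"""From: harold.logan@example.invalid
To: janet.bishop@example.invalid
Subject: a funny website
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

see attached
--BOUND
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="setup.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--BOUND--
"""


def attachment_findings(raw: bytes):
    """Return a list of (filename, declared content type, reasons) for every
    attachment that matches one of the worm's traits. An empty list means no
    attachment-based reason to quarantine the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        reasons = []
        if ext in DANGEROUS_EXTENSIONS:
            reasons.append(f"executable attachment extension {ext}")
        # A media type on an executable file name is the MS01-020 header
        # mismatch: the client may treat the part as a harmless media file.
        if ctype.startswith("audio/") and ext in DANGEROUS_EXTENSIONS:
            reasons.append(f"declared {ctype} but named as an executable")
        if reasons:
            findings.append((name, ctype, reasons))
    return findings


def is_suspect(raw: bytes) -> bool:
    """Gateway decision: quarantine when any attachment finding exists."""
    return bool(attachment_findings(raw))


if __name__ == "__main__":
    for name, ctype, reasons in attachment_findings(SAMPLE_MESSAGE):
        print(f"{name} ({ctype}): " + "; ".join(reasons))
```

Because the worm chooses the From: address at random from the infected machine, a finding here identifies a message to quarantine, not a person to contact; the infected machine is the one that actually relayed the message, which only the Received: headers added by your own mail servers can point to.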
W95.CIH.1049

Low Threat [2]

Win95


CIH is a virus that infects 32-bit Windows 95/98/NT executable files, but it can function only under Windows 95/98/Me. It does not function under Windows NT/2000/XP. When an infected program is run under Windows 95/98/Me, the virus becomes resident in memory.

Although Windows NT system files can be infected, the virus cannot become resident or infect files on a computer running Windows NT/2000/XP. The virus does not function under DOS, Windows 3.1, or on Macintosh computers. Once the virus is resident, the CIH virus infects other files when they are accessed.

Files infected by CIH may have the same size as the original files because of CIH's unique mode of infection. The virus searches for empty, unused spaces in the file. Next it breaks itself up into smaller pieces and inserts its code into these unused spaces. When Norton AntiVirus repairs a file that is infected by CIH, it looks for these small viral pieces and removes them from the file.
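The "unused spaces" the paragraph refers to are, in a PE file, mainly the zero padding between the end of a section's real content (VirtualSize) and the end of its file-aligned storage (SizeOfRawData). The following added example, not Symantec code and not a CIH signature, implements the locating step of the repair described above as a heuristic: it reads the PE section table and reports sections whose padding contains code or data instead of zeros. The single-section image it builds is constructed for the demonstration; on a real file some linkers and debuggers legitimately leave non-zero bytes in this area, so a hit is a reason to scan the file with proper definitions, not a verdict.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER layout
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40 bytes


def parse_sections(image: bytes):
    """Decode the PE section table, keeping only the fields the check needs."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        (name, vsize, _vaddr, rawsize, rawptr,
         _r, _l, _nr, _nl, chars) = struct.unpack_from(SECTION_FMT, image, table + i * SECTION_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "raw_ptr": rawptr, "characteristics": chars})
    return sections


def slack_regions(image: bytes):
    """Yield (name, file offset, length) of each section's on-disk slack: the
    bytes after VirtualSize up to SizeOfRawData, which a linker pads with zeros
    and which a cavity infector can fill without changing the file size."""
    for s in parse_sections(image):
        used = min(s["virtual_size"], s["raw_size"])
        start = s["raw_ptr"] + used
        length = s["raw_size"] - used
        if length > 0:
            yield s["name"], start, length


def suspicious_slack(image: bytes, min_nonzero: int = 16):
    """Return (name, offset, non-zero byte count) for sections whose slack holds
    at least min_nonzero non-zero bytes."""
    hits = []
    for name, start, length in slack_regions(image):
        chunk = image[start:start + length]
        nonzero = len(chunk) - chunk.count(0)
        if nonzero >= min_nonzero:
            hits.append((name, start, nonzero))
    return hits


def build_image(text_code: bytes, raw_size: int = 0x200, slack_fill: bytes = b"") -> bytes:
    """Construct a minimal single-section PE image for the demonstration (not a
    real program). .text has VirtualSize len(text_code) and SizeOfRawData
    raw_size; slack_fill is written into the padding, as a cavity infector would."""
    raw_ptr = 0x200                                   # first file-alignment boundary
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)          # PE32 magic, rest zero
    sec = struct.pack(SECTION_FMT, b".text", len(text_code), 0x1000,
                      raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec
    headers += b"\0" * (raw_ptr - len(headers))
    padding = raw_size - len(text_code)
    if len(slack_fill) > padding:
        raise ValueError("slack_fill does not fit in the padding")
    body = text_code + slack_fill + b"\0" * (padding - len(slack_fill))
    return headers + body


if __name__ == "__main__":
    clean = build_image(b"\x90" * 100)
    cavity = build_image(b"\x90" * 100, slack_fill=b"\xeb\xfe" * 20)
    print("clean:", suspicious_slack(clean))
    print("cavity:", suspicious_slack(cavity))
```

The repair step that follows in a real product, recognising the pieces as belonging to a known virus and zeroing them, needs a signature; this check only narrows down where to look, and it explains why an infected file can keep its original size.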

Payload
The payload for W95.CIH.1049 executes on August 2nd.

The first payload overwrites the hard disk with random data, starting at the beginning of the disk (sector 0). The overwriting of the sectors does not stop until the system has crashed. As a result, the computer will not boot from the hard disk or a floppy disk. Also, the data that has been overwritten on the hard disk will be very difficult or impossible to recover. You must restore the data from backups.

The second payload tries to cause permanent damage to the computer. This payload attacks the Flash BIOS (a part of your computer that initializes and manages the relationships and data flow between the system devices, including the hard drive, serial and parallel ports, and the keyboard) and tries to corrupt the data that is stored there. As a result, nothing may be displayed when you start the computer. To fix this requires the services of a computer technician.

W95.CIH.1049 has been known to infect the worm W32.Klez.gen@mm.

http://securityresponse.symantec.com/avcenter/venc/data/w95.cih.1049.html

Douglas Knowles
Symantec Security Response, USA
Security Advisories
Sun Solaris admintool buffer overflow in PRODVERS argument allows root access

High Risk [4]

Various


The Sun Solaris admintool is vulnerable to a buffer overflow that allows a local attacker to gain root privileges.

Using the Sun Solaris admintool, system administrators add users, create and manage user accounts, as well as view, add, and remove software packages.

The admintool vulnerability results from insufficient bounds checking of the PRODVERS argument in a .cdtoc file, which specifies variables for software distribution media. To exploit the vulnerability, a local attacker can specify a directory that contains a .cdtoc file through the admintool add or modify software feature. If this .cdtoc file includes a specially crafted string for the PRODVERS argument, a crash may result or the attacker may gain root privileges.

Although this admintool vulnerability was originally detected in 2000, it has only been publicized recently.

Platforms Affected
Sun Microsystems Solaris 2.5, 2.6, 7, and 8 SPARC and x86

Recommendations
Sun Solaris admintool buffer overflow patches
Sun Solaris admintool buffer overflow - workaround

As a temporary solution to the buffer overflow vulnerabilities associated with the admintool -d command line option as well as the PRODVERS argument in the .cdtoc file, system administrators should remove the setuid permissions with the following:

As root: chmod -s /usr/bin/admintool

See the following document for more complete information:
http://securityresponse.symantec.com/avcenter/security/Content/1920.html
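The workaround above removes the set-user-ID bit so that the overflow, if triggered, runs with the caller's own privileges rather than root's. The following added example (not Symantec's or Sun's code) does the equivalent of chmod -s from Python and adds the audit an administrator would pair with it: listing every set-ID file under a directory so the change can be verified and other set-ID binaries reviewed. The file it operates on is a throwaway file standing in for /usr/bin/admintool; the real fix remains the Sun patches referenced above.

```python
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def setid_bits(path: str) -> int:
    """Return the set-user-ID / set-group-ID bits on path (0 if neither is set)."""
    return os.stat(path).st_mode & SETID_BITS


def strip_setid(path: str) -> int:
    """Equivalent of `chmod -s path`: clear both set-ID bits and leave every
    other permission bit untouched. Returns the remaining set-ID bits (0)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~SETID_BITS)
    return setid_bits(path)


def find_setid_files(root: str):
    """Walk root and return regular files carrying a set-ID bit, the same set
    `find root -type f ( -perm -4000 -o -perm -2000 )` reports. Symlinks are
    not followed, so a link to a set-ID binary elsewhere is not counted twice."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue   # vanished or unreadable entry; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed demonstration: a temporary 'admintool' with mode 4755, the
    audit before and after the workaround, and the final mode bits."""
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "admintool")
        with open(tool, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(tool, 0o4755)          # set-user-ID root-style binary
        before = find_setid_files(d)
        strip_setid(tool)               # the workaround
        after = find_setid_files(d)
        return len(before), len(after), stat.S_IMODE(os.stat(tool).st_mode)


if __name__ == "__main__":
    print(demo())   # (1, 0, 0o755): one set-ID file before, none after, mode 755
```

On a production host the audit would be run against the real filesystem (for example /usr) and the resulting list compared with the set of binaries the vendor ships set-ID, so that removing the bit from admintool does not leave other local-root exposures unreviewed.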
----
References
Source: eSecurity Online
URL: http://www.esecurityonline.com/advisories/eSO2397.asp

Source: CAN-2002-0089
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0089

Source: Security Focus.com
URL: http://www.securityfocus.com/bid/4624


Various Buffer Overflows and vulnerabilities.

Various

Various


wu-ftpd format string debug set allows remote command execution
NetRecon can discover versions of wu-ftp running on network resources, which allow unauthorized users to create and run unauthorized commands on those resources.

Sendmail mail.local allows unauthorized LMTP commands to be executed
NetRecon can discover a Sendmail service that could allow unauthorized execution of LMTP (local mail transfer protocol) commands. This vulnerability is the result of a problem with mail.local, a program included with Sendmail, which was intended as a delivery agent for local mail using LMTP. In LMTP mode, mail.local checks user input for an end of message indicator. Should an unauthorized user synthesize a false end of message indicator, mail.local would treat any text after the synthesized indicator as LMTP commands.


OpenSSH UseLogin directive can allow remote access as root
NetRecon can discover any network resource with an OpenSSH server vulnerability that allows an intruder to execute arbitrary code. If an intruder can authenticate to the system using public key authentication, and the UseLogin directive is enabled, the intruder can set environment variables that are used by login. Anyone exploiting this vulnerability can execute commands with the privileges of OpenSSH, which is usually root. UseLogin is not enabled by default; however, it is a common configuration.


Lotus Domino Password Bypass
Vulnerabilities exist in Lotus Domino Server allowing malicious users to bypass administrative authentication resulting in complete administrative control of the server. Lotus Domino Server versions 5.0.9 and prior are vulnerable.
http://online.securityfocus.com/bid/4022


mIRC Nickname Buffer Overflow
Khaled Mardam-Bay mIRC, a popular Internet Relay Chat client, conducts improper bounds checking of nicknames sent by the server. A malicious user can exploit this unchecked buffer with a long nickname and overwrite stack variables ultimately allowing the user to gain control of the host computer running the client software. This bug is corrected in version 6.0.
http://online.securityfocus.com/bid/4027


Quicktime Content Type Overflow
Vulnerabilities exist in Apple QuickTime Player 5.01 and 5.02 for Windows. When an HTTP response containing a long "Content-Type" is received from a malicious web server, a local buffer is overwritten and then executed on the client host. If exploited, this vulnerability allows a web server to execute malicious code on the client computer.
http://online.securityfocus.com/bid/4064


SNMP Community Name Root Access
Vulnerabilities exist in many vendors' implementations of Simple Network Management Protocol, Version 1. If exploited, this vulnerability could lead to a denial of service for managed network devices using SNMP, or in extreme cases, administrator-level remote access by unauthorized users. This signature identifies an exploit that includes malicious shell code that is designed to permit the malicious user to gain privileged remote access to the system under attack.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013


SNMP Set Sysname Overflow
Vulnerabilities exist in many vendors' implementations of Simple Network Management Protocol, Version 1. The system name of the managed device may be overflowed, as the protocol does improper bounds checking on the sysname buffer to limit the number of characters it will accept. If exploited, this vulnerability could lead to a denial of service for managed network devices using SNMP. In extreme cases, this vulnerability may lead to unauthorized users gaining administrator-level remote access.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013
Enterprise Security News Clips

Visit the Symantec Enterprise Security Web Site - http://enterprisesecurity.symantec.com/


Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
Security News
Striking Similarities

Win32.Simile is the latest 'product' of the developments in metamorphic virus code. The virus was released in the most recent 29A #6 issue in early March 2002. It was written by the virus writer who calls himself 'The Mental Driller'. Some of his previous viruses, such as Win95/Drill (which used the Tuareg polymorphic engine), have proved very challenging to detect.

Win32/Simile moves yet another step up the scale of complexity. The source code of the virus is approximately 14,000 lines of assembly code. About 90% of the virus code is taken up by the metamorphic engine itself, which is extremely powerful.

The virus was named 'MetaPHOR' by its author, which stands for 'Metamorphic Permutating High-Obfuscating Reassembler'.

The first generation virus code is about 32KB and there are three known variants of the virus in circulation. Samples of the original variant which was released in the 29A issue have been received by certain AV companies from some major corporations in Spain, indicating a minor outbreak.

Win32/Simile is highly obfuscated and challenging to understand. The virus attacks disassembling, debugging and emulation techniques, as well as standard evaluation-based techniques for virus analysis. As with many other complex viruses, Simile uses EPO techniques.

The full article is posted on the Symantec Security Response web site at:
http://securityresponse.symantec.com/avcenter/reference/simile.pdf

Frédéric Perriot and Péter Ször, Symantec Security Response, USA
Peter Ferrie, Symantec Security Response, APAC

Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.