Symantec Security Response

ISSN 1444-9994

November 2001 Newsletter

These are the most common Viruses, Trojans and Worms reported to Symantec Security Response during the last month.

Top Global Threats

JS.Exception.Exploit
W95.Hybris.worm
W32.Sircam.Worm@mm
W32.Magistr.39921@mm
VBS.Haptime.A@mm
Backdoor.Trojan
W32.Nimda.A@mm
W32.Magistr.24876@mm
PWSteal.Trojan
W32.Annoying.Worm


Asia Pacific
JS.Exception.Exploit
W95.Hybris.worm
W32.Sircam.Worm@mm
W32.Magistr.39921@mm
VBS.Haptime.A@mm
W32.Nimda.A@mm
PWSteal.Trojan
W95.MTX
W32.Annoying.Worm
W32.Magistr.24876@mm


Europe, Middle East & Africa

JS.Exception.Exploit
W95.Hybris
W32.Sircam.Worm@mm
W32.Magistr.39921@mm
VBS.Haptime.A@mm
PWSteal.Trojan
Backdoor.Trojan
W32.Magistr.24876@mm
W32.Nimda.A@mm
W95.MTX


Japan
W95.Hybris
JS.Exception.Exploit
W32.Sircam.Worm@mm
W32.Nimda.A@mm
W95.MTX
W32.HLLW.Bymer
W32.Magistr.39921@mm
W32.Magistr.24876@mm
PWSteal.Trojan
VBS.Haptime.A@mm


The Americas
W95.Hybris
JS.Exception.Exploit
W32.Sircam.Worm@mm
W32.Magistr.39921@mm
Backdoor.Trojan
W32.Magistr.24876@mm
VBS.Haptime.A@mm
W32.Annoying.Worm
W32.HLLW.Hai
W32.Nimda.A@mm



Also on the Symantec Security Response web site:

Removal tools for malicious code
A list of virus hoaxes reported to Symantec
A list of joke programs reported to Symantec
A glossary with definitions of viruses, Trojans, worms and more






This month we return to the regular format newsletter covering threats for all platforms, although as usual they are mostly Windows threats. W32.Nimda is covered in detail as this worm appeared after we posted last month's newsletter and is still on a high threat rating. W32.Klez has a payload that 'empties' files by setting their size to zero bytes, and we are seeing an increase in the number of reports of Klez in the US and EMEA.

We have a great article on firewalls from Andy Norton, a Symantec Senior Regional Product Manager, and finally a reminder that AVAR (Association of anti-Virus Asia Researchers) holds its anti-virus conference on 4th-5th December in Hong Kong. There are speakers from many well-known anti-virus vendors as well as the private and government sectors. Details are available on the AVAR web site at http://www.aavar.org/. As a Vice President of AVAR I'll be there, and welcome the opportunity to have a chat about current and emerging IT threats with you.

David Banes.
Editor,
securitynews@symantec.com
 
Viruses, Worms & Trojans
W32.Nimda.A

High [4]

Win32

W32.Nimda.A@mm is a mass-mailing worm that uses several methods to spread. The name comes from "admin" spelled backwards. The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already compromised Microsoft IIS web servers, and also acts as a file-infecting virus, infecting both local files and files on remote network shares.

Against IIS, the worm uses the Unicode Web Traversal exploit. A patch for computers running Windows NT 4.0 Service Pack 5 or 6a, or Windows 2000 Gold or Service Pack 1, together with information about this exploit, can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
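The Unicode Web Traversal bug is a canonicalisation-order failure: IIS tested the request for '..' traversal before it decoded the overlong UTF-8 encodings %c0%af ('/') and %c1%9c ('\'), so a segment such as '..%c0%af..' passed the check and only became '../..' afterwards. The following added example (not Symantec's or Microsoft's code) shows why a detector, or a server, must decode first and check second. The W3C-style log lines, the IP addresses and the field layout are constructed for illustration.

```python
"""Canonicalise request paths before checking for directory traversal.

Added example, not Symantec's code.  The MS00-078 weakness Nimda exploits
is a canonicalisation-order failure: IIS checked the request for '..'
traversal before it decoded the overlong UTF-8 sequences %c0%af ('/') and
%c1%9c ('\\'), so '..%c0%af..' walked out of the web root after the check
had already passed.  The log lines below are constructed, not real traffic.
"""
from urllib.parse import unquote_to_bytes


def decode_utf8_permissive(data):
    """Turn bytes into text, accepting the overlong two-byte UTF-8 forms
    (0xC0/0xC1 lead byte) that a strict decoder rightly rejects, and
    mapping them to the ASCII character they encode."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            # ASCII passes through; any other byte cannot become a path
            # separator, so a placeholder is enough for this check.
            out.append(chr(b) if b < 0x80 else "?")
            i += 1
    return "".join(out)


def resolve(path):
    """Fold '\\' to '/', then apply '.' and '..' segment by segment.
    Returns (resolved path, True if '..' ever climbed above the root)."""
    parts, escaped = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True
        else:
            parts.append(seg)
    return "/" + "/".join(parts), escaped


def naive_escapes_root(raw_uri):
    """The check MS00-078 defeated: look at the segments as received,
    before any decoding.  '..%c0%af..' is one opaque segment here."""
    return resolve(raw_uri)[1]


def canonicalise(raw_uri):
    """Percent-decode and UTF-8-decode first, then resolve."""
    return resolve(decode_utf8_permissive(unquote_to_bytes(raw_uri)))


LOG_FIELDS = ("date", "time", "c-ip", "cs-method", "cs-uri-stem",
              "cs-uri-query", "sc-status")


def scan(log_lines):
    """One record per request whose decoded path leaves the web root,
    noting whether the pre-decoding check would also have caught it."""
    hits = []
    for line in log_lines:
        if not line or line.startswith("#"):
            continue
        fields = dict(zip(LOG_FIELDS, line.split()))
        stem = fields["cs-uri-stem"]
        resolved, escaped = canonicalise(stem)
        if escaped:
            hits.append({"ip": fields["c-ip"], "raw": stem, "resolved": resolved,
                         "caught_before_decoding": naive_escapes_root(stem)})
    return hits


# Constructed W3C extended log lines in the layout named by LOG_FIELDS.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:02:11 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:02:12 192.0.2.10 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:02:13 192.0.2.20 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:03:00 198.51.100.7 GET /index.html - 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run against the sample, the two overlong-encoded requests resolve to /winnt/system32/cmd.exe yet are invisible to the pre-decoding check, while the plain '../..' request is caught either way; that difference is exactly the gap the patch closes.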

When the worm arrives by email, it uses a MIME exploit that allows the attachment to execute merely when the message is read or previewed. Information and a patch for this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

If you visit a compromised web server, you are prompted to download an .eml (Outlook Express) email file that contains the worm as an attachment. Disabling "File Download" in the relevant Internet Explorer security zone blocks this vector.

The worm also creates open network shares on the infected computer, allowing access to the system, and enables the Guest account and adds it to the local Administrators group. Symantec Security Response has posted a tool to remove W32.Nimda.A@mm infections; it is available from the write-up linked below.

NOTE: Microsoft has released a cumulative roll-up for IIS 4.0 on NT 4.0 SP5 and later, as well as all security patches released to date for IIS 5.0. This can be found at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp. Microsoft has provided information regarding this worm at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/nimda.asp

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

Eric Chien
Symantec Security Response, EMEA
 
W32.Nimda.E

Medium [3]

Win32

W32.Nimda.E@mm is a new version of W32.Nimda.A@mm that contains bug fixes and other modifications designed to prevent antivirus programs from detecting this variant.

This worm is similar in functionality to W32.Nimda.A@mm. Differences include the modification of file names used by the worm.

The attachment received has been changed to: Sample.exe
The dropped .dll file is now: Httpodbc.dll
The worm now copies itself to the Windows folder as Csrss.exe instead of Mmc.exe

In addition, the author has introduced new bugs in the code. Specifically, the worm may reinfect files it has already infected, producing files that carry multiple infections. Such files can become corrupted and may need to be deleted instead of repaired.

NOTE: Norton AntiVirus already detects Infected HTML files as W32.Nimda.A@mm (html).

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.e@mm.html

Eric Chien
Symantec Security Response, EMEA
 
W32.Klez.A@mm and W32.Klez.D@mm

Low [2]

Win32

W32.Klez.A@mm is a mass-mailing email worm. It attempts to copy itself into folders on both local and network drives.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

The worm also drops the file-infecting virus W32.ElKern.3326, which can in turn infect the W32.Klez.A@mm worm file itself.

Every other month starting in January (January, March, May, and so on), if the date is the 13th, the payload executes. This causes files on local and mapped drives to become zero bytes in length.

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.a@mm.html

W32.Klez.D@mm is a modified variant of W32.Klez.A@mm. Most of the functionality remains the same. The virus that W32.Klez.A@mm carried, W32.Elkern.3326, is also carried and dropped on the system by this variant. The payload of the D variant is far more destructive than that of the A variant. After 5 hours there is almost a 100% chance that it will have been activated.

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.d@mm.html

Atli Gudmundsson, Eric Chien and Neal Hindocha (.D variant)
Symantec Security Response, EMEA
 
W32.Finaldo.B@mm

Low [2]

Win32

W32.Finaldo.B@mm is a simple Win32 polymorphic virus that infects Portable Executable (PE) files. It searches for files that have the extensions .scr, .ocx, or .exe, and it inserts itself at the end of the file.

It drops a file into the Windows temporary files folder named Finaldoom.exe or Finaldoom.dll. This file is compressed using the UPX compression utility.

This virus is written in C++. Because the virus is polymorphic, each infected file is different; the virus attempts to send such a file using MAPI, waiting 30 minutes before it does so. The file is encoded within a MIME email message that has an attachment named ".exe". The message uses the preview feature so that the executable runs when the email is viewed.
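Nimda, Klez and Finaldo all lean on the same MS01-020 weakness: Internet Explorer's MIME handling trusted the declared Content-Type (audio/x-wav and similar types it would open inline) and launched the part on preview, so an .exe shipped under an audio type ran without a prompt. The detection a mail gateway can apply is the mismatch between what a part claims to be and what it carries. The following added example (not Symantec's code, nor any product's scanner) parses a message with Python's standard email library and flags inline-typed parts whose payload begins with the MZ executable header or whose file name has an executable extension. The messages, file names and payload stubs are constructed for illustration.

```python
"""Flag mail whose MIME part is declared as an inline media type but
actually carries a Windows executable.

Added example, not Symantec's code.  The MS01-020 weakness that Nimda,
Klez and Finaldo rely on is that the client trusted the declared
Content-Type (audio/x-wav and similar) and opened the part on preview,
so a worm could ship an .exe under an audio type.  The messages built
below are constructed for illustration.
"""
import base64
import email
from email import policy

# Declared top-level types a browser-based mail client would render inline.
INLINE_MAJOR_TYPES = {"audio", "image", "text"}
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".dll")


def mismatched_attachments(raw_message):
    """Return one finding per leaf part whose declared type is inline but
    whose payload or file name says 'Windows executable'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()            # normalised to lower case
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""   # base64 undone here
        reasons = []
        if payload.startswith(b"MZ"):
            reasons.append("payload begins with the MZ executable header")
        if filename.endswith(EXEC_EXTENSIONS):
            reasons.append("file name has an executable extension")
        if reasons and ctype.split("/")[0] in INLINE_MAJOR_TYPES:
            findings.append({"content_type": ctype, "filename": filename,
                             "reasons": reasons})
    return findings


def build_message(ctype, name, payload):
    """Constructed two-part message in the shape the exploit mail used:
    an HTML body followed by a base64 part with the chosen Content-Type."""
    return (
        b"From: sender@example.com\nTo: recipient@example.com\nSubject: hi\n"
        b"MIME-Version: 1.0\n"
        b'Content-Type: multipart/alternative; boundary="BOUNDARY"\n\n'
        b'--BOUNDARY\nContent-Type: text/html; charset="us-ascii"\n\n'
        b"<html><body>see attachment</body></html>\n"
        b"--BOUNDARY\nContent-Type: " + ctype.encode() + b'; name="'
        + name.encode() + b'"\nContent-Transfer-Encoding: base64\n\n'
        + base64.encodebytes(payload)
        + b"--BOUNDARY--\n"
    )


# Constructed payload stubs: only the leading magic bytes matter here.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_WAV = b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 24

WORM_STYLE_MAIL = build_message("audio/x-wav", "sample.exe", FAKE_EXE)
BENIGN_MAIL = build_message("audio/x-wav", "hello.wav", FAKE_WAV)

if __name__ == "__main__":
    print(mismatched_attachments(WORM_STYLE_MAIL))
    print(mismatched_attachments(BENIGN_MAIL))
```

The check deliberately inspects the decoded payload rather than the declared type alone: a real WAV under audio/x-wav passes, while an MZ image under the same type is reported with both reasons.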

http://securityresponse.symantec.com/avcenter/venc/data/w32.finaldo.b@mm.html


Douglas Knowles
Symantec Security Response, USA
 
Security Advisories

Here is a list of new and updated buffer overflow and denial of service attacks, including attacks on various CGI programs. Symantec's NetProwler has been updated with these signatures.

 
Enterprise Security News Clips
VISIT THE SYMANTEC ENTERPRISE SECURITY WEB SITE
http://enterprisesecurity.symantec.com/

Recent Enterprise Security News headlines include:

Cyberterrorism Danger Lurking;
The Atlanta Journal and Constitution
http://enterprisesecurity.symantec.com/content.cfm?articleid=932

Thou Shalt Not Abuse Email;
The Guardian (London)
http://enterprisesecurity.symantec.com/content.cfm?articleid=931

CERT: DOS Attacks Possible Via Printer Networks;
Newsbytes
http://enterprisesecurity.symantec.com/content.cfm?articleid=936

Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
 
Vulnerability & Exploit News
The Failure of Firewalls    
Whenever the subject of Internet security arises, one word is sure to come up: 'firewall'. Just mentioning a firewall can make a computer network sound like a fortress, as if there were an impregnable barrier to every kind of threat. The truth is, most firewalls are not foolproof. In fact, firewalls need to be permeable so that organizations can conduct business, so how can organizations allow this access and still remain secure? It's a complex problem, but thankfully the solutions are relatively straightforward. There are four key points for organizations to consider:

1. Organizations mistakenly believe that firewalls protect them from ALL security threats; they do not. Ten years ago a firewall was the only risk-management tool available to many organizations, which created the inaccurate perception that firewalls are the answer to Internet-based security risks. Today's threats are more sophisticated and integrated, and fall outside what a firewall can address; technology has also moved on, making other forms of security a wise investment.

2. Often the firewall configuration does not reflect the business requirements of the organization. If little thought has gone into how the firewall should behave, rules may be added that allow unsafe services and traffic to pass through, creating unnecessary security risks for the organization.

3. Older, circuit-level firewalls lack the power to protect networks from some of the newer security threats. The primary function of a circuit-level firewall is to police the type of traffic travelling from one network to another and decide whether to pass or deny it based on the rules it has as a reference point. If a firewall were a traffic policeman, it would pull over and stop (deny) a car travelling above a certain speed or in the wrong direction. It won't, however, natively look for and stop (deny) a car filled with illegal weapons if the vehicle is obeying the speed limit and travelling in the right direction, because the car complies with the rules (i.e. it is allowed). Executives should look closely at their current security technologies in the light of the latest integrated threats, which pose more of an 'illegal weapons' style of threat that these older-style firewalls will not stop.

4. Many companies are so confident about their firewalls that they ignore other weak points within their network. This is a symptom of building security on trust: semi-trusted or trusted networks by definition have fewer or no security measures. Executives need to consider an element of accountability as well as trust when reviewing their security policies, in order to prevent an attack on their systems through a back-door exploit or social engineering. Unfortunately, new vulnerabilities in software applications and operating systems are discovered every day. New hacking techniques and integrated threats such as Nimda and Code Red evade not only a network's front door, the firewall, but also the back door, the window and the cat flap.

There are six common problems organizations face today when deploying firewalls:

a. They don't analyse enough data. Although firewalls mostly rely on circuit-level routing state information that comes over the network, it is far more effective to use an Application Proxy Firewall, which checks the actual payload contained within each packet of data. In the earlier car example, it looks inside the car to see whether it is carrying illegal weapons. Products that are built from the ground up as an Application Proxy Firewall have proven far more secure, faster, and easier to manage and integrate with a company's network.

b. They don't monitor the operating system closely enough. An effective firewall must keep a continuous, scheduled check on the operating system and any application software. This includes a mechanism to turn off services that are running on the machine and/or were started by an unauthorized person. Most operating systems have a variety of protocol ports open that are not necessarily needed for communication from a firewall perspective; these in turn should also be disabled by this mechanism.

c. They don't enable remote management. Any security manager with more than a handful of firewalls installed in remote offices knows that centralized management is almost essential. This is an important shift in the current generation of firewall technology, giving administrators a bird's-eye view of outlying security barriers.

d. They don't scale smoothly. Because older firewalls were often developed for smaller networks, they may not be appropriate for complex systems. It is vital that the firewall infrastructure scales well, allowing remote offices to use smaller firewall appliances while head office uses a large server, all integrated together and managed from a single console.

e. Some are simply too slow. The addition of greater processing power in the latest firewalls makes a big contribution to security. This is partly because Application Proxy Firewall technology requires more processing power, and also because security is more thorough when firewalls use 'best fit' rules to evaluate data packets rather than the older approach of 'first fit' rules, which may not be as accurate or secure.

f. They don't integrate with other security technologies. Advanced application gateways such as Symantec Enterprise Firewall offer the ability to integrate content management, strong authentication, command filtering, application payload defences, intrusion detection, mail scanning, virus protection, active content scanning, vulnerability management and virtual private networks. A firewall can bring powerful benefits as the control point for all of these complementary technologies.
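Points 2 and e above are two views of one configuration problem: a rule table evaluated top-down stops at the first match, so a broad rule added early silently overrides every narrower rule placed after it. The following added example (not Symantec's code and not any product's rule engine) makes the difference concrete. It interprets 'best fit' as most-specific match, scoring a rule by the prefix lengths of its address fields plus its protocol and port constraints; that scoring, the rule table, the packet and the addresses are all assumptions constructed for illustration. The shadowed_rules audit is the check a practitioner runs on a first-fit table to find rules that can never fire.

```python
"""First-fit versus best-fit rule evaluation, plus a shadowing audit.

Added example, not Symantec's code.  'Best fit' is read here as
most-specific match: a rule's score is the sum of the prefix lengths of
its address fields plus one each for a fixed protocol and port.  The rule
table, packet and addresses are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # 'allow' or 'deny'
    src: str                     # CIDR network, or 'any'
    dst: str                     # CIDR network, or 'any'
    proto: str                   # 'tcp', 'udp', or 'any'
    port: Optional[int] = None   # destination port, None means any

    def matches(self, pkt):
        """pkt is (src_ip, dst_ip, proto, dst_port)."""
        src, dst, proto, port = pkt
        for net, addr in ((self.src, src), (self.dst, dst)):
            if net != "any" and ip_address(addr) not in ip_network(net):
                return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.port is None or self.port == port

    def specificity(self):
        """Higher means narrower; a /32 host rule outranks a /24 with a port."""
        score = sum(ip_network(f).prefixlen for f in (self.src, self.dst) if f != "any")
        score += 0 if self.proto == "any" else 1
        score += 0 if self.port is None else 1
        return score

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        for mine, theirs in ((self.src, other.src), (self.dst, other.dst)):
            if mine == "any":
                continue
            if theirs == "any" or not ip_network(theirs).subnet_of(ip_network(mine)):
                return False
        if self.proto != "any" and self.proto != other.proto:
            return False
        return self.port is None or self.port == other.port


def first_fit(rules, pkt):
    """Top-down evaluation: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def best_fit(rules, pkt):
    """Most-specific evaluation; table order only breaks exact ties."""
    candidates = [r for r in rules if r.matches(pkt)]
    return max(candidates, key=lambda r: r.specificity()) if candidates else None


def shadowed_rules(rules):
    """Names of rules that can never fire under first-fit because an
    earlier rule already matches every packet they would."""
    return [later.name for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


# Constructed rule table: the broad web rule was written first, and the
# narrower rules were appended later without reordering.
RULES = [
    Rule("allow-web", "allow", "any", "192.0.2.0/24", "tcp", 80),
    Rule("block-scanner", "deny", "203.0.113.0/24", "192.0.2.0/24", "tcp", 80),
    Rule("protect-admin-host", "deny", "any", "192.0.2.10/32", "any"),
    Rule("default-deny", "deny", "any", "any", "any"),
]

# Constructed packet: HTTP from the Internet to the admin host.
PKT = ("198.51.100.7", "192.0.2.10", "tcp", 80)

if __name__ == "__main__":
    print("first-fit :", first_fit(RULES, PKT).name)   # allow-web
    print("best-fit  :", best_fit(RULES, PKT).name)    # protect-admin-host
    print("shadowed  :", shadowed_rules(RULES))        # ['block-scanner']
```

For the same packet the first-fit engine allows the connection because allow-web is reached first, while best-fit picks the /32 deny on the admin host. The audit also reports block-scanner as dead: allow-web matches everything it would, so it never fires. On a first-fit product the remedy is ordering (narrow rules above broad ones), which is the kind of review point 2 calls for.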

Even if all these issues were addressed, a firewall would still not be enough on its own. Managers need to know the weak points in their systems, using security management software and 'reconnaissance' programs to check the network for vulnerabilities. Symantec provides these solutions through products such as Enterprise Security Manager, NetRecon, Intruder Alert and NetProwler, covering vulnerability assessment and intrusion detection.

Perhaps most important of all, and often the most neglected, is the simple challenge of risk management. Senior executives, preferably those at the very top, need to appoint one of their own to take charge of security issues and lead a vulnerability assessment of the organization's systems. This supports the next step: a clear information technology security policy that defines the responsibilities of each employee. It should also include policies and processes that evaluate the entire network, including assets and vulnerabilities. The plan should be revisited as the network and the business change, whether to take advantage of e- or m-commerce (m-commerce using mobile, hand-held computers) or simply to enhance the use of the network for sales, service and marketing. Companies that offer comprehensive Internet security services, such as Symantec, can also provide valuable assistance in these areas.

Although it all seems a little daunting, internet security can be simplified to four important steps:

Assess. Secure your infrastructure through vulnerability assessment and a good security policy.

Protect. Keep unauthorized users and hackers out by using firewalls effectively plus keep malicious code out with up-to-date anti-virus on all levels of the network (gateway, server and client).

Enable. Make sure you have secure Internet communications with mobile employees, remote operations, suppliers, customers and other businesses.

Manage. Manage and administer security easily and effectively for users by implementing file encryption, server administration tools and single sign-on solutions.

Andy Norton
Senior Product Manager, Symantec APAC
 
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com; no unsubscribe or support emails please. Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter.html Send virus samples to: avsubmit@symantec.com
This is a Symantec Corporation publication; use of it requires permission in advance from Symantec. All information contained in this newsletter is accurate and valid as of the date of issue. Copyright © 1996-2001 Symantec Corporation. All rights reserved.