Symantec Security Response

ISSN 1444-9994

November 2002 Newsletter


These are the most common Viruses, Trojans, Worms and Exploits reported to Symantec Security Response during the last month.



Country Spotlight
France

W32.Bugbear@mm
W32.Opaserv.Worm
W32.Klez.H@mm
W32.Klez.E@mm
W95.Spaces.1445
W32.Yaha.F@mm
W32.Opaserv.E.Worm
W95.Hybris.worm
W32.Funlove.4099
JS.Exception.Exploit



Top Global Threats

W32.Bugbear@mm
W32.Klez.H@mm
W32.Opaserv.Worm

JS.Exception.Exploit
W95.Spaces.1445
W32.Opaserv.E.Worm
W95.Hybris.worm
W32.Funlove.4099
Trojan Horse
W32.Nimda.E@mm

Asia Pacific
W32.Bugbear@mm
W32.Klez.H@mm
W32.Opaserv.Worm
HTML.Redlof.A
JS.Exception.Exploit
W95.Spaces.1445
W32.Opaserv.E.Worm
W32.Funlove.4099
W32.Datom.Worm
W95.Hybris.worm


Europe, Middle East & Africa
W32.Bugbear@mm
W32.Klez.H@mm
W32.Opaserv.Worm
W95.Spaces.1445
JS.Exception.Exploit
W32.Opaserv.E.Worm
W32.Funlove.4099
W32.Nimda.E@mm
Trojan Horse
W95.Hybris.worm


Japan
W32.Klez.H@mm
W32.Bugbear@mm
W32.Opaserv.Worm
W32.Klez.E@mm
Trojan Horse
JS.Exception.Exploit
W32.Nimda.E@mm
W95.Spaces.1445
W95.Hybris.worm
HTML.Redlof.A

The Americas
W32.Klez.H@mm
W32.Bugbear@mm
W32.Opaserv.Worm
JS.Exception.Exploit
W95.Spaces.1445
W32.Opaserv.E.Worm
W95.Hybris.worm
Trojan Horse
IRC Trojan
W32.Aplore@mm



Removal Tools for malicious code are on our web site.

A list of Virus Hoaxes reported to Symantec.

A list of Joke Programs reported to Symantec.

Glossary for definitions of viruses, Trojans, worms and more.

 
This month the Friendgreet 'worm' caused many anti-virus vendors to scratch their heads and wonder if they should add detection for an application that asks the user who is installing it if it can spam their address book. Could users be this stupid? Yes, of course we can; who really reads end user licence agreements when installing software?

Most of us just hit the 'Next' button to get through the pain of installing software as fast as we can, and it's this impatience that triggers mass mailings to everyone in your address book. If you have an email program configured to automatically add new email addresses to the address book, then you'll have a lot of addresses.

Most vendors have added detection of this program to their anti-virus products at the request of customers; they want to be able to block this behaviour before a mass mail-out occurs. No doubt we'll see more of this type of activity in the future; I'll be reading these agreements before installing.

W95.Spaces was first discovered at the end of 1999 but seems to have re-appeared. This may be because it has piggybacked another fast-spreading worm, in a similar way to that which I described in the editorial of the May issue of the newsletter; you can find that issue here: http://sarc-au.symantec.com/published/english/may02inews-en.html.

A common topic for discussion at the moment is instant messaging (IM) and the security issues around it. This month we have an introduction to Neal Hindocha's article titled 'Threats to Instant Messaging' and a link to an article on the Symantec web site titled 'Secure Instant Messaging'. Both are very informative and paint a clear picture of the security issues around many instant messaging platforms in use today. There are secure IM products which also encrypt the messages they send; as with any software selection process, they should be considered if security is a concern. Norton AntiVirus 2003 now includes virus scanning for some of the common IM products.

David Banes
Editor, securitynews@symantec.com
 

Viruses, Worms & Trojans

W32.Friendgreet.Worm
Aliases:
Friendgreetings, WORM_FRIENDGRT.A [Trend], WORM_FRIENDGRT.B [Trend], Friend Greeting application [McAfee], Friend Greeting application (II) [McAfee]
Risk: Very Low
Date: 25th October 2002
Platforms Affected
Windows 95
Windows 98
Windows NT
Windows 2000
Windows XP
Windows Me
 
Overview
Symantec Security Response is aware of a widespread e-card (electronic greeting card) that appears to have the characteristics of a worm. Based on a number of requests from Symantec's corporate customers, Security Response has provided definitions that detect and block this program.

The installation of software that is associated with the e-card requires your permission for it to perform its mass-mailing functions. If you cancel the installation of the software, no worm-like activities are performed.

NOTE: At this time, the Web site to which the e-card is linked appears to be unavailable. This means that the software can no longer be downloaded and installed from the site www.friendgreetings.com.


Symantec Security Response now provides detection for an updated version of W32.Friendgreet.worm. The new installer is approximately 300 KB in size. It was discovered that this new installer modifies the taskbar in such a way that during installation you cannot switch to another program. This also results in icons disappearing from the taskbar. This does not result in any permanent loss of information. Upon rebooting the system the taskbar will function normally.

Additionally, the following URLs may host the installation package for W32.Friendgreet.worm. This has not been confirmed by Security Response at this time.

www.friend-card.com
www.friend-card.net
www.friend-cards.com
       
Recommendations
Symantec Security Response offers the suggestions detailed on the page linked here on how to configure Symantec products in order to minimize your exposure to this threat.
http://www.sarc.com/avcenter/venc/data/w32.friendgreet.worm.html#recommendations
       
References
Symantec URL: http://www.sarc.com/avcenter/venc/data/w32.friendgreet.worm.html

W95.Spaces.1445
Aliases:
W95.Spaces.1633, W95.Spaces.1245, W95.Spaces.1445, W95/Busm.1445, W95/Busm99.1445
Risk: Low
Date: 28th December 1999
Platforms Affected
Windows 95, Windows 98
 
Overview
W95.Spaces is a dangerous Windows 9x virus. On June 1 of every year, the virus manipulates the Master Boot Record (MBR) of an AT hard disk by using port commands. It modifies the MBR data area so that the first partition entry points to itself. This prevents the system from booting when running certain MS-DOS versions that contain a bug and are unable to boot the system correctly.
       
Recommendations
To remove this virus:

1. If you have a current Rescue disk set that you created prior to the infection, skip to the next step. Otherwise, on another, uninfected computer on which NAV is installed, run LiveUpdate and create a Rescue disk set. For instructions on how to do this, see the document How to create or update a Norton AntiVirus rescue disk set when Norton AntiVirus is already installed.
2. Insert Rescue disk 1 into the floppy disk drive of the infected computer, and restart the computer.
3. Follow the prompts to run a virus scan.
4. Remove the Rescue disk, and then restart the computer.

Norton AntiVirus will not remove the 0x2020 ID from the Reserved1 field of the PE header. This is a benefit: the marker acts as an inoculation, because W95.Spaces will assume a file that carries it is already infected and will leave it alone.
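An added example, not code from the newsletter or from Symantec, that reads the 0x2020 marker described above from a PE file so that inoculated or already-infected files can be reported. It assumes the Reserved1 field is the DWORD at offset 0x34 of IMAGE_OPTIONAL_HEADER32 (the field later renamed Win32VersionValue); the sample PE header it scans is constructed inline.

```python
import struct

# Infection-marker value that W95.Spaces leaves behind, taken from the newsletter.
SPACES_MARKER = 0x2020
# Offset of the Reserved1 field (later renamed Win32VersionValue) inside
# IMAGE_OPTIONAL_HEADER32. Assumed from the PE/COFF layout, not stated on the page.
RESERVED1_OFFSET = 0x34


def read_reserved1(data: bytes) -> int:
    """Return the Reserved1 / Win32VersionValue DWORD of a PE32 image; ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # IMAGE_FILE_HEADER is 20 bytes
    if len(data) < opt + RESERVED1_OFFSET + 4:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:               # PE32 only; W95.Spaces targets Win9x binaries
        raise ValueError("not a PE32 image")
    (reserved1,) = struct.unpack_from("<I", data, opt + RESERVED1_OFFSET)
    return reserved1


def spaces_marker_present(data: bytes) -> bool:
    """True when the file carries the 0x2020 marker (infected or inoculated)."""
    return read_reserved1(data) == SPACES_MARKER


def build_pe32_stub(reserved1: int) -> bytes:
    """Constructed minimal PE32 header used as sample input; not a real program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics=EXE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, RESERVED1_OFFSET, reserved1)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    for value in (0, SPACES_MARKER):
        flagged = spaces_marker_present(build_pe32_stub(value))
        print(f"Reserved1=0x{value:04x}: marker present = {flagged}")
```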
       
Threat Metrics
Global infection breakdown by geographic region and timeline (% of total)

Region                        % of total
The Americas                  21.1%
Europe, Middle East, Africa   72.8%
Japan                          5.2%
Asia Pacific                   1.0%

Date      % reports
13 Oct    0.7%
15 Oct    1.2%
18 Oct    1.15
21 Oct    1.3%
24 Oct    7.2%
29 Oct    5.5%
4 Nov     4.9%
6 Nov     5.0%
9 Nov     3.3%
11 Nov    2.7%
 
Credit
Peter Szor, Symantec Security Response, USA
References
Symantec URL: http://securityresponse.symantec.com/avcenter/venc/data/w95.spaces.html

Security Advisories

Linux-HA Heartbeat remote buffer overflow vulnerability
Risk: High
Date: 14th October 2002
Platforms Affected
Linux-HA

Components Affected
Linux-HA heartbeat 0.4.9a, 0.4.9b, 0.4.9c, 0.4.9d and 0.4.9.1
 
Description
The Linux-HA heartbeat utility is vulnerable to a remotely exploitable buffer overflow condition. Attackers may exploit the vulnerability to execute arbitrary code. It has been reported that the condition is related to the handling of TCP packets.
 
Recommendations
Block external access at the network boundary unless the service is required by external parties. Access to the interfaces and ports used by heartbeat should be blocked.

The vulnerability is eliminated in versions 0.4.9.2 and 0.4.9e.

Debian has released patches, which are linked here:
http://www.sarc.com/avcenter/security/Content/5955.html
References
Source: Debian DSA 174-1 New heartbeat packages fix buffer overflows
URL: http://online.securityfocus.com/advisories/4552
Symantec URL: http://www.sarc.com/avcenter/security/Content/5955.html
Credits
Discovered by Nathan Wallwork
 

Macromedia JRun Oversized URI buffer overflow vulnerability
Risk: High
Date: 7th November 2002
Platforms Affected
IBM AIX 4.2 and 4.3
Microsoft IIS 4.0, 5.0 and 5.1
Microsoft Windows 2000 Workstation, SP1, SP2
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows NT 4.0, SP1 through SP6a
RedHat Linux 6.0, alpha and sparc
RedHat Linux 6.1 alpha, i386 and sparc
SGI IRIX 6.5
Sun Solaris 2.6, 7.0 and 8.0
Components Affected
Macromedia JRun 3.0, 3.1 and 4.0
 
Description
Macromedia JRun is prone to a remotely exploitable buffer overflow condition. This issue is due to insufficient bounds checking of URIs in incoming web requests.

Exploitation may allow a remote attacker to execute arbitrary code with the privileges of the JRun server process. This issue is specific to JRun running on Microsoft Windows platforms.
 
Recommendations
Block external access to the server at the network boundary unless the service is required by external parties. Filter untrusted or malicious network traffic at border routers and network firewalls.

Deploy network intrusion detection systems (NIDS) to monitor network traffic for malicious activity, and audit NIDS and web server logs for signs of malicious network activity.
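A defender-side aid for the log-audit recommendation above, added here as an example and not taken from the advisory or from Macromedia: it parses Common Log Format web server lines and flags requests whose URI exceeds a length threshold, the pattern this advisory describes. MAX_URI_LEN is an assumed audit threshold to be tuned to your application, not a JRun buffer size, and the log lines are constructed.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed audit threshold: derive it from the longest legitimate URI your
# application serves, not from any knowledge of JRun's internal buffers.
MAX_URI_LEN = 1024


def parse_line(line):
    """Return the log fields as a dict, or None when the line is not CLF."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def oversized_uri_requests(lines, limit=MAX_URI_LEN):
    """Return (host, uri_length, status) for each request whose URI exceeds
    limit. Unparsable lines are skipped rather than silently accepted."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if len(rec["uri"]) > limit:
            hits.append((rec["host"], len(rec["uri"]), rec["status"]))
    return hits


def hosts_by_hit_count(hits):
    """Count oversized requests per client host to surface repeat sources."""
    return Counter(host for host, _, _ in hits)


# Constructed sample log lines (not real traffic); the long URIs mimic the
# oversized-request pattern the advisory describes.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2002:10:12:01 +0000] "GET /index.jsp HTTP/1.0" 200 512',
    '10.0.0.9 - - [07/Nov/2002:10:12:07 +0000] "GET /' + "A" * 3000 + ' HTTP/1.0" 500 0',
    '10.0.0.9 - - [07/Nov/2002:10:12:09 +0000] "GET /' + "A" * 2048 + ' HTTP/1.0" 500 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = oversized_uri_requests(SAMPLE_LOG)
    for host, length, status in hits:
        print(f"{host}: URI length {length}, status {status}")
    print(hosts_by_hit_count(hits))
```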

Run all server processes as non-privileged users with minimal access rights. Running the server with the least privileges required will reduce the consequences of successful exploitation.

Macromedia has released patches, which are linked here:
http://www.symantec.com/avcenter/security/Content/6122.html
References
Symantec URL: http://www.symantec.com/avcenter/security/Content/6122.html
Credits
This issue was reported in a Macromedia security alert. Discovery of this issue appears to be credited to Marc Maiffret of eEye Digital Security.
 

Security News

Threats to Instant Messaging
Instant messaging is an up and coming threat as a carrier for malware. More and more people are using instant messaging, both for personal and business reasons. Instant messaging networks provide the ability to not only transfer text messages, but also transfer files. Consequently, instant messengers can transfer worms and other malware.

Instant messaging can also provide an access point for backdoor Trojan horses. Hackers can use instant messaging to gain backdoor access to computers without opening a listening port, effectively bypassing desktop and perimeter firewall implementations. Furthermore, finding victims doesn't require scanning unknown IP addresses, but rather simply selecting from an updated directory of buddy lists. As more functionality is added to instant messaging, such as peer-to-peer file sharing, instant messaging will also become more prone to carrying malware.

Furthermore, instant messaging is very difficult to block in a company using conventional security methods such as firewalls. In addition, there are generally no antivirus applications monitoring instant messaging network communications on the server level. This means an instant messaging worm can be caught only at the desktop level.

Fortunately, antivirus vendors have realized the dangers of instant messaging, and have begun to create plug-ins for the various instant messaging clients in their desktop products. Norton AntiVirus 2003 is an example of an antivirus product that will plug in to the various clients and scan any incoming files.

When email became a part of our daily lives, it also became a large carrier of worms. Even after many email worm outbreaks, people are still not educated about the potential dangers of email usage. Hopefully, the same story will not be repeated with instant messengers.

The full article is here:
http://sarc.com/avcenter/reference/threats.to.instant.messaging.pdf

Neal Hindocha
Symantec Security Response

Editor's Note: A second article is also available on the Symantec web site:
http://www.sarc.com/avcenter/reference/secure.instant.messaging.pdf
 
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.