Symantec(TM)

Symantec Security Response

ISSN 1444-9994

October 2002 Newsletter


These are the most common Viruses, Trojans, Worms and Exploits reported to Symantec Security Response during the last month.



Country Spotlight
New Zealand

W32.Bugbear@mm
W32.Klez.H@mm
W32.Opaserv.Worm
W32.HLLW.Qaz(gen)
Trojan Horse
JS.Trojan.WindowBomb
JS.Exception.Exploit
Backdoor.Trojan
W32.Yaha.F@mm
W95.Hybris.worm


Top Global Threats
W32.Klez.H@mm
W32.Bugbear@mm
W32.Opaserv.Worm

JS.Exception.Exploit
Trojan Horse
W32.Datom.Worm
W95.Hybris.worm
W32.Yaha.F@mm
W32.Klez.E@mm
W95.CIH

Asia Pacific
W32.Bugbear@mm
W32.Klez.H@mm
W32.Opaserv.Worm
JS.Exception.Exploit
HTML.Redlof.A
W32.Datom.Worm
W95.Hybris.worm
Trojan Horse
W32.Nimda.enc
Backdoor.Trojan

Europe, Middle East & Africa
W32.Klez.H@mm
W32.Bugbear@mm
W32.Opaserv.Worm
JS.Exception.Exploit
W32.Klez.E@mm
W32.Yaha.F@mm
W32.Datom.Worm
Trojan Horse
W95.Hybris.worm
W95.CIH

Japan
W32.Klez.H@mm
W32.Bugbear@mm
W32.Opaserv.Worm
Trojan Horse
W32.Klez.E@mm
VBS.LoveLetter.A
W95.Hybris.worm
JS.Exception.Exploit
W95.CIH
VBS.LoveLetter.Var

The Americas
W32.Klez.H@mm
W32.Bugbear@mm
W32.Opaserv.Worm
JS.Exception.Exploit
Trojan Horse
W95.Hybris.worm
W32.Datom.Worm
W32.Nimda.enc
W32.Yaha.F@mm
Backdoor.Trojan






 
Well, just when we all thought 2002 was going to be one of the slowest years for a long time, two worms were discovered in a matter of days; both W32.Bugbear@mm and W32.Opaserv.Worm surprised everyone by spreading very quickly. Yet again the quickest spreading worm used a known exploit that Microsoft patched a while ago; details are here. If you still have not installed this update, I suggest you do:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

We have multiple OpenVMS vulnerabilities and an article on Mac OSX security from Kaoru Hayashi in Japan.

David Banes.
Editor, securitynews@symantec.com
To unsubscribe from this newsletter, please go to:
http://securityresponse.symantec.com/avcenter/newsletter.html

Viruses, Worms & Trojans

W32.Bugbear@mm

Date: 30th Sep 2002
Risk: High
Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Components Affected
Email programs, network shares (Windows Networking), anti-virus and firewall programs.
Overview
W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs.

Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality. It is written in the Microsoft Visual C++ 6 programming language and is compressed with UPX v0.76.1-1.22.
       
Recommendations
The easiest way to remove this threat is to use the W32.Bugbear@mm Removal Tool created by Symantec Security Response:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html
Threat Metrics
Global infection breakdown by geographic region (% of total):
  The Americas                 24.4%
  Europe, Middle East, Africa  67.7%
  Japan                         0.5%
  Asia Pacific                  7.4%

Timeline (% of reports by date):
  29 Sep    0.01%
  30 Sep    0.5%
  1 Oct     3.3%
  2 Oct     8.0%
  3 Oct    10.6%
  5 Oct     7.4%
  7 Oct    12.0%
  9 Oct     8.4%
  11 Oct    6.0%
  13 Oct    4.1%
       
Credit
Serghei Sevcenco, Symantec Security Response, APAC
Yana Liu, Symantec Security Response, USA
       
References
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html

W32.Opaserv.Worm

Date: 30th Sep 2002
Risk: Medium
Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Components Affected
Network shares (Windows Networking)

Overview
W32.Opaserv.Worm is a network-aware worm that attempts to replicate across open network shares. It copies itself to the remote computer as a file named Scrsvr.exe. This worm also attempts to download updates from www.opasoft.com, although the site may have already been shut down. Indicators of infection include:

  • The existence of the files Scrsin.dat and Scrsout.dat in the root of drive C. This indicates a local infection (that is, the worm was executed on the local computer).
  • The existence of the Tmp.ini file in the root of drive C. This indicates a remote infection (that is, the computer was infected by a remote host).
  • The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run contains the string value ScrSvr or ScrSvrOld, which is set to c:\tmp.ini.
       
Recommendations
The easiest way to remove this threat is to use the Symantec W32.Opaserv.Worm Removal Tool.
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html
       
Threat Metrics
Global infection breakdown by geographic region (% of total):
  The Americas                 25.3%
  Europe, Middle East, Africa  67.6%
  Japan                         1.3%
  Asia Pacific                  5.8%

Timeline (% of reports by date):
  27 Sep    0.03%
  29 Sep    0.2%
  30 Sep    3.0%
  1 Oct    13.1%
  2 Oct    11.9%
  4 Oct     8.7%
  5 Oct     5.0%
  10 Oct    6.9%
  12 Oct    3.2%
  13 Oct    2.7%
       
Credit
Douglas Knowles, Symantec Security Response, USA
Peter Ferrie, Symantec Security Response, APAC
References
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

Security Advisories

Multiple Microsoft SQL Server Vulnerabilities

Date: 2nd Oct 2002
Risk: High

Platforms Affected
Microsoft Access 2000,
Microsoft BackOffice 4.5,
Microsoft Project Central Server,
Microsoft SQL Server 7.0,
Microsoft SQL Server 2000,
Microsoft Visual Studio 6.0,
Microsoft Windows 2000 Workstation to SP2,
Microsoft Windows NT 4.0 to SP6a

Components Affected
Microsoft Data Engine 1.0 and 2000
Microsoft SQL Server 7.0 to 7.0 SP4
Microsoft SQL Server 2000 to 2000 SP2
Overview
Microsoft has released a security bulletin reporting multiple vulnerabilities in Microsoft SQL Server.
Description
The first of these issues is a buffer overflow in SQL Server user authentication. It is possible to corrupt memory with a malformed login request. This may enable an attacker to execute arbitrary code with the privileges of the SQL Server process. Malformed login requests may also cause a denial of service. It is possible to trigger this condition prior to authenticating with the server. This issue affects Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000.

The second issue is a buffer overflow in one of the Database Console Commands (DBCCs) that ship with the vulnerable products. This issue may be exploited to execute arbitrary code with the privileges of the SQL Server process. Authentication is required to exploit this vulnerability. The issue affects Microsoft SQL Server 7.0/2000 and Microsoft Data Engine (MSDE) 1.0/2000.

The third issue is related to how the affected products handle scheduled jobs. The SQL Server Agent may be instructed to create an output file during a job step. The output file will be created with the privileges of the SQL Server Agent, instead of the privileges of the user who scheduled the job. As a result, a malicious authenticated user could schedule a job step which creates a malicious output file in an attacker-specified directory. This may potentially be exploited to allow for execution of operating system commands with elevated privileges. An attacker will also be able to cause sensitive files to be corrupted. This issue affects Microsoft SQL Server 7.0/2000 and Microsoft Data Engine (MSDE) 1.0/2000.
Recommendations
Block external access at the network boundary unless the service is required by external parties. Blocking access to the SQL Server port (1433) at the network boundary may prevent exploitation of some of these issues, but it does not address the two issues that an already authenticated user can trigger.

Permit privileged access for trusted individuals only. Ensure database access controls are in place and permit access for trusted individuals only.

Microsoft has released fixes:
Microsoft Patch Q327068
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q327068&sd=tech
Microsoft Patch Q316333
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech
References
Source: Microsoft Security Bulletin MS02-056
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-056.asp
   
Credit
Discovery of these issues is credited to <sk@scan-associates.net>, <pokleyzz@scan-associates.net> and Martin Rakhmanoff <jimmers@yandex.ru>.
 

Multiple OpenVMS WASD HTTP Server Vulnerabilities

Date: 26th Sep 2002
Risk: High
Platforms Affected
OpenVMS
Components Affected
WASD HTTP Server 7.1 to 7.2.3 and 8.0
Description
Multiple vulnerabilities have been reported in WASD HTTP Server for OpenVMS. The consequences of successful exploitation of these issues may range from information disclosure to varying degrees of remote compromise.
       
Recommendations
Symantec's recommendation is to upgrade to at least version 7.2 and then apply the relevant fixes listed here:
http://www.sarc.com/avcenter/security/Content/5811.html
       
Credit
Discovery of these issues is credited to Jean-loup Gailly.
References
Source: remote SYSTEM compromise in WASD OpenVMS http server
URL: msg://bugtraq/15763.29826.824331.958784@home.gailly.net
Source: WASD Package Security Advisory
URL: http://wasd.vsm.com.au/ht_root/doc/misc/wasd_advisory_020925.txt

Security News

UNIX malwares on Mac OS X
Kaoru Hayashi, Symantec Security Response, Japan

Introduction

On March 24, 2001, Apple Computer released their next generation operating system, Mac OS X. In stark contrast to their previous OS (Mac OS 9 or earlier), Mac OS X is a UNIX-based operating system. Consequently, customers and editors asked us how much malware works on Mac OS X. We know that one of the most famous backdoor trojans on Windows, Sub7, has been ported to the OS (and NAV for Mac OS X can detect it). In this paper I will explain the other existing UNIX malware.

Introducing Mac OS X
The core of the system is called Darwin and it is based on an open source project. Darwin integrates the Mach 3.0 kernel and operating system services based on BSD UNIX. This document does not explain the Mac OS X system in detail; please see the following site for more information.

http://developer.apple.com/macosx/architecture/index.html
I investigated Mac OS X 10.2 with the Developer CD installed. This is a brief introduction to the environment:

Mach 3.0 kernel
BSD 4.4 Lite
Java 2 Standard Edition 1.3.1
gcc 3.1
several BSD UNIX commands/development tools

UNIX malware overview
Symantec currently detects over 100 malicious programs that work on UNIX. Almost all of them are zoo samples (that is, they have not been reported by customers or end users).

I have classified them into three categories: binary, script, and Java. In this document I will only explain binary and script malware, because Java is "write once, run anywhere", even on Mac OS X :).

Binary malwares
In contrast to the Windows platform, not that much binary malware works on UNIX. Most binary malware only works on Linux on an Intel platform. Fortunately, it cannot work on Mac OS X, for the following reasons:

First, the CPU of the Macintosh is not the same as the Intel platform. Currently, Mac OS X only runs on Macintosh computers that use a Motorola/IBM PowerPC G3 or G4 processor. For the same reason, Intel binary malware does not work on Linux for PowerPC either.

The second reason binary malware does not work on Mac OS X is the executable format. Commonly, the "Executable and Linking Format (ELF)" is used on UNIX. Of course Linux for PowerPC uses it too, but the Mac OS X kernel can only understand the "Mach-O" binary format and does not support ELF. Mach-O is completely different from ELF. Its structure can be examined by running "otool" from the command line.
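As an added example (not part of Hayashi's article or any Symantec tool), the following Python identifies an executable's format and target CPU from its leading bytes, the same header fields otool prints, and decides whether a PowerPC Mac OS X loader would accept it at all. The sample headers are constructed inline for the demonstration and are not real binaries.

```python
import struct

# Constructed sample headers (not real programs): only the bytes the
# magic-number checks below look at. ELF: magic, class, data encoding,
# padding, e_type, e_machine. Mach-O: magic, cputype. Fat: magic, nfat_arch,
# then fat_arch records of five big-endian 32-bit fields each.
SAMPLES = {
    "linux_x86_elf": b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 3),
    "linux_ppc_elf": b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + struct.pack(">HH", 2, 20),
    "macosx_ppc_macho": struct.pack(">II", 0xFEEDFACE, 18) + b"\x00" * 20,
    "fat_ppc_i386": struct.pack(">II", 0xCAFEBABE, 2)
                    + struct.pack(">IIIII", 18, 0, 4096, 100, 12)
                    + struct.pack(">IIIII", 7, 3, 8192, 100, 12),
    "perl_script": b"#!/usr/bin/perl\nprint 'hi';\n",
}

ELF_MACHINES = {3: "i386", 20: "ppc", 62: "x86_64"}
MACHO_CPUS = {7: "i386", 18: "ppc", 0x01000007: "x86_64", 0x01000012: "ppc64"}

def identify(data):
    """Return (format, arch) for a file's leading bytes."""
    if data[:4] == b"\x7fELF":
        order = "<" if data[5] == 1 else ">"       # EI_DATA selects endianness
        (machine,) = struct.unpack(order + "H", data[18:20])
        return "ELF", ELF_MACHINES.get(machine, "unknown")
    magic = data[:4]
    if magic in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf"):   # big-endian Mach-O
        (cpu,) = struct.unpack(">I", data[4:8])
        return "Mach-O", MACHO_CPUS.get(cpu, "unknown")
    if magic in (b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):   # little-endian Mach-O
        (cpu,) = struct.unpack("<I", data[4:8])
        return "Mach-O", MACHO_CPUS.get(cpu, "unknown")
    if magic == b"\xca\xfe\xba\xbe":   # fat (multi-arch) Mach-O; Java .class shares this magic
        (n,) = struct.unpack(">I", data[4:8])
        archs = [MACHO_CPUS.get(struct.unpack(">I", data[8 + 20 * i:12 + 20 * i])[0], "unknown")
                 for i in range(n)]
        return "Mach-O fat", "+".join(archs)
    if data[:2] == b"#!":   # interpreted script: report the interpreter path
        return "script", data[2:].split(b"\n", 1)[0].decode(errors="replace").strip()
    return "unknown", "unknown"

def native_on_macosx_ppc(data):
    """True only if a PowerPC Mac OS X kernel could load the file directly."""
    fmt, arch = identify(data)
    return fmt.startswith("Mach-O") and "ppc" in arch.split("+")
```

A script is reported as "script" with its interpreter path: it is never loaded natively, but runs wherever that interpreter exists, which is the point the next section makes.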

Possibilities of binary malwares
Malware may work properly on Mac OS X if it is re-compiled for the OS. Apple has released the GNU C/C++ compiler and linker, GCC, for Mac OS X. If a user installs the developer tools from Apple, the user can compile numerous sources such as GNU software. So, only three commands are required:

configure
make
make install

This is the same as on other UNIX systems and, therefore, provides another way for binary malware to work on Mac OS X. If someone inserts malicious code into the source and the user downloads and compiles it on Mac OS X, it is likely to work properly on the OS. We can remember the case when trojan code was inserted into OpenSSH (for more information on this, see http://www.cert.org/advisories/CA-2002-24.html).

Script
There are three types of script malwares: shell, perl, and PHP script.

Shell script
The default shell on Mac OS X is tcsh, which is based on the C shell. As with other common UNIX tools, the Bourne shell is ported as /bin/sh. Therefore, common shell scripts can run on Mac OS X. As I mentioned above, many common UNIX tools are ported, even the "shutdown" command, but not all of them. If a shell script uses a command that is not ported to the OS, the script cannot run properly.

Perl script
Perl is also installed, as /usr/bin/perl or /usr/bin/perl5.6.0. Perl scripts work properly given the correct path and permissions.

PHP script
PHP is a widely used server-side scripting language and it is not enabled by default on the OS. However, the component is installed and enabling it only requires modifying the /etc/httpd.conf file.

Script malwares
Viruses
Simple viruses, such as UNIX.Gobleen and UNIX.Gift, work easily. They follow the same sequence:

  1. search target
  2. open target
  3. insert virus or overwrite by virus
  4. write target
  5. close target
  6. search again

No special techniques or approaches are applied that are of interest to us.

The "mail" command
Some malware uses the "mail" command to spread or to send information from an infected system to a hacker, such as UNIX.Penguin, UNIX.LoveLetter, and UNIX.Psite. However, these do not work properly on Mac OS X. The "mail" command exists but it cannot be run by default. To use the mail command in Terminal, the Sendmail configuration needs to be modified (you know it is very difficult!). Therefore, we do not need to consider these malware types.

Malware for specific environments

  • UNIX.Abuser exploits a game on Linux.
  • UNIX.Bash drops an ELF binary for Linux.
  • UNIX.Capdrop drops C source code and compiles it on the infected system. The source code needs to be compiled on Linux.
  • Many PHP malware samples (but not all) contain fixed strings like "C:\Windows". Of course they only affect Windows.
  • UNIX.Psite needs the X Window System, but Mac OS X does not have it by default.

None of these work on Mac OS X.

Trojans
Mac OS X uses NetInfo for managing user and group accounts, email configuration, NFS, printers, computers, and other resources. This is almost the same concept as Active Directory or NIS, and it is the one significant difference from other UNIX systems. Using some of these resources requires NetInfo Manager or the NetInfo tools from the command line.

Some trojans attempt to add new services for hackers. On Mac OS X the following files still have to be modified directly, as on other UNIX systems, rather than through NetInfo:

/etc/inetd.conf
/etc/services
/etc/hosts

Conclusion
Fortunately, almost all malware for UNIX is zoo and is rarely found, even when we go looking for it. In addition, not much UNIX malware can work on Mac OS X. The OS has inherited "Stability and Power" from UNIX, as Apple has said themselves.

On the other hand, the OS has also taken over negative characteristics from UNIX. They are:

- Security is difficult for the user to manage
- The same malware may work as on other UNIX systems

Obviously, we need to be more wary in terms of security issues on this OS than on Mac OS 9 or earlier.

Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails, please).
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.