symantecTM	symantec security response
ISSN 1444-9994	October 2002 Newsletter
These are the most common Viruses, Trojans, Worms and Exploits reported to Symantec Security Response during the last month. Country Spotlight New Zealand W32.Bugbear@mm W32.Klez.H@mm W32.Opaserv.Worm W32.HLLW.Qaz(gen) Trojan Horse JS.Trojan.WindowBomb JS.Exception.Exploit Backdoor.Trojan W32.Yaha.F@mm W95.Hybris.worm Top Global Threats W32.Klez.H@mm W32.Bugbear@mm W32.Opaserv.Worm JS.Exception.Exploit Trojan Horse W32.Datom.Worm W95.Hybris.worm W32.Yaha.F@mm W32.Klez.E@mm W95.CIH Asia Pacific W32.Bugbear@mm W32.Klez.H@mm W32.Opaserv.Worm JS.Exception.Exploit HTML.Redlof.A W32.Datom.Worm W95.Hybris.worm Trojan Horse W32.Nimda.enc Backdoor.Trojan Europe, Middle East & Africa W32.Klez.H@mm W32.Bugbear@mm W32.Opaserv.Worm JS.Exception.Exploit W32.Klez.E@mm W32.Yaha.F@mm W32.Datom.Worm Trojan Horse W95.Hybris.worm W95.CIH Japan W32.Klez.H@mm W32.Bugbear@mm W32.Opaserv.Worm Trojan Horse W32.Klez.E@mm VBS.LoveLetter.A W95.Hybris.worm JS.Exception.Exploit W95.CIH VBS.LoveLetter.Var The Americas W32.Klez.H@mm W32.Bugbear@mm W32.Opaserv.Worm JS.Exception.Exploit Trojan Horse W95.Hybris.worm W32.Datom.Worm W32.Nimda.enc W32.Yaha.F@mm Backdoor.Trojan Removal Tools for malicious code are on our web site A list of Virus Hoaxes reported to Symantec A list of Joke Programs reported to Symantec. Glossary for definitions of viruses, Trojans and worms and more.	Well just when we all though 2002 was going to be one of the slowest years for a long time two worms where discovered in a matter of days, both W32.Bugbear@mm and W32.Opaserv.Worm surprised erveryone by spreading very quickly. Yet again the quickest spreading worm used a known exploit that Microsoft patched a while ago, details are here if you still have not installed this update I suggest you do; http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp We have multiple OpenVMS vulnerabilities and an article on Mac OSX security from Kaoru Hayashi in Japan. David Banes. Editor, securitynews@symantec.com To unsubscribe to this newsletter please go to; http://securityresponse.symantec.com/avcenter/newsletter.html Viruses, Worms & Trojans W32.Bugbear@mm   Date: 30th Sep 2002    Risk: High Platforms Affected Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me Components Affected Email programs, network shares(Windows Networking), anti-virus and firewall programs..         Overview W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs. Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality. It is written in the Microsoft Visual C++ 6 programming language and is compressed with UPX v0.76.1-1.22.         Recommendations The easiest way to remove this threat is to use the Symantec W32.Bugbear@mm Removal Tool. Symantec Security Response has created a W32.Bugbear@mm Removal Tool. http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html  Threat Metrics Global Infection breakdown by geographic region and timeline. % of Total The America's 24.4% Europe, Middle East, Africa 67.7% Japan 0.5% Asia Pacific 7.4% Date % reports 29 Sep 30 Sep 1 Oct 2 Oct 3 Oct 5 Oct 7 Oct 9 Oct 11 Oct 13 Oct 0.01% 0.5% 3.3% 8.0% 10.6% 7.4% 12.0% 8.4% 6.0% 4.1%         Credit Serghei Sevcenco, Symantec Security Response, APAC Yana Liu, Symantec Security Response, USA         References http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html W95.Opaserv.Worm   Date: 30th Sep 2002    Risk: Medium Platforms Affected Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me Components Affected Network shares (Windows Networking)         Overview W32.Opaserv.Worm is a network-aware worm that attempts to replicate across open network shares. It copies itself to the remote computer as a file named Scrsvr.exe. This worm also attempts to download updates from www.opasoft.com, although the site may have already been shut down. Indicators of infection include: The existence of the files Scrsin.dat and Scrsout.dat in the root of drive C. This indicates a local infection (that is, the worm was executed on the local computer). The existence of the Tmp.ini file in the root of drive C. This indicates a remote infection (that is, the computer was infected by a remote host). The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run contains the string value ScrSvr or ScrSvrOld, which is set to c:\tmp.ini.         Recommendations The easiest way to remove this threat is to use the Symantec W32.Opaserv.Worm Removal Tool. http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html         Threat Metrics Global Infection breakdown by geographic region and timeline. % of Total The America's 25.3% Europe, Middle East, Africa 67.6% Japan 1.3% Asia Pacific 5.8% Date % reports 27 Oct 29 Sep 30 Sep 1 Oct 2 Oct 4 Oct 5 Oct 10 Oct 12 Sep 13 Sep 0.03 0.2% 3.0% 13.1% 11.9% 8.7% 5.0% 6.9% 3.2% 2.7%         Credit Douglas Knowles, Symantec Security Response, USA Peter Ferrie, Symantec Security Response, APAC References http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html Security Advisories Multiple Microsoft SQL Server Vulnerabilities   Date: 2nd Oct 2002    Risk: High Platforms Affected Microsoft Access 2000, Microsoft BackOffice 4.5, Microsoft Project Central Server, Microsoft SQL Server 7.0, Microsoft SQL Server 2000, Microsoft Visual Studio 6.0, Microsoft Windows 2000 Workstation to SP2 Microsoft Windows NT 4.0 to SP6a     Components Affected Microsoft Data Engine 1.0 and 2000 Microsoft SQL Server 7.0 to 7.0 SP4 Microsoft SQL Server 2000 to 2000 SP2 Overview Microsoft has released a security bulletin reporting multiple vulnerabilities in Microsoft SQL Server. Description The first of these issues is a buffer overflow in SQL Server user authentication. It is possible to corrupt memory with a malformed login request. This may enable an attacker to execute arbitrary code with the privileges of the SQL Server process. Malformed login requests may also cause a denial of service. It is possible to trigger this condition prior to authenticating with the server. This issue affects Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000. The second issue is a buffer overflow in one of the Database Console Commands (DBCCs) that ship with the vulnerable products. This issue may be exploited to execute arbitrary code with the privileges of the SQL Server process. Authentication is required to exploit this vulnerability. The issue affects Microsoft SQL Server 7.0/2000 and Microsoft Data Engine (MSDE) 1.0/2000. The third issue is related to how the affected products handle scheduled jobs. The SQL Server Agent may be instructed to create an output file during a job step. The output file will be created with the privileges of the SQL Server Agent, instead of the privileges of the user who scheduled the job. As a result, a malicious authenticated user could schedule a job step which creates a malicious output file in an attacker-specified directory. This may potentially be exploited to allow for execution of operating system commands with elevated privileges. An attacker will also be able to cause sensitive files to be corrupted. This issue affects Microsoft SQL Server 7.0/2000 and Microsoft Data Engine (MSDE) 1.0/2000. Recommendations Block external access at the network boundary, unless service is required by external parties. Blocking access to the SQL Server port (1433) at the network boundary may prevent exploitation of some of these issues. Permit privileged access for trusted inividuals only. Ensure database access controls are in place. Permit access for trusted individuals only. Microsoft has released fixes: Microsoft Patch Q327068 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q327068&sd=tech Microsoft Patch Q316333 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech References  Source: Microsoft Security Bulletin MS02-056 URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-056.asp     Credit Discovery of these issues is credited to <sk@scan-associates.net>, <pokleyzz@scan-associates.net> and Martin Rakhmanoff <jimmers@yandex.ru>.   Multiple OpenVMS WASD HTTP Server Vulnerabilities Risk: High  Platforms Affected OpenVMS Date: 26th Sep 2002  Components Affected WASD WASD HTTP Server 7.1 to 7.2.3 and 8.0         Description Multiple vulnerabilities have been reported in WASD HTTP Server for OpenVMS. The consequences of successful exploitation of these issues may range from information disclosure to varying degrees of remote compromise.         Recommendations Symantec's recommendations are to upgrade to at least 7.2 and then apply the relevant fixes listed here; http://www.sarc.com/avcenter/security/Content/5811.html         Credit Discovery of these issues is credited to Jean-loup Gailly. References Source: remote SYSTEM compromise in WASD OpenVMS http server URL: msg://bugtraq/15763.29826.824331.958784@home.gailly.net Source: WASD Package Security Advisory URL: http://wasd.vsm.com.au/ht_root/doc/misc/wasd_advisory_020925.txt Security News UNIX malwares on Mac OS X Kaoru Hayashi, Symantec Security Response, Japan, Introduction On March 24, 2001, Apple Computer released their next generation operating system, Mac OS X. In stark contrast to their previous OS (Mac OS 9 or earlier), Mac OS X is a UNIX based operating system. Consequently, customers and editors asked us how many malwares work on Mac OS X We know that one of the most famous backdoor trojans in Windows, Sub7, is ported on the OS (and NAV for Mac OS X can detect it). In this paper I will explain other existing UNIX malwares. Introducing Mac OS X The core of the system is called Darwin and it is based on an open source project. Darwin integrates Mach 3.0 kernel and an operating system service based on BSD UNIX. This document does not explain the Mac OS X system in detail. Please see the following site for more information. http://developer.apple.com/macosx/architecture/index.html I investigated Mac OS 10.2 + Developer CD. This is a brief introduction of the environment. Mach 3.0 kernel BSD 4.4 Lite Java 2 Standard Edition 1.3.1 gcc 3.1 several BSD UNIX commands/development tools UNIX malware overview Symantec has currently detected over 100 malicious programs that work on UNIX. Almost all malwares are Zoo (that is not reported from customers/end users). I have classified them into three categories: binary, script, and Java. In this document I will only explain binary and script malwares, because Java is "write once, run anywhere", even on Mac OS X :). Binary malwares In contrast to the Windows platform, not that many binary malwares work on UNIX. Most binary malwares only work on Linux on an Intel platform. Fortunately, they cannot work on Mac OS X for the following reasons: First, the CPU for Macintosh is not the same as the Intel platform. Currently, Mac OS X only runs on Macintosh computers that use a Motorola/IBM PowerPC G3 or G4 processor. For the same reason, binary malwares do not work on Linux for PowerPC. The second reason binary malwares do not work on Mac OS X is the executable format. Commonly, the "Executable and Linking Format (ELF)" is used on UNIX. Of course Linux for PowerPC uses it too, but Mac OS X kernel can only understand the "Mach-O" binary format and does not support ELF. Mach-O is completely different from ELF. Its structure can be found by using "otool" from the command line. Possibilities of binary malwares Malwares may work properly on Mac OS X if they are re-compiled for the OS. Apple has released a GNU C++ compiler and linker, GCC, for Mac OS X. If a user installs developer tools from Apple, the user can compile numerous source codes such as GNU software. So, only three commands are required: configure make make install This is the same as on other UNIX and, therefore, provides another possibility for binary malwares to work on Mac OS X. If someone inserts a malicious code into the source and the user downloads and compiles it on Mac OS X, it is likely to work properly on the OS. We can remember the case when a trojan code was inserted into OpenSSH (for more information on this, see http://www.cert.org/advisories/CA-2002-24.html). Script There are three types of script malwares: shell, perl, and PHP script. Shell script The default shell on Mac OS X is tcsh and it is based on C shell. As other common UNIX tools, B shell is ported as /bin/sh. Therefore, common shell script can run on Mac OS X. As I mentioned above, many common UNIX tools are ported, even the "shutdown" command, but not all. If the shell script uses a command that is not ported on the OS, the script cannot run properly. Perl script Perl is also installed as /usr/bin/perl or /usr/bin/perl5.6.0. Perl script can work properly with the correct path and permission. PHP script PHP is a widely used server side script and it is not enabled by default on the OS. However the component is installed and only requires modifying a /etc/httpd.conf file. Script malwares Viruses Simple viruses, such as UNIX.Gobleen and UNIX.Gift, work easily. search target open target insert virus or overwrite by virus write target close target search again No special techniques or approaches are applied that are of interest to us. The "mail" command Some malwares use the "mail" command to spread or to send information from an infected system to a hacker, such as UNIX.Penguin, UNIX.LoveLetter, and UNIX.Psite. However, these do not work properly on Mac OS X. The "mail" command exists but it cannot be run by default. To use the mail command on Terminal, the Sendmail configuration needs to be modified (you know it is very difficult!). Therefore, we do not need to consider these malware types. Malware for specific environments UNIX.Abuser is an exploit of game on Linux. UNIX.Bash drops ELF for Linux. UNIX.Capdrop drops the C source code and compiles it on an infected system. The source code needs to be compiled on Linux. Many PHP malwares (but not all) contain fixed strings like "C:\Windows". Of course they only affect Windows. UNIX.Psite needs X Window System but Mac OS X does not have it by default. These malwares do all not work on Mac OS X. Trojans Mac OS X uses NetInfo for managing user and group accounts, email configurations, NFS, printers, computers, and other resources. This is almost the same concept as Active Directory or NIS and it is the one significant difference from other UNIX. Using some of these resources requires using NetInfo manager or NetInfo tools from the command line. Some trojans attempt to add new services for hackers. Some files require being modified the same as other UNIX instead of using NetInfo. /etc/inetd.conf /etc/services /etc/hosts Conclusion Fortunately, almost all malwares for UNIX are Zoo and are rarely found, even if we want to. In addition, not many UNIX malwares can work on Mac OS X. The OS has inherited "Stability and Power" from UNIX, as Apple has said themselves. On the other hand, the OS has also taken over negative characteristics from UNIX. They are; -Securities are difficult to manage for the user -The same malwares may work as on other UNIX Obviously, we need to be more wary in terms of security issues on this OS than on Mac OS 9 or earlier.     Contacts and Subscriptions: Correspondence by email to: securitynews@symantec.com, no unsubscribe or support emails please. Follow this link to subscribe or unsubscribe http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html Send virus samples to: avsubmit@symantec.com Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit. Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.