Symantec Security Response

ISSN 1444-9994

September 2001 Newsletter

These are the most common Viruses, Trojans and Worms reported to Symantec Security Response during the last month.

Top Global Threats
W32.Sircam.Worm@mm
W95.Hybris.Worm
W32.Magistr.24876@mm
VBS.Haptime.A@mm
Wscript.KakWorm
Trojan.VirtualRoot
W95.MTX
Trojan.JS.Clid.gen
JS.Exception.Exploit
W32.HLLW.Bymer


Americas
W32.Sircam.Worm@mm
W95.Hybris.Worm
W32.Magistr.24876@mm
VBS.Haptime.A@mm
Wscript.KakWorm
W95.SoFunny.Worm@m
W32.Annoying.Worm
Trojan.JS.Clid.gen
W32.HLLW.Bymer
W32.HLLW.Hai


Asia Pacific
W32.Sircam.Worm@mm
W95.Hybris
W32.Magistr.24876@mm
VBS.Haptime.A@mm
W95.MTX
Trojan.VirtualRoot
W32.HLLW.Bymer
Trojan.JS.Clid.gen
Wscript.KakWorm
JS.Exception.Exploit


Europe, Middle East and Africa
W32.Sircam.Worm@mm
W95.Hybris.Worm
W32.Magistr.24876@mm
VBS.Haptime.A@mm
W95.MTX
Trojan.VirtualRoot
JS.Exception.Exploit
JS.Seeker
Trojan.JS.Clid.gen
Wscript.KakWorm


Japan
W95.Hybris
W32.Sircam.Worm@mm
Trojan.VirtualRoot
W95.MTX
W32.Magistr.24876@mm
Trojan.JS.Clid.gen
JS.Exception.Exploit
W32.HLLW.Bymer
VBS.Haptime.A@mm
Backdoor Trojan


View the Expanded Threat List here

Removal Tools for malicious code are on our web site

A list of Virus Hoaxes reported to Symantec

A list of Joke Programs reported to Symantec.

Glossary for definitions of viruses, Trojans and worms and more.


Welcome to the newly named Symantec Security Response Newsletter. Symantec recently announced the merger of its research and technical support centers into one body, Symantec Security Response. To learn more about Symantec Security Response, please click here to read the press release.

The newsletter has a new name and look to reflect this merger, and the publication will now cover Internet security threats, exploits and vulnerabilities as well as viruses, Trojans and worms. We have added a new section to the Newsletter covering Security Advisories and will add other relevant sections as needed. This month Leigh Costin writes about wireless security issues in an article titled Drive by Hacking.

To find out about the latest Internet security threats, go to http://securityresponse.symantec.com. Don't worry, if you already have SARC's old URL bookmarked, it will automatically redirect to the new site.

David Banes.
Editor,
securitynews@symantec.com
 
Viruses, Worms & Trojans
W32.BlueCode.Worm

Low [2]

Win32

At this time, Symantec Security Response has not received any reports of this worm being "in the wild" (actual infections).

W32.BlueCode.Worm is a worm that uses the known IIS Web Directory Traversal exploit. Information and a patch for this exploit are located at http://www.Microsoft.com/technet/security/bulletin/ms00-078.asp. Systems that have been patched are not affected.
http://securityresponse.symantec.com/avcenter/venc/data/w32.bluecode.worm.html

Eric Chien

Symantec Security Response, EMEA
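The entry above says W32.BlueCode.Worm spreads through the IIS Web Directory Traversal exploit and that patched systems are not affected. Beyond patching, an administrator will want to know whether traversal requests have been hitting a server. The following detector is an added example, not code from Symantec or from the worm write-up: it parses IIS W3C extended log lines (the sample lines are constructed for this example) and flags any request whose percent-decoded path steps above the web root. It handles single and double percent-encoding; the malformed encodings that the unpatched server accepted are not reconstructed by Python's `unquote`, so a production detector must canonicalize the way the server itself does.

```python
from urllib.parse import unquote

# Constructed sample lines in the IIS W3C extended log layout used here
# (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status); they are
# made up for this example and are not real server logs.
SAMPLE_LOG = """\
2001-09-04 10:12:01 192.0.2.10 GET /default.htm - 200
2001-09-04 10:12:05 192.0.2.44 GET /scripts/..%2f..%2fwinnt/win.ini - 200
2001-09-04 10:12:09 192.0.2.44 GET /scripts/..%252f..%252fwinnt/win.ini - 200
2001-09-04 10:12:11 198.51.100.7 GET /images/../default.htm - 200
2001-09-04 10:12:20 198.51.100.7 GET /images/logo.gif - 304
"""

MAX_DECODE_ROUNDS = 3  # double-encoded requests need a second pass


def decode_fully(uri: str) -> str:
    """Percent-decode repeatedly until the text stops changing (bounded)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def escapes_web_root(uri: str) -> bool:
    """True when the decoded path steps above the web root at any point.

    Both '/' and '\\' count as separators because IIS accepts either.
    A '..' that only climbs back inside the root (e.g. /images/../x.htm)
    is not reported, so ordinary relative links do not create noise.
    """
    path = decode_fully(uri).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def parse_log_line(line: str):
    """Split one log line into a dict; returns None for comment or short lines."""
    if line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    date, time, client, method, stem, query, status = fields[:7]
    return {"time": f"{date} {time}", "client": client, "method": method,
            "uri": stem, "query": query, "status": int(status)}


def find_traversal_attempts(log_text: str) -> list:
    """Return the parsed records whose request path escapes the web root."""
    hits = []
    for line in log_text.splitlines():
        record = parse_log_line(line)
        if record and escapes_web_root(record["uri"]):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['uri']} -> HTTP {hit['status']}")
```

A 200 status on a flagged line means the server served the request and deserves immediate attention; a 404 still shows that someone is probing. Run it over the real log directory rather than the embedded sample to use it for anything beyond illustration.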
 
W32.Apost.Worm@mm

Moderate [3]

Win32

Symantec has received a substantial number of submissions since September 3, 2001 for this worm, formerly known as W32.Urgent.worm@mm. Therefore, Symantec has upgraded the threat level from 2 to 3. We have added detection since its original discovery and certified defs will be posted on September 4, 2001.

This worm is a Visual Basic Application that arrives as a readme.exe attachment to an e-mail. This worm requires Microsoft Visual Basic Runtime Libraries to replicate.

The body of the e-mail asks you to review the attachment, but once it is viewed the worm activates, hooks your system's activation routines and then spreads itself to all persons in your address book.
http://securityresponse.symantec.com/avcenter/venc/data/w32.apost.worm@mm.html

Atli Gudmundsson
Symantec Security Response, EMEA
 
W32.Magistr.39921@mm

Moderate [3]

Win32

Due to an increased number of submissions, Symantec has upgraded this virus to a Category 3 rating on 9/6/2001.
Here is a list of the additional features and behavioral differences between W32.Magistr.39921@mm and W32.Magistr.24876@mm:

  • Aware of Eudora address books (listed in eudora.ini.)
  • Deletes *.NTZ while searching for files.
  • Terminates ZoneAlarm before connecting to the Internet.
  • Adds entry in the Shell=explore.exe entry in the Boot section of system.ini calling the W32.Magistr.Trojan.
  • Searches for more "Windows" directories (WINNT, WINDOWS, WIN95, WIN98, WINME, WIN2000, WIN2K, WINXP.)
  • Mail attachment has a random extension (exe, bat, pif, com.)
  • Occasionally attaches .gifs to emails.
  • W32.Magistr.Trojan payload overwrites ntldr and win.com on all drives with code to store garbage in the first sector of the first IDE hard disk.

http://securityresponse.symantec.com/avcenter/venc/data/w32.magistr.39921@mm.html

Peter Ferrie
Symantec Security Response, APAC
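One of the behavioural differences listed above is an entry added to the Shell= line in the Boot section of system.ini, which is how the W32.Magistr.Trojan payload gets launched. On a stock Windows 9x/Me install that line names only the shell. The following check is an added example written for this newsletter, not a Symantec tool: it reads the [boot] section of a system.ini and reports a Shell= line that names anything besides the expected shell, so it catches this family of change without relying on the name of any particular file. The sample file contents are constructed, and the appended program name is a hypothetical placeholder.

```python
import configparser

# Constructed system.ini contents (made up for this example, not taken from
# a real machine). The appended program name is a hypothetical placeholder.
CLEAN_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
mouse.drv=mouse.drv

[386Enh]
device=*vpowerd
"""

MODIFIED_SYSTEM_INI = """\
[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\placeholder_trojan.exe
mouse.drv=mouse.drv
"""

EXPECTED_SHELL = "explorer.exe"  # the only program that belongs on a stock shell= line


def read_boot_shell(ini_text: str) -> str:
    """Return the raw shell= value from the [boot] section ('' if absent)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.read_string(ini_text)
    for section in parser.sections():
        if section.lower() == "boot":   # INI section names are case-insensitive
            return parser.get(section, "shell", fallback="")
    return ""


def check_boot_shell(ini_text: str) -> dict:
    """Flag a shell= line that names anything besides the expected shell.

    A missing or empty shell= line is also reported, since a machine that
    no longer boots to the shell is worth a look as well.
    """
    raw = read_boot_shell(ini_text)
    programs = raw.split()
    primary = programs[0].lower() if programs else ""
    # keep only the file name in case the shell is given with a full path
    primary_name = primary.replace("\\", "/").rsplit("/", 1)[-1]
    extras = programs[1:]
    suspicious = primary_name != EXPECTED_SHELL or bool(extras)
    return {"shell": raw, "extra_programs": extras, "suspicious": suspicious}


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_SYSTEM_INI), ("modified", MODIFIED_SYSTEM_INI)):
        result = check_boot_shell(text)
        print(f"{label}: shell={result['shell']!r} suspicious={result['suspicious']}")
```

To use it on a host, read the real C:\WINDOWS\SYSTEM.INI into a string and pass it to check_boot_shell; any entry in extra_programs should be identified before the machine is rebooted, since a changed Shell= line runs at every start.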

 
Trojan.Zeraf

Low [2]

Win32

Trojan.Zeraf is a destructive Trojan horse that deletes critical system files. If it has executed, you will no longer be able to run Windows.

This Trojan is programmed in Delphi and distributed as a UPX-packed, self-extracting RAR archive. (UPX is a runtime compressor for Windows executable files).

When the Trojan is run, it inserts the actual Trojan executable on the hard disk as C:\Zeraful\Zeraful.exe and then executes that file.

While counting up to 100%, the destructive payload activates. It attempts to delete files, including many from the Windows directory; for more information read the full description on our web site.

http://securityresponse.symantec.com/avcenter/venc/data/Trojan.zeraf.html
Andre Post
Symantec Security Response, EMEA

 
Security Advisories

This new section of the Security Response Newsletter will contain current and newly discovered security advisories.

 
Enterprise Security News Clips
VISIT THE SYMANTEC ENTERPRISE SECURITY WEB SITE
http://enterprisesecurity.symantec.com/

Recent Enterprise Security News headlines include:

Code Red Computer Worm Cost Set at $ 2.6 Billion;
The Houston Chronicle
http://enterprisesecurity.symantec.com/content.cfm?articleid=852

Privacy During Downtime - Panel to Make Rules on Tracking Surfing Habits of Court Workers;
The San Francisco Chronicle
http://enterprisesecurity.symantec.com/content.cfm?articleid=850

British E-Business Warned of Stifling Risks by Cybercrimes;
Xinhua General News Service
http://enterprisesecurity.symantec.com/content.cfm?articleid=848

Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
 
Vulnerability & Exploit News
Drive by hacking - How secure is Wireless Networking?  
In a recent story, hackers are reputed to have driven by the corporate headquarters of a major supplier of wireless networking equipment and connected to the network using a laptop and a PCMCIA Wireless card. No real claims of what was accessed or stolen were made or verified.

There has been much discussion about the level of security offered by the Wireless Networking standard 802.11b also known as Wi-Fi. Most has centered on the encryption standard used and how it is implemented.

How does this affect the real world usage of Wi-Fi technology?

The three key areas of Wi-Fi usage are:

Home use; where a small home network of 2-5 systems is connected to share expensive resources such as high speed Internet access, or servers or printers.

Small business; where premises might be temporary, or the location might be too expensive to cable up.

Corporate use; where Wi-Fi is an extension of the main corporate network into work areas that are difficult or impractical to cable. Often used where mobility is required, such as in hospital wards and warehouses.

Looking at each scenario from the viewpoint of risk, what is at risk for each user? For the home user, your neighbour could connect to your home wireless network and hijack your cable connection, but it is extremely unlikely. They may get access to shared files and data, but that would depend on the level of security you have, and the systems you use. The lower level of Microsoft networking that is likely to be used, for example Windows 98 file sharing, makes this a possibility, if a remote one. Overall the level of risk can be assumed to be low to moderate.

Small business, on the other hand, could have a range of networks from the Windows 98 file sharing level up to Windows NT/2000 or Novell NetWare. The more secure the server operating system is the less risk of data being stolen, provided the data is stored on the server. If the Wi-Fi is compromised, what could be introduced to the network are the various Trojans and viruses that are prevalent on the Internet. In this case the impact would be the same as unregulated access to the Internet.

The degree of risk is similar to having no firewall, and not patching vulnerable systems, something that small business struggles to implement and manage. For this level of business, the degree of risk can be rated as moderate.

If, however, you have something that someone really wants to steal, and they are likely to know where you are, then the risk should be rated as high.

Use of Wi-Fi in major corporations provides an additional level of risk. If compromised, then the attacker has achieved one of the key levels of penetration of the network. They are now through the firewall, an entity on the LAN, and have the ability to test the more fundamental aspects of the corporate IT security. Systems with vulnerabilities that aren't patched, passwords and logins that are too obvious, applications that send passwords in clear text all provide means to elevate their access rights. The IT and security personnel would now be relying on their Intrusion Detection systems to be able to defend or trace any hostile actions by an intruder inside the network. The risk associated with all this should be rated as high, to extremely high.

So how do we minimise the risk associated with Wi-Fi?

The first risk to look at is: Do You Care? In the home user scenario, history shows that not a lot of people understand that their privacy is at risk. If a secure system costs more, or is harder to setup, fewer home users will implement it. After all, I don't keep anything really secret on my home computer, right?

The next risk is in the level of technology used. Wi-Fi can use encryption to secure all traffic from the client to the base station; this forms part of the Wired Equivalent Privacy, or WEP, standard. The base station can be configured to use an authentication key that is stored and transmitted when a client wants to connect to it. The base station can also be configured to only accept connections from a set range of IP addresses. The initial round of Wi-Fi products used what is now deemed to be low level encryption of 40 bits in length. At the current technology level, this can be broken by a single computer in a relatively short period of time - minutes in fact. In addition, fixed keys were used by some early Wi-Fi solutions, so that if someone bought an identical card they could gain access to someone else's network.

The current Wi-Fi offerings use a higher level of encryption based on 128 bit key length, and planned future solutions are offering higher levels. This broadens the options for the security conscious Wi-Fi buyer.

For corporate users, the option of using Virtual Private Networking should be considered. This would provide a strong encryption tunnel over the Wi-Fi connection, securing the traffic from external analysis. A personal firewall would provide additional security for the client operating system. The network should also be enhanced by adding a firewall between the wireless network and the corporate LAN.

The third risk is the use of default settings for anything associated with Wi-Fi. All the products have default settings, and using them exposes the network to compromise. With current offerings, the ability to change the authentication key is not always easy, and this leads to users choosing the defaults. It would require the attacker to know what hardware was being used by the target network, but this is not impossible to find out: the list of defaults can be guaranteed to be posted on a web site somewhere, and the attacker could work through the list until they get a suitable response.

Is Wi-Fi a viable solution for use in the home and in business?
The answer is yes, but.

The Wi-Fi user needs to be aware of the security options offered for the solutions they choose. They need to avoid using default settings for authentication keys and IP address ranges. Corporate users need to be set up to use additional security applications such as Personal Firewalls and VPNs if this is at all practical. All Wi-Fi users need to keep strict control of the client interface card, particularly PCMCIA cards for laptops. Once they are lost, the network can be assumed to be compromised, as the card holds most, if not all, of the information necessary to gain access to the Wi-Fi network.

Wi-Fi is a very useful technology for a large number of portable network solutions. Its convenience outweighs its risks for many users. But let's not forget to maintain the level of security appropriate for the functions we run over the network.

Best Practices for Wi-Fi LANs
· Avoid using the default settings, particularly for authentication
· Install a personal firewall on all Wi-Fi clients
· Use Virtual Private Network solutions [IPSec standard] or SSH for Corporate implementations on top of Wi-Fi and in preference to WEP.
· Isolate the Wi-Fi network by placing a firewall between it and the corporate network
· Treat Wi-Fi interface cards as security devices, particularly any PCMCIA units.

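The article's points on default settings and its best-practice list above come down to a handful of settings an administrator can check on each access point. The script below is an added example written for this newsletter, not a Symantec product or any vendor's tool: it parses a simple key=value configuration dump and scores it against the checklist (default network name and key, WEP disabled or only a 40-bit key, no client address restriction, and for corporate use no VPN, no firewall between the wireless segment and the LAN, and no personal firewall on clients). The configuration format, the key names and the "factory default" values are assumptions made for the example; the two sample configurations are constructed.

```python
# Constructed access-point configuration dumps in a simple key=value layout.
# The layout, the key names and the "factory default" values below are
# assumptions made for this example; they are not any vendor's real settings.
HOME_AP = """\
ssid=default
wep_enabled=yes
wep_key_bits=40
wep_key=0000000000
allowed_client_ips=any
"""

CORPORATE_AP = """\
ssid=ward3-wlan
wep_enabled=yes
wep_key_bits=128
wep_key=0123456789abcdef0123456789
allowed_client_ips=10.20.30.0/24
vpn_required=yes
firewalled_from_lan=yes
client_personal_firewall=no
"""

ASSUMED_DEFAULT_SSIDS = {"default", "wireless", "wlan"}          # assumption
ASSUMED_DEFAULT_KEYS = {"0000000000", "1111111111", "1234567890"}  # assumption
SEVERITY_ORDER = {"low": 1, "moderate": 2, "high": 3}


def parse_config(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip().lower()] = value.strip()
    return config


def audit_access_point(config: dict, corporate: bool = False) -> list:
    """Return (severity, message) findings against the checklist above."""
    findings = []
    if config.get("ssid", "").lower() in ASSUMED_DEFAULT_SSIDS:
        findings.append(("high", "network name still at factory default"))
    if config.get("wep_enabled", "no").lower() != "yes":
        findings.append(("high", "link encryption disabled"))
    else:
        if config.get("wep_key", "") in ASSUMED_DEFAULT_KEYS:
            findings.append(("high", "authentication key still at factory default"))
        if int(config.get("wep_key_bits", "0")) < 128:
            findings.append(("moderate", "short (40-bit class) WEP key"))
    if config.get("allowed_client_ips", "any").lower() == "any":
        findings.append(("low", "no restriction on client IP address range"))
    if corporate:  # the extra controls the article asks of corporate users
        if config.get("vpn_required", "no").lower() != "yes":
            findings.append(("high", "no VPN tunnel over the wireless link"))
        if config.get("firewalled_from_lan", "no").lower() != "yes":
            findings.append(("high", "wireless segment not firewalled from the corporate LAN"))
        if config.get("client_personal_firewall", "no").lower() != "yes":
            findings.append(("moderate", "clients lack a personal firewall"))
    return findings


def overall_risk(findings: list) -> str:
    """Worst severity present, or 'acceptable' when there are no findings."""
    if not findings:
        return "acceptable"
    return max((severity for severity, _ in findings), key=SEVERITY_ORDER.__getitem__)


if __name__ == "__main__":
    for label, text, corporate in (("home", HOME_AP, False), ("corporate", CORPORATE_AP, True)):
        findings = audit_access_point(parse_config(text), corporate=corporate)
        print(f"{label}: {overall_risk(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The default-value sets are the part to maintain: replace the assumed entries with the factory values of the equipment actually deployed, since a check against the wrong product's defaults gives a false sense of safety.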
Leigh Costin
Product Manager
Enterprise Security Appliances
Symantec Asia Pacific.
 
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com, no unsubscribe or support emails please. Follow this link to subscribe or unsubscribe http://securityresponse.symantec.com/avcenter/newsletter.html Send virus samples to: avsubmit@symantec.com
This is a Symantec Corporation publication; use of it requires permission in advance from Symantec. All information contained in this newsletter is accurate and valid as of the date of issue. Copyright © 1996-2001 Symantec Corporation. All rights reserved.