Security Response

A new variant in the family of worms Symantec calls "Pykspa" - W32.Pykspa.D- is targeting Skype Instant Messenger. It spreads by using Skype'schat function, sending a message to contacts containing a link to whatappears to be a harmless .jpeg file, but if clicked on actuallydownloads and runs a copy of the worm on the user's computer. In anattempt to mask this innocuous activity the worm displays a legitimateWindows image (if it exists on the victim's machine), the bitmap fileSoap Bubbles.bmp, contained by default in the Windows installationdirectory. So if you saw the below image recently after clicking on alink contained in a Skype message from someone, chances are yourmachine is infected.

...

One of our team members received anunsolicited but interesting email recently confirming his new accountat a certain website, and containing the login username and password.The email was addressed to him personally using his full name soundoubtedly his details were mined from somewhere on the Internet.

Using a secure computer he investigated by going first to the rootdirectory of the domain in the email, and found that it appeared to bea legitimate site. However upon then moving to the directory which waspart of the login URL contained in the email, he discovered exploitcode targeting the Microsoft Windows Media Player Plugin BufferOverflow Vulnerability (BID 16644).

The page contains shell code that downloads and runs an executable filewhich in turn drops other malware onto the computer. This malware isinjected into the explorer.exe process and scans all directories...

A vulnerability has been discovered in theway the Windows Client/Server Runtime Server Subsystem (CSRSS)processes a type of system message referred to as the HardErrormessage, reportedly allowing a logged on user to execute arbitrary codein the CSRSS.EXE process and elevate their privileges to SYSTEM level.The vulnerable code is present in the new Vista operating system, aswell as Windows 2000, XP and 2003.

When certain events occur within the operating system, a HardErrormessage is sent to CSRSS containing the caption and text of a messagebox to be displayed in order to notify the user of a critical systemerror. The HardError message is handled by a function in WINSRV.DLLwhich returns pointers to the caption and text of the message box. Ifthe caption or text parameters are prefixed with certain characters,the function erroneously frees the buffer holding the text and returnsa pointer to freed memory. After the message box is closed by the user,the same...