I seem to be getting more and more spam, or junk mail, in my personal inbox, so much in fact that I may have to
stop using my favourite email address that I set up when I first arrived in Australia. This is a shame, because
it's very hard to get 'real' email addresses now; my name seems to have been used on all the free services and
at my local major ISPs. I did manage to get my own domain name so I suppose I'll have to resort to 'me@my domain
name dot com'. (This is an anti-spam technique: never use the actual email address in public communications,
just describe it.) Symantec's Enterprise Firewall has some anti-spam features built in; there's a list here.
I've been asked to give our Enterprise customers one last reminder that virus definition file names have changed/are
changing and to check the Symantec Support website for details. Consumer products and LiveUpdate are not affected.
David Banes.
Editor, securitynews@symantec.com
Viruses, Worms & Trojans

W32.Frethem@mm
Moderate Threat [3]
Platform: Win32

Global Infection breakdown by geographic region (% of Total)
America (North & South): 16.6%
EMEA (Europe, Middle East, Africa): 73.6%
Japan: 7.9%
Asia Pacific: 1.9%

Reports by date (% of reports)
13 Jul: 0.1%
14 Jul: 0.1%
14 Jul: 0.5%
15 Jul: 28.0%
16 Jul: 37.2%
17 Jul: 13.2%
18 Jul: 9.3%
19 Jul: 6.0%
20 Jul: 2.8%
21 Jul: 2.0%

W32.Frethem.K@mm is a worm, and is a variant of W32.Frethem.B@mm. It uses its own SMTP engine to send itself to
email addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files.
The email message arrives with the following characteristics:
Subject: Re: Your password!
Attachments: Decrypt-password.exe and Password.txt
There are many variants of this worm; please check the Symantec web site for more details.
Removal tool
Symantec has provided a tool to remove infections of W32.Frethem@mm. Click here to obtain the tool.
This is the easiest way to remove these threats and should be tried first.
http://www.sarc.com/avcenter/venc/data/w32.frethem.k@mm.html
Douglas Knowles
Symantec Security Response, USA
W32.Yaha.F@mm
Low Threat [2]
Platform: Win32

Global Infection breakdown by geographic region (% of Total)
America (North & South): 8.8%
EMEA (Europe, Middle East, Africa): 89.4%
Japan: 0.6%
Asia Pacific: 1.2%

Reports by date (% of reports)
1 Jun: 0.3%
13 Jun: 1.2%
20 Jun: 3.4%
23 Jun: 8.7%
24 Jun: 12.4%
25 Jun: 11.8%
26 Jun: 12.0%
27 Jun: 10.2%
28 Jun: 8.3%
29 Jun: 6.3%

W32.Yaha.F@mm is a mass-mailing worm that sends itself to all email addresses that exist in the Microsoft Windows
Address Book, the MSN Messenger List, the Yahoo Pager list, the ICQ list, and files that have extensions that contain
the letters ht. The worm randomly chooses the subject and body of the email message. The attachment will have a
.bat, .pif or .scr file extension. Depending upon the name of the Recycled folder, the worm either copies itself
to that folder or to the %Windows% folder.
The name of the file that the worm creates consists of four randomly generated characters between the letters c
and y.
It also attempts to terminate antivirus and firewall processes.
http://www.symantec.com/avcenter/venc/data/w32.yaha.f@mm.html
Douglas Knowles
Symantec Security Response, USA
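The two write-ups above give a mail gateway something concrete to match on: Frethem.K's fixed subject and attachment names, and Yaha.F's .bat/.pif/.scr attachments. The following is an added example, not Symantec's code, of a classifier that applies exactly those indicators to a raw RFC 822 message; the sample messages it builds are constructed for the demonstration, and the verdict strings are this example's own.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted from the two write-ups above: the fixed subject and
# attachment names of W32.Frethem.K@mm, and the attachment extensions that
# W32.Yaha.F@mm uses (its subject and body are random, so only the
# attachment type is usable as an indicator).
FRETHEM_SUBJECT = "re: your password!"
FRETHEM_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
YAHA_EXTENSIONS = (".bat", ".pif", ".scr")

def attachment_names(msg):
    """Lower-cased file names of every attachment part in the message."""
    return [(part.get_filename() or "").lower()
            for part in msg.iter_attachments()]

def classify(raw_message):
    """Classify one raw RFC 822 message; returns (verdict, reason)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    names = attachment_names(msg)
    # Frethem.K: the subject is fixed and either attachment name is enough.
    if subject == FRETHEM_SUBJECT and FRETHEM_ATTACHMENTS & set(names):
        return "quarantine", "W32.Frethem.K@mm message pattern"
    # Yaha.F: match on the attachment extension, whatever the subject says.
    for name in names:
        if name.endswith(YAHA_EXTENSIONS):
            return "quarantine", f"executable attachment {name}"
    return "deliver", "no mass-mailer indicators"

def build_sample(subject, attachments):
    """Construct a sample message (made up for this example, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("constructed body text")
    for name in attachments:
        msg.add_attachment(b"constructed payload bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    samples = [("Re: Your password!", ["Decrypt-password.exe", "Password.txt"]),
               ("hi", ["photo.scr"]),
               ("report", ["notes.txt"])]
    for subj, files in samples:
        print(subj, files, "->", classify(build_sample(subj, files)))
```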
VBS.Bajar.B@mm
Low Threat [2]
Platform: Script

VBS.Bajar.B@mm is the VBS script that is dropped by W32.Bajar.B@mm. The script will attempt to send the W32.Bajar.B@mm
executable to all recipients in the Outlook Address Book. The e-mail message will have the following characteristics:
Subject: Nuevo programa para bajar musica gratis (Translation: New program to download music for free.)
Attachment: [W32.Bajar.B@mm File Name]
The script also deletes the following system files:
C:\Windows\System\Wsock32.dll
C:\Windows\Rundll32.exe
C:\Windows\Rundll.exe
http://www.symantec.com/avcenter/venc/data/vbs.bajar.b@mm.html
Maryl Magee
Symantec Security Response, USA
FreeBSD.Scalper.Worm
Low Threat [2]
Platform: FreeBSD

This worm uses the Apache HTTP Server chunk encoding stack overflow vulnerability to spread itself. Currently it
has only been confirmed that this worm works on the FreeBSD platform. FreeBSD is an advanced operating system for
Intel ia32 compatible, DEC Alpha, and PC-98 architectures. It is derived from BSD UNIX, the version of UNIX developed
at the University of California, Berkeley. It is developed and maintained by a large team of individuals.
This worm has received some media coverage but we believe it is currently not prevalent in the wild. So far, we
have not received any customer reports of this worm. For information regarding the vulnerability, please click
here.
http://www.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
Peter Szor and Douglas Knowles
Symantec Security Response, USA

Security Advisories

Apache HTTP Server chunk encoding stack overflow
High [4]
Platform: Multiple

Apache HTTP Server contains a vulnerability in the handling of certain chunk-encoded HTTP
requests that may allow remote attackers to execute arbitrary code or cause a denial of service (DoS).
Chunked encoding permits the transfer of fragments of dynamically produced content of varying sizes by including
a size indicator as well as information for the recipient to verify receipt of the complete message.
For Apache versions 1.2.2 through 1.3.24, this vulnerability may allow remote attackers to execute arbitrary code
on Windows platforms. In addition, Apache has reported that a similar attack may allow the execution of arbitrary
code on both 32-bit and 64-bit UNIX-based systems.
For Apache versions 2.0 through 2.0.36, the buffer overflow condition is correctly detected; however, an attempted
exploit may cause the child process to exit, depending on a variety of factors, including the threading model supported
by the vulnerable system. If multi-threading is used, this may lead to a denial of service against the Apache
Web server, because all concurrent requests currently served by the affected child process will be lost.
Multi-threading is a technique that allows an independent program to perform more than one task at seemingly the
same time. For example, a program that loads a data file while also reading user input is said to have two computational
units and is therefore multi-threaded.
This vulnerability affects Apache Web server versions that run on many of the various Windows, BSD, Linux, and
UNIX releases. Users are encouraged to contact their vendor to determine whether they are affected and to acquire
appropriate fixes.
References
Source: CERT CA-2002-17
URL: http://www.cert.org//advisories/CA-2002-17.html
Source: Apache 20020617
URL: http://httpd.apache.org/info/security_bulletin_20020617.txt
Source: CVE CAN-2002-0392
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
Source: Security Focus.com BID 5033
URL: http://online.securityfocus.com/bid/5033
Source: Red Hat RHSA-2002-103-13
URL: http://rhn.redhat.com/errata/RHSA-2002-103.html
More information and recommendations are available from the following page.
http://www.symantec.com/avcenter/security/Content/2049.html

Microsoft IIS HTR Chunked Encoding heap overflow allows arbitrary code
High [4]
Platform: Windows

There is another heap overflow condition in the Chunked Encoding data transfer mechanism
of Internet Information Server 4.0 and Internet Information Services 5.0. Although similar to a previous heap overflow
MS02-018, this vulnerability is in the Internet Services Application Programming Interface (ISAPI) extension that
implements HTR. The previous heap overflow vulnerability lay in the ISAPI extension that implemented Active Server
Pages (ASP).
Chunked encoding is a process that allows a client to submit a variable-sized quantity of data to a web server,
called a chunk. The web server can then receive and process this data.
An attacker could send a specially chosen request to an affected web server to either disrupt web services or gain
the ability to run a program on the server. Such a program would run with full system privileges in IIS 4.0. Exploiting
IIS 5.0 would give the attacker fewer but nevertheless significant privileges. In either case, the attacker could
overflow the heap with random data to corrupt program code and cause the IIS service to fail, preventing its use
by legitimate users, or change the operation of the server. Specifically, he could overflow the heap
and then overwrite a section of the heap on the server with new program code, revising the functionality of the
server software. The attacker could overwrite static global variables, stored function pointers, process management
structures, memory management structures, or any number of data types that will allow him to gain control of the
target application in one session.
Mitigating factors that affect the overall impact of successful exploitation of this vulnerability include:
Systems on which HTR is disabled are not at risk from this vulnerability.
Microsoft has released an IIS Lockdown tool that disables HTR by default.
Microsoft has released a URLScan tool that provides a means of blocking chunked encoding transfer requests by default.
References
Source: Microsoft MS02-028
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-028.asp
Source: CVE CAN-2002-0364
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0364
Source: Security Focus.com BID 4855
URL: http://online.securityfocus.com/bid/4855/info/
More information and recommendations are available from the following page.
http://www.symantec.com/avcenter/security/Content/2033.html

MSN Chat Control buffer overflow allows remote code execution
High [4]
Platform: Windows

The Microsoft MSN Chat Control input parameter handling functionality contains an unchecked buffer that can allow
remote code execution.
The MSN Chat Control is an ActiveX control that adds real-time chat functionality to Microsoft's Messenger applications.
A buffer overflow condition exists in one of the functions in Chat Control that handles input. Due to a lack of
proper parameter checking, a remote attacker may be able to exploit this buffer overflow to run arbitrary code
on the targeted system with user-level privileges.
The following factors mitigate this vulnerability:
MSN Chat Control, MSN Messenger, or Microsoft Exchange Instant Messenger must be installed on the system for the
system to be affected by this vulnerability.
Neither Windows nor Internet Explorer contain MSN Chat Control by default. It must be downloaded and installed
on a user's system.
MSN Messenger does come with Windows XP; however, users would only be vulnerable if they choose to install the
MSN Chat Control, which does not ship by default.
Exploiting this vulnerability through an HTML email attack is effectively blocked by Outlook 98 and Outlook 2000
with the Outlook Express Security Update applied, Outlook 2002, and Outlook Express 6.0. These products all open
HTML email in the Restricted Sites zone, which does not allow scripting of ActiveX controls.
References
Source: Microsoft TechNet
URL: http://www.microsoft.com/technet/security/bulletin/MS02-022.asp
Source: CVE Candidate CAN-2002-0155
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0155
Source: eEye Digital Security Advisory AD20020508
URL: http://www.eeye.com/html/Research/Advisories/AD20020508.html
More information and recommendations are available from the following page.
http://www.symantec.com/avcenter/security/Content/1943.html

Security News

Does creating an "!0000" or other "trick" address book entry prevent the spread of viruses?

Messages that claim that you can prevent the spread of email worms and Trojans by adding a special "trick"
entry as the first contact in your email address book appear fairly frequently. Among the "names" that
they suggest you add to your address book are:
!0000
AAAAAA
The usual claim is that this will, in one way or another, stop the threat from spreading. While these are, in the
strictest definition of the word, not hoaxes (although the AAAAA version, with its recommendation to "Pass
this on to all your friends", is close), like hoaxes they should be ignored and not forwarded.
The following are two versions of these email messages, followed by Symantec Security Response recommendations.
The !0000 letter:
Who among us doesn't know someone who has experienced the embarrassment of unknowingly spreading a computer virus
via their email address book? It's time to STOP this from happening by TAKING CONTROL of your email program!
For those who are unaware, many computer viruses spread themselves by sending themselves to everyone in your address
book. Imagine how you would feel if you were unknowingly infected with a computer virus, and worse yet, your friends,
family, and business contacts were being targeted by your computer! Well, if you want to avoid this sort of thing,
here's a great tip:
This tip won't prevent YOU from getting any viruses (you have to scan those attachments yourself before opening
them to do that), but it will stop those viruses from latching onto your address book and sending itself out to
others.
To avoid spreading computer viruses, create a contact in your email address book with the name:
!0000, with no email address in the details.
This contact will then show up as your first contact. If a virus attempts to do a "send all" on your
contact list, your pc will put up an error message saying that: "The Message could not be sent. One or more
recipients do not have an e-mail address. Please check your Address Book and make sure
all the recipients have a valid e-mail address."
You click on OK and the offending (virus) message would not have been sent to anyone. Of course no changes have
been made to your original contacts list. The offending (virus) message may then be automatically stored in your
"Drafts" or "Outbox" folder. Go in there and delete the offending message. Problem is solved
and virus is not spread.
The AAAAA letter:
Subj: Protect your address book
<< Some of you might already know about this but I didn't and we were infected with that worm last week.
I learned a computer trick today that's really ingenious in its simplicity. As you may know, when/if a worm virus
gets into your computer it heads straight for your email address book, and sends itself to everyone in there, thus
infecting all your friends and associates. This trick won't keep the virus from getting into your computer, but
it will stop it from using your address book to spread further, and it will alert you to the fact, that the worm
has gotten into your system.
Here's what you do: first, open your address book and click on "new contact" just as you would do if
you were adding a new friend to your list of email addresses. In the window where you would type your friend's
first name, type in AAAAAAA. In the window below where it prompts you to enter the new email
address, type in WormAlert@somewhere.com.
Then complete everything by clicking add, enter, ok, etc.
Now, here's what you've done and why it works: The "name" AAAAAAA will be placed at the top of your address
book as entry #1. This will be where the worm will start in an effort to send itself to all your friends. But when
it tries to send itself to AAAAAAA, it will be undeliverable because of the phony email
address you entered (WormAlert@somewhere.com). If the first attempt fails (which it will because of the phony address),
the worm goes no further and your friends will not be infected.
Here's the second great advantage of this method: If an email cannot be delivered, you will be notified of this
in your InBox almost immediately. Hence, if you ever get an email telling you that an email addressed to WormAlert@somewhere.com
could not be delivered, you know right away that you have the worm virus in your system. You can then take steps
to get rid of it! Pretty neat, huh?
If everybody you know does this then you needn't ever worry about opening mail from friends. Pass this on to all
your friends.
Symantec Security Response recommendations
Although this is technically not a hoax--in theory, it could work with a few older worms and viruses--Symantec
Security Response STRONGLY recommends that you ignore it. You should not rely on such "fixes" to prevent
the spread of viruses, worms, and Trojans. Also, a hacker could exploit some variants of this message to make you
more susceptible to loss of confidential information. The best defence against such threats is to have a current
version of Norton AntiVirus installed, make sure that Auto-Protect is enabled, and update your virus definitions
frequently. In addition, if you are on a network, or if you have a full-time connection to the Internet (such as
cable or DSL), you should use firewall software.
A list of Symantec Enterprise Firewall anti-spam features is here.
George Koris
Symantec, USA
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com, no unsubscribe or support emails please.
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL
PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document.
The information contained in this message is provided "as is" without warranty of any kind, either expressed
or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose,
and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document.
This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products
are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials
may not be published in other documents without the express, written permission of Symantec Corporation.