CHAOS MANOR REPORTS

SECURITY NOTICES

Tuesday, November 07, 2006


This page will have Security Notices as received. I'll also try to index them. The latest will be first.

I have moved these to their own page because while some are of extreme interest to some readers who want all the details, they do tend to fill the MAIL and VIEW pages and thus are an annoyance to other readers. I will in future put the Security Notices here and add pointers in VIEW and MAIL and sometimes on the INDEX page as well.

================================

 

Begin with this mail:

If your readers would like to get a good digest of security news, including vulnerabilities, how some large companies are dealing with a particular vulnerability, and general information security news, I would recommend subscribing to the newsletters at http://www.sans.org/newsletters/  .  I have found them to have some very good information, along with a very good 'reading room' of white papers (non-vendor) about info security. (Their classes are good also, but priced for businesses rather than personal.) If you are involved in setting security practices and guidelines, there are also good 'best practices' security policy templates.

Your readers should also consider the Microsoft vulnerability newsletters.

  Of the two, I really like the SANS newsletters. Their information is timely, but the best source of information is Roland Dobbins, of course.

  Rick Hellewell

Information Security Dweeb

digitalchoke@digitalchoke.com

 

 

Note this one:

I haven't seen anything about this message anywhere so I think this one needs attention.  This would fool anyone who doesn't have email protection and believes MS would send an update this way.  Of course I am sure no one who reads your column would fall into either of those categories.  Text of the message follows.
 
The attachment was: Update448.exe.
The attachment was infected with the W32.Gibe.B@mm virus, which was removed by Norton AV 2003.
 
MS Customer

this is the latest version of security update, the
"May 2003, Cumulative Patch" update which eliminates
all known security vulnerabilities affecting Internet Explorer,
Outlook and Outlook Express as well as five newly
discovered vulnerabilities. Install now to protect your computer
from these vulnerabilities, the most serious of which could allow
an attacker to run executable on your system. This update includes
the functionality of all previously released patches.

System requirements Win 9x/Me/2000/NT/XP
This update applies to Microsoft Internet Explorer, version 4.01 and later
Microsoft Outlook, version 8.00 and later
Microsoft Outlook Express, version 4.01 and later
Recommendation Customers should install the patch at the earliest opportunity.
How to install Run attached file. Click Yes on displayed dialog box.
How to use You don't need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles
can be found on the Microsoft Technical Support web site.
For security-related information about Microsoft products, please
visit the Microsoft Security Advisor web site, or Contact us.

Please do not reply to this message. It was sent from an unmonitored
e-mail address and we are unable to respond to any replies.

Thank you for using Microsoft products.

With friendly greetings,
Microsoft Network Customer Assistance

©2003 Microsoft Corporation. All rights reserved. The names of the actual companies
and products mentioned herein may be the trademarks of their respective owners.

You will note that this is NOT from Microsoft: the attachment is the worm itself, and running it has the usual consequences of opening an unexpected mail attachment.


 

 

 

From Peter Glaskowsky

I'd like to think your readers don't need to be told that this sort of thing is nonsense, but perhaps a reminder wouldn't hurt. What this actually does is attempt to install something called "QuickLaunch".

These provide yet another reason to have a Mac around-- none of these commercial Trojans are Mac-compatible, so it's generally pretty safe to follow spam links on a Mac. :-)

. png

------ Forwarded Message
> From: <windowsupdate@windowsupdatenow.com>
> Reply-To: <windowsupdate@windowsupdatenow.com>
> Date: Sun, 11 May 2003 19:33:54 -0900
> To: Registered Member
> Subject: Windows Update Notification
>
> WINDOWS SECURITY WARNING!!
>
> A VIRUS HAS BEEN DETECTED ON YOUR COMPUTER. IN ORDER FOR YOUR COMPUTER NOT
> TO CRASH YOU WILL NEED TO GO TO:
>
> HTTP://WWW.WINDOWSUPDATENOW.COM
>
> AND IT WILL AUTOMATICALLY UPDATE YOUR COMPUTERS SECURITY PATCHES.
>
> SIMPLY TYPE IN WWW.WINDOWSUPDATENOW.COM INTO YOUR BROWSER. OTHERWISE YOU
> WILL KEEP RECEIVING THIS SECURITY ALERT EMAIL EVERY DAY.

------ End of Forwarded Message


 

>

> -----Original Message-----

> From: Hunter, T N (Neal), SOLCM

> Sent: Thursday, May 08, 2003 11:27 AM

> Subject: Network Security AV Flash: W32/Deborm.worm and associated Trojans

> Importance: High

>

> New Virus Advisory:

>

> We are seeing a small number of infections on computers from the following viruses:

>

> Backdoor-JZ http://vil.nai.com/vil/content/v_98963.htm 

> IRC-Sdbot http://vil.nai.com/vil/content/v_99410.htm 

> ProcKill-AF http://vil.nai.com/vil/content/v_100119.htm 

> W32/Deborm.worm http://vil.nai.com/vil/content/v_100143.htm 

>

> Detection for all four of these virus/trojans has been in existence since March 12th, 2003 with the 4.0.4252 DAT files.

>

> Generally, when a computer initially gets infected with the W32/Deborm.worm, the other trojans are then dropped onto the computer. So, we are seeing infected computers having 2 or more of these virus/trojans present. Since the Prockill-AF trojan DOES have the payload of corrupting various security programs, including the McAfee Antivirus software, when a computer becomes infected and the payload is triggered, the McAfee Antivirus software services are disabled and corrupted. With the few infections we have seen so far, the McAfee software must be reinstalled.

>

> If you do encounter an issue re-installing the McAfee software, here are some additional symptoms and resolution guidance (Courtesy of Bruce Bell - PDS DTC).

>

> In some cases, the clients have the McAfee VShield and the Virus Scan Console in the System Tray and their versions are correct for everything. When you try to run McAfee from the console, the program runs for about 10 seconds and then vanishes.

>

> In other cases, the McAfee icons are not present in the System Tray. When you try to remove McAfee with the normal tool, it will start to run and will then vanish. An error window pops up indicating the vshwin32.exe has caused errors and will be shut down.

>

> To clean these with the current version of McAfee, you must eliminate bogus entries in the registry and end task on their corresponding executables using the task manager. It may be necessary to grant admin rights to the user to do this. Scan the entire hard drive (all files) and these particular bugs should be deleted.

>

> The process is a little more involved if the client does not have the latest McAfee components. You will have to terminate the processes to remove an old version, but when you restart the PC, the virus will reactivate because it has not been cleaned as yet. You will have to repeat the terminate of active known bogus processes before reinstalling McAfee. Another reboot is required after the McAfee install and this will again reactivate the viruses. You will have to clean the registry and terminate the active known bogus processes again before cleaning the computer. Note: be certain to change the scan parameters to scan all files.

>

> The processes you will be terminating in the task manager are noted below; however, look out for additional entries beginning with a tilde (~) followed by a letter or numbers, e.g. ~A.exe, ~B.exe, ~C.exe, ~21.exe, ~22.exe, etc., and delete those as well.

>

> The bogus registry entries reside in the following areas:

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

> The entries themselves include, but may not be limited to:

> "NAV Live Update" = (path to worm)

> "Windows Explorer" = Explore .exe (note the space before the .exe)

> "W1N32.DLL" = C:\WINDOWS\WINLOGON .exe (note the space before the .exe)

> SVCHosty.exe (note: the y has 2 dots above it)

> lknq.exe

> "Taskschd" = %WINDIR%\traywnd

> Configuration Loader="cnfgld32.exe"

> "sysconfig" = iexplorer.exe

>

> This message has been sent Bcc to the GNOC, PDS All Associates, Desktop Central GAL distribution lists and to the McAfee Alerts Public Folder (All Public Folders\General Interest\AT&T Mcafee AV Alerts)

>

> Anti-Virus Team

> AT&T Network Security

> http://antivirus.security.att.com

>

>

>

Douglas M. Colbary

I & C

The Electric Plant

City of Painesville

"You Can't See Where you stand,

From Where You Sit"

unknown
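The AT&T advisory above names the tells by which the bogus Run/RunServices entries could be spotted: a space wedged in before the extension ("Explore .exe", "WINLOGON .exe"), a lookalike non-ASCII character in a name ("SVCHosty.exe" with a dotted y), tilde-plus-alphanumeric names ("~A.exe", "~21.exe") and near-misses of real binaries ("iexplorer.exe"). The following is an added example, not code from the advisory or from McAfee, that turns those tells into heuristics and runs them over a constructed sample of entries; the short list of impersonated binaries, the two "legitimate" sample entries and the hypothetical worm path are assumptions for the example. The live registry reader uses the stdlib winreg module and therefore only works on Windows; the heuristics run anywhere.

```python
"""Heuristic triage of Windows autorun (Run / RunServices) entries.

Added example modelled on the W32/Deborm advisory; not the advisory's own tooling.
"""
import re
import unicodedata

RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

# Binaries the worm's droppers imitated; a hand-picked list for this example
# (an assumption), not an inventory of Windows.
KNOWN_GOOD = ("explorer.exe", "iexplore.exe", "services.exe", "svchost.exe", "winlogon.exe")

TILDE_NAME = re.compile(r"^~[a-z0-9]+\.exe$", re.IGNORECASE)
SPACE_BEFORE_EXT = re.compile(r"\s\.\w{2,4}$")
# Program path of a command line: a quoted path, else everything up to the
# first ".exe" (so "Explore .exe" survives as one token), else the first word.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)\b|^(\S+)', re.IGNORECASE)


def command_image(command: str) -> str:
    """Extract the program path from a Run-key command line."""
    m = IMAGE_RE.match(command.strip())
    return next(g for g in m.groups() if g is not None) if m else command


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def one_edit_apart(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a
    return any(a == b[:i] + b[i + 1:] for i in range(len(b)))


def suspicious_reasons(name: str, command: str) -> list:
    """Reasons an autorun entry (value name, command line) looks bogus; [] if none."""
    reasons = []
    target = basename(command_image(command))
    for field, text in (("name", name), ("target", target)):
        if any(ord(ch) > 127 for ch in text):
            reasons.append(f"non-ASCII character in {field}: {text!r}")
        if SPACE_BEFORE_EXT.search(text):
            reasons.append(f"space before extension in {field}: {text!r}")
        if TILDE_NAME.match(text):
            reasons.append(f"tilde-prefixed temp-style name in {field}: {text!r}")
    # Fold accents and stray spaces away so "SVCHosty.exe" and "Explore .exe"
    # still collide with the real names they imitate.
    folded = unicodedata.normalize("NFKD", target).encode("ascii", "ignore").decode()
    folded = folded.replace(" ", "").lower()
    if folded not in KNOWN_GOOD:
        for good in KNOWN_GOOD:
            if one_edit_apart(folded, good):
                reasons.append(f"target {target!r} is one edit away from {good!r}")
                break
    return reasons


def scan(entries) -> dict:
    """Map value name -> reasons for every entry that trips at least one heuristic."""
    return {name: r for name, cmd in entries if (r := suspicious_reasons(name, cmd))}


def read_autorun_entries():
    """Yield (value name, command) from HKLM Run/RunServices. Windows only."""
    import winreg  # stdlib on Windows; ImportError elsewhere
    for sub in RUN_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                yield name, str(data)
                i += 1


# Constructed sample modelled on the names quoted in the advisory (the worm path
# is invented), plus two ordinary entries assumed legitimate for contrast.
SAMPLE_ENTRIES = [
    ("NAV Live Update", r"C:\WINDOWS\Temp\~21.exe"),
    ("Windows Explorer", "Explore .exe"),
    ("W1N32.DLL", r"C:\WINDOWS\WINLOGON .exe"),
    ("SVCHost\u00ff.exe", "C:\\WINDOWS\\System32\\SVCHost\u00ff.exe"),
    ("Taskschd", r"%WINDIR%\traywnd"),
    ("sysconfig", "iexplorer.exe"),
    ("NvCplDaemon", r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"),
    ("VMware Tools", r'"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"'),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ENTRIES).items():
        print(f"{name}:")
        for r in reasons:
            print(f"    {r}")
```

Note what the heuristics do not catch: "Taskschd" = %WINDIR%\traywnd and "cnfgld32.exe" look like any other entry, so a scan like this narrows the list but does not replace the vendor's named indicators; on a live box, feed `read_autorun_entries()` to `scan()` and compare the rest against the advisory by hand.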

 

 

=============

You might already have this one. I saw it posted on Slashdot this morning.

http://www.secunia.com/advisories/8642/ 

"...The vulnerability is caused due to a NULL pointer dereference bug in Microsoft Shell Light-Weight Utility Library ("shlwapi.dll"). A malicious person can exploit the vulnerability by constructing a special HTML document, which will crash applications using the vulnerable library...."

Barry Smith http://theforge.smithwrite.com

 

 

=====================

Jerry:

Last weekend I updated the setup on a new 875 chipset motherboard with a 3GHz 800FSB CPU and 1GB of DDR 400 memory. Launching applications slowed to a crawl (15-20 seconds) when security update Q811493 was loaded into the system. For individuals this update is not that necessary. The patch takes care of a buffer overrun in the Windows XP kernel message handling which may lead to elevated privileges. Although this is listed as a "Critical" patch when released by Microsoft, an attacker would have to have local access to your system.

Not all systems will experience this problem. I have another unit running XP with SP1 and the patch, and it appears to be running fine. This system is a P4 2.66GHz with the Intel 845G Rev-A chipset. But it certainly seems to affect newer machines equipped with Intel's latest chipsets (865 & 875). It may well be hyperthreading and/or specific chipsets only that this affects. I have not looked further into this problem yet.

Larry Aldridge

A message was sent to Redmond early this week by Steve Bink and the following was their reply to Steve:

"Thank you for the info. I'm not sure yet what is conflicting with Q811493. We currently have a group of developers working on the problem. We'll get this resolved as soon as possible. Sorry for the inconvenience."

Thanks, Lucy [MS]

Alex Pournelle adds:

Some reports have said that this is directly related to either Symantec Personal Firewall, so it's a third-party interaction. Keep your ears open for more on the subject.

--Alex

 

 

Thanks.

 

 

Internet Explorer: Four Vulnerabilities

Begin forwarded message:

> From: Secunia Security Advisories <sec-adv@secunia.com>

> Date: Wed Apr 23, 2003 11:43:05 AM US/Pacific

> Subject: [sec-adv] Internet Explorer Four Vulnerabilities

> TITLE:

> Internet Explorer Four Vulnerabilities

>

> READ ONLINE:

> http://www.secunia.com/advisories/8649/ 

>

> CRITICAL:

> Highly critical

>

> IMPACT:

> Exposure of system information, Exposure of sensitive information,

> System access

>

> WHERE:

> From remote

>

> SOFTWARE:

> Microsoft Internet Explorer 5.01

> Microsoft Internet Explorer 5.5

> Microsoft Internet Explorer 6

>

> DESCRIPTION:

> Microsoft has issued a cumulative patch for Internet Explorer, which

> fixes the following four vulnerabilities:

>

> 1) A boundary error exists in "urlmon.dll" because certain parameters

> are checked incorrectly. A malicious person can exploit this to cause

> a buffer overflow on a user's system and execute arbitrary code with

> the privileges of the user by constructing a special web page and

> trick a user into visiting it.

>

> 2) An information disclosure vulnerability exists in the file upload

> control caused by a flaw in the way incoming requests for file

> uploads are handled. This allows input to be passed to the vulnerable

> control without user interaction. A malicious person can exploit this

> to retrieve arbitrary files from a user's system by constructing a

> malicious web page and luring the user into visiting it.

>

> Successful exploitation requires that the requested file is not in

> use and that the malicious person knows the exact location of the

> file on the user's system.

>

> 3) An input validation error exists in a method for invoking third

> party plug-ins. The problem is that parameters of the URL used to

> reference a third party file type are not checked properly. A

> malicious person can exploit this to execute arbitrary script code on

> a user's system in the local computer zone by constructing a web page

> containing a specially crafted link to a third party file.

>

> 4) An information disclosure vulnerability exists in the way modal

> dialogs are rendered. Specifically, the vulnerability is caused by an

> input validation error because a parameter in the Cascading Style

> Sheet input parameter for modal dialogs is not checked properly. A

> malicious person can exploit this to read arbitrary files on a user's

> system by constructing a special web page and luring the user into

> visiting it.

>

> Successful exploitation requires that the malicious person knows the

> exact location of the file on the user's system.

>

> It is also possible to exploit the described vulnerabilities

> automatically in an email-borne attack when a user views a malicious

> email. However, this is not possible if the user is viewing the email

> in Outlook Express 6.0 or Outlook 2002 in their default

> configurations, or Outlook 98 or Outlook 2000 in conjunction with the

> Outlook Email Security Update.

>

> NOTE: The released patch also sets the Kill Bit on the ActiveX

> control "plugin.ocx" and includes a fix for Internet Explorer 6.0

> SP1, which corrects the way help information is displayed in the

> local computer zone.

>

> SOLUTION:

> Apply patch manually or via Windows Update:

> http://www.microsoft.com/windows/ie/downloads/critical/813489/default.asp
 

>

> REPORTED BY / CREDITS:

> Microsoft credits the following:

> Mark Litchfield, Andreas Sandblad and Jouko Pynnönen.

>

> ORIGINAL ADVISORY:

> http://www.microsoft.com/technet/security/bulletin/MS03-015.asp 

>

> ----------------------------------------------------------------------

>

> Secunia recommends that you verify all advisories you receive, by

> clicking the link.

> Secunia NEVER sends attached files with advisories.

> Secunia does not advise people to install third party patches, only

> use those supplied by the vendor.

>

> Contact details:

> Web : http://www.secunia.com/

> E-mail : support@secunia.com

>

Roland Dobbins 


Subject: Today's Lovegate variant ( priority one)

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_LOVGATE.J

----------- Roland Dobbins


I got this:

From: support@microsoft.com [mailto:support@microsoft.com]
Sent: Monday, May 19, 2003 8:15 AM
To: jerryp@earthlink.net
Subject: Cool screensaver

 

All information is in the attached file.

Of course the attachment was a virus. Be warned. Obviously the "From" was faked.

On that:

There is a new mass-mailing worm called W32.HLLW.Mankx@mm that is now spreading fast. Although it does not appear to damage infected systems directly, there are many possible exploits that this worm may be in aid of. The worm is particularly dangerous because it forges "support@microsoft.com" as the From: line, thereby greatly increasing the likelihood that recipients will open the attached file.

The subject line is reported to be one of the following:

o Your details
o Approved (Ref: 38446-263)
o Re: Approved (Ref: 3394-65467)
o Your password
o Re: My details
o Screensaver
o Cool screensaver
o Re: Movie
o Re: My application

The text body of the message is reported to be:

"All information is in the attached file."

For more details, including removal instructions, see < http://www.sarc.com/avcenter/venc/data/w32.hllw.mankx@mm.html >.

-- Robert Bruce Thompson thompson@ttgnet.com http://www.ttgnet.com/thisweek.html

 http://forums.ttgnet.com/ikonboard.cgi 

And the remedy:

Returning the favor [Chaos Manor Mailing]. A link to a new tool from McAfee for detection / removal of the 11 top nuisances.

http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp#stinger
 

It will fit on a floppy, handy for debugging machines that have been isolated for suspected infections.

Timothy Bowser

Thanks!

Microsoft has some new web pages devoted to information about major virus alerts, and a new alliance with Network Associates and Trend Micro (two major anti-virus vendors) to provide users with "detailed information on significant viruses that are affecting Microsoft products and our customers."

A quick look at the base site (here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/default.asp ) shows a lot of information that might be helpful to your readers. They may want to add it to their 'Favorites' list, and subscribe to the Microsoft security lists.

Some of the info in that area is a bit old, but there is current info on "Fizzer" and "Palyh" (the last is the one that is an email that purports to be from "support<at>microsoft.com" ). I've seen more of the Palyh virus emails lately on my company site, which usually means that it is becoming wide-spread.

That virus, since it apparently comes from microsoft.com, initially made it through our first line of email defense (where we block all messages with executable files). But we also have a rule that allows content from what I call 'trusted sources'. Our users get technical email newsletters from microsoft.com, so that source is allowed.

Our second line of defense is an anti-virus mail server (Network Associates). It looks for virus content, and strips out the virus, while still delivering the message. (It also blocks all executable files.) That second line of defense was important for us, since I know of three users in our network that got that message.

The lesson here is one of 'eternal vigilance'. Keep your anti-virus software current. Keep your operating system current. Be careful of your spam-filtering rules. And, especially on a corporate network, make sure you have multiple layers of defense against virus and other attacks.

Regards, Rick Hellewell digitalchoke@ digitalchoke.com

Thanks
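The two gateway layers Rick describes make a useful worked case: a rule that blocks executable attachments but exempts "trusted" sender domains is defeated by a forged From: line, because From: is whatever the worm writes into it. The following is an added example, not Rick's gateway configuration or code from this page, that parses a constructed message in the style of the Palyh/Mankx mail (forged support@microsoft.com, "All information is in the attached file.", an .exe attachment) and applies the weak policy beside a hardened one that decides on the attachment alone. The trusted domain list, the blocked extension list and the sample message are assumptions for the example.

```python
"""Mail-gateway attachment policy: sender-exempted (weak) vs attachment-only (hardened).

Added example for the forged-sender worms discussed on this page; not a real gateway.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File types this gateway should never pass as attachments (assumed list).
# Only the final suffix is tested, after trimming trailing dots and spaces,
# so "readme.txt .exe" and "update448.exe." are still caught.
BLOCKED_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

# Domains whose newsletters users subscribe to; the weak policy trusts them.
TRUSTED_SENDER_DOMAINS = {"microsoft.com"}


def sender_domain(msg) -> str:
    """Domain of the From: header. Attacker-controlled, which is the whole point."""
    addr = str(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].strip(' >"').lower() if "@" in addr else ""


def executable_attachments(msg) -> list:
    """Filenames of attachments whose final extension is in BLOCKED_SUFFIXES."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        if name.endswith(BLOCKED_SUFFIXES):
            found.append(part.get_filename())
    return found


def weak_policy(msg) -> str:
    """Blocks executables, unless the (forgeable) From: domain is trusted."""
    if sender_domain(msg) in TRUSTED_SENDER_DOMAINS:
        return "deliver"  # the hole: a forged From: skips the attachment check
    return "block" if executable_attachments(msg) else "deliver"


def hardened_policy(msg) -> str:
    """The attachment type decides, independent of who the mail claims to be from."""
    return "strip" if executable_attachments(msg) else "deliver"


def build_sample_message(filename="screensaver.exe") -> bytes:
    """Constructed stand-in for the Palyh/Mankx mail; filename=None gives a clean mail."""
    m = EmailMessage()
    m["From"] = "support@microsoft.com"  # forged, exactly as the worm does
    m["To"] = "user@example.org"
    m["Subject"] = "Cool screensaver"
    m.set_content("All information is in the attached file.")
    if filename:
        # Not a real executable: a few bytes behind an 'MZ' header as a stand-in.
        m.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


def parse(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


if __name__ == "__main__":
    msg = parse(build_sample_message())
    print("weak policy    :", weak_policy(msg))
    print("hardened policy:", hardened_policy(msg))
```

The sender exemption is fine for what Rick used it for (letting newsletter content through a content filter); it is only wrong when it also short-circuits the executable check. Keep sender-based allowances and attachment-type blocks as independent decisions, and the second layer he describes (the AV mail server stripping the payload) becomes a backstop rather than the only thing standing.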


June 5, 2003

Subject: Microsoft worm du jour ( priority one)

http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=44267

--------------- Roland Dobbins

Today Microsoft announced yet another have-your-way-with-me critical security flaw in Internet Explorer. For details, see:

<http://www.microsoft.com/security/security_bulletins/ms03-020.asp>

and

<http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-020.asp>

Note that Microsoft rates this problem "critical" for all versions of Internet Explorer from 5.01 through current running on any Microsoft operating systems except Windows 2003 Server, for which severity is rated "moderate". Presumably versions of Internet Explorer earlier than 5.01 are affected as well, but Microsoft does not support or comment on such problems.

The "critical" rating means Microsoft considers this problem to be of the utmost severity. A problem rated only "important" is described as:

"A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources."

A problem rated "critical" is described as:

"A vulnerability whose exploitation could allow the propagation of an Internet worm without user action"

This is another of the Microsoft security flaws that requires nothing more than viewing or previewing a malicious email or visiting a malicious web site. Applying the patch sounds like a good idea.

-- Robert Bruce Thompson thompson@ttgnet.com http://www.ttgnet.com/thisweek.html 
http://forums.ttgnet.com/ikonboard.cgi

The real moral to these stories is the same as I have always said: DO NOT OPEN UNEXPECTED MAIL ATTACHMENTS, and understand that Microsoft software is no more vulnerable to worms transmitted by opening mail attachments than is most other software. Yes, Linux doesn't get so many of them, but even there if you go about opening mail attachments and programs promising free this and that, you will eventually regret it.

=============================

 

June 13, 2003

Begin forwarded message:

> From: Secunia Security Advisories <sec-adv@secunia.com>

> Date: Fri Jun 13, 2003 5:36:06 AM US/Pacific

> To: mordant@gothik.org

> Subject: [sec-adv] Mozilla, Opera and Netscape Security Model Violation


>

>

> TITLE:

> Mozilla, Opera and Netscape Security Model Violation

>

> READ ONLINE:

> http://www.secunia.com/advisories/9017/ 

>

> CRITICAL:

> Less critical

>

> IMPACT:

> Security Bypass

>

> WHERE:

> From remote

>

> SOFTWARE:

> Opera 6.x

> Netscape 6.x

> Netscape 7.x

> Mozilla 1.0

> Mozilla 1.1

> Opera 7.x

> Mozilla 1.3

> Mozilla 1.4

>

> DESCRIPTION:

> An older vulnerability has apparently resurfaced in Mozilla, Opera

> and Netscape, which allows malicious websites to execute arbitrary

> JavaScript and possibly Java in the context of other sites.

>

> The problem is that it is possible to create a JavaScript function,

> which will open a different website and execute code in this site's

> security context.

>

> SOLUTION:

> Disable JavaScript and Java for all sites (except trusted sites).

>

> REPORTED BY / CREDITS:

> meme-boi

>

> OTHER REFERENCES:

> Test page:

> http://meme-boi.netfirms.com/werd.html 

>

> ----------------------------------------------------------------------

>

> Secunia recommends that you verify all advisories you receive, by

> clicking the link.

> Secunia NEVER sends attached files with advisories.

> Secunia does not advise people to install third party patches, only

> use those supplied by the vendor.

>

> Contact details:

> Web : http://www.secunia.com/

> E-mail : support@secunia.com

> Tel : +44 (0) 20 7016 2693

> Fax : +44 (0) 20 7637 0419

>

Roland Dobbins 


 From: Antivirus Security Team

 Sent: Monday, June 09, 2003 11:12 AM

 Subject: Network Security AV Flash: W32/Mofei.worm virus may be causing the account lockouts

 Importance: High

 

 New Virus Activity:

 

 Initial investigation shows that this activity could be caused by a new virus called W32/MoFei.worm. Information on MoFei can be found at http://vil.nai.com/vil/content/v_100357.htm . We have requested and will be receiving an Extra.dat file shortly from McAfee and will be distributing the file at that time.

 

 More information will be forthcoming.

 

 This message has been sent Bcc to the GNOC, PDS All Associates, Desktop Central, and BU Support Teams GAL distribution lists and to the McAfee Alerts Public Folder (All Public Folders\General Interest\AT&T Mcafee AV Alerts)

 

 Anti-Virus Team

 AT&T Network Security

 http://antivirus.security.att.com 

 

 

 -----Original Message-----

 From: Antivirus Security Team

 Sent: Monday, June 09, 2003 10:44 AM

 Subject: Network Security AV Flash: User ID Account lockouts

 Importance: High

   Possible New Virus Advisory:

 

 We are receiving numerous instances of Domain User Accounts and Local Computer Accounts being locked out today. We are investigating the account lockouts at this time as this does look like some type of Virus Activity. As we gather new information, we will be distributing it.

 

 This message has been sent Bcc to the GNOC, PDS All Associates, Desktop Central, and BU Support Teams GAL distribution lists and to the McAfee Alerts Public Folder (All Public Folders\General Interest\AT&T Mcafee AV Alerts)

 

 Anti-Virus Team

 AT&T Network Security

 http://antivirus.security.att.com 

 

 

  Douglas M. Colbary
   I & C
   The Electric Plant
   City of Painesville
   P.O. box 601
   Painesville, Ohio



   

Begin forwarded message:

> From: Secunia Security Advisories <sec-adv@secunia.com>

> Date: Tue Jun 17, 2003 5:12:09 AM US/Pacific

> Subject: [sec-adv] Internet Explorer Custom HTTP Error Script Injection Vulnerability

>

> TITLE:

> Internet Explorer Custom HTTP Error Script Injection Vulnerability

>

> READ ONLINE:

> http://www.secunia.com/advisories/9056/

>

> CRITICAL:

> Moderately critical

>

> IMPACT:

> Cross Site Scripting, System access

>

> WHERE:

> From remote

>

> SOFTWARE:

> Microsoft Internet Explorer 5.01

> Microsoft Internet Explorer 5.5

> Microsoft Internet Explorer 6

>

> DESCRIPTION:

> A vulnerability has been identified in Internet Explorer (IE), which

> can be exploited by malicious people to execute arbitrary script code

> on a user's system.

>

> The vulnerability is caused due to an input validation error in the

> custom errors generated by IE, when a website returns an error page.

> The problem is that the requested URL is included, which may allow

> execution of arbitrary script code in the "My Computer" security

> zone.

>

> Successful exploitation requires that a user is tricked into visiting

> a malicious website or clicking a malicious link. Afterwards, the user

> must click the link generated by the resource.

>

> SOLUTION:

> Reportedly, Microsoft has acknowledged the existence of the

> vulnerability and will fix it in a Service Pack.

>

> Active scripting support can be disabled in the "My Computer"

> security zone. However, this has to be done manually by editing the

> registry, since no GUI for changing settings in this security zone is

> provided.

>

> Navigate to the following key:

> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

>

> Change the setting in the value "1400" (Active scripting) from "0"

> (enabled) to "3" (disabled).

>

> REPORTED BY / CREDITS:

> GreyMagic Software

>

> ORIGINAL ADVISORY:

> http://sec.greymagic.com/adv/gm014-ie/ 

>

> ----------------------------------------------------------------------

>

> Secunia recommends that you verify all advisories you receive, by

> clicking the link.

> Secunia NEVER sends attached files with advisories.

> Secunia does not advise people to install third party patches, only

> use those supplied by the vendor.

>

> Contact details:

> Web : http://www.secunia.com/

> E-mail : support@secunia.com

> ----------------------------------------------------------------------

>

And a worm warning, June 25, 2003

Subject: Microsoft email worm du jour ( priority one)

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.E
 

--- Roland Dobbins

Subject: Windows buffer overflow DoS/exploit (priority one)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-024.asp

-------------------- Roland Dobbins


 

VIRUS WARNING (July 11, 2003)

THE FOLLOWING IS CERTAINLY A VIRUS. If you get this message, DO NOT follow these instructions. They are NOT from Microsoft.

Subject: probable virus

Jerry,

Yesterday I received the email copied below. I suspect it's a disguised virus. Does it need a warning, or have you already mentioned it?

Of course my Mac is immune to most viruses. :-)

Thanks for your excellent web site.

Bob

At 11:03 AM +0200 7/10/03, Mauras Yves wrote:

>Subject: Prove this security patch from M$ Corporation
>Date: Thu, 10 Jul 2003 11:03:27 +0200
>From: "Mauras Yves" <y.mauras@fidunion.fr>
>To: A VERY LARGE NUMBER of people in many countries including Australia and New Zealand as well as the USA
>
>----- Original message follows -----
>
>Microsoft Customer
>
>this is the latest version of security update, the
>"July 2003, Cumulative Patch" update which eliminates all
>known security vulnerabilities affecting Internet Explorer,
>Outlook and Outlook Express as well as five newly discovered
>vulnerabilities. Install now to protect your computer from these
>vulnerabilities, the most serious of which could allow an attacker to
>run executable on your system. This update includes the functionality
>of all previously released patches.
>
>System requirements:
>Win 9x/Me/2000/NT/XP
>
>This update applies to:
>Microsoft Internet Explorer, version 4.01 and later
>Microsoft Outlook, version 8.00 and later
>Microsoft Outlook Express, version 4.01 and later
>
>Recommendation:
>Customers should install the patch at the earliest opportunity.
>
>How to install:
>Run attached file. Click Yes on displayed dialog box.
>
>How to use:
>You don't need to do anything after installing this item.
>
>Microsoft Technical Support is available at
>http://support.microsoft.com/
>
>For security-related information about Microsoft products,
>please visit the Microsoft Security Advisor web site at
>http://www.microsoft.com/security
>
>Contact us at
>http://www.microsoft.com/isapi/goregwiz.asp?target=/contactus/contactus.asp
>
>Please do not reply to this message. It was sent from an unmonitored
>e-mail address and we are unable to respond to any replies.
>
>Thank you for using Microsoft products.
>
>Content-Type: application/octet-stream;
> name="update937.exe"
>Content-Description: update937.exe
>Content-Disposition: attachment;
> filename="update937.exe"
>
>Attachment converted: Macintosh HD:update937.exe (bina/mdos) (0007DDA5)

AGAIN, WARNING, do not install anything like this. Microsoft will NEVER send you a message like this!! Microsoft will NEVER ask you to run a mail attachment file.

DO NOT run mail attachment files!!

===========================================

Subject: Today's critical Microsoft remote-exploit vuln/fix ( priority one)

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

 ---------------- Roland Dobbins

----

Microsoft has issued yet another have-your-way-with-me critical vulnerability warning. This warning applies to all current versions of Windows except Windows Me. Windows 98SE and earlier versions of Windows 9X were not tested and may or may not be vulnerable. You can read the details at:

<http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp>

-- Robert Bruce Thompson thompson@ttgnet.com http://www.ttgnet.com/thisweek.html
 http://forums.ttgnet.com/ikonboard.cgi 

Subject: Fakeerr Worm - Destructive Payload

This worm looks like an Internet Explorer error message from Microsoft. It is particularly dangerous: if you click on one of the buttons, it will start deleting vital system files. It doesn't appear to be widespread, but it is getting some media attention.

Information about this virus is here: http://vil.nai.com/vil/content/v_100489.htm  , among other places.

Of course, if you never open up mail attachments that are programs, and you keep your anti-virus up to date, you are safe.

Of course, if you never open up mail attachments that are programs, and you keep your anti-virus up to date, you are safe.

Of course, if you never open up mail attachments that are programs, and you keep your anti-virus up to date, you are safe.

...what I tell you three times is true.

Rick Hellewell digitalchoke@digitalchoke.com

Indeed.


Roland sends this:

http://www.nipc.gov/warnings/advisories/2003/Potential72403.htm 

I suggest you all read it.


This scam is increasingly prevalent. If you follow the links you will be sent to the genuine web site of the provider, eBay, PayPal, or whatever; but the information you supply also goes to a mail address in China. You may imagine what happens next.

FOLLOWING IS EXAMPLE OF RECENT SCAM

Dear Valued Customer,

Due to a recent billing conversion, we are performing an audit of our subscriber database to ensure we have the most accurate information. We have set up a secure website where you are asked to provide non-sensitive account information. You are not being asked for any security information such as usernames or passwords.

If we are unable to verify your account information prior to August 15th, you may experience unnecessary service interruptions. You can provide your account information by pointing your web browser to our secure website located at http://www.pipelinecheck.com.

If you have already submitted your information via this website, please disregard this message.

Sincerely,

Charter Communications

Let me say again, Do NOT send information in response to schemes such as this!


Subject: Updated DHS/Microsoft notice ( priority one)

http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm
 

Roland Dobbins


If you wonder whether all this security stuff I talk about is serious, Roland provides this:

Subject: Zero tolerance.

 http://news.zdnet.co.uk/0,39020330,39115422,00.htm

Roland Dobbins

Think about this one.

=====================

FROM ROLAND DOBBINS September 3, 2003

Begin forwarded message:

> From: Irwan Hadi <irwanhadi@phxby.com>
> Date: Wed Sep 3, 2003 1:09:39 PM US/Pacific
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)
>
> Just Released today
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-035.asp
>
> Microsoft Security Bulletin MS03-035
>
> Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)
> Originally posted: September 03, 2003
>
> Summary
>
> Who should read this bulletin: Customers who are using Microsoft® Word
>
> Impact of vulnerability: Run macros without warning
>
> Maximum Severity Rating: Important
>
> Recommendation: Customers who are using affected versions of Microsoft
> Word should apply the security patch immediately.
>
> End User Bulletin:
> An end user version of this bulletin is available at:
> http://www.microsoft.com/security/security_bulletins/ms03-035.asp
>
> Affected Software:
>
> Microsoft Word 97
> Microsoft Word 98 (J)
> Microsoft Word 2000
> Microsoft Word 2002
> Microsoft Works Suite 2001
> Microsoft Works Suite 2002
> Microsoft Works Suite 2003
>
> Technical details
>
> Technical description:
>
> A macro is a series of commands and instructions that can be grouped
> together as a single command to accomplish a task automatically.
> Microsoft Word supports the use of macros to allow the automation of
> commonly performed tasks. Since macros are executable code it is
> possible to misuse them, so Microsoft Word has a security model designed
> to validate whether a macro should be allowed to execute depending on
> the level of macro security the user has chosen.
>
> A vulnerability exists because it is possible for an attacker to craft a
> malicious document that will bypass the macro security model. If the
> document was opened, this flaw could allow a malicious macro embedded in
> the document to be executed automatically, regardless of the level at
> which macro security is set. The malicious macro could take the same
> actions that the user had permissions to carry out, such as adding,
> changing or deleting data or files, communicating with a web site or
> formatting the hard drive.
>
> The vulnerability could only be exploited by an attacker who persuaded a
> user to open a malicious document; there is no way for an attacker to
> force a malicious document to be opened.
>
> Mitigating factors:
>
> The user must open the malicious document for an attacker to be
> successful. An attacker cannot force the document to be opened
> automatically.
>
> The vulnerability cannot be exploited automatically through e-mail. A
> user must open an attachment sent in e-mail for an e-mail borne attack
> to be successful.
>
> By default, Outlook 2002 blocks programmatic access to the Address Book.
> In addition, Outlook 98 and 2000 block programmatic access to the
> Outlook Address Book if the Outlook Email Security Update has been
> installed. Customers who use any of these products would not be at risk
> of propagating an e-mail borne attack that attempted to exploit this
> vulnerability.
>
> The vulnerability only affects Microsoft Word; other members of the
> Office product family are not affected.
>
> Severity Rating:
> Microsoft Word (all versions): Important
> Microsoft Works Suite (all versions): Important
>
> The above assessment is based on the types of systems affected by the
> vulnerability, their typical deployment patterns, and the effect that
> exploiting the vulnerability would have on them.
>
> Vulnerability identifier: CAN-2003-0664
>
> Tested Versions:
> Microsoft tested Microsoft Word 2002, Microsoft Word 2000, Microsoft
> Word 98(J), Microsoft Word 97, Microsoft Word X for Macintosh, Microsoft
> Word 2001 for Macintosh, Microsoft Word 98 for Macintosh, Microsoft
> Works Suite 2003, Microsoft Works Suite 2002 and Microsoft Works Suite
> 2001 to assess whether they are affected by this vulnerability. Previous
> versions are no longer supported and may or may not be affected by this
> vulnerability.
>
> Frequently asked questions
>
> What's the scope of the vulnerability?
>
> This vulnerability could enable an attacker to create a document that,
> when opened in Microsoft Word, could allow an unsigned macro to run
> regardless of the macro security level. Macros can take any action that
> the user can take, and as a result this vulnerability could allow an
> attacker to take actions such as changing data, communicating with Web
> sites, reformatting the hard disk, or changing the Word security
> settings. The vulnerability only affects Word; other members of the
> Office product family are not affected.
>
> What causes the vulnerability?
>
> The vulnerability results because Word incorrectly checks properties in
> a modified document, causing it to not prompt the user with a macro
> security warning when macros are present in the document.
>
> What's a macro?
>
> Generally, the term macro refers to a small program that automates
> frequently-performed tasks in an operating system or in a program. For
> example, all members of the Office family of products support the use of
> macros. This allows companies to develop macros that perform as
> sophisticated productivity tools that run in Word, in Excel, or in other
> programs.
>
> Like any computer program, macros can be misused. Many viruses are
> written as macros and are embedded in Office documents. To combat this
> threat, Office has a security model that is designed to make sure that
> macros can only run when the user wants them to run. In this case,
> however, there is a flaw in the security model, which can be exploited
> when a user opens a malformed document.
>
> What's wrong with the way Microsoft Word checks macro security?
>
> There is a flaw in the way that Word assesses macro security when a
> document is opened that could allow the macro security checks to be
> bypassed under certain circumstances.
>
> What could this vulnerability enable an attacker to do?
>
> This vulnerability could enable an attacker to create a malicious
> document that could allow a macro to run automatically, if an attacker
> persuaded a user to open the specially-crafted document. This could
> allow an attacker to take any action on the system that the user can
> take, including adding, changing, or deleting data, running other
> programs, or formatting the hard disk.
>
> What could the macro do?
>
> The macro could take any action that the user can take. This would
> include adding, changing, or deleting files, communicating with a Web
> site, reformatting the hard disk, and so forth.
>
> A macro also could change the user's macro security level. This could
> include disabling macro protection. As a result, if the user were
> attacked by means of this vulnerability, the user's macro security level
> could be reduced and other macros that would otherwise be stopped by
> Word could be allowed to run.
>
> How could an attacker exploit this vulnerability?
>
> An attacker could seek to exploit this vulnerability by creating a
> specially-crafted Word document that contained a malicious macro. The
> attacker could then send it to a user, typically through an e-mail
> message, and then persuade the user to open the document. An attacker
> could also host the specially-crafted Word document on a network share
> or on a Web site; however, the attacker would still need to persuade the
> user to open the document.
>
> Microsoft Works Suite is listed as a vulnerable product; why?
>
> Microsoft Works Suite includes Microsoft Word. Microsoft Works users
> should use Office Update at
> http://www.office.microsoft.com/ProductUpdates/default.aspx to detect
> and to install the appropriate patch.
>
> What does the patch do?
>
> This patch eliminates the vulnerability by making sure that Word carries
> out the appropriate macro security checks when it opens a document.
>
> Patch availability
>
> Download locations for this patch
>
> Microsoft Word 2002:
> http://microsoft.com/downloads/details.aspx?FamilyId=7D3775FC-F424-4B04-ABEB-9B4CA1EB182D&displaylang=en
>
> Administrative update only:
> http://www.microsoft.com/office/ork/xp/journ/wrd1006a.htm
>
> Microsoft Word 2000:
> http://microsoft.com/downloads/details.aspx?FamilyId=4A8F6ACE-E14E-4978-A9C9-6989CD03A4A3&displaylang=en
>
> Administrative update only:
> http://www.microsoft.com/office/ork/xp/journ/wrd0903a.htm
>
> Microsoft Word 97/Microsoft Word 98(J):
> Information on receiving Microsoft Word 97 & Microsoft Word 98(J)
> support is available at:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;827647
>
> Microsoft recommends users visit Office Update at
> http://www.office.microsoft.com/ProductUpdates/default.aspx to detect
> and install this security patch and all other public updates to Office
> family products (note: Office Update does not support Office 97 or Visio
> 2000).
>
> Additional information about this patch
>
> Installation platforms:
>
> The Word 2002 patch can be installed on systems that are running Word
> 2002 with Office XP Service Pack 2, and on systems that are running
> Microsoft Works Suite 2003 or Microsoft Works Suite 2002. The
> administrative update can also be installed on systems that are running
> Office XP Service Pack 1.
>
> The Word 2000 patch can be installed on systems that are running Word
> 2000 with Office 2000 Service Pack 3 and Microsoft Works 2001.
>
> For information about Microsoft Word 97 and Microsoft Word 98(J)
> support, see the following Microsoft Knowledge Base article:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;827647
>
> Inclusion in future service packs:
> The fix for this issue will be included in future service packs for the
> affected products.
>
> Reboot needed: No
>
> Patch can be uninstalled: No
>
> Superseded patches: None.
>
> Verifying patch installation:
>
> Word 2002: Verify that the version number of WinWord.exe is 10.0.5522.0.
> Word 2000: Verify that the version number of WinWord.exe is 9.00.00.7924.
> Word 97 and Word 98(J): Information about checking Microsoft Word 97 and
> Microsoft Word 98(J) is available in Microsoft Knowledge Base article
> 827647.
> Works Suite 2002 and Works Suite 2003: Verify that the version number of
> WinWord.exe is 10.0.5522.0.
> Works Suite 2001: Verify that the version number of WinWord.exe is
> 9.00.00.7924.
>
> Caveats:
> None
>
> Localization:
> Localized versions of this patch are available at the locations
> discussed in "Patch Availability".
>
> Obtaining other security patches:
> Patches for other security issues are available from the following
> locations:
>
> Security patches are available from the Microsoft Download Center, and
> can be most easily found by doing a keyword search for
> "security_patch".
> Patches for consumer platforms are available from the WindowsUpdate web
> site.
>
> Other information:
>
> Acknowledgments
> Microsoft thanks Jim Bassett of Practitioners Publishing Company for
> reporting this issue to us and working with us to protect customers.
>
> Support:
>
> Microsoft Knowledge Base article 827653 discusses this issue. Knowledge
> Base articles can be found on the Microsoft Online Support web site.
> Technical support is available from Microsoft Product Support Services.
> There is no charge for support calls associated with security patches.
>
> Security Resources: The Microsoft TechNet Security Web Site provides
> additional information about security in Microsoft products.
>
> Disclaimer:
> The information provided in the Microsoft Knowledge Base is provided "as
> is" without warranty of any kind. Microsoft disclaims all warranties,
> either express or implied, including the warranties of merchantability
> and fitness for a particular purpose. In no event shall Microsoft
> Corporation or its suppliers be liable for any damages whatsoever
> including direct, indirect, incidental, consequential, loss of business
> profits or special damages, even if Microsoft Corporation or its
> suppliers have been advised of the possibility of such damages. Some
> states do not allow the exclusion or limitation of liability for
> consequential or incidental damages so the foregoing limitation may not
> apply.
>
> Revisions:
>
> V1.0 (September 03, 2003): Bulletin Created.
>
> © 2003 Microsoft Corporation. All rights reserved.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
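
The bulletin's "Verifying patch installation" step compares the version number of WinWord.exe against a minimum. An added example, not part of the forwarded bulletin, showing how to make that comparison correctly (numerically, field by field, so that 10.0.x does not sort below 9.x the way a plain string compare would) and how to read the version out of the file on Windows. The table of minimum versions is the bulletin's own; the Office10 path in the usage line is an assumption, and the Win32 version-API wrapper only runs on Windows:

```python
import sys

# Versions the bulletin says WinWord.exe must report once the patch is applied.
REQUIRED_WINWORD = {
    "Word 2002": "10.0.5522.0",
    "Works Suite 2002": "10.0.5522.0",
    "Works Suite 2003": "10.0.5522.0",
    "Word 2000": "9.00.00.7924",
    "Works Suite 2001": "9.00.00.7924",
}


def parse_version(text):
    """'9.00.00.7924' -> (9, 0, 0, 7924): numeric fields padded to four, so that
    10.x compares above 9.x (a string compare gets this backwards)."""
    fields = [int(f) for f in text.strip().split(".")]
    if not fields or len(fields) > 4:
        raise ValueError(f"bad version string: {text!r}")
    return tuple(fields + [0] * (4 - len(fields)))


def is_patched(product, installed):
    """True if the installed WinWord.exe version meets the bulletin's minimum for that product."""
    return parse_version(installed) >= parse_version(REQUIRED_WINWORD[product])


def file_version(path):
    """Read the fixed file version from a PE file's VERSIONINFO resource (Windows only)."""
    if sys.platform != "win32":
        raise OSError("file_version() needs the Win32 version API")
    import ctypes
    from ctypes import wintypes
    ver = ctypes.windll.version
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        raise OSError(f"no version resource in {path}")
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        raise OSError("GetFileVersionInfoW failed")
    ptr = ctypes.c_void_p()
    length = wintypes.UINT()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        raise OSError("VerQueryValueW failed")
    # VS_FIXEDFILEINFO: dwFileVersionMS is the third DWORD, dwFileVersionLS the fourth.
    info = ctypes.cast(ptr, ctypes.POINTER(ctypes.c_uint32 * 4)).contents
    ms, ls = info[2], info[3]
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


if __name__ == "__main__":
    # Assumed default install path for Word 2002; pass product and path as arguments to override.
    product, path = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else (
        "Word 2002", r"C:\Program Files\Microsoft Office\Office10\WinWord.exe")
    installed = file_version(path)
    state = "patched" if is_patched(product, installed) else "NOT patched"
    print(f"{path}: {installed} -> {state}")
```

The four-field tuple is the point: every later Word patch raises the version, so "at least the bulletin's number" is the right test, and it only works once the fields are integers.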

 

===============

A new Warning!

Subject: Microsoft RPC vuln patch didn't fix all methods - new patch supersedes, re-patch all systems pronto

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp
 

Roland Dobbins

HEAR AND BELIEVE


A new Warning!

WARNING

Subject: Hours or days

http://apnews.excite.com/article/20030916/D7TJP93G0.html

Roland Dobbins

WASHINGTON (AP) - Security researchers on Tuesday detected hackers distributing software to break into computers using flaws announced last week in some versions of Microsoft Corp. (MSFT)'s Windows operating system.

The threat from this new vulnerability - which already has drawn stern warnings from the Homeland Security Department - is remarkably similar to one that allowed the Blaster virus to infect hundreds of thousands of computers last month. < snip >

LINUX USERS SEE BELOW!!!

I did a mailing to subscribers as well as posting this above. LINUX USERS TAKE HEED. 

Dear Dr Pournelle,

Thanks for that, I have the patches. There is another pair of critical alerts, this time involving Linux/Unix: an SSH exploit and a Sendmail exploit, both exceedingly dangerous. You might want to let people know:

SSH exploit: http://www.openssh.com/txt/buffer.adv 

Sendmail exploit: http://www.sendmail.org/8.12.10.html 

Regards, TC

===========================================

And a new virus warning:

Subject: QHosts-1 

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719
 

I disagree with the Low/Low rating, this is very dangerous.

Roland Dobbins

==============================

New Windows Trojan Appears

Morning Jerry,

There's a new Windows trojan that's appeared. It uses DHCP to hijack the browser, by replacing the DNS servers on the PC, and depositing a hosts file as well. It's relatively low risk, but it will get media attention.

Details at: http://vil.nai.com/vil/content/v_100719.htm 

And I quote:

"Don't open unexpected e-mail attachments.
 Don't open unexpected e-mail attachments.
 Don't open unexpected e-mail attachments. "
 ~ Dr. Jerry Pournelle

And an addition for this one:

Don't click yes when asked to install something on a website unless you know what it is. 

Don't click yes when asked to install something on a website unless you know what it is. 

Don't click yes when asked to install something on a website unless you know what it is.

Hopefully people are aware that spyware LIES in the 'click yes to install' dialog box. Cheers,

Doug

Doug Lhotka

PGP Sig: C2F9 EB96 127A D4DD 02C7 ABE0 13A0 4C30 9C93 9D6F

"Liberalism is a philosophy of consolation for Western Civilization as it commits suicide." ~ Jim Burnham

"I swear, by my Life and my love of it, that I will never live for the sake of another man, nor ask another man to live for mine." ~ John Galt, Ayn Rand, Atlas Shrugged
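
QHosts, as Roland's link and Doug's note above describe, redirects browsing by changing the DNS servers and dropping a hosts file. As an added example, not part of either message, here is a check for a hijacked hosts file: an entry that sends a well-known name anywhere other than loopback, or that points at an address outside your own networks, is flagged. The watchlist, the internal ranges and the sample hosts text are assumptions constructed for the example:

```python
import ipaddress
import os

# Names whose redirection is a hijack tell (assumed watchlist; add your bank, mail host, etc.).
WATCHED = {"www.google.com", "www.yahoo.com", "www.microsoft.com", "windowsupdate.microsoft.com"}
# Ranges where a hosts entry is plausibly legitimate on your network (assumption).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def hosts_path():
    """Location of the hosts file on this platform."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping, skipping comments and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def suspicious_entries(text, watched=WATCHED, internal=INTERNAL):
    """Return [(hostname, ip, reason)] for entries that look like a browser/DNS hijack."""
    out = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 entries are the normal, harmless kind
        if name in watched:
            out.append((name, str(ip), "watched name redirected"))
        elif not any(ip in net for net in internal):
            out.append((name, str(ip), "address outside internal ranges"))
    return out


# Constructed sample, not a captured file; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example
203.0.113.5     www.google.com
203.0.113.5     www.yahoo.com    # two search engines sent to the same host
203.0.113.9     update.example.net
"""

if __name__ == "__main__":
    try:
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS
    for name, ip, reason in suspicious_entries(text):
        print(f"{name} -> {ip}: {reason}")
```

A hosts file is consulted before DNS, so this catches the hosts-file half of the hijack; the changed DNS server addresses are a separate check against the adapter settings.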

======================================

Subject: Critical IE patch ( priority one)

'Run code of attacker's choice'.

Trusted, indeed!

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-040.asp
 

Roland

====================================

Subject: Fwd: Bad news on RPC DCOM vulnerability ( priority one)

Begin forwarded message:

> From: K-OTiK Security <Special-Alerts
> To: bugtraq@securityfocus.com
> Subject: Re: Bad news on RPC DCOM vulnerability
>
> As confirmed by 3APA3A and security labs, it seems that the public
> exploit *works* even if the patch MS03-039 is *installed*.
>
> This is a highly critical vulnerability - users MUST block vulnerable
> ports!
>
> Regards.
>
> K-OTik Staff
> /\\/ http://wwww.k-otik.com
>
>> From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
>>
>> Dear bugtraq@securityfocus.com,
>>
>> There are few bad news on RPC DCOM vulnerability:
>>
>> 1. Universal exploit for MS03-039 exists in-the-wild, PINK FLOYD is
>> again actual.
>>
>> 2. It was reported by exploit author (and confirmed), Windows XP SP1
>> with all security fixes installed still vulnerable to variant of the
>> same bug. Windows 2000/2003 was not tested. For a while only DoS exploit
>> exists, but code execution is probably possible. Technical details are
>> sent to Microsoft, waiting for confirmation.
>>
>> Dear ISPs. Please instruct your customers to use personal fireWALL in
>> Windows XP.

-------------------------------------------------------------
Roland Dobbins <mordant@gothik.org>

> As with the prior RPC vulnerability (MS03-039), these attacks can occur
> on TCP ports 135, 139, 445 and 593; and UDP ports 135, 137, 138 and
> 445.
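
The advice above is to block the RPC/DCOM ports, which only helps if the block actually sits between the attacker and the machine. An added example, not from the posts above, that checks from a given vantage point which of the TCP ports listed still accept connections; the port list is the one quoted above, while the host argument and the loopback self-test helpers are assumptions for illustration. UDP is not probed: to a blind sender a filtered UDP port and a silent one look identical, so those are verified by reading the firewall ruleset instead.

```python
import socket
import sys

# Ports named in the RPC/DCOM advisories quoted above.
RPC_TCP_PORTS = (135, 139, 445, 593)
RPC_UDP_PORTS = (135, 137, 138, 445)  # listed for completeness; not probed, see note above


def tcp_reachable(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes (port open and not filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # refused, timed out, unreachable: all mean 'not exposed from here'
            return False
        return True


def exposed_tcp_ports(host, ports=RPC_TCP_PORTS, timeout=1.0):
    """Subset of `ports` that accept connections from this vantage point."""
    return [p for p in ports if tcp_reachable(host, p, timeout)]


def start_local_listener():
    """Self-test helper: listen on an ephemeral loopback port, return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_local_port():
    """Self-test helper: a loopback port that was just released, so nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    open_ports = exposed_tcp_ports(target)
    print(f"{target}: reachable RPC/SMB TCP ports: {open_ports or 'none'}")
    sys.exit(1 if open_ports else 0)
```

Run it from a host on the far side of the firewall toward the machine being protected: a connect that succeeds means the filter is not in the path, whatever the ruleset says. Run against the machine itself it will show the ports open, because Windows listens on them locally; that is expected and not what the check is for.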

==================================

Dr. Pournelle:

One down..... "A 39-year-old Sydney man was today arrested in relation to a multi-million dollar scam commonly known as "Nigerian fraud"."

http://australianit.news.com.au/articles/0,7204,7715101%5E15306%5E%5Enbv%5E,00.html
 

And Network Associates / McAfee released a special anti-virus file today (10/31/03) for the more-prevalent "MiMail" virus...which does a Denial of Service (DOS) attack against two obscure servers; but that may just be a test. It could easily turn your computer into a "DOS-ing" machine that targets multiple sites; which would make your ISP and others very unhappy.

Rick Hellewell, Security Dweeb, security@digitalchoke.com

Hurrah. And thanks for the warning.

Roland sends this link regarding this virus:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100795
 

==================

VIRUS WARNING JANUARY 26, 2004:

Dr. Pournelle:

There is a big surge of messages related to a new virus, called "MyDoom" by McAfee/Network Associates. It comes with an attachment of various extensions, with the actual attached file names "something.txt" + lots of space characters + ".exe" or ".scr" or other executable extensions.

The subject is various, but I have seen it to include "Status" "hello", "Server Report", "Hi", "Mail Delivery System".

I don't know the damage it does, but it is spreading so fast that it seems like a "SoBig" variant. At work here (local government agency), I am getting 20-30 per minute, which is a high volume of one type of virus mail for us. I suspect that many will be finding this in their personal email boxes over the next few days.

More info about the virus here, among others: http://vil.nai.com/vil/content/v_100983.htm .

The usual warnings apply.

Rick Hellewell Information Security Dude

==============================

VIRUS AND WORM WARNINGS:

Subject: Today's Microsoft email-borne worm ( priority one).

http://vil.nai.com/vil/content/v_101048.htm 

------ Roland Dobbins

More on that one:

Dr. Pournelle:

The next MyDoom virus (release "F") is spreading. This one is more dangerous, as it will delete files. This is from the McAfee/Network Associates alert:

"A variant of the original Mydoom virus, W32/Mydoom.f@MM is a Medium Risk mass-mailing worm that can open up hacker backdoors on infected systems and launch denial-of-service attacks that target www.microsoft.com and www.riaa.com domains.

"Note: Unlike previous versions of Mydoom, Mydoom.f can also delete image, movie, Excel and Word files on an infected machine."

On this version, the executable is hidden inside a ZIP file. If your mail filter is not able to 'look inside' zip files for executables, the mail will be delivered. (An important feature of a good spam/virus mail filter, IMHO.) The user will still have to open the executable inside the ZIP to become infected. (Details about MyDoom.F here: http://us.mcafee.com/root/campaign.asp?cid=9674 )

This one seems to be the latest escalation in viruses. It was just a matter of time before really damaging viruses (deleting files, etc.) appeared.

Regards, Rick Hellewell, Information Security Guy, securitydude@digitalchoke.com

and more yet:

 

Hi Jerry,

A new one running rampant through our network today, and the systems are not protected -- yet --

McAfee and Norton have updated definition files out there now.

Cheers!

Greg H

WORM_NETSKY.B aka W32/Netsky.b@MM

This mass mailing worm arrives with the following information:

Subject (any of the following): hello; read it immediately; something for you; warning; information; stolen; fake; unknown

Message body (any of the following):
* anything ok?
* what does it mean?
* ok
* i'm waiting
* read the details.
* here is the document.
* read it immediately!
* my hero
* here
* is that true?
* is that your name?
* is that your account?
* i wait for a reply!
* is that from you?
* you are a bad writer
* I have your password!
* something about you!
* kill the writer of this document!
* i hope it is not true!
* your name is wrong
* i found this document about you
* yes, really?
* that is bad
* here it is
* see you
* greetings
* stuff about you?
* something is going wrong!
* information about you
* about me
* from the chatter
* here, the serials
* here, the introduction
* here, the cheats
* that's funny
* do you?
* reply
* take it easy
* why?
* thats wrong
* misc
* you earn money
* you feel the same
* you try to steal
* you are bad
* something is going wrong
* something is fool

Attachment: The file name can be any of the following:
* msg
* doc
* talk
* message
* creditcard
* details
* attachment
* me
* stuff
* posting
* textfile
* concert
* information
* bill
* swimmingpool
* product
* topseller
* ps
* shower
* aboutyou
* nomoney
* found
* story
* mails
* website
* friend
* jokes
* location
* final
* release
* dinner
* ranking
* object
* mail2
* part2
* disco
* party
* misc
* #n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!

The first extension, which may or may not appear, can be any of the following: RTF, DOC, HTM. The second extension can be any of the following: SCR, COM, PIF.

This worm creates 40 .zip files in the %Windir% folder, which contain copies of the worm. The names of these files match the attachment names above.

Technical Details:

Creates a mutex named "AdmSkynetJKIS003." This mutex allows only one instance of the worm to execute.

May display a dialog box with the text: The file could not be opened!

Copies itself as %Windir%\services.exe. (Note: %Windir% is a variable. The worm locates the Windows installation folder, by default C:\Windows or C:\Winnt, and copies itself to that location.)

Adds the value:
* "service" = "%Windir%\services.exe -serv"
to the registry key:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.

Deletes the values:
* "Taskmon"
* "Explorer"
from the registry keys:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Deletes the values:
* "KasperskyAV"
* "System."
from the registry key:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Deletes the registry key:
* HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

McAfee definition files: 4325
Symantec definition files dated: February 18th
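
Four of the warnings on this page turn on how an executable attachment is dressed up: the bare update937.exe in the fake Microsoft mail, MyDoom's "something.txt" padded with spaces before the real ".exe", Netsky's RTF/DOC/HTM-then-SCR/COM/PIF double extension, and MyDoom.F's executable tucked inside a ZIP that a shallow filter delivers. An added example, not code from any of the correspondents above, of the attachment check a mail filter needs for all four, plus a content check for a PE image under a harmless name. The sample messages are constructed here, and the extension list and the depth limit on nested archives are assumptions:

```python
import base64
import email
import io
import re
import zipfile

# Extensions Windows runs on double-click (assumed list; extend to taste).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MAX_ZIP_DEPTH = 2  # archives nested deeper than this are reported, not opened


def risky_name(filename):
    """Classify an attachment name; returns a reason string or None.

    Catches a bare executable (update937.exe), MyDoom-style whitespace padding
    ('readme.txt   ...   .exe') and Netsky-style double extensions ('details.rtf.scr')."""
    collapsed = re.sub(r"\s+", "", filename)
    pieces = collapsed.lower().split(".")
    if len(pieces) < 2 or "." + pieces[-1] not in EXEC_EXTS:
        return None
    if collapsed != filename:
        return "executable hidden behind whitespace padding"
    if len(pieces) >= 3:
        return "executable with double extension"
    return "executable attachment"


def scan_payload(name, data, depth=0):
    """Return [(name, reason)] for one attachment, descending into ZIP archives."""
    findings = []
    reason = risky_name(name)
    if reason:
        findings.append((name, reason))
    elif data[:2] == b"MZ":
        # PE image under a harmless-looking name: the name check alone would miss it.
        findings.append((name, "PE header (MZ) under non-executable name"))
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_ZIP_DEPTH:
            findings.append((name, "nested archive not inspected"))
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    for member, why in scan_payload(info.filename, zf.read(info), depth + 1):
                        findings.append((name + ":" + member, why))
    return findings


def scan_message(raw):
    """Parse a raw RFC 822 message and scan every attachment in it."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            findings.extend(scan_payload(name, part.get_payload(decode=True) or b""))
    return findings


def build_sample(filename, data):
    """Constructed sample mail (not a real capture): one text part plus one attachment."""
    body = base64.b64encode(data).decode()
    return (
        "From: update@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
        "\r\n--XYZ\r\n"
        "Content-Type: text/plain\r\n\r\nsee attachment\r\n"
        "--XYZ\r\n"
        "Content-Type: application/octet-stream\r\n"
        'Content-Disposition: attachment; filename="' + filename + '"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        + body + "\r\n--XYZ--\r\n"
    ).encode()


def build_zip(member_name, data):
    """Constructed in-memory ZIP with one member, the way MyDoom.F mail carried its payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # stand-in for a PE image, not a real program
    samples = [
        ("update937.exe", fake_pe),
        ("readme.txt" + " " * 40 + ".exe", fake_pe),
        ("details.rtf.scr", fake_pe),
        ("archive.zip", build_zip("msg.pif", fake_pe)),
        ("report.doc", fake_pe),
        ("notes.txt", b"Just a plain text file, nothing to see here.\n"),
    ]
    for name, data in samples:
        print(repr(name), "->", scan_message(build_sample(name, data)))
```

The whitespace-collapse step is what defeats the MyDoom trick: the display name looks like "readme.txt", but the last extension after collapsing is what Windows will use. Looking inside the archive is what a "good spam/virus mail filter" in Rick's sense does; the depth limit keeps a nested-archive bomb from turning the filter into the victim.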

===================

 

Subject: UN-IMPORTANT VIRUS INFO (but humorous)

Dr. Pournelle:

At the risk of being politically incorrect, this "virus" message is making the rounds (and there are variants):

"Mehican Virus

BUENOS DIAS!!

JOU HAVE YUST RECEIVED A MEHICAN BIRUS!!!!! SINCE WE NOT SO TECHNOLOGICALLY ADBANCED IN MEHICO, DIS IS A MANUAL BIRUS. PLEASE DELETE ALL THE FILES ON JOUR HARD DRIVE JOURSELF AND SEND THIS E-MAIL TO EBERYONE JOU KNOW.

TAN JOU POR YELPING ME.

JULIO MANUEL JOSE RODIRGUEZ GARCIA MEXICAN HACKER"

Regards, Rick Hellewell, securitydude@digitalchoke.com

  Which ought to be enough on that subject.

==============================================

The Russian Hack

Dr. Pournelle:

From the Microsoft Security site ( http://www.microsoft.com/security/default.mspx  ), the fix for the "Russian Hack" (my name, everyone else calls it "Download.Ject", among other names):

"On Friday, July 2, 2004, Microsoft is releasing a configuration change for Windows XP, Windows 2000, and Windows Server 2003, to address recent malicious attacks against Internet Explorer, also know as Download.Ject.

"Windows customers are encouraged to apply this configuration change immediately to help be protected from current Internet Explorer exploits.

"The update is currently available on the Download Center and will be made available later today on Windows Update.

"Customers who have enabled automatic updates will receive the configuration change automatically. We recommend that customers immediately install this configuration change as soon as it is downloaded by automatic updates or by visiting the Windows Update site later today."

Mantra: automatic updates are good for workstations. (Testing might be required for servers, but these updates are important for servers and workstations.)

Regards, Rick Hellewell, information security at digitalchoke.com

Note that if you have XP Service Pack 2 Release Candidate 2 (SP-2 RC-2) installed you are already safe. The Russian Hack server was taken down by law enforcement; rumor has it that the perpetrators are enjoying a tour of the Lubianka.

The Lovegate Worm

Dr. Pournelle:

According to various AV vendors, a new variant of the "LovGate" worm via email messages is becoming more prevalent. It comes as an executable attachment to an email message. The message may appear to be a reply to a message you sent out that was unread by the recipient. Of course, if you don't open executable attachments, or are filtering them, you will be protected. (Info from McAfee here: http://vil.nai.com/vil/content/v_126560.htm )

This one will try to spread across a network as well as email. It will disable any anti-virus software on your computer. On the network, it will attempt to log in as administrator using weak passwords. It can be destructive on network drives by replacing all EXEs with a copy of itself, with the original EXE renamed to <filename>.ZMX. There is also a "backdoor" component. From the reports, it doesn't seem to install a keystroke-logger, but it will allow remote access to your computer, probably to allow the infected computer to be used as a mail (spam) relay.

Several protections against this (the usual):
- current Windows Updates (it exploits a vulnerability fixed last year, MS03-026)
- block and do not run executables found in attachments
- current anti-virus updates (the backdoor component has been sensed by the AV for a while; this new version will be detected by AV updates made available today)
- strong passwords, especially at the administrator and network level
- careful email practices

Regards, Rick Hellewell, Information Security at DigitalChoke.com
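
Rick's description of LovGate replacing every EXE on a share and leaving the original behind as <filename>.ZMX gives a simple indicator to sweep for after the fact. An added example, not from the McAfee write-up or Rick's message, that walks a tree for .ZMX files with a sibling .exe and then groups the replacement executables by content hash: one hash showing up under many unrelated program names is the worm body, not a coincidence. Whether the worm writes prog.ZMX or prog.exe.ZMX is not stated above, so both forms are handled (an assumption), and the directory layout the demo builds is constructed sample data:

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def find_zmx_pairs(root):
    """Return sorted [(exe, zmx)] where a .ZMX file sits beside the .exe it was renamed from.

    Accepts both 'prog.ZMX' (extension replaced) and 'prog.exe.ZMX' (extension appended)."""
    hits = []
    for zmx in Path(root).rglob("*"):
        if not zmx.is_file() or zmx.suffix.lower() != ".zmx":
            continue
        candidates = [zmx.with_suffix(".exe")]
        if zmx.stem.lower().endswith(".exe"):
            candidates.append(zmx.with_suffix(""))
        for exe in candidates:
            if exe.is_file():
                hits.append((str(exe), str(zmx)))
                break
    return sorted(hits)


def sha256_of(path):
    """Streamed SHA-256 of a file, so large EXEs do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def group_by_hash(pairs):
    """Group the replacement .exe files by content hash; returns {hexdigest: [exe paths]}."""
    groups = defaultdict(list)
    for exe, _zmx in pairs:
        groups[sha256_of(exe)].append(exe)
    return dict(groups)


def run_demo():
    """Build a constructed share layout in a temp dir and sweep it (sample data, not a real share)."""
    root = Path(tempfile.mkdtemp(prefix="zmx_demo_"))
    worm = b"MZ" + b"WORM" * 16  # stand-in for the worm body; every replaced EXE is this
    (root / "tools").mkdir()
    (root / "tools" / "calc.exe").write_bytes(worm)
    (root / "tools" / "calc.ZMX").write_bytes(b"MZ original calc")
    (root / "apps").mkdir()
    (root / "apps" / "setup.exe").write_bytes(worm)
    (root / "apps" / "setup.exe.ZMX").write_bytes(b"MZ original setup")
    (root / "apps" / "clean.exe").write_bytes(b"MZ untouched program")
    pairs = find_zmx_pairs(root)
    return pairs, group_by_hash(pairs)


if __name__ == "__main__":
    pairs, groups = run_demo()
    for exe, zmx in pairs:
        print(f"replaced: {exe}  (original kept as {zmx})")
    for digest, exes in groups.items():
        print(f"{digest[:16]}... appears in {len(exes)} replaced file(s)")
```

Point find_zmx_pairs at the share root instead of the demo tree for a real sweep; the .ZMX originals are also what you restore from once the share is cleaned, which is why the sweep records both paths.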

Both these hacks have been a real problem, enough so that I sent mailings to subscribers. They are here for historical and archive purposes since they were so serious that I doubt many systems have not had them fixed now.
