Guest, posted May 24, 2002

Just received this note and thought it would be good to pass along since the "bugs" have been coming so regularly.

Barb Banes wrote:

--------------------------------------------------------------------------
Symantec Security Response
May 2002 Newsletter
--------------------------------------------------------------------------

It appears that everyone has received Klez-infected email during the last few weeks. Many of us who know how Klez works would have spent a while explaining why we are not infected. Because of the way Klez spoofs (impersonates) the sender by modifying the From: address of email, the average user is led to believe that their best friends and work colleagues are sending them infected emails. Klez has, however, spread very widely, and here at Symantec we are still seeing a large number of reports from customers, mainly of Klez.H. Interestingly, we are still discovering new 'features' in Elkern, the virus that Klez drops, some of which make it very difficult to clean up. It does appear, however, that we have passed the peak and Klez is now fading into the background noise of other malicious code running around the net.

Anti-virus researchers, security engineers and savvy corporate support staff will have come across piggy-back or multiple infections many times in the past, but this is a topic we don't often cover and it needs some clarification. Often a program file (.exe, .dll etc.) will become infected with a virus. If the virus is well written and the file is still functional, it will appear to the operating system and any other process as a normal executable file. Now imagine that another file infector finds its way onto the infected PC and starts infecting your programs. It's easy to see how we may end up with a program file, for example notepad.exe, infected with W32.Klez and then re-infected with this second virus.
This is exactly what we are seeing now: a new CIH variant, W95.CIH.1049, infecting files that are already infected with Klez. This is not a new scenario; Magistr and Funlove spring to mind (Ferrie's mind, that is :) and Trojans (BackOrifice) infected with CIH.

One other interesting comparison we made was to look at the number of submissions of Love Letter and , we had to double check, as they appeared very low compared to Sircam, Badtrans and Klez. I think this tells us that we are all (the anti-virus industry) getting much better at handling high-volume virus and worm outbreaks through a combination of experience and systems automation. Think about this: LoveLetter and would probably rate as level threes now, and then only for a short period of time. As the net grows, bandwidth utilisation and speed increase and the level of malicious code and rate of infection increase, but the security vendors' products and support services do keep pace. We will never have a 'clean' internet; if we can relegate the levels of malicious code and network intrusions to mere background noise and create an environment where businesses can operate safely and securely, then we have done our job.

Banes.
Editor, securitynews@...

--------------------------------------------------------------------------
Country Spotlight - Germany
--------------------------------------------------------------------------

W32.Klez.gen@mm
JS.Exception.Exploit
Trojan Horse
W32.Klez.H@mm
W32.Klez.E@mm
W32.DSS.Trojan
W95.Hybris.worm
Backdoor.Trojan
W32.Badtrans.B@mm
W95.MTX

--------------------------------------------------------------------------
Top Threats
--------------------------------------------------------------------------

These are the most reported viruses, Trojans and worms to the Symantec Security Response offices during the last month.

W32.Klez.gen@mm - http://www.symantec.com/avcenter/venc/data/w32.klez.gen@...
W32.Klez.H@mm - http://www.symantec.com/avcenter/venc/data/w32.klez.h@...
W32.Klez.E@mm - http://www.symantec.com/avcenter/venc/data/w32.klez.e@...
JS.Exception.Exploit - http://www.symantec.com/avcenter/venc/data/js.exception.exploit.html
Trojan.Horse - http://www.symantec.com/avcenter/venc/data/trojan.horse.html
W95.Hybris - http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html
W32.Magistr.39921@mm - http://www.symantec.com/avcenter/venc/data/w32.magistr.39921@...
Backdoor.Trojan - http://www.symantec.com/avcenter/venc/data/backdoor.trojan.html
Backdoor.Autoupder - http://www.symantec.com/avcenter/venc/data/backdoor.autoupder.html
W32.Badtrans.B@mm - http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@...

--------------------------------------------------------------------------
Viruses, Worms & Trojans
--------------------------------------------------------------------------

W32.Klez                                  Moderate [3] Threat        Win32

Global infection breakdown by geographic region (% of total):

  39.5%  America (North & South)
  46.5%  EMEA (Europe, Middle East, Africa)
   5.7%  Japan
   8.6%  Asia Pacific

Reports by date (% of reports):

  8 Mar   12.0%
  9 Mar    1.9%
  10 Mar   4.7%
  11 Mar  25.2%  (peak)
  12 Mar  19.6%
  13 Mar  14.0%
  14 Mar   7.5%
  15 Mar   7.0%
  16 Mar   0.5%
  17 Mar   1.4%

W32.Klez.gen@mm is a mass-mailing worm that searches the Windows address book for email addresses and sends messages to all recipients that it finds. The worm uses its own SMTP engine to send the messages. The subject and attachment name of incoming emails are randomly chosen. The attachment will have one of the following extensions: .bat, .exe, .pif or .scr.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

W32.Klez.gen@mm attempts to copy itself to all network shared drives that it finds. Depending on the variant, the worm will drop one of the following viruses, which will then infect the system:

  W32.Elkern.3326
  W32.Elkern.3587
  W32.Elkern.4926
Email spoofing

Some variants of this worm use a technique known as "spoofing." If it does this, it chooses at random an address that it finds on an infected computer as the "From:" address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else.

For example, is using a computer that is infected with W32.Klez.E@mm; is not using an antivirus program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.

If you are using a current version of Norton AntiVirus, have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.

--------------------------------------------------------------------------

W95.CIH.1049                              Low Threat [2]             Win95

CIH is a virus that infects 32-bit Windows 95/98/NT executable files, but it can function only under Windows 95/98/Me. It does not function under Windows NT/2000/XP. When an infected program is run under Windows 95/98/Me, the virus becomes resident in memory. Although Windows NT system files can be infected, the virus cannot become resident or infect files on a computer running Windows NT/2000/XP. The virus does not function under DOS, Windows 3.1, or on Macintosh computers. Once the virus is resident, CIH infects other files when they are accessed.
Files infected by CIH may have the same size as the original files because of CIH's unique mode of infection. The virus searches for empty, unused spaces in the file. Next it breaks itself up into smaller pieces and inserts its code into these unused spaces. When Norton AntiVirus repairs a file that is infected by CIH, it looks for these small viral pieces and removes them from the file.

Payload

The payload for W95.CIH.1049 executes on August 2nd. The first payload overwrites the hard disk with random data, starting at the beginning of the disk (sector 0). The overwriting of the sectors does not stop until the system has crashed. As a result, the computer will not boot from the hard disk or a floppy disk. Also, the data that has been overwritten on the hard disk will be very difficult or impossible to recover. You must restore the data from backups.

The second payload tries to cause permanent damage to the computer. This payload attacks the Flash BIOS (a part of your computer that initializes and manages the relationships and data flow between the system devices, including the hard drive, serial and parallel ports, and the keyboard) and tries to corrupt the data that is stored there. As a result, nothing may be displayed when you start the computer. To fix this requires the services of a computer technician.

W95.CIH.1049 has been known to infect the worm W32.Klez.gen@mm.

http://securityresponse.symantec.com/avcenter/venc/data/w95.cih.1049.html

Knowles, Symantec Security Response, USA

--------------------------------------------------------------------------
Security Advisories
--------------------------------------------------------------------------

MSN Chat Control buffer overflow allows     High Risk [4]            Win32
remote code execution

The Microsoft MSN Chat Control input parameter handling functionality contains an unchecked buffer that can allow remote code execution.
The MSN Chat Control is an ActiveX control that adds real-time chat functionality to Microsoft's Messenger applications. A buffer overflow condition exists in one of the functions in Chat Control that handles input. Due to a lack of proper parameter checking, a remote attacker may be able to exploit this buffer overflow to run arbitrary code on the targeted system with user-level privileges.

The following factors mitigate this vulnerability:

- MSN Chat Control, MSN Messenger, or Microsoft Exchange Instant Messenger must be installed on the system for the system to be affected by this vulnerability. Neither Windows nor Internet Explorer contains MSN Chat Control by default. It must be downloaded and installed on a user's system. MSN Messenger does come with Windows XP; however, users would only be vulnerable if they choose to install the MSN Chat Control, which does not ship by default.

- Exploiting this vulnerability through an HTML email attack is effectively blocked by Outlook 98 and Outlook 2000 with the Outlook Express Security Update applied, Outlook 2002, and Outlook Express 6.0. These products all open HTML email in the Restricted Sites zone, which does not allow scripting of ActiveX controls.

Platforms Affected
  Windows

Components Affected
  Microsoft MSN Chat Control
  Microsoft MSN Instant Messenger Service 4.5 and 4.6
  Microsoft Exchange Instant Messenger 4.5 and 4.6

Recommendations

MSN Chat Control Upgrade
Download the latest version of MSN Chat Control.
http://chat.msn.com/

MSN Instant Messenger update
Download the latest version of MSN Instant Messenger.
http://messenger.msn.com/download/download.asp?client=1 & update=1

Microsoft Exchange Instant Messenger update
Download the latest version of Microsoft Exchange Instant Messenger.
http://www.microsoft.com/Exchange/downloads/2000/IMclient.asp

MSN Chat Control Buffer Overflow Security Fix
This hotfix patches the buffer overflow vulnerability in the MSN Chat Control input parameter functionality.
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38790

Best Practice - Regulate employee use of public Instant Messaging systems

Instant Messaging (IM) software, such as AOL Instant Messenger, Yahoo!, ICQ, and MSN Messenger, lets users communicate in real time via the Internet. Some IM applications have features that allow file transfers. Some are beginning to offer additional features such as voice chat and video.

IM is quick, easy, and dangerous. Like regular Internet email, Instant Messages generally travel over the Internet in clear-text format. Nothing is encrypted. When a message is sent, an Internet eavesdropper can capture it. If the intended recipient is not online, IM services can save the message on a central server for delivery when the recipient logs on again. Sensitive information that is shared via IM is completely open to outside eavesdropping. If IM is to be used in the company, choose an IM that offers security (such as 128-bit encryption) to protect sensitive information.

References

Source: Microsoft TechNet
URL: http://www.microsoft.com/technet/security/bulletin/MS02-022.asp

Source: CVE Candidate CAN-2002-0155
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0155

Source: eEye Digital Security Advisory AD20020508
URL: http://www.eeye.com/html/Research/Advisories/AD20020508.html

--------------------------------------------------------------------------

Sun Solaris admintool buffer overflow in    High Risk [4]            Various
PRODVERS argument allows root access

The Sun Solaris admintool is vulnerable to a buffer overflow that allows a local attacker to gain root privileges. Using the Sun Solaris admintool, system administrators add users, create and manage user accounts, and view, add, and remove software packages. The admintool vulnerability results from insufficient bounds checking of the PRODVERS argument in a .cdtoc file, which specifies variables for software distribution media.
To exploit the vulnerability, a local attacker can specify a directory that contains a .cdtoc file through the admintool add or modify software feature. If this .cdtoc file includes a specially crafted string for the PRODVERS argument, a crash may result or the attacker may gain root privileges. Although this admintool vulnerability was originally detected in 2000, it has only been publicized recently.

Platforms Affected
  Sun Microsystems Solaris 2.5, 2.6, 7, and 8 SPARC and x86

Recommendations

Sun Solaris admintool buffer overflow patches

Sun Solaris admintool buffer overflow - workaround
As a temporary solution to the buffer overflow vulnerabilities associated with the admintool -d command line option as well as the PRODVERS argument in the .cdtoc file, system administrators should remove the setuid permissions with the following, as root:

  chmod -s /usr/bin/admintool

See the following document for more complete information:
http://securityresponse.symantec.com/avcenter/security/Content/1920.html

----

References

Source: eSecurity Online
URL: http://www.esecurityonline.com/advisories/eSO2397.asp

Source: CAN 2002-0089
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0089

Source: SecurityFocus.com
URL: http://www.securityfocus.com/bid/4624

-------------------------------------------------------------------------

Various Buffer Overflows and Vulnerabilities

wu-ftpd format string debug set allows remote command execution
NetRecon can discover versions of wu-ftpd running on network resources which allow unauthorized users to create and run unauthorized commands on those resources.

Sendmail mail.local allows unauthorized LMTP commands to be executed
NetRecon can discover a Sendmail service that could allow unauthorized execution of LMTP (Local Mail Transfer Protocol) commands. This vulnerability is the result of a problem with mail.local, a program included with Sendmail, which was intended as a delivery agent for local mail using LMTP.
In LMTP mode, mail.local checks user input for an end-of-message indicator. Should an unauthorized user synthesize a false end-of-message indicator, mail.local would treat any text after the synthesized indicator as LMTP commands.

OpenSSH UseLogin directive can allow remote access as root
NetRecon can discover any network resource with an OpenSSH server vulnerability that allows an intruder to execute arbitrary code. If an intruder can authenticate to the system using public key authentication, and the UseLogin directive is enabled, the intruder can set environment variables that are used by login. Anyone exploiting this vulnerability can execute commands with the privileges of OpenSSH, which is usually root. UseLogin is not enabled by default; however, it is a common configuration.

Lotus Domino Password Bypass
Vulnerabilities exist in Lotus Domino Server allowing malicious users to bypass administrative authentication, resulting in complete administrative control of the server. Lotus Domino Server versions 5.0.9 and prior are vulnerable.
http://online.securityfocus.com/bid/4022

mIRC Nickname Buffer Overflow
Khaled Mardam-Bey's mIRC, a popular Internet Relay Chat client, conducts improper bounds checking of nicknames sent by the server. A malicious user can exploit this unchecked buffer with a long nickname and overwrite stack variables, ultimately allowing the user to gain control of the host computer running the client software. This bug is corrected in version 6.0.
http://online.securityfocus.com/bid/4027

QuickTime Content-Type Overflow
Vulnerabilities exist in Apple QuickTime Player 5.01 and 5.02 for Windows. When an HTTP response containing a long "Content-Type" is received from a malicious web server, a local buffer is overwritten and then executed on the client host. If exploited, this vulnerability allows a web server to execute malicious code on the client computer.
http://online.securityfocus.com/bid/4064

SNMP Community Name Root Access
Vulnerabilities exist in many vendors' implementations of Simple Network Management Protocol, Version 1. If exploited, this vulnerability could lead to a denial of service for managed network devices using SNMP, or in extreme cases, administrator-level remote access by unauthorized users. This signature identifies an exploit that includes malicious shell code that is designed to permit the malicious user to gain privileged remote access to the system under attack.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013

SNMP Set Sysname Overflow
Vulnerabilities exist in many vendors' implementations of Simple Network Management Protocol, Version 1. The system name of the managed device may be overflowed, as the protocol does improper bounds checking on the sysname buffer to limit the number of characters it will accept. If exploited, this vulnerability could lead to a denial of service for managed network devices using SNMP. In extreme cases, this vulnerability may lead to unauthorized users gaining administrator-level remote access.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013

-------------------------------------------------------------------------
Enterprise Security News Clips
-------------------------------------------------------------------------

VISIT THE SYMANTEC ENTERPRISE SECURITY WEB SITE
http://enterprisesecurity.symantec.com/

Recent Enterprise Security News headlines include:

Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm

--------------------------------------------------------------------------
Security News
--------------------------------------------------------------------------

Striking Similarities

Win32.Simile is the latest 'product' of the developments in metamorphic virus code. The virus was released in the most recent 29A #6 issue in early March 2002.
It was written by the virus writer who calls himself 'The Mental Driller'. Some of his previous viruses, such as Win95/Drill (which used the Tuareg polymorphic engine), have proved very challenging to detect. Win32/Simile moves yet another step up the scale of complexity.

The source code of the virus is approximately 14,000 lines of assembly code. About 90% of the virus code is taken up by the metamorphic engine itself, which is extremely powerful. The virus was named 'MetaPHOR' by its author, which stands for 'Metamorphic Permutating High-Obfuscating Reassembler'. The first generation virus code is about 32KB and there are three known variants of the virus in circulation. Samples of the original variant which was released in the 29A issue have been received by certain AV companies from some major corporations in Spain, indicating a minor outbreak.

Win32/Simile is highly obfuscated and challenging to understand. The virus attacks disassembling, debugging and emulation techniques, as well as standard evaluation-based techniques for virus analysis. As with many other complex viruses, Simile uses EPO techniques.

The full article is posted on the Symantec Security Response web site at:
http://securityresponse.symantec.com/avcenter/reference/simile.pdf

Frédéric Perriot and Péter Ször, Symantec Security Response, USA
Ferrie, Symantec Security Response, APAC

--------------------------------------------------------------------------
Top Reported Viruses, Trojans and Worms
--------------------------------------------------------------------------

Following is a list of the top reported viruses to Symantec's regional offices.
- Americas
  W32.Klez.gen@mm
  W32.Klez.H@mm
  JS.Exception.Exploit
  W32.Klez.E@mm
  W95.Hybris.worm
  Trojan Horse
  Backdoor.Autoupder
  W32.Magistr.39921@mm
  Backdoor.Trojan
  VBS.LoveLetter.AS

- Asia Pacific
  W32.Klez.gen@mm
  JS.Exception.Exploit
  W32.Klez.H@mm
  W32.Klez.E@mm
  Backdoor.Trojan
  W95.Hybris.worm
  Trojan Horse
  W32.Magistr.39921@mm
  IFrame.Exploit
  W32.Nimda.enc

- Europe, Middle East and Africa
  W32.Klez.gen@mm
  W32.Klez.E@mm
  W32.Klez.H@mm
  JS.Exception.Exploit
  Trojan Horse
  W95.Hybris.worm
  W32.Badtrans.B@mm
  W32.Magistr.39921@mm
  Backdoor.Trojan
  W32.Sircam.Worm@mm

- Japan
  W32.Klez.gen@mm
  W32.Klez.E@mm
  W32.Klez.H@mm
  IFrame.Exploit
  JS.Exception.Exploit
  W95.Hybris.worm
  W32.Badtrans.B@mm
  W32.Badtrans@...
  W32.Nimda.enc
  Backdoor.Trojan

--------------------------------------------------------------------------
A list of Virus Hoaxes reported to Symantec
http://www.symantec.com/avcenter/hoax.html
--------------------------------------------------------------------------
No New Joke Programs reported to Symantec this month.
http://www.symantec.com/avcenter/jokes.html
--------------------------------------------------------------------------
Symantec Security Response now has Removal Tools for the following threats available on the web site at:
http://www.symantec.com/avcenter/tools.list.html
--------------------------------------------------------------------------
Symantec Glossary for definitions of viruses, Trojans, worms and more.
http://www.symantec.com/avcenter/refa.html
--------------------------------------------------------------------------
Contacts
--------------------------------------------------------------------------

Correspondence by email to: securitynews@... (no unsubscribe or support emails please).
Send virus samples to: avsubmit@...
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html

--------------------------------------------------------------------------
Subscribe and Unsubscribe
--------------------------------------------------------------------------

To be added or removed from the subscription mailing list, please fill out the form available on the Symantec website at:
http://www.symantec.com/help/subscribe.html

The Symantec Security Response Newsletter is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.

--------------------------------------------------------------------------

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s).

© Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.

ISSN 1444-9994
--------------------------------------------------------------------------

--
"When we do the best that we can, we never know what miracle is wrought in our life, or in the life of another." --Helen Keller
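Two points the newsletter makes about Klez, the fixed set of attachment extensions and the spoofed From: address that leads victims to blame an uninfected colleague, translate into a simple triage check. The following is an added example written for this page, not Symantec's or the newsletter's code; the message, addresses and hosts are constructed placeholders, and the Received:-header comparison is an assumed heuristic the newsletter does not describe (ISP relays and forwarders also fail it, so it is a pointer to the real originating relay, not proof of infection).

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Attachment extensions the newsletter lists for W32.Klez.gen@mm.
EXECUTABLE_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}

# Hostname and bracketed IPv4 address in a Received: header.
RECEIVED_FROM = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

# Constructed sample (not a real capture). The From: address is one harvested
# from the infected machine's address book; the earliest Received: line shows
# the host that actually handed the message to the first relay.
SAMPLE_MESSAGE = b"""\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org with ESMTP; Fri, 24 May 2002 10:00:00 +0000
Received: from dialup-7.example-isp.test ([203.0.113.7])
    by mail.example.net with SMTP; Fri, 24 May 2002 09:59:58 +0000
From: harold.logan@corp.example.com
To: janet.bishop@example.org
Subject: W32.Klez.E removal tools
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Klez.E is the most common world-wide spreading worm.
--b1
Content-Type: application/octet-stream; name="setup.pif"
Content-Disposition: attachment; filename="setup.pif"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""


def executable_attachments(msg):
    """Filenames of attachments whose final extension is one Klez uses."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and "." in name:
            if "." + name.rsplit(".", 1)[1].lower() in EXECUTABLE_EXTENSIONS:
                names.append(name)
    return names


def first_hop(msg):
    """(host, ip) from the earliest Received: header, i.e. the originating relay.

    Each relay prepends its own Received: line, so the last one in the message
    is the first hop. Returns (None, None) when nothing is parseable.
    """
    for line in reversed(msg.get_all("Received") or []):
        m = RECEIVED_FROM.search(str(line))
        if m:
            return m.group(1).lower(), m.group(2)
    return None, None


def triage(raw):
    """Collect the signals an analyst needs before blaming the From: address."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    host, ip = first_hop(msg)
    # Assumed heuristic: a first-hop relay inside the From: domain corroborates
    # the sender; a dial-up or foreign host does not, which is Klez's pattern.
    corroborated = bool(host and from_domain and host.endswith(from_domain))
    attachments = executable_attachments(msg)
    return {
        "from_domain": from_domain,
        "origin_host": host,
        "origin_ip": ip,
        "from_corroborated": corroborated,
        "executable_attachments": attachments,
        "suspect": bool(attachments) and not corroborated,
    }
```

For the constructed message, `triage` reports the .pif attachment and the dial-up origin 203.0.113.7, and leaves `from_corroborated` false, so the complaint goes to the owner of the originating relay rather than to Harold.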