Guest Posted July 26, 2002

Here is some news to help avoid the "bugs" that are going around.

Barb Banes wrote:

> --------------------------------------------------------------------------
> Symantec Security Response
>
> July 2002 Newsletter
> --------------------------------------------------------------------------
> I seem to be getting more and more spam, or junk mail, in my personal
> inbox, so much in fact that I may have to stop using my favourite email
> address that I set up when I first arrived in Australia. This is a shame,
> because it's very hard to get 'real' email addresses now; my name seems to
> have been used on all the free services and at my local major ISPs. I did
> manage to get my own domain name so I suppose I'll have to resort to
> 'me@my domain name dot com'. (This is an anti-spam technique: never use
> the actual email address in public communications, just describe it.)
> Symantec's Enterprise Firewall has some anti-spam features built in.
>
> I've been asked to give our Enterprise customers one last reminder that
> virus definition file names have changed/are changing and to check the
> Symantec Support website for details. Consumer products and LiveUpdate
> are not affected.
>
> Banes.
> Editor, securitynews@...
> --------------------------------------------------------------------------
> Stop Press - W32.Frethem.K@mm Spreading fairly quickly - Level 3 Threat,
> Updated Definitions are on the web site and available from LiveUpdate.
> http://www.symantec.com/avcenter/venc/data/w32.frethem.k@mm.html
>
> --------------------------------------------------------------------------
> Country Spotlight - Italy
>
> W32.Klez.H@mm
> W32.Higuy@mm
> W32.Klez.E@mm
> JS.Exception.Exploit
> W95.Hybris.worm
> Trojan Horse
> W32.Magistr.39921@mm
> W32.Storiel@mm
> JS.Seeker
> Backdoor.Trojan
>
> --------------------------------------------------------------------------
> These are the most reported Viruses, Trojans and Worms to the Symantec
> Security Response offices during the last month.
>
> Top Threats
>
> W32.Klez.H@mm
> - http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
> JS.Exception.Exploit
> - http://www.symantec.com/avcenter/venc/data/js.exception.exploit.html
> W32.Klez.E@mm
> - http://www.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
> Trojan.Horse
> - http://www.symantec.com/avcenter/venc/data/trojan.horse.html
> W95.Hybris
> - http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html
> W32.Yaha.F@mm
> - http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.f@mm.html
> Backdoor.Trojan
> - http://www.symantec.com/avcenter/venc/data/backdoor.trojan.html
> W32.Magistr.39921@mm
> - http://www.symantec.com/avcenter/venc/data/w32.magistr.39921@mm.html
> W32.Higuy@mm
> - http://securityresponse.symantec.com/avcenter/venc/data/w32.higuy@mm.html
> JS.Seeker
> - http://www.symantec.com/avcenter/venc/data/js.seeker.html
>
> --------------------------------------------------------------------------
> Viruses, Worms & Trojans
> --------------------------------------------------------------------------
> W32.Frethem@mm    Medium Threat [3]    Win32
>
> Global Infection breakdown by geographic region    % of Total
>
> 16.6%  America (North & South)
> 73.6%  EMEA (Europe, Middle East, Africa)
>  7.9%  Japan
>  1.9%  Asia Pacific
>
> Date    % Reports
>
> 12 Jul   0.1%
> 13 Jul   0.1%
> 14 Jul   0.5%
> 15 Jul  28.0%
> 16 Jul  37.2% <
> 17 Jul  13.2%
> 18 Jul   9.3%
> 19 Jul   6.0%
> 20 Jul   2.8%
> 21 Jul   2.0%
>
> W32.Frethem.K@mm is a worm, and is a variant of W32.Frethem.B@mm. It uses
> its own SMTP engine to send itself to email addresses that it finds in the
> Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb
> files. The email message arrives with the following characteristics:
>
> Subject: Re: Your password!
> Attachments: Decrypt-password.exe and Password.txt
>
> There are many variants of this worm; please check the Symantec web site
> for more details.
>
> Symantec has provided a tool to remove infections of W32.Frethem@mm. Click
> here to obtain the tool. This is the easiest way to remove these threats
> and should be tried first.
>
> http://www.symantec.com/avcenter/venc/data/w32.frethem.k@mm.html
>
> Knowles
> Symantec Security Response, USA
>
> --------------------------------------------------------------------------
> W32.Yaha@mm    Low Threat [2]    Win32
>
> Global Infection breakdown by geographic region    % of Total
>
>  8.8%  America (North & South)
> 89.4%  EMEA (Europe, Middle East, Africa)
>  0.6%  Japan
>  1.2%  Asia Pacific
>
> Date    % Reports
>
>  1 Jun   0.3%
> 13 Jun   1.2%
> 20 Jun   3.4%
> 23 Jun   8.7%
> 24 Jun  12.4% <
> 25 Jun  11.8%
> 26 Jun  12.0%
> 27 Jun  10.2%
> 28 Jun   8.3%
> 29 Jun   6.3%
>
> W32.Yaha.F@mm is a mass-mailing worm that sends itself to all email
> addresses that exist in the Microsoft Windows Address Book, the MSN
> Messenger List, the Yahoo Pager list, the ICQ list, and files that have
> extensions that contain the letters ht. The worm randomly chooses the
> subject and body of the email message. The attachment will have a .bat,
> .pif or .scr file extension. Depending upon the name of the Recycled
> folder, the worm either copies itself to that folder or to the %Windows%
> folder.
>
> The name of the file that the worm creates consists of four randomly
> generated characters between the letters c and y.
>
> It also attempts to terminate antivirus and firewall processes.
> http://www.symantec.com/avcenter/venc/data/w32.yaha.f@mm.html
>
> Knowles
> Symantec Security Response, USA
>
> --------------------------------------------------------------------------
> VBS.Bajar.B@mm    Low Threat [2]    Script
>
> VBS.Bajar.B@mm is the VBS script that is dropped by W32.Bajar.B@mm. The
> script will attempt to send the W32.Bajar.B@mm executable to all recipients
> in the Outlook Address Book. The e-mail message will have the following
> characteristics:
>
> Subject: Nuevo programa para bajar musica gratis (Translation: New program
> to download music for free.)
>
> Attachment: [W32.Bajar.B@mm File Name]
>
> The script also deletes certain system files:
>
> C:\Windows\System\Wsock32.dll
> C:\Windows\Rundll32.exe
> C:\Windows\Rundll.exe
>
> http://www.symantec.com/avcenter/venc/data/vbs.bajar.b@mm.html
>
> l Magee
> Symantec Security Response, USA
>
> --------------------------------------------------------------------------
> FreeBSD.Scalper.Worm    Low Threat [2]    FreeBSD
>
> This worm uses the Apache HTTP Server chunk encoding stack overflow
> vulnerability to spread itself. Currently it has only been confirmed that
> this worm works on the FreeBSD platform. FreeBSD is an advanced operating
> system for Intel ia32 compatible, DEC Alpha, and PC-98 architectures. It
> is derived from BSD UNIX, the version of UNIX developed at the University
> of California,
>
> This worm has received some media coverage but we believe it is currently
> not prevalent in the wild. So far, we have not received any customer
> reports of this worm. For information regarding the vulnerability, please
> click here.
>
> http://www.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
>
> Szor and Knowles
> Symantec Security Response, USA
>
> --------------------------------------------------------------------------
> Security Advisories
> --------------------------------------------------------------------------
> Apache HTTP Server chunk encoding stack overflow    High Threat [4]    Multiple
>
> Apache HTTP Server contains a vulnerability in the handling of certain
> chunk-encoded HTTP requests that may allow remote attackers to execute
> arbitrary code and a denial of service (DoS).
>
> Chunked encoding permits the transfer of fragments of dynamically produced
> content of varying sizes by including a size indicator as well as
> information for the recipient to verify receipt of the complete message.
>
> For Apache versions 1.2.2 through 1.3.24, this vulnerability may allow
> remote attackers to execute arbitrary code on Windows platforms. In
> addition, Apache has reported that a similar attack may allow the execution
> of arbitrary code on both 32-bit and 64-bit UNIX-based systems.
>
> For Apache versions 2.0 through 2.0.36, the buffer overflow condition is
> correctly detected; however, an attempted exploit may cause the child
> process to exit depending on a variety of factors, including the threading
> model supported by the vulnerable system. If multi-threading is used, it
> may lead to a denial of service attack against the Apache Web server because
> all concurrent requests currently served by the affected child process will
> be lost.
>
> Multi-threading is a technique that allows an independent program to
> perform more than one task at seemingly the same time. For example, a
> program that loads a data file while also reading user input is said to
> have two computational units and is therefore multi-threaded.
>
> This vulnerability affects Apache Web server versions that run on many of
> the various Windows, BSD, Linux, and UNIX releases. Users are encouraged
> to contact their vendor to determine whether they are affected and acquire
> appropriate fixes.
>
> References
> Source: CERT CA-2002-17
> URL: http://www.cert.org//advisories/CA-2002-17.html
> Source: Apache 20020617
> URL: http://httpd.apache.org/info/security_bulletin_20020617.txt
> Source: CVE CAN-2002-0392
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
> Source: Security Focus.com BID 5033
> URL: http://online.securityfocus.com/bid/5033
> Source: Red Hat RHSA-2002-103-13
> URL: http://rhn.redhat.com/errata/RHSA-2002-103.html
>
> More information and recommendations are available from the following page.
> http://www.symantec.com/avcenter/security/Content/2049.html
>
> --------------------------------------------------------------------------
> Microsoft IIS HTR Chunked Encoding heap overflow allows arbitrary code    High Threat [4]    Windows
>
> There is another heap overflow condition in the Chunked Encoding data
> transfer mechanism of Internet Information Server 4.0 and Internet
> Information Services 5.0. Although similar to a previous heap overflow,
> MS02-018, this vulnerability is in the Internet Services Application
> Programming Interface (ISAPI) extension that implements HTR. The previous
> heap overflow vulnerability lay in the ISAPI extension that implemented
> Active Server Pages (ASP).
>
> Chunked encoding is a process that allows a client to submit a variable-
> sized quantity of data to a web server, called a chunk. The web server can
> then receive and process this data.
>
> An attacker could send a specially chosen request to an affected web server
> to either disrupt web services or gain the ability to run a program on the
> server. Such a program would run with full system privileges in IIS 4.0.
> Exploiting IIS 5.0 would give the attacker fewer but nevertheless
> significant privileges. In either case, the attacker could overflow the
> heap with random data to corrupt program code and cause the IIS service to
> fail, preventing the use by legitimate users, or he could change the
> operation of the server. Specifically, he could overflow the heap and then
> overwrite a section of the heap on the server with new program code,
> revising the functionality of the server software. The attacker could
> overwrite static global variables, stored function pointers, process
> management structures, memory management structures, or any number of data
> types that will allow him to gain control of the target application in one
> session.
>
> Mitigating factors that affect the overall impact of successful
> exploitation of this vulnerability include:
>
> Systems on which HTR is disabled are not at risk from this vulnerability.
> Microsoft has released an IIS Lockdown tool that disables HTR by default.
> Microsoft has released a URLScan tool that provides a means of blocking
> chunked encoding transfer requests by default.
>
> References
> Source: Microsoft MS02-028
> URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-028.asp
> Source: CVE CAN-2002-0364
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0364
> Source: Security Focus.com BID 4855
> URL: http://online.securityfocus.com/bid/4855/info/
>
> More information and recommendations are available from the following page.
> http://www.symantec.com/avcenter/security/Content/2033.html
>
> -------------------------------------------------------------------------
> MSN Chat Control buffer overflow allows remote code execution    High Threat [4]    Windows
>
> The Microsoft MSN Chat Control input parameter handling functionality
> contains an unchecked buffer that can allow remote code execution.
>
> The MSN Chat Control is an ActiveX control that adds real-time chat
> functionality to Microsoft's Messenger applications.
>
> A buffer overflow condition exists in one of the functions in Chat Control
> that handles input. Due to a lack of proper parameter checking, a remote
> attacker may be able to exploit this buffer overflow to run arbitrary code
> on the targeted system with user-level privileges.
>
> The following factors mitigate this vulnerability:
> -------------------------------------------------------------------------
> MSN Chat Control, MSN Messenger, or Microsoft Exchange Instant Messenger
> must be installed on the system for the system to be affected by this
> vulnerability. Neither Windows nor Internet Explorer contains MSN Chat
> Control by default. It must be downloaded and installed on a user's system.
> MSN Messenger does come with Windows XP; however, users would only be
> vulnerable if they choose to install the MSN Chat Control, which does not
> ship by default. Exploiting this vulnerability through an HTML email
> attack is effectively blocked by Outlook 98 and Outlook 2000 with the
> Outlook Express Security Update applied, Outlook 2002, and Outlook Express
> 6.0. These products all open HTML email in the Restricted Sites zone,
> which does not allow scripting of ActiveX controls.
>
> References
> Source: Microsoft TechNet
> URL: http://www.microsoft.com/technet/security/bulletin/MS02-022.asp
> Source: CVE Candidate CAN-2002-0155
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0155
> Source: eEye Digital Security Advisory AD20020508
> URL: http://www.eeye.com/html/Research/Advisories/AD20020508.html
>
> More information and recommendations are available from the following page.
> http://www.symantec.com/avcenter/security/Content/1943.html
>
> --------------------------------------------------------------------------
> Security News
> --------------------------------------------------------------------------
> Does creating an "!0000" or other "trick" address book
> entry prevent the spread of viruses?
>
> Messages that claim that you can prevent the spread of email worms and
> Trojans by adding a special "trick" entry as the first contact in your
> email address book appear fairly frequently. Among the "names" that they
> suggest that you add to your address book are:
>
> !0000
> AAAAAA
>
> The usual claim is that this will, in one way or another, stop the threat
> from spreading. While these are, in the strictest definition of the word,
> not hoaxes (although the AAAAA version, with its recommendation to "Pass
> this on to all your friends", is close), like hoaxes, they should be
> ignored and not forwarded.
>
> Although this is technically not a hoax--in theory, it could work with a
> few older worms and viruses--Symantec Security Response STRONGLY
> recommends that you ignore it. You should not rely on such "fixes" to
> prevent the spread of viruses, worms, and Trojans. Also, a hacker could
> exploit some variants of this message to make you more susceptible to
> loss of confidential information. The best defence against such threats
> is to have a current version of Norton AntiVirus installed, make sure
> that Auto-Protect is enabled, and update your virus definitions
> frequently. In addition, if you are on a network, or if you have a
> full-time connection to the Internet (such as cable or DSL), you should use
> firewall software.
>
> Koris
> Symantec, USA
> --------------------------------------------------------------------------
> Top Reported Viruses, Trojans and Worms
> Following is a list of the top reported viruses to Symantec's regional
> offices.
>
> - Americas
> W32.Klez.H@mm
> JS.Exception.Exploit
> Trojan Horse
> W95.Hybris.worm
> VBS.LoveLetter.AS
> W32.Klez.E@mm
> W32.Magistr.39921@mm
> JS.Seeker
> Backdoor.Trojan
> Backdoor.Autoupder
>
> - Asia Pacific
> W32.Klez.H@mm
> JS.Exception.Exploit
> W95.CIH.1049
> JS.Seeker
> Backdoor.Trojan
> VBS.Haptime.A@mm
> W32.Nimda.enc
> W32.Magistr.39921@mm
> Trojan Horse
>
> - Europe, Middle East and Africa
> W32.Klez.H@mm
> JS.Exception.Exploit
> W32.Klez.E@mm
> W32.Yaha.F@mm
> W32.Higuy@mm
> W95.Hybris.worm
> Trojan Horse
> Backdoor.Trojan
> W32.Magistr.39921@mm
> W95.CIH.1049
>
> - Japan
> W32.Klez.H@mm
> W32.Klez.E@mm
> VBS.LoveLetter.A
> W32.Badtrans.B@mm
> W95.Hybris.worm
> JS.Exception.Exploit
> W32.Klez.gen@mm
> W95.Tecata.1761
> VBS.Network.E
> VBS.Internal
>
> --------------------------------------------------------------------------
> A list of Virus Hoaxes reported to Symantec
> http://www.symantec.com/avcenter/hoax.html
>
> --------------------------------------------------------------------------
> No New Joke Programs reported to Symantec this month.
> http://www.symantec.com/avcenter/jokes.html
>
> --------------------------------------------------------------------------
> Symantec Security Response now has Removal Tools for the following threats
> available on the web site at:
> http://www.symantec.com/avcenter/tools.list.html
>
> --------------------------------------------------------------------------
> Symantec Glossary for definitions of viruses, Trojans and worms and more.
> http://www.symantec.com/avcenter/refa.html
> --------------------------------------------------------------------------
> Contacts
> --------------------------------------------------------------------------
> Correspondence by email to: securitynews@... (no unsubscribe or
> support emails please).
> Send virus samples to: avsubmit@...
> Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
> --------------------------------------------------------------------------
> Subscribe and Unsubscribe
> --------------------------------------------------------------------------
> To be added or removed from the subscription mailing list, please fill out
> the form available on the Symantec website at:
> http://www.symantec.com/help/subscribe.html
> The Symantec Security Response Newsletter is published periodically by
> Symantec Corporation. No reprint without permission in writing, in advance.
> --------------------------------------------------------------------------
> This message contains Symantec Corporation's current view of the topics
> discussed as of the date of this document. The information contained in
> this message is provided "as is" without warranty of any kind, either
> expressed or implied, including but not limited to the implied warranties
> of merchantability, fitness for a particular purpose, and freedom from
> infringement. The user assumes the entire risk as to the accuracy and the
> use of this document. This document may not be distributed for profit.
>
> Symantec and the Symantec logo are U.S. registered trademarks of Symantec
> Corporation. Other brands and products are trademarks of their respective
> holder(s). © Copyright 2002 Symantec Corporation. All rights reserved.
> Materials may not be published in other documents without the express,
> written permission of Symantec Corporation.
> ISSN 1444-9994
> --------------------------------------------------------------------------

--
"The greater part of our happiness or misery depends on our dispositions, and not our circumstances." --Martha Washington
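Both the Apache advisory and the IIS HTR advisory in the quoted newsletter concern the chunked transfer encoding mechanism, where the sender supplies a size indicator for each chunk. The C program below is an added example, not code from the newsletter, from Apache or from IIS: it is a small, bounds-checked chunked-body decoder that shows the checks a server-side parser has to make before it uses a declared chunk size as a copy length. The function names, the status codes, the size limit and the sample inputs are all my own constructions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the decoder (constructed for this example). */
enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_BAD_SIZE = -1,   /* size line is not a hexadecimal number, or CRLF missing after data */
    CHUNK_TOO_LARGE = -2,  /* declared size exceeds the limit the caller can hold */
    CHUNK_TRUNCATED = -3   /* input ends before the declared data (or its CRLF) is present */
};

/* Parse the hexadecimal chunk-size line at *p (bounded by end).
 * Digits are accumulated with an overflow guard so that an attacker-chosen
 * value can never wrap; any value above max_chunk is rejected before use.
 * On success sets *size, advances *p past the CRLF and returns CHUNK_OK. */
static int parse_chunk_size(const char **p, const char *end, size_t max_chunk, size_t *size)
{
    const char *s = *p;
    size_t val = 0;
    int ndigits = 0;

    while (s < end && isxdigit((unsigned char)*s)) {
        int d = isdigit((unsigned char)*s) ? *s - '0'
                                           : tolower((unsigned char)*s) - 'a' + 10;
        if (val > (max_chunk >> 4))      /* shifting left by 4 would exceed the limit */
            return CHUNK_TOO_LARGE;
        val = (val << 4) | (size_t)d;
        if (val > max_chunk)
            return CHUNK_TOO_LARGE;
        s++;
        ndigits++;
    }
    if (ndigits == 0)
        return CHUNK_BAD_SIZE;

    /* Skip an optional chunk extension (";name=value") up to the CRLF. */
    while (s < end && *s != '\r')
        s++;
    if (end - s < 2 || s[0] != '\r' || s[1] != '\n')
        return CHUNK_TRUNCATED;

    *p = s + 2;
    *size = val;
    return CHUNK_OK;
}

/* Decode a chunked body from in[0..in_len) into out (capacity out_cap).
 * Returns the number of bytes written, or a negative chunk_status.
 * The defensive step is that every declared size is checked against the
 * remaining input and the remaining output capacity before any memcpy. */
static long decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap)
{
    const char *p = in, *end = in + in_len;
    size_t written = 0;

    for (;;) {
        size_t size;
        int st = parse_chunk_size(&p, end, out_cap, &size);
        if (st != CHUNK_OK)
            return st;
        if (size == 0)                      /* last-chunk; trailers are ignored here */
            return (long)written;
        if (end - p < 2 || (size_t)(end - p) - 2 < size)
            return CHUNK_TRUNCATED;         /* data plus its CRLF must already be present */
        if (size > out_cap - written)
            return CHUNK_TOO_LARGE;         /* would overrun the destination buffer */
        memcpy(out + written, p, size);
        written += size;
        p += size;
        if (p[0] != '\r' || p[1] != '\n')
            return CHUNK_BAD_SIZE;
        p += 2;
    }
}

/* Convenience wrapper: decode a NUL-terminated constructed sample into a fixed scratch buffer. */
static char scratch[64];
static long decode_sample(const char *sample)
{
    return decode_chunked(sample, strlen(sample), scratch, sizeof scratch);
}
static const char *scratch_data(void) { return scratch; }

int main(void)
{
    /* Constructed well-formed body: "Wiki" + "pedia" followed by the zero-length last chunk. */
    long n = decode_sample("4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n");
    printf("decoded %ld bytes: %.*s\n", n, (int)n, scratch_data());

    /* Constructed hostile body: a size indicator far larger than any buffer on this server. */
    n = decode_sample("FFFFFFFFFFFFFFFF\r\nAAAA\r\n0\r\n\r\n");
    printf("oversized chunk rejected with status %ld\n", n);

    /* Constructed truncated body: the declared 5 bytes are not all present. */
    n = decode_sample("5\r\nabc");
    printf("truncated chunk rejected with status %ld\n", n);
    return 0;
}
```

The two points the advisories turn on are visible in `parse_chunk_size` and `decode_chunked`: the size is accumulated with an explicit overflow guard rather than a plain shift-and-add, and it is compared with both the bytes actually received and the space actually available before a single byte is copied. A decoder that trusts the indicator on either side is the shape of bug described for Apache 1.3.24 and for the IIS HTR extension above.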