--------------------------------------------------------------------------
Symantec Security Response
March 2003 Newsletter
--------------------------------------------------------------------------

CodeRed.F will probably be working its way through the Internet for a while as, unlike CodeRed II, it does not have a built-in self-termination date. This is bad news, because someone has to pay for the bandwidth it is using, engineers need to patch systems, and it creates security systems management issues.

The sendmail vulnerability is fairly serious, as it is obvious that many organisations use sendmail as their MTA (Message Transfer Agent). We can't stress enough how important it is to have a program in place to ensure all of your software programs are patched up to the latest level.

There are two IT Security related conferences running in May this year, one in the northern and one in the southern hemisphere; they are:

AusCERT Asia Pacific - Information Technology Security Conference 2003
May 11 - 15 2003 - Brisbane, Australia

EICAR - Annual Conference on IT Security
May 10 - 13 2003 - Copenhagen, Denmark

There are details of these events at the end of the newsletter.

Best Regards
David Banes.
Editor, Symantec Security Response Newsletter.
--------------------------------------------------------------------------
Useful Links
--------------------------------------------------------------------------

Microsoft Security Bulletin MS02-061
Elevation of Privilege in SQL Server Web Tasks (Q316333)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp

--------------------------------------------------------------------------
To unsubscribe from this newsletter please go to:
http://securityresponse.symantec.com/avcenter/newsletter.html
--------------------------------------------------------------------------

Country Spotlight
Switzerland

W95.Hybris.worm
W32.Klez.H@mm
Trojan Horse
IRC Trojan
W32.Kwbot.C.Worm
W95.Spaces.1445
W32.Funlove.4099
W32.Nimda.E@mm
Swporta.Trojan
Backdoor.IRC.Zcrew

--------------------------------------------------------------------------
These are the most reported Viruses, Trojans and Worms to the Symantec Security Response offices during the last month.

Top Threats

W32.Klez.H@mm
Trojan Horse
JS.Exception.Exploit
HTML.Redlof.A
IRC Trojan
W95.Hybris.worm
W32.Nimda.E@mm
W32.Funlove.4099
W95.Spaces.1445
W32.Bugbear@mm

--------------------------------------------------------------------------
Viruses, Worms & Trojans
--------------------------------------------------------------------------

CodeRed.F

Aliases: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C, W32/CodeRed.a.worm [McAfee]
Risk: Medium [3]
Date: March 11th 2003
Platforms Affected: Microsoft IIS

Overview

As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild. CodeRed.F differs from the original CodeRed II in only two bytes. CodeRed II will restart the system if the year is greater than 2001; this is no longer the case for this variant. Symantec antivirus products detect CodeRed.F as CodeRed Worm if it is saved to a file. The worm also drops a Trojan, which will be detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and remove this new variant.
CodeRed.F scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 Web servers and uses a buffer overflow vulnerability to infect the remote computers. The worm injects itself directly into memory, rather than copying itself as a file on the system. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot. Trojan.VirtualRoot gives the hacker full remote access to the Web server.

If you are running the Microsoft IIS Server, we recommend that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

A cumulative patch for IIS, including the four patches released to date, is available at:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address this problem and stop the Trojan from re-infecting the computer:
http://www.microsoft.com/technet/security/bulletin/MS00-052.asp

References
http://www.sarc.com/avcenter/venc/data/codered.f.html

--------------------------------------------------------------------------
W32.HLLW.Oror.AI@mm

Aliases: W32.HLLW.Oror.AD@mm, W32/Roro.AD@mm [F-Prot], I-Worm.Roron.gen [KAV]
Risk: Low [2]
Date: March 14th 2003
Platforms Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview

W32.HLLW.Oror.AI@mm is a variant of the W32.HLLW.Oror@mm mass-mailing worm. This worm attempts to spread using email, mIRC, KaZaA, network shares, and mapped drives. The email attachment arrives with a .exe or .scr file extension. W32.HLLW.Oror.AI@mm also attempts to terminate and remove various security products from the infected computer. This threat is written in the C++ language. Some of the files are compressed with UPX.
References
http://www.sarc.com/avcenter/venc/data/w32.hllw.oror.ai@mm.html

Credit
Jari Kytojoki, Symantec Security Response EMEA

--------------------------------------------------------------------------
Security Advisories
--------------------------------------------------------------------------

Sendmail Header Processing Buffer Overflow Vulnerability

Risk: High
Date: 3rd March 2003
Components Affected: Many, listed here:
http://www.sarc.com/avcenter/security/Content/3.3.2003.html

Description

Sendmail is a widely used MTA for Unix and Microsoft Windows systems. A remotely exploitable vulnerability has been discovered in Sendmail. The vulnerability is due to a buffer overflow condition in the SMTP header parsing component. Remote attackers may exploit this vulnerability by connecting to target SMTP servers and transmitting malformed SMTP data to them.

The overflow condition occurs when Sendmail processes incoming e-mail messages with multiple addresses in a field such as "From:" or "CC:". One of the checks to ensure that the addresses are valid is flawed, resulting in a buffer overflow condition. Successful attackers may exploit this vulnerability to gain root privileges on affected servers remotely.

Versions 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or apply available patches to prior versions of the 8.x tree.

References
http://www.sarc.com/avcenter/security/Content/3.3.2003.html

Credits
Discovered by Mark Dowd of ISS X-Force.

--------------------------------------------------------------------------
Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability

Risk: High
Date: 17th March 2003
Components Affected: IIS 5.0 on Microsoft Windows 2000

Description

Microsoft has released Security Bulletin MS03-007, outlining a previously unreported vulnerability present in the Microsoft Windows 2000 IIS WebDAV component. The vulnerability is a buffer overflow condition, which requires Microsoft IIS to be enabled in order to be exploitable.
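As an added example for the WebDAV advisory above (not code from the newsletter, Symantec or Microsoft), a small detection pass over IIS W3C-format log lines that flags WebDAV requests carrying unusually long URIs, the "unusually long data" condition the advisory describes. The sample log lines, client addresses and the 1024-byte threshold are constructed assumptions for illustration.

```python
"""Flag WebDAV requests carrying unusually long data in IIS W3C-format logs.

Added example for the MS03-007 WebDAV advisory; not Symantec's or Microsoft's code.
The sample log lines and the 1024-byte threshold are constructed assumptions."""

# WebDAV request methods defined in RFC 2518, which the advisory cites.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Assumed threshold: legitimate WebDAV paths on this server are far shorter than this.
MAX_URI_LEN = 1024

def parse_w3c_log(lines):
    """Yield one field->value dict per request line, using the #Fields directive."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the lines that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue                           # other directives, blanks, or no header yet
        values = line.split(" ")               # IIS encodes spaces inside fields as '+'
        if len(values) != len(fields):
            continue                           # malformed line; skipping beats misaligning
        yield dict(zip(fields, values))

def find_suspect_webdav(lines, max_uri_len=MAX_URI_LEN):
    """Return (client ip, method, total uri length) for oversized WebDAV requests."""
    hits = []
    for rec in parse_w3c_log(lines):
        method = rec.get("cs-method", "")
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
        length = len(stem) + (0 if query == "-" else len(query) + 1)  # +1 for '?'
        if method in WEBDAV_METHODS and length > max_uri_len:
            hits.append((rec.get("c-ip", "?"), method, length))
    return hits

# Constructed sample log (not a real capture): one benign PROPFIND, one oversized one,
# and an oversized GET that this WebDAV-specific check deliberately ignores.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2003-03-18 10:00:01 192.0.2.10 GET /default.htm - 200 Mozilla/4.0",
    "2003-03-18 10:00:02 192.0.2.11 PROPFIND /docs/ - 207 DavClient/1.0",
    "2003-03-18 10:00:03 192.0.2.12 PROPFIND /" + "A" * 1100 + " - 500 -",
    "2003-03-18 10:00:04 192.0.2.13 GET /" + "B" * 1100 + " - 404 Mozilla/4.0",
]

if __name__ == "__main__":
    for ip, method, length in find_suspect_webdav(SAMPLE_LOG):
        print(f"suspect {method} from {ip}: uri length {length} > {MAX_URI_LEN}")
```

Tune the threshold to the longest path your own WebDAV clients legitimately request, and treat a hit as a prompt to confirm the MS03-007 patch is installed rather than as proof of exploitation.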
WebDAV (World Wide Web Distributed Authoring and Versioning) is implemented by IIS, if installed, in the Microsoft Windows 2000 operating system. IIS is installed by default on Windows 2000 Server and Advanced Server, but is not installed by default on Windows 2000 Professional. The WebDAV protocol is documented in RFC 2518 (ftp://ftp.rfc-editor.org/in-notes/rfc2518.txt), and provides a standard for Web-based editing and file management.

A buffer overflow vulnerability is present in a Microsoft Windows 2000 component used by WebDAV. WebDAV does not perform sufficient bounds checking on data passed to a particular system component. When unusually long data is supplied to the vulnerable WebDAV component, it is in turn passed to the ntdll.dll system component. WebDAV fails to perform sufficient bounds checking on this data, allowing a buffer to be overrun. This could result in the execution of arbitrary code in the context of the IIS service, which is LocalSystem by default.

Recommendations

Administrators are highly encouraged to apply the vendor-supplied fixes provided below. Patches may be installed on Windows 2000 systems running either Service Pack 2 or Service Pack 3.

All versions of Windows 2000 except Japanese NEC
Patch: http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en

Windows 2000 Japanese NEC version
Patch: http://microsoft.com/downloads/details.aspx?FamilyId=FBCF9847-D3D6-4493-8DCF-9BA29263C49F&displaylang=ja

References
http://www.microsoft.com/

Credits
Microsoft

--------------------------------------------------------------------------
Security News
--------------------------------------------------------------------------

EICAR - Annual Conference on IT Security
May 10 - 13 2003 - Copenhagen, Denmark

The 12th annual EICAR conference promises again to be an exciting event, welcoming vendors, researchers and users from business, government and universities to discuss new developments in:

- Pervasive computing
- Forensics
- Intrusion detection
- Cybercrime, privacy and security
- Anti-virus and malware
- IT law

More information can be found here:
http://conference.EICAR.org

Take advantage of the online registration at:
http://conference.eicar.org/frame/registration/other/registration.html

There are Student Awards for best research proposal, paper, etc., and the Graduate workshop promises a lot of excitement:
http://conference.eicar.org/frame/students/students.html

As well as these events, a professional clinic allows attendees to acquire new IT Security skills or freshen existing ones.

(Please quote reference AU2003 if enquiring about this conference via this publication)

--------------------------------------------------------------------------
AusCERT Asia Pacific - Information Technology Security Conference 2003
May 11 - 15 2003 - Brisbane, Australia

An international conference focussing on IT security for CFOs, CIOs, CTOs and technical staff from government agencies, universities and industry.

At AusCERT 2003, you will learn from world class experts about the latest strategies to make your information systems secure and how to address computer security breaches:

- Discover the key security issues your organisation should be addressing.
- Understand the strategic and tactical implications of IT security for your organisation.
- Get up-to-date on the latest threats and mitigation strategies.
- Understand computer security threats and trends.

This is an IT security conference with a difference: it includes business and technical streams and a day and a half of tutorials. World class IT security speakers will be present from Asia, Australia, Europe and the USA. Over 400 delegates attended AusCERT2002.
On their feedback form, 90% of respondents said the content was excellent or very good. Delegates said this was the best IT Security conference they had ever been to!

(Please quote reference AU2003 if enquiring about this conference via this publication)

--------------------------------------------------------------------------
Top Reported Viruses, Trojans and Worms
--------------------------------------------------------------------------

Following is a list of the top reported viruses to Symantec's regional offices.

-Asia Pacific
HTML.Redlof.A
W32.Klez.H@mm
JS.Exception.Exploit
Trojan Horse
W32.Nimda.E@mm
W95.Hybris.worm
W95.Spaces.1445
W32.Bugbear@mm
W32.Funlove.4099
W32.Opaserv.Worm

-Europe, Middle East & Africa
W32.Klez.H@mm
Trojan Horse
JS.Exception.Exploit
HTML.Redlof.A
IRC Trojan
W32.Nimda.E@mm
W95.Hybris.worm
W32.Funlove.4099
W95.Spaces.1445
W32.Bugbear@mm

-Japan
W32.Klez.H@mm
HTML.Redlof.A
Trojan Horse
W95.Hybris.worm
IRC Trojan
W32.Klez.E@mm
W32.Bugbear@mm
W95.Spaces.1445
W32.Sobig.A@mm
W32.Nimda.E@mm

-The Americas
W32.Klez.H@mm
Trojan Horse
IRC Trojan
JS.Exception.Exploit
W95.Hybris.worm
W32.HLLP.Handy
W95.Spaces.1445
W32.Bugbear@mm
Backdoor.IRC.Zcrew
W32.Sobig.A@mm

--------------------------------------------------------------------------
A list of Virus Hoaxes reported to Symantec:
http://www.symantec.com/avcenter/hoax.html
--------------------------------------------------------------------------
No New Joke Programs reported to Symantec this month.
http://www.symantec.com/avcenter/jokes.html
--------------------------------------------------------------------------
Symantec Security Response now has Removal Tools for the following threats available on the web site at:
http://www.symantec.com/avcenter/tools.list.html
--------------------------------------------------------------------------
Symantec Glossary for definitions of viruses, Trojans and worms and more.
http://www.symantec.com/avcenter/refa.html

--------------------------------------------------------------------------
Contacts
--------------------------------------------------------------------------

Correspondence by email to: securitynews@symantec.com
No unsubscribe or support emails please.

Send virus samples to: avsubmit@symantec.com

Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html

--------------------------------------------------------------------------
Subscribe and Unsubscribe
--------------------------------------------------------------------------

To be added or removed from the subscription mailing list, please fill out the form available on the Symantec website at:
http://www.symantec.com/help/subscribe.html

The Symantec Security Response Newsletter is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.

--------------------------------------------------------------------------
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s).

(c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.

ISSN 1444-9994
--------------------------------------------------------------------------