--------------------------------------------------------------------------
Symantec Security Response
January 2003 Newsletter
--------------------------------------------------------------------------

February has been a busy month for Security Response, so I must apologise for publishing this edition later than usual.

W32.SQLExp.Worm was a major event and is documented below in our Viruses, Worms and Trojans summaries, with a more detailed look in our monthly Security News article.

W32.HLLW.Lovgate.C@mm started out as a high profile risk, but it soon became apparent that the levels of submission had dropped off, so we downgraded it to a Low threat (level 2) to match other Lovgate variants.

Symantec's latest Internet Security Threat Report was released in February; I have included the abstract and a link to this and prior reports:

--
'The February 2003 edition of the Symantec Internet Security Threat Report provides the most comprehensive analysis of evolving Internet threats. Drawing empirical data and expert analysis from several of Symantec's vast security resources, the Report identifies critical trends related to cyber attack activity, new vulnerabilities, and new forms of malicious code. By combining analysis of several different sources of threat data, the February 2003 edition provides the world's most comprehensive analysis of current Internet threats and how they are evolving over time.'

http://enterprisesecurity.symantec.com/content.cfm?articleid=1539&EID=0
--

Best Regards
David Banes.
Editor, Symantec Security Response Newsletter.
--------------------------------------------------------------------------
Useful Links
--------------------------------------------------------------------------

Microsoft Security Bulletin MS02-061
Elevation of Privilege in SQL Server Web Tasks (Q316333)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp

--------------------------------------------------------------------------
To unsubscribe from this newsletter please go to:
http://securityresponse.symantec.com/avcenter/newsletter.html
--------------------------------------------------------------------------
Country Spotlight: South Africa
--------------------------------------------------------------------------

W95.Spaces.1445
W32.Funlove.4099
W32.Opaserv.G.Worm
W95.Dupator.1503
W32.Opaserv.Worm
W32.Lirva.C@mm
W32.Opaserv.H.Worm
W32.Klez.H@mm
Trojan Horse
W32.Datom.Worm

--------------------------------------------------------------------------
Top Threats
--------------------------------------------------------------------------
These are the most reported Viruses, Trojans and Worms to the Symantec Security Response offices during the last month.

W32.Klez.H@mm - http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
Trojan.Horse - http://www.symantec.com/avcenter/venc/data/trojan.horse.html
W32.Sobig.A@mm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.a@mm.html
JS.Exception.Exploit - http://www.symantec.com/avcenter/venc/data/js.exception.exploit.html
IRC Trojan - http://securityresponse.symantec.com/avcenter/venc/data/irc.trojan.html
HTML.Redlof.A - http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
W95.Hybris.worm - http://www.symantec.com/avcenter/venc/data/w95.hybris.worm.html
W32.Lirva.A@mm - http://securityresponse.symantec.com/avcenter/venc/data/w32.lirva.a@mm.html
W32.Bugbear@mm - http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
W32.Lirva.C@mm - http://securityresponse.symantec.com/avcenter/venc/data/w32.lirva.c@mm.html

--------------------------------------------------------------------------
Viruses, Worms & Trojans
--------------------------------------------------------------------------

W32.SQLExp.Worm

Aliases: SQL Slammer Worm [ISS], DDOS.SQLP1434.A [Trend], W32/SQLSlammer [McAfee], Slammer [F-Secure], Sapphire [eEye], W32/SQLSlam-A [Sophos]
Risk: Moderate [3]
Date: 25th January 2003

Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service port. Because of the large number of packets it sends, the worm has the unintended payload of performing a Denial of Service attack.

Symantec Security Response strongly recommends that all users of either Microsoft SQL Server 2000 or MSDE 2000 audit their computers for the vulnerabilities referred to in Microsoft Security Bulletin MS02-039 and Microsoft Security Bulletin MS02-061. Symantec Security Response also recommends that you:

- Configure perimeter devices to block ingress UDP traffic to port 1434 from untrusted hosts.
- Block egress UDP traffic from your network to destination port 1434.

For more information on the SQL outbreak, refer to the Web cast at:
https://enterprisesecurity.symantec.com/Content/webcastarchive.cfm?SSL=YES&EID=0&webcastID=45

Information on removal and how to configure Symantec products to detect this threat is available in the document linked below.
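The two recommendations above (watch for ingress UDP/1434 from untrusted hosts, and for egress UDP/1434 from your own network) can be checked against firewall logs. The script below is an added example written for this newsletter, not Symantec's code or tooling: it takes the one fact the advisory gives (a 376-byte UDP datagram to port 1434), parses constructed firewall-style log lines in an assumed format, and counts matching probes per source so that external probers and internal hosts spraying outward (likely infected) can be told apart.

```python
import re
from collections import Counter

# From the advisory: one 376-byte UDP datagram to port 1434 (the SQL Server
# Resolution Service). The log format and all addresses below are assumed.
SQLEXP_PORT = 1434
SQLEXP_LEN = 376

# Assumed firewall-style line: "<ts> <proto> <src>:<sport> -> <dst>:<dport> len=<n>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                     r"\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+len=(?P<len>\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec

def is_sqlexp_probe(rec):
    """True for a UDP datagram to 1434 whose length equals the worm's payload."""
    return (rec["proto"].upper() == "UDP"
            and rec["dport"] == SQLEXP_PORT
            and rec["len"] == SQLEXP_LEN)

def classify(lines, internal_prefix):
    """Count probes per source: external sources hitting us (ingress, block at
    the perimeter) versus internal sources spraying outward (likely infected)."""
    ingress, egress = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sqlexp_probe(rec):
            continue
        bucket = egress if rec["src"].startswith(internal_prefix) else ingress
        bucket[rec["src"]] += 1
    return ingress, egress

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = [
    "2003-01-25T05:01:10Z UDP 203.0.113.7:1079 -> 10.1.2.3:1434 len=376",
    "2003-01-25T05:01:11Z UDP 203.0.113.7:1079 -> 10.1.2.4:1434 len=376",
    "2003-01-25T05:01:12Z TCP 198.51.100.9:40211 -> 10.1.2.5:1433 len=60",
    "2003-01-25T05:01:13Z UDP 10.1.2.3:1026 -> 192.0.2.55:1434 len=376",
    "2003-01-25T05:01:13Z UDP 10.1.2.3:1026 -> 192.0.2.56:1434 len=376",
    "2003-01-25T05:01:13Z UDP 10.1.2.3:1026 -> 192.0.2.57:1434 len=376",
    "2003-01-25T05:01:14Z UDP 10.1.2.8:1434 -> 10.1.2.9:1434 len=42",
]

if __name__ == "__main__":
    ingress, egress = classify(SAMPLE_LOG, internal_prefix="10.")
    print("external hosts probing UDP/1434:", dict(ingress))
    print("internal hosts probing outward:", dict(egress))
```

On the sample above, host 10.1.2.3 shows up as an internal source after having been probed from outside, which is the pattern an administrator would want to isolate and patch first.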
References
http://www.sarc.com/avcenter/venc/data/w32.sqlexp.worm.html
Microsoft Security Bulletin MS02-039
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
Microsoft Security Bulletin MS02-061
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp

Credit
Douglas Knowles, Symantec Security Response, USA

--------------------------------------------------------------------------

W32.HLLW.Lovgate.C@mm

Aliases: WORM_LOVGATE.C [Trend], Win32/Lovgate.C@mm [RAV], W32/Lovgate.c@M [McAfee], I-Worm.Supnot.c [KAV], W32/Lovgate-B [Sophos], Win32.Lovgate.C [CA]
Risk: Low [2]
Date: 24th February 2003

Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.HLLW.Lovgate.C@mm is a variant of W32.HLLW.Lovgate@mm. This worm contains mass-mailing and backdoor functionality. To spread itself, the worm attempts to reply to incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, which include Microsoft Outlook. W32.HLLW.Lovgate.C@mm does this in an effort to emulate the auto-reply function of the email client, as well as to lure those who sent the original messages to the infected computer into opening the returned messages.

There are no major functionality differences between this variant and W32.HLLW.Lovgate@mm. This particular variant appears to have been recompiled with a different compiler, and then packed with the same run-time compression utility as W32.HLLW.Lovgate@mm.

NOTE: Definitions dated February 23, 2003 detect this threat as W32.HLLW.Lovgate@mm. Definitions dated February 24, 2003 or later will detect this threat as W32.HLLW.Lovgate.C@mm.

Recommendations
Removal using the W32.HLLW.Lovgate Removal Tool is the easiest way to remove this threat. Symantec Security Response has created a W32.HLLW.Lovgate Removal Tool.
Credit
Tony Conneff and Neal Hindocha, Symantec Security Response, EMEA

References
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lovgate.c@mm.html

--------------------------------------------------------------------------
Security Advisories
--------------------------------------------------------------------------

Opera Cross Domain Scripting Vulnerability

Risk: High
Date: 4th February 2003

Components Affected
Opera Software Opera Web Browser 7.0 win32

Description
A vulnerability has been reported for Opera 7 browsers for Microsoft Windows operating systems. Due to flaws in Opera, it is possible for functions in different domains to be accessed and executed by an attacker with the credentials of the victim user. This vulnerability is exacerbated by the fact that an attacker may also be able to override properties and methods in other windows to create malicious methods that will be accessed by a victim user. Exploitation of this vulnerability will allow an attacker to obtain access to local resources on a vulnerable system.

Recommendations
- Run all client software as a non-privileged user with minimal access rights. Perform trivial tasks, such as browsing the Web, as a user with minimal privileges. This may reduce the consequences of successful exploitation.
- Do not follow links provided by unknown or untrusted sources. Some links may be obfuscated to redirect a user to a malicious site; be extremely cautious before following links provided by unknown sources.
- Set web browser security to disable the execution of script code or active content. Configure Opera to disable JavaScript, as this will prevent exploitation of this vulnerability.

Opera Software has reportedly addressed this issue in Opera 7.01 for Windows.
Opera Software Opera Web Browser 7.0 win32:
Opera Software Upgrade Opera Web Browser 7.01 Win32
http://www.opera.com/download/index.dml?opsys=Windows&lng=en&platform=Windows

References
Source: GreyMagic Security Advisory GM#002-OP
URL: http://security.greymagic.com/adv/gm002-op/
Source: Opera Browser
URL: http://www.opera.com

Credits
Discovery of these vulnerabilities credited to GreyMagic Software.

--------------------------------------------------------------------------

IBM Lotus Domino HTTP Redirect Buffer Overflow Vulnerability

Risk: High
Date: 17th February 2002

Components Affected
Lotus Domino 6.0

Description
It has been reported that Lotus Domino 6 is affected by a buffer overflow vulnerability. The condition occurs when the server constructs an HTTP redirect response. This may be exploited by malicious clients to gain control of affected servers. This vulnerability is reportedly fixed in Notes/Domino release 6.0.1.

Recommendations
Block external access at the network boundary, unless the service is required by external parties. External access to internal or sensitive servers should be blocked at the network border. This may prevent attack attempts from external, untrusted hosts.

Administrators are advised to upgrade to Domino 6.0.1. The upgrades for various platforms are available at the following location:

Lotus Domino 6.0:
Lotus Upgrade Lotus Domino 6.0.1 Upgrade
http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&go=y&rs=ESD-DMNTSRVRi&S_TACT=&S_CMP=&sb=r

References
http://securityresponse.symantec.com/avcenter/security/Content/6870.html

Credits
Discovered by Mark Litchfield of Next Generation Security Software.
--------------------------------------------------------------------------
Security News
--------------------------------------------------------------------------

SQLExp SQL Server Worm Analysis

Executive Summary
On January 25, 2003, the DeepSight Threat Management System registered a sudden and extremely large increase in UDP traffic targeted at port 1434; this port is commonly associated with the Microsoft SQL Server Monitor. This significant rise in attack activity was later confirmed to be the result of a memory-resident worm named W32.SQLExp.Worm. W32.SQLExp.Worm exploits a stack overflow vulnerability in the Microsoft SQL Server Monitor in order to distribute itself. As a result of SQLExp's propagation process and generation of copious amounts of network traffic, degradation of network performance was observed throughout the Internet during the outbreak.

Action Items
The DeepSight Threat Analyst Team strongly encourages all system administrators of Microsoft SQL Servers and Microsoft Data Engine applications to audit their machines for known security vulnerabilities. If necessary, the patches given in the Patches section should be applied. Additionally, perimeter devices should be configured to block UDP port 1434 traffic from untrusted hosts. The Snort IDS signature found in the IDS Updates section should also be deployed.

Overview
Initial traffic related to the SQLExp worm was seen by the DeepSight Threat Management System on Saturday, January 25, at approximately 05:00 GMT. Over the following hours, the worm proceeded to infect vulnerable systems at a rate not seen before with previous threats. Many simultaneous reports of network outages were received. Reports of ATM and Voice over IP networks becoming infected were also received early that day. Networks all over the world experienced severe performance degradation and packet loss due to excessive traffic.
The worm is believed to have infected internal enterprise hosts, which would normally have been segregated, through dial-up and VPN users, in addition to unknown gateways. In total, over 200,000 individual systems were reportedly affected by this threat. The primary affected parties were small to medium sized businesses and above. Some user-level applications were also affected through their use of the Microsoft Data Engine. Consumers may have seen degradation in network performance during this time. This would have resulted in difficulty accessing common Web sites, or using other Internet services such as email.

There is no evidence at this moment that this worm was an act of terrorism. The worm did not carry a malicious payload, its primary goal being to propagate as quickly as possible. This worm could have been significantly more malicious, and could have contained code to damage infected systems. The primary impact of this worm was a consumption of network bandwidth, in some cases causing 100% packet loss on networks. This trait also initially led it to be mistaken for a denial of service attack.

While this worm does possess some similarities with Code Red, in that both were completely memory resident, the overall impact was not as significant. This is largely due to the smaller number of vulnerable systems. The number of exposed systems running Microsoft SQL Server or MSDE components is fewer than the number of Microsoft IIS Web servers that were vulnerable to Code Red. As a result, there were fewer systems to infect, and a lesser overall impact than that of Code Red. Additionally, the spread of this worm could be controlled through filtering at network perimeters, and indications are that numerous Internet Service Providers performed this filtering, which also helped control the spread of the worm.
The SQLExp worm uses the UDP protocol, and as a result did not have the overhead of the connection setup time and connection management that is required by TCP-based threats. Previous threats, including Code Red and Nimda, had used flaws in TCP-based services, and required a three-way handshake before exchanging data. As a result, the SQLExp worm had a much quicker propagation rate, and the time to reach saturation was short.

Corporations and Internet Service Providers reacted quickly to this threat. Many reacted by blocking the associated UDP port at their perimeter. This both limited the number of new incoming attacks and prevented infected systems on internal networks from spreading to the outside. A significant drop in traffic was observed early the following morning by DeepSight Threat Management System sensors. At this time, however, the worm was still affecting corporate internal networks.

A full technical description of the worm, the vulnerabilities and data about the attack are available in the full document here:
http://securityresponse.symantec.com/avcenter/Analysis-SQLExp.pdf

--------------------------------------------------------------------------
Top Reported Viruses, Trojans and Worms
--------------------------------------------------------------------------
Following is a list of the top reported viruses to Symantec's regional offices.
-Asia Pacific
HTML.Redlof.A
W32.Klez.H@mm
JS.Exception.Exploit
Trojan Horse
W32.Sobig.A@mm
W32.Lirva.A@mm
W32.Bugbear@mm
W95.Hybris.worm
W32.Nimda.E@mm
IRC Trojan

-Europe, Middle East & Africa
W32.Klez.H@mm
Trojan Horse
W32.Sobig.A@mm
JS.Exception.Exploit
W32.Lirva.C@mm
W32.Lirva.A@mm
HTML.Redlof.A
W32.Nimda.E@mm
W32.Bugbear@mm
IRC Trojan

-Japan
W32.Klez.H@mm
HTML.Redlof.A
Trojan Horse
W95.Hybris.worm
IRC Trojan
W32.Klez.E@mm
W32.Bugbear@mm
W95.Spaces.1445
W32.Sobig.A@mm
W32.Nimda.E@mm

-The Americas
W32.Klez.H@mm
Trojan Horse
W32.Sobig.A@mm
IRC Trojan
W95.Hybris.worm
JS.Exception.Exploit
W32.Bugbear@mm
W32.Lirva.A@mm
W32.Yaha.K@mm
W95.Spaces.1445

--------------------------------------------------------------------------
A list of Virus Hoaxes reported to Symantec:
http://www.symantec.com/avcenter/hoax.html
--------------------------------------------------------------------------
No new Joke Programs were reported to Symantec this month.
http://www.symantec.com/avcenter/jokes.html
--------------------------------------------------------------------------
Symantec Security Response now has Removal Tools for the following threats available on the web site at:
http://www.symantec.com/avcenter/tools.list.html
--------------------------------------------------------------------------
Symantec Glossary for definitions of viruses, Trojans, worms and more:
http://www.symantec.com/avcenter/refa.html
--------------------------------------------------------------------------
Contacts
--------------------------------------------------------------------------
Correspondence by email to: securitynews@symantec.com
No unsubscribe or support emails please.
Send virus samples to: avsubmit@symantec.com

Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html

--------------------------------------------------------------------------
Subscribe and Unsubscribe
--------------------------------------------------------------------------
To be added to or removed from the subscription mailing list, please fill out the form available on the Symantec website at:
http://www.symantec.com/help/subscribe.html

The Symantec Security Response Newsletter is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.

--------------------------------------------------------------------------
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s).

(c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.

ISSN 1444-9994
--------------------------------------------------------------------------