December 2004 - Posts

Firefox New York Times Ad Hits the Presses

Dave writes "The long awaited New York Times ad for Firefox has finally hit the presses. Because of the vast number of donations the ad covered two pages of the newspaper. It's being timed to coincide with 11 million downloads."


SANS - Internet Storm Center Diary for 12/15/2004

New XPSP2 Firewall Patch in Windows Update
Several diary readers sent e-mail letting us know of a new (critical) patch to the XPSP2 firewall that was not mentioned in yesterday's patch release.
"After you set up Microsoft Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that your computer can be accessed by anyone on the Internet when you use a dial-up connection to connect to the Internet."
Details can be found at


I am sure that Rod will be interested in this one…

From TV

Entertainment News - [TV Guide Online]

In The News: Stargate, Star Jones and More!
Wednesday, December 15, 2004
Ben Browder
Ben Browder

OPEN STARGATE: We've got good news for fans of Sci Fi's Stargate SG-1 and great news for fans of Farscape: TV Guide Online has learned exclusively that when SG-1 begins its ninth season, Farscape hunk Ben Browder will join the long-running series as a regular. In the meantime, the show is continuing its efforts to hammer out a deal to keep erstwhile MacGyver Richard Dean Anderson (who has been with SG-1 since its 1997 debut) on board, at least in a limited capacity. Whatever happens when all the moondust settles, SG-1 returns to finish out its eighth season on Jan. 21, when it will take over the 8 pm/ET time slot to accommodate the addition of Battlestar Galactica to the net's lineup at 10. And although no reason for the cast shake-up was given, I'm pretty sure Elton John will explain it all to us shortly. How can we be so sure? Oh, keep reading; you'll see.

I also heard a rumor that Mr. Browder was up for a role in a Green Lantern (that is a comic book character for you non-geeky types) movie, but I haven’t heard anything concrete.

TV Guide .com   

Reports are coming in that there is another Christmas card based e-mail virus going around out there.  So far this is at Low risk  Here is some info from F-Secure’s Weblog:

Another Christmas greeting virus found

A new variant of Atak worm was found on 15th of December 2004. The worm spreads in emails that have a subject "Merry X-Mas!" or "Happy New Year!". Here's an example of how the worm's message looks like:


F-Secure Anti-Virus detects Atak.h worm with the 2004-12-15_01 update.

On 15/12/04 At 01:37 PM


This is also being tracked at Secunia and at McAfee as well.

Trend Micro has an excellent behavior diagram of the Zafi.D virus on their description for this virus. 

WORM_ZAFI.D Behavior Diagram

For those of you that wondered why they re-released the MS04-028 Update Scan Tool, this is the reason why:


Title: Microsoft Security Bulletin Re-Release, December 2004

Issued: December 14, 2004




The following bulletin has undergone a major revision increment.  Please see the bulletin for more details.

* MS04-028

Bulletin Information:


* MS04-028


- Reason for revision: Bulletin updated to advise on the availability of additional security updates. Standalone security

updates for The Microsoft .NET Framework version 1.0 Service Pack 2 and The Microsoft .NET Framework version 1.1 are now

available. Security updates for Microsoft Visual FoxPro 8.0 and the Microsoft Visual FoxPro 8.0 runtime are also now available.

Bulletin updated to reflect the release of Windows Messenger 5.1 that contains an updated version of the affected file. The MS04-

028 Enterprise Update Scanning Tool has been updated to detect and deploy the additional security updates.

- Originally posted: September 14, 2004

- Updated: December 14, 2004

- Bulletin Severity Rating: Critical

- Version: 3.0

An updated risk rating and information: WORM_ZAFI.D


Trend Micro is now reporting the new Zafi variant as well, and is currently at Low risk:


As of December 14, 2004 6:05 PM PST, TrendLabs has received several infection reports of a new malware spreading in Germany via email.

TrendLabs is currently doing an in-depth analysis regarding the spread of this malware and will inform you as soon as possible.

I guess I spoke too soon on the name of this. Symantec now has a listing for a new Erkez variant. Previous variants of Erkez have had an alias of Zafi on their website.



Symantec Security Response is currently analyzing W32.Erkez.D@mm and will provide more details shortly. Rapid Release definitions with a sequence number of 39330 or higher provide detection for this threat.

Looks like this little gem is spreading rapidly, no matter what you call it…


Secunia has issued a Medium Risk Alert for Zafi.D




- Update Dec 14th 2004 --

The risk assessment of this threat has been raised to Medium due to increased prevalence. The 4414 DATs will be released early for this threat.

In the meantime, the following EXTRA.DAT packages are available:


Breaking news on the new Zafi variant, be on the lookout…

F-Secure News from the Lab: Zafi.D upgraded to Radar Level 2

Due increased submissions, we have updated Zafi.D to Radar Level 2. Here is an example of an email sent by Zafi.D, in English:

Zafi.D email screenshot


I thought this was kind of funny and I thought I would share.  Personally, Black Tuesday doesn’t bother me that much… 

SANS - Internet Storm Center - Diary for 12/13/2004

Microsoft Black Tuesday Coming Attractions!

As a disinterested observer in the world of cyclical patching of Windows boxes, I'm always fascinated with the quasi-ritualistic undertones given to updating since Microsoft's shift to a (allegedly) monthly patch-and-release program. It's as if promptly patching on MS Tuesday is an offering of sorts to the old gods, Lovecraftian horrors the likes of which we dare not speak of lest we invoke their terrible wrath.*

... sorry 'bout that ...

* Tune in tomorrow for the chills, spills and thrills of no less than *FIVE* security bulletins!
* Recoil in horror as you realize one or more of these bulletins will be *IMPORTANT* in severity!
* Cry out as you may or may not be forced to reboot!

All this and MUCH MORE awaits you at the Microsoft Security Bulletin Advance Notification site!

Cory Altheide
Handler on Duty

*Please don't let my observations imply any sort of disdain for conscientious Tuesday patchers or those forced to admin Windows boxes. I greatly admire the sacrifices you make in order to keep the Great Old Ones from devouring the net.

Information on a new worm was posted on the Security Forums by Harry Waldron this morning:

The social engineering in this worm may fool a lot of folks who haven't learned to avoid opening attachments.  Hopefully, this one won't spread significantly and so far it remains low-risk, but it's design gives it potential.

Zafi.D - Christmas Card Social Engineering

This new variant contains the following characteristics:

* contains its own SMTP engine to construct outgoing messages
* spoofs the From: address
* harvests target email addresses from the victim machine
* outgoing email message body is either in Hungarian or English
* displays p2p worm behaviour
* shuts down security services


Secunia has this virus being reported by 3 more vendors, so it must be spreading:

So far, Secunia has this rated at Low risk.   

Mazu scores VC lifeblood from Symantec, others

Mazu Networks, the Cambridge, Massachusetts, network intrusion prevention system (IPS) technology company, has secured another round of venture capital funding, including a stake from security software giant Symantec.


More Posts « Previous page - Next page »