February 2005 - Posts

SANS - Internet Storm Center - phpBB worms continued

phpBB worms continued

phpBB worms continue to be active, as Mr. Mancini found out before he sent us the bot he found on his server. The bot communicated over IRC and his machine had scanned more than 4500 hosts. It was a variant on the Santy/AWS theme.

If you happen to run into a bot, we'd like to get a copy of the logs and the code you find, even if the comments in the source code are in Portuguese, as in this case; we'll help find a way to alert the right people.

Last minute update: phpBB 2.0.13 was released to fix 2 security vulnerabilities. Read the announcement at http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
One of the fixes was labeled as critical by the developers, as the flaw would allow anybody to log in with admin credentials.

Once again the antivirus vendors don't agree on a name for this new virus family; some vendors are still calling the first member a variant of MyDoom. Here is what we have so far.

Mytob.A

Secunia: http://secunia.com/virus_information/103/mytob.a/

Sophos (W32/MyDoom-B): http://www.sophos.com/virusinfo/analyses/w32mydoomb.html

McAfee (Mydoom.bg@MM): http://vil.nai.com/vil/content/v_132094.htm

F-Secure (Mytob.A): http://www.f-secure.com/v-descs/mytob_a.shtml

Symantec (W32.Mytob@mm): http://www.sarc.com/avcenter/venc/data/w32.mytob@mm.html

Trend Micro (WORM_MYTOB.A): http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EA

Panda (Mytob.A): http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=60550&sind=0

Here is another member of the Mytob family that has the characteristics of a mass e-mailer and a network-aware worm.  It makes me wonder if someone is trying to perfect this blended threat until it spreads as fast as other viruses, like Nimda or Mydoom.

Symantec Security Response - W32.Mytob.C@mm

W32.Mytob.C@mm
Category 2
Discovered on: February 28, 2005
Last Updated on: February 28, 2005 10:39:02 AM

W32.Mytob.C@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the Windows Address Book on the compromised computer.
The worm also has the ability to open a back door and spread through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).

This worm is very ugly.  Hackers seem to be getting more and more vicious every day. 

Symantec Security Response - W32.Spybot.KHC

W32.Spybot.KHC
Category 2
Discovered on: February 28, 2005
Last Updated on: February 28, 2005 10:33:04 AM

W32.Spybot.KHC is a worm that has distributed denial of service and back door capabilities. The worm spreads to network shares protected by weak passwords and by exploiting vulnerabilities.
Note: Virus definitions dated prior to February 28, 2005 may detect this threat as W32.Spybot.Worm.

Once W32.Spybot.KHC is executed, it performs the following actions:

  1. Creates a copy of itself as %System%\pingppac.exe.

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the value:

    "PPPOEO" = "pingppac.exe"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\OLE

    so that it is executed when Windows starts.

  3. Modifies the value:

    "EnableDCOM" = "N"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\OLE

    to disable DCOM.

  4. Modifies the value:

    "restrictanonymous" = "1"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    to restrict anonymous access to the computer's network shares.

  5. Opens a back door by connecting to an IRC channel on the server def.pj34r.us, through TCP port 8080.

  6. Listens for commands that allow the attacker to perform the following actions:

  7. Scans for computers vulnerable to one or more of the following exploits:

  8. Spreads through back doors opened by variants of the Beagle, Sasser, and Mydoom worms, and by variants of Backdoor.NetDevil, Backdoor.Subseven, Backdoor.Kuang, and Backdoor.Optix.

  9. Steals the CD keys associated with a number of computer games.

  10. Spreads to randomly generated IP addresses by copying itself to network shares. The worm attempts to use the following list of passwords to access the network shares: (See Symantec’s site for details)
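The two behaviours Symantec lists above, an IRC back door on an unusual port (tcp/8080 here, tcp/6667 for Mytob) and a sweep of many hosts for shares and vulnerable services (the phpBB bot report above mentions more than 4500 hosts scanned), leave a footprint in the output of `netstat -ano` on the infected machine. The following Python is an added example, not code from Symantec or the ISC: it parses netstat lines and flags a process that holds an IRC-port session or has half-open connections to many distinct hosts on tcp/139 or tcp/445. The netstat lines, PIDs and the address 203.0.113.9 are constructed for illustration, and the scan threshold of 20 hosts is an assumption to tune to the host's normal fan-out.

```python
import re
from collections import defaultdict

# Remote ports the bots described on this page use for their IRC back doors
# (Spybot.KHC: tcp/8080, Mytob: tcp/6667).
IRC_C2_PORTS = {6667, 8080}
# Ports the worms probe while spreading (SMB shares, LSASS / MS04-011).
WORM_TARGET_PORTS = {139, 445}
# Distinct targets in SYN_SENT from one process before we call it a scan.
# Assumption for the example; tune to what the host normally does.
SCAN_THRESHOLD = 20

# One TCP row of Windows "netstat -ano": proto, local, foreign, state, pid.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_netstat(lines):
    """Turn netstat -ano text into a list of connection dicts (TCP rows only)."""
    conns = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header lines, UDP rows, blank lines
        lip, lport, rip, rport, state, pid = m.groups()
        conns.append({
            "laddr": lip, "lport": int(lport),
            "raddr": rip, "rport": int(rport),
            "state": state, "pid": int(pid),
        })
    return conns


def find_suspects(conns, scan_threshold=SCAN_THRESHOLD):
    """Return (kind, pid, detail) tuples for bot-like activity."""
    findings = []

    # 1. An established session to an IRC-style command-and-control port.
    for c in conns:
        if c["state"] == "ESTABLISHED" and c["rport"] in IRC_C2_PORTS:
            findings.append(("irc_c2", c["pid"], f"{c['raddr']}:{c['rport']}"))

    # 2. Fan-out: one PID with half-open connections to many different
    #    hosts on the same worm port, the signature of a propagation scan.
    targets = defaultdict(set)
    for c in conns:
        if c["state"] == "SYN_SENT" and c["rport"] in WORM_TARGET_PORTS:
            targets[(c["pid"], c["rport"])].add(c["raddr"])
    for (pid, port), hosts in sorted(targets.items()):
        if len(hosts) >= scan_threshold:
            findings.append(("scan", pid, f"{len(hosts)} hosts on tcp/{port}"))
    return findings


def build_sample_netstat():
    """Constructed netstat -ano output: a bot (PID 1234) holding an IRC
    session on tcp/8080 while sweeping a /24 for tcp/445, next to a browser
    (PID 800) and a listening service. Addresses are documentation ranges."""
    lines = [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900",
        "  TCP    10.1.2.3:1039          198.51.100.20:443      ESTABLISHED     800",
        "  TCP    10.1.2.3:1040          203.0.113.9:8080       ESTABLISHED     1234",
    ]
    for i in range(40):
        lines.append(
            f"  TCP    10.1.2.3:{1100 + i}          192.0.2.{i + 1}:445"
            f"          SYN_SENT        1234"
        )
    return lines


if __name__ == "__main__":
    for kind, pid, detail in find_suspects(parse_netstat(build_sample_netstat())):
        print(f"{kind:7} pid={pid} {detail}")
```

On a real host, feed `find_suspects` the captured lines of `netstat -ano` and map the reported PID back to its image with Task Manager or `tasklist`; the scan heuristic keys on distinct destination hosts per PID rather than raw connection count, so a busy file server talking to a few peers does not trip it.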



THE John Hann has admitted he made a mistake

I think I need to lie down somewhere…..  ;-)

Looks like this new virus family is expanding.  Hopefully this will stay a low level threat.

Symantec Security Response - W32.Mytob.B@mm

W32.Mytob.B@mm
Category 2
Discovered on: February 28, 2005
Last Updated on: February 28, 2005 06:06:21 PM

W32.Mytob.B@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it retrieves from the Windows Address Book on the infected computer.

The worm also has W32.Spybot.Worm functionality such as an IRC back door and the capability to spread through the network by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011).

W32.Mytob.B@mm differs from W32.Mytob@mm as follows:

* File size

SANS - Internet Storm Center -New Viruses This Week

Handler on Duty: Deb Hale

Updated February 26th 2005 16:20 UTC

New Viruses This Week
This has been a record week for new virus discovery - at least for me. We yet again saw an infiltration of new activity at one location here in our local area. Upon investigation we found 3 new files that had characteristics similar to other Spybot worms that have been detected. Upon scanning with Symantec Enterprise Edition v9 with current definitions, nothing was detected. However, running them through virustotal.com, they were detected by a small number (2 or 3) of engines as some form of worm. I submitted the files to Symantec for evaluation and have received no information back from them, so apparently they have not yet had a chance to analyze them.

The really scary one was an executable file with the name veritas. At first glance we thought nothing of this because we do indeed use Veritas software. However, we quickly realized that no Veritas software had ever been installed or used on this particular workstation. These types of filenames are making it easier and easier for people to be deceived and tricked into missing an infection. In looking at today's list on Symantec's web site, in the last week there have been 24 new entries that are rated as a Level 2. In the last month there have been close to 100 new entries, with the majority being Level 2 and one of them being Level 3.
http://securityresponse.symantec.com/avcenter/vinfodb.html

Of course, a lot of them are remakes of old players such as Mydoom and Spybot, however it doesn't minimize the impact of the damage that can be done.
Interestingly enough, the location that had the yet-to-be-identified files on their computers also had, as we discovered this week, an active SubSeven server (on a workstation) loaded with "questionable photographic images" (if you get my drift) and zip files of some popular games.
We are continuing our investigation of this and will share any info with you that can be shared. Stay tuned.

A new virus has emerged that has characteristics of the Mydoom and Spybot families of viruses and also exploits MS04-011 to spread across networks.  Note that this is currently listed as a Mydoom variant by McAfee.

http://secunia.com/virus_information/15733/mytob/

http://www.sarc.com/avcenter/venc/data/w32.mytob@mm.html

http://www.f-secure.com/v-descs/mytob_a.shtml

http://vil.nai.com/vil/content/v_132094.htm

Info from Symantec’s website:

W32.Mytob@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it retrieves from the Windows Address Book on the infected computer.

The worm also has W32.Spybot.Worm functionality such as an IRC back door and the capability to spread through the network by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011).

When W32.Mytob@mm runs, it does the following:

  1. Copies itself as %System%\msnmsgr.exe.

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the value:

    "MSN" = "msnmsgr.exe"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\OLE
    HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa

    so that W32.Mytob@mm runs every time Windows starts.

  3. Connects to an IRC channel at irc.blackcarder.net on port 6667 and listens for commands that allow the remote attacker to perform the following actions:

  4. Scans for computers vulnerable to the LSASS Windows vulnerability on TCP port 445 (described in Microsoft Security Bulletin MS04-011).

  5. Searches for the email addresses in files that have the following extensions:

      • .wab
      • .adb
      • .tbb
      • .dbx
      • .asp
      • .php
      • .sht
      • .htm

        The worm avoids sending itself to email addresses containing the following strings:

      • .edu
      • .gov
      • .mil
      • accoun
      • acketst
      • admin
      • anyone
      • arin.
      • avp
      • be_loyal
      • berkeley
      • borlan
      • bsd
      • bugs
      • certific
      • contact
      • example
      • feste
      • fido
      • foo.
      • fsf.
      • gnu
      • gold-certs
      • google
      • gov.
      • help
      • hotmail
      • iana
      • ibm.com
      • icrosof
      • icrosoft
      • ietf
      • info
      • inpris
      • isc.o
      • isi.e
      • kernel
      • linux
      • listserv
      • math
      • mit.e
      • mozilla
      • msn.
      • mydomai
      • nobody
      • nodomai
      • noone
      • not
      • nothing
      • ntivi
      • page
      • panda
      • pgp
      • postmaster
      • privacy
      • rating
      • rfc-ed
      • ripe.
      • root
      • ruslis
      • samples
      • secur
      • sendmail
      • service
      • site
      • soft
      • somebody
      • someone
      • sopho
      • submit
      • support
      • syma
      • tanford.e
      • the.bat
      • unix
      • usenet
      • utgers.ed
      • webmaster
      • you
      • your

  6. Attempts to email itself out using its own SMTP engine. The email will have the following characteristics:

    From: Spoofed

    Subject:
    One of the following:

      • hello
      • hi
      • error
      • status
      • test
      • Mail Transaction Failed
      • Mail Delivery System
      • SERVER REPORT
      • (No Subject)
      • (random alphabets)

      Message:
      One of the following:

      • The attachment name may also contain one of the following lines:
      • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
      • Mail transaction failed. Partial message is available.
      • test
      • The message contains Unicode characters and has been sent as a binary attachment.
      • (No body)
      • (Random data)

      Attachment:
      May contain one of the following:

      • body
      • data
      • doc
      • document
      • file
      • message
      • readme
      • test
      • (random alphabets)

        with one of the following extensions:

      • .bat
      • .cmd
      • .exe
      • .pif
      • .scr
      • .zip

        If the attachment is a .zip file, a copy of the worm will have a second extension, which will be one of the following:

      • doc
      • txt
      • htm
      • html

This kind of thing just rips me up.  Let's all keep an eye out for Jessica; since MyITforum readers are all over the world, maybe one of us will see something important to the case.

CNN.com - Search on for Florida girl who vanished from home - Feb 25, 2005

Search on for Florida girl who vanished from home
Father, grandparents plead for information about 9-year-old
Friday, February 25, 2005 Posted: 9:37 AM EST (1437 GMT)

Jessica Marie Lunsford, 9, has been missing since early Thursday.

(CNN) -- A massive search by dozens of police, FBI agents and community volunteers is on Friday for a 9-year-old girl who disappeared from her Florida home early Thursday.

Jessica Marie Lunsford -- who is 4-feet-11-inches tall, weighs 70 pounds and has light brown hair -- was last seen wearing a pink nightgown. Police say she vanished from her home in the coastal community of Homosassa where she lives with her father and grandparents.

Her father Mark Lunsford and grandparents Ruth and Archie Lunsford held an emotional news conference in front of their home Friday morning to plead for information on Jessica's whereabouts.

"I really need as much help as I can right now," Mark Lunsford said as he fought back tears. "I ask you to please help me find my daughter and bring her home."

SANS - Internet Storm Center Update on PHP worm spreading

 Handler on Duty: toby

Updated February 25th 2005 00:48 UTC

Update on PHP worm spreading

Regarding the report of a new PHP worm that we mentioned yesterday:
It is based heavily on the PhpInclude code on K-OTiK's site. It appears to be a variant of the ASW worm and is being used to drop an IRC bot that is connecting to a server in Brazil. Google has been notified. The worm doesn't appear to be identified by many AV vendors yet; however, the bot is: (from VirusTotal)
 

Antivirus     Version          Update       Result
AntiVir       6.29.0.16        02.24.2005   no virus found
AVG           718              02.22.2005   PERL/ShellBot
BitDefender   7.0              02.24.2005   Backdoor.Perl.Shellbot.B
ClamAV        devel-20050130   02.24.2005   Trojan.Perl.Shellbot.C
DrWeb         4.32b            02.24.2005   no virus found
eTrust-Iris   7.1.194.0        02.24.2005   no virus found
eTrust-Vet    11.7.0.0         02.24.2005   Perl.Shellbot.A
Fortinet      2.51             02.25.2005   no virus found
F-Prot        3.16a            02.24.2005   Unix/ShellBot.C
Ikarus        2.32             02.24.2005   Backdoor.Perl.Shellbot.A
Kaspersky     4.0.2.24         02.25.2005   Backdoor.Perl.Shellbot.a
NOD32v2       1.1007           02.23.2005   Perl.Shellbot.A
Norman        5.70.10          02.22.2005   no virus found
Panda         8.02.00          02.24.2005   no virus found
Sybari        7.5.1314         02.25.2005   Perl.Shellbot.A
Symantec      8.0              02.24.2005   IRC.Backdoor.Trojan


I can’t stand Robby Gordon, maybe this will knock him down a notch…

NASCAR.com - Gordon, Rudd hit hardest by Speedweeks fines - Feb 23, 2005

Gordon, Rudd hit hardest by Speedweeks fines
In all, 15 violations brought penalties to 11 individuals
From Press Release
February 23, 2005
03:29 PM EST (20:29 GMT)

DAYTONA BEACH, Fla. -- NASCAR announced Wednesday that 15 penalties -- including 11 fines totaling $102,000 -- have been issued to Nextel Cup Series teams resulting from rule violations during the Budweiser Shootout and Daytona 500 race weeks at Daytona International Speedway.

Two of those penalties were issued to Robby Gordon Motorsports, including the most severe fine -- $50,000 for crew chief Bob Temple -- because of an unapproved intake manifold on the No. 7 Chevrolet discovered during the initial Daytona 500 inspection process on Feb. 11.

Jim Smith, Robby Gordon's car owner, was penalized 25 car owner championship points. The No. 7 was in violation of Section 12-4-A (actions detrimental to stock car racing) and Section 12-4-Q (car, car parts, components, and/or equipment that do not conform to NASCAR rules).

Gordon currently has no driver championship points, because the No. 7 failed to make the Daytona 500 field. Smith, however, earned 31 owner points at Daytona. Per the Nextel Cup Series rule book, a car owner receives points based on qualifying results, if their car fails to actually qualify for a starting field.

Trend Micro quietly released a new scan engine to take care of a vulnerability in the ARJ archive file format parser.  Thanks to Eric Johansen at MalwareBlog.com for bringing it to my attention.

Quotes from the advisory state:

The ARJ archive file format is too flexible especially in the file name field in the local header. This file name is stored as a null-terminated string and limited only by the overall size of the local header (local header size is stored as a 16-bit value and is limited to 2,600 bytes only).

If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies this file name into a 512-byte buffer, overwriting the succeeding data structure. One of the fields in the said data structure is a pointer to another data structure. The next instruction after the copying of the file name is an assignment instruction to a member of the structure that is referred to by the overwritten pointer. The said routine causes an illegal memory access.

Thus, it is possible to create a specially-crafted ARJ archive file that overwrites data after the allocated 512-byte buffer. This specially-crafted file could possibly execute arbitrary code.

The ISS advisory can be seen here:

Mitigating Factors

Under normal circumstances, the operating system restricts the length of file names. Thus, an attacker who wishes to trigger this vulnerability would have to create a specially-crafted ARJ archive file, which requires ARJ file format knowledge and file manipulation skills.

Solution

Upgrade your scan engine to VSAPI 7.510 or higher. For your specific product, go here.

The full bulletin can be found here: Vulnerability in VSAPI ARJ parsing could allow Remote Code execution
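The bug quoted above is a missing comparison between two sizes the format itself supplies: the basic header may be up to 2,600 bytes, the file name inside it is terminated only by a NUL, and the engine copied that name into a fixed 512-byte buffer. The Python below is an added example, not Trend Micro's code and not an exploit: it builds ARJ local headers with the standard 30-byte fixed part and parses them, bounding every read by the header size that is actually present and refusing a name that would not fit the destination buffer. The field layout is my reading of the ARJ format, the builder's version, date and size fields are placeholder zeros, and the 512 and 2,600 constants are taken from the advisory text.

```python
import struct
import zlib

ARJ_MAGIC = b"\x60\xEA"
MAX_BASIC_HEADER = 2600   # 16-bit header size, capped by the format at 2,600 bytes
ENGINE_NAME_BUFFER = 512  # size of the fixed buffer the vulnerable engine copied into
FIXED_PART = 30           # first_hdr_size of a standard ARJ file header


class ArjHeaderError(ValueError):
    """Raised for any header the parser refuses to trust."""


def build_local_header(filename: bytes, comment: bytes = b"") -> bytes:
    """Constructed ARJ local (file) header: magic, basic size, fixed part,
    NUL-terminated name and comment, then the CRC32 of the basic header.
    Only the layout matters for the example; sizes and dates are zero."""
    fixed = struct.pack(
        "<BBBBBBBBIIIIHHH",
        FIXED_PART,   # first_hdr_size: length of this fixed part
        11, 1,        # archiver version, minimum version to extract
        0,            # host OS (MS-DOS)
        0,            # flags
        0,            # method (stored)
        0,            # file type (binary)
        0,            # reserved
        0,            # DOS date/time
        0, 0,         # compressed size, original size
        0,            # original file CRC32
        0, 0, 0,      # entry-name position, file access mode, host data
    )
    basic = fixed + filename + b"\x00" + comment + b"\x00"
    crc = zlib.crc32(basic) & 0xFFFFFFFF
    return ARJ_MAGIC + struct.pack("<H", len(basic)) + basic + struct.pack("<I", crc)


def parse_local_header(data: bytes, name_limit: int = ENGINE_NAME_BUFFER) -> dict:
    """Parse one header, bounding every copy by the sizes actually present.

    name_limit plays the role of the engine's destination buffer: a name
    that would not fit (with its NUL) is rejected instead of copied."""
    if data[:2] != ARJ_MAGIC:
        raise ArjHeaderError("bad magic")
    if len(data) < 4:
        raise ArjHeaderError("truncated before header size")
    (basic_size,) = struct.unpack_from("<H", data, 2)
    if basic_size == 0:
        raise ArjHeaderError("end-of-archive marker, no file header")
    if basic_size > MAX_BASIC_HEADER:
        raise ArjHeaderError(f"basic header size {basic_size} exceeds {MAX_BASIC_HEADER}")
    if len(data) < 4 + basic_size + 4:
        raise ArjHeaderError("truncated basic header or missing header CRC")
    basic = data[4:4 + basic_size]
    (stored_crc,) = struct.unpack_from("<I", data, 4 + basic_size)
    if zlib.crc32(basic) & 0xFFFFFFFF != stored_crc:
        raise ArjHeaderError("basic header CRC mismatch")

    first_hdr_size = basic[0]
    if first_hdr_size < FIXED_PART or first_hdr_size > basic_size:
        raise ArjHeaderError(f"implausible first_hdr_size {first_hdr_size}")

    # The file name is NUL-terminated and bounded only by basic_size, which
    # may be up to 2,600 bytes. This is the check the vulnerable engine lacked.
    name_end = basic.find(b"\x00", first_hdr_size)
    if name_end < 0:
        raise ArjHeaderError("file name not NUL-terminated inside the header")
    name = basic[first_hdr_size:name_end]
    if len(name) + 1 > name_limit:
        raise ArjHeaderError(
            f"file name of {len(name)} bytes does not fit a {name_limit}-byte buffer")

    comment_end = basic.find(b"\x00", name_end + 1)
    if comment_end < 0:
        raise ArjHeaderError("comment not NUL-terminated inside the header")
    comment = basic[name_end + 1:comment_end]

    return {
        "first_hdr_size": first_hdr_size,
        "basic_size": basic_size,
        "method": basic[5],
        "original_size": struct.unpack_from("<I", basic, 16)[0],
        "filename": name,
        "comment": comment,
    }


if __name__ == "__main__":
    print(parse_local_header(build_local_header(b"README.TXT"))["filename"])
    crafted = build_local_header(b"A" * 1000)   # 1,032-byte header, within the 2,600 limit
    try:
        parse_local_header(crafted)
    except ArjHeaderError as exc:
        print("rejected:", exc)
```

The same 1,000-byte name that the parser rejects at the 512-byte limit parses cleanly when `name_limit` is raised, which is the point of the mitigating-factors note above: the operating system never produces such a name, so only a hand-built archive carries one, and the parser has to get its bound from the header it is reading rather than from assumptions about real files.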

SANS - Internet Storm Center - PHP Worm spreading

Updated February 24th 2005 02:02 UTC (Handler: Michael Haisley)

PHP Worm spreading
We have received reports that yet another variant of the phpworm has started to spread, from the beginning analysis it appears that current antivirus vendors do not recognize this variant. Note that we have not received many reports of this worm spreading.


I just started wearing one of these yellow wrist bands today, after my wife and I saw Lance Armstrong talk about his foundation on Oprah (I originally watched the episode because Sheryl Crow was on there too  ;-) ). 

There has been a lot of cancer on my side of the family over the years, including my brother Brian, who lost his battle almost three years ago.  I found the idea behind this foundation inspirational because they promote the idea of fighting to live.  Here is an excerpt from their Manifesto:

We believe in life.
Your life.
And that you must not let cancer take control of it.
We believe in your right to live without pain and, if it comes to it, your right to die with dignity.
We believe in energy: channeled and fierce.
We believe in focus: getting smart and living strong.
Because we’re passionate about helping you live every minute of your life with every ounce of your being.

We know you don’t need pity.
You need information. Fast.
We kick in the moment you get the news that changes your life.
With the hard, the practical, the pragmatic.
Information is power.
Knowledge is strength.
This is the Lance Armstrong Foundation.
We’re about the hard stuff.
Like knowing the first doctor you talk to is not God.
Like finding the nerve and getting the number to get a second opinion.
And a third or even a fourth, if that’s what it takes.
It’s about finding out about clinical trials.
It’s your life.
You will have it your way.

For more information check out: Lance Armstrong Foundation - Cancer Survivorship Education, Resources & Programs


I had this pop-up to install on my machine at home as well.  No problems so far…

SANS - Internet Storm Center - Windows XP SP2 Patch released

Windows XP SP2 Patch (Update at 04:13:23 UTC Feb 23 2005)

In a late entry for today, Microsoft released a patch for Windows XP SP2 systems to address an issue which could cause a computer to stop responding if certain firewall or antivirus programs are installed (which products is unknown at this time). This issue will typically result in a blue screen with a stop error message of "Stop 0x05 (INVALID_PROCESS_ATTACH_ATTEMPT)". The following Knowledge Base article was mentioned on the Full Disclosure, bugtraq, and ntbugtraq lists last week, but there was no general announcement by Microsoft about its release. It is surmised that this is because the patch is not exactly a security patch. Instead it was more of a hotfix for the stop condition/blue screen scenario and is not covered by the standard security bulletins.

Since the initial chatter last week about the patch, MS has apparently pushed the patch up a level to be a more critical patch without a security bulletin, which may be forthcoming. So imagine my surprise when my computer announces that it has downloaded a critical patch and is ready to install. (What? It isn't MS Patch Tuesday...oh wait...it is a Tuesday here still and MS did release a critical patch...so I guess it is after all. ARGH!)

So those with automatic updates or going to windows update should start seeing this patch today. ***This problem may also exist in Windows 2003 server but a patch has yet to be released. ***

For more information on it, please see: http://support.microsoft.com/kb/887742
-- Scott Fendley adding a bit for Joshua Wright (the Handler On Duty)


Symantec Security Response - Trojan.Anicmoo.B

Trojan.Anicmoo.B
Category 1
Discovered on: February 22, 2005
Last Updated on: February 22, 2005 02:01:50 PM

Trojan.Anicmoo.B is a downloader Trojan that exploits the Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability (as described in the Microsoft Security Bulletin MS05-002). The Trojan exists as a malformed animated cursor (.ani). The Trojan downloads a copy of SecurityRisk.Downldr


Not who I wanted to win by a long shot, but at least Dale Jr. was able to rally up to third.  On to California!!

NASCAR.com - Gordon rallies to win third Daytona 500 - Feb 20, 2005

Gordon rallies to win third Daytona 500
Stewart dominates, but late fade sends him to seventh
February 20, 2005
08:18 PM EST (01:18 GMT)

DAYTONA BEACH, Fla. (AP) -- Jeff Gordon grabbed the lead from Dale Earnhardt Jr., then held off Kurt Busch and Earnhardt in extra laps to win his third Daytona 500 on Sunday.

One of the wildest finishes in the 47-year history of NASCAR's biggest race saw four lead changes in the last nine laps. Earnhardt, the defending champion, came from as far back as 30th to grab a late lead, only to watch four-time series champion Gordon pass him seconds before a caution flag waved with three laps to go.

The race went three laps beyond the scheduled 200-lap distance, with Gordon hanging on over two final laps of green-flag racing to beat Busch by two car-lengths.

"Oh, my goodness, what an amazing day," a jubilant Gordon said. "Three, baby!"

He is the fifth driver to win three or more Daytona 500s, joining Richard Petty (7), Cale Yarborough (4) and Bobby Allison and Dale Jarrett (3).

 Michael Waltrip high-fives members of his crew after edging Dale Earnhardt Jr. to win the first race of the Gatorade Duel. Credit: CIA Stock Photo

NASCAR.com - NASCAR threatens to bench Johnson, Harvick - Feb 17, 2005

NASCAR threatens to bench Johnson, Harvick
Multi-car wreck in second race sends top drivers to back
By Marty Smith, NASCAR.COM
February 17, 2005
08:57 PM EST (01:57 GMT)

DAYTONA BEACH, Fla. -- The year-long on-track feud between Jimmie Johnson and Kevin Harvick officially came to a head Thursday, and NASCAR made it clear that they've officially had enough.

No penalties were levied for the multicar accident that took out Johnson, Harvick, Mark Martin, Joe Nemechek and Rusty Wallace, and also involved Scott Riggs and Dave Blaney.

But the drivers, crew chiefs and team owners were summoned to the NASCAR transporter for a stern talking-to from president Mike Helton.

NASCAR spokesman Jim Hunter said that if Johnson and Harvick don't resolve their differences immediately, they could be spectators for an upcoming event.

"If they get into it again, there could be some severe penalties -- like missing a race," Hunter said.

 Jimmie Johnson (48) spins after contact with Kevin Harvick (29) during the second 150-miler on Thursday. Credit: AP

Trend Micro has a pretty good graphic showing the behavior of the latest MyDoom variant included in their description of the virus.

Symantec and McAfee have released cleaning tools overnight for the latest fast-spreading MyDoom variant.

These cleaners also appear to be designed to detect and remove the backdoor trojans that this virus installs on infected machines.  However, how long a machine has been infected determines how much damage has been done and whether you will need to do a "wipe and redo".

Symantec’s Tool: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html

McAfee’s Stinger Tool: http://vil.nai.com/vil/stinger/


Someone is paying attention, Trend Micro renamed their listing of the new MyDoom variant to match McAfee’s and it is now rated at Medium risk by them as well.

 WORM_MYDOOM.BB http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EBB

Listings for the new MyDoom variant are popping up on multiple vendors' websites, with several of them already rating the virus at Medium to High risk.  On top of it all, the Virus Name Game is in full force, it seems.

Here is what I have seen so far:

W32/Mydoom.bb@MM (McAfee, Medium) http://vil.nai.com/vil/content/v_131856.htm

W32.Mydoom.AX@mm (Symantec, Level 3) http://www.sarc.com/avcenter/venc/data/w32.mydoom.ax@mm.html

Win32.Mydoom.AU (CA, High) http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41813

WORM_MYDOOM.M (Trend Micro, Low) http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EM

Hold on everyone, my virus sense is tingling...

All I can say is, its about time!!!

USATODAY.com - DC Comics blazing a superhero trail back to big screen

DC Comics blazing a superhero trail back to big screen
By Scott Bowles, USA TODAY

LOS ANGELES — For a decade, this has been a one-comic-book town. If you wanted to bring a superhero to the big screen, it was Marvel Comics or nothing.
Based on Hellblazer: Keanu Reeves' character fights the powers of hell in Constantine, opening Friday.
Warner Bros.

But now DC Comics is seeking a comeback after foundering with campy '90s Batman and '80s Superman sequels and last year's Catwoman flop.

This time, DC Comics is showcasing a hero with a lower profile. Based on the obscure comic book Hellblazer, which centers on a chain-smoking, cancer-ridden demon hunter, Constantine opens Friday armed with something the comic-book publisher hasn't seen in years: fan excitement.

The Internet is abuzz about DC's upcoming fare:

•Batman Begins, starring Christian Bale, opens June 17.

•Superman Returns, with X-Men director Bryan Singer at the helm, is due in June 2006.

•The Flash is expected to sprint to theaters next year with Blade's David Goyer writing and directing.

• Joss Whedon (Buffy the Vampire Slayer) is in talks to do Wonder Woman.

•The Bourne Supremacy's Paul Greengrass will direct the crime story The Watchmen.

•Matrix creators Andy and Larry Wachowski are producing V for Vendetta, due Nov. 5, about a crime fighter.

Harry Waldron posted info about the new MyDoom variant on his blog earlier today. 

Since then, this variants threat level has been raised to Medium risk by McAfee.

http://vil.nai.com/vil/content/v_131856.htm

http://secunia.com/virus_information/15463/mydoom.bb/

This is a little bit clearer on what is and is not vulnerable than the last doc I looked at.  Go to the main link for information on removing this vulnerability.

UPX parsing engine heap overflow vulnerability and Symantec Client Security

Situation:
You have heard about the UPX parsing engine heap overflow vulnerability. You want to know whether your Symantec Client Security product is vulnerable and how to mitigate the vulnerability if it is.

Solution:
Affected versions
For a complete list of all Symantec products affected by the vulnerability, read the official Symantec statement on the Symantec Security Response Web site. The latest builds of all of the Symantec Client Security products are unaffected by the vulnerability.

Symantec Client Security 2.0 and Symantec AntiVirus Corporate Edition 9.0
Symantec Client Security 2.0 and Symantec AntiVirus Corporate Edition 9.0 are not affected by the vulnerability.

It was previously reported that the original shipping build of Symantec Client Security was vulnerable. While the shipping build did contain the vulnerable Dec2EXE.dll engine file and later builds did not, the vulnerable file is not called by Symantec AntiVirus, and is never loaded. Because the Dec2EXE.dll file is never loaded into memory, the build is not vulnerable.

Symantec Client Security 1.0 and Symantec AntiVirus Corporate Edition 8.0
The vulnerability of Symantec Client Security 1.0 and 1.1 depends on the version of Symantec AntiVirus Corporate Edition included. The vulnerability of each of the versions of Symantec AntiVirus Corporate Edition is as follows:

8.1.x builds:

Build         Comment                  Vulnerable?
8.1.0.825a    Initial shipping build   No
8.1.1.314a    MR1                      Yes
8.1.1.319     MR2                      Yes
8.1.1.323     MR3                      Yes
8.1.1.329     MR4                      Yes
8.1.1.336     MR5                      Yes
8.1.1.366     MR6                      No

8.0.x builds:

Build         Comment                  Vulnerable?
8.0.0.9374    Initial shipping build   No
8.0.0.9378    N/A                      No
8.0.1.425     MR1                      No
8.0.1.429c    MR2                      No
8.0.1.434     MR3                      Yes
8.0.1.437     N/A                      Yes
8.0.1.446     MR4                      Yes
8.0.1.457     MR5                      Yes
8.0.1.460     MR6                      Yes
8.0.1.464     MR7                      Yes
8.0.1.471     MR8                      Yes
8.0.1.501     MR9                      No

Mitigation
There are three ways to remove the UPX vulnerability in Symantec Client Security or Symantec AntiVirus:

  • Upgrade to a build that is not affected by the vulnerability
  • Disable the vulnerable decomposer engine by using the nodec2exe.exe tool
  • Disable the vulnerable decomposer engine manually by editing a configuration file

That lasted a long time…

Sci Fi Wire -- The News Service of the Sci Fi Channel

Straczynski Ends Trek Campaign

A day after calling for a letter-writing campaign by fans who wanted to see his version of Star Trek produced, Babylon 5 creator J. Michael Straczynski posted a follow-up message to the same newsgroup retracting his statement. "[B]elay everything I just said," Straczynski wrote. "In the 24 hours between the time I composed the prior note, and sent it, and it made its way through the moderation software, two things happened."

The two things that changed Straczynski's mind were a tip from a trusted source at Paramount, which owns the rights to the Star Trek franchise, that the studio is "giving the Trek TV world a rest" for a year or two, and an offer to run a series premiering in the fall of 2006, which Straczynski has accepted. In Straczynski's words, the Trek campaign is now "kind of moot."

The writer/producer apologized to fans and assured them that he hasn't abandoned the project completely. "We can reconvene a year or two down the road to see where this takes us," he said. "But in the interim ... my apologies for waking everybody up in the middle of the night."
