
Harry Waldron - My IT Forums Blog

Sharing Security Developments, and Best Practices for corporate and home users

February 2005 - Posts

  • Article - Keeping your Organization's Security Current

    This article shares a number of ideas, shortcuts, and approaches to help in managing the complex and challenging environment related to IT security.

    Article - Keeping your Organization's Security Current
    http://www.windowsecurity.com/articles/Organizations-Security-Current.html

    Key points covered in the article
    Reexamine security philosophy
    Check Your Network for Known Weaknesses
    Attend A Security Training Event
    Key Shortcuts to make the job easier

  • Mytob A/B/C variants - MyDoom and Spybot combination

    This new email threat could be highly disruptive in a network of unpatched Windows workstations or servers. It is a two-part virus that spreads first by email using the MyDoom virus and then launches a Spybot variant in the internal network that tries to spread via the MS04-011 LSASS exploit on port 435.

    Mytob A/B/C variants - MyDoom and Spybot combination
    http://www.sarc.com/avcenter/venc/data/w32.mytob@mm.html
    http://www.sarc.com/avcenter/venc/data/w32.mytob.b@mm.html
    http://www.sarc.com/avcenter/venc/data/w32.mytob.c@mm.html

    W32.Mytob.@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the Windows Address Book on the compromised computer. The worm also has the ability to open a back door and spread through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).

    EMAIL FORMAT

    From: Spoofed

    Subject of email:
    hello
    hi
    error
    status
    test
    Mail Transaction Failed
    Mail Delivery System
    SERVER REPORT
    (No Subject)
    (random alphabets)

    Name of attachment:
    Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension

  • Elitper.A - Pretends to be a patch from Microsoft

    So far, this new virus is not widespread and it's easy to avoid through best practices. Microsoft never sends updates by email as users must download them from their website. Attachments should never be opened unless you are certain they are safe.

    Elitper.A - Pretends to be a patch from Microsoft
    http://www.symantec.com/avcenter/venc/data/w32.elitper.a@mm.html
    W32.Elitper.A@mm is a mass-mailing worm that spreads using MAPI and through file-sharing networks. It also lowers Windows security settings by altering the Hosts file to prevent access to antivirus-related Web sites.

    FORMAT OF EMAIL TO AVOID
    From: <spoofed>
    Subject: Fwd:None
    Message Body: Microsoft(c) Lastest Update For CD-ROM
    Attachment: Firewall.exe
    Size of attachment: 9,392 bytes
  • February 2005 - An active month for new virus developments


    The Internet Storm Center shares that February 2005 was a very active month for new variants and worm developments. Almost 100 new viruses were categorized as "2" or higher by Symantec.

    http://isc.sans.org//diary.php?date=2005-02-26

    http://securityresponse.symantec.com/avcenter/vinfodb.html

    Quote: This has been a record week for new virus discovery - at least for me. We yet again saw an infiltration of new activity at one location here in our local area. In looking at today's list on Symantec's web site, in the last week there have been 24 new entries that are rated as a Level 2. In the last month there have been close to 100 new entries with the majority being Level 2 and one of them being Level 3.

  • Trend Micro - Users should update to latest Scan Engine


    Symantec, F-Secure, and now Trend have issued patches for the new archived zip file vulnerabilities, which could be exploited in the future. All corporate and consumer-based Trend products should be updated as soon as possible.

    Trend Micro - Critical Bulletin

  • Firefox 1.01 - Corrects several Security vulnerabilities

    Firefox 1.01 has been released to address several security issues. Users should uninstall the prior version, back up/delete existing profiles, and then install FF 1.01.

    Security Vulnerabilities Fixed in Firefox 1.0.1

    Here's what's new in Firefox 1.0.1:

    • Improved stability
    • International Domain Names are now displayed as punycode. (To show International Domain Names in Unicode, set the "network.IDN_show_punycode" preference to false.)
    • Several security fixes.
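
    As an added illustration (not code from the original post or from Mozilla) of what the punycode display defends against: the host name below, with a Cyrillic а in place of the Latin a, is the kind of lookalike MFSA 2005-29 concerns; converting it to punycode exposes the substitution, and a per-label mixed-script check flags it. The host names are constructed samples.

```python
import unicodedata


def to_punycode(host: str) -> str:
    """ASCII (xn--) form of a host name, as the address bar shows it once
    network.IDN_show_punycode is true.  Uses Python's RFC 3490 idna codec."""
    return host.encode("idna").decode("ascii")


def scripts_of(label: str) -> set:
    """Set of Unicode scripts used by the letters of one DNS label, taken
    from the first word of each character's Unicode name ("LATIN", "CYRILLIC")."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def homograph_suspect(host: str) -> bool:
    """True if any label mixes scripts, the pattern of a homograph domain
    such as Latin 'p' + Cyrillic 'а' + Latin 'ypal'."""
    return any(len(scripts_of(label)) > 1 for label in host.split("."))


def display_name(host: str) -> str:
    """What a cautious UI would render: Unicode for single-script labels,
    punycode when a label mixes scripts."""
    return to_punycode(host) if homograph_suspect(host) else host


# Constructed samples: the lookalike uses U+0430 CYRILLIC SMALL LETTER A.
LOOKALIKE = "p\u0430ypal.com"
GENUINE = "paypal.com"
GERMAN = "m\u00fcnchen.de"   # single script (Latin), no reason to distrust

if __name__ == "__main__":
    for h in (LOOKALIKE, GENUINE, GERMAN):
        print(f"{h!r:24} punycode={to_punycode(h):22} suspect={homograph_suspect(h)}")
```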

    MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing
    MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files
    MFSA 2005-27 Plugins can be used to load privileged content
    MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab
    MFSA 2005-25 Image drag and drop executable spoofing
    MFSA 2005-24 HTTP auth prompt tab spoofing
    MFSA 2005-23 Download dialog source spoofing
    MFSA 2005-22 Download dialog spoofing using Content-Disposition header
    MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice
    MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
    MFSA 2005-19 Autocomplete data leak
    MFSA 2005-18 Memory overwrite in string library
    MFSA 2005-17 Install source spoofing with user:pass@host
    MFSA 2005-16 Spoofing download and security dialogs with overlapping windows
    MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
    MFSA 2005-14 SSL "secure site" indicator spoofing
    MFSA 2005-13 Window Injection Spoofing

    http://www.mozillazine.org/talkback.html?article=6129

    Mozilla Firefox 1.0.1 Released

    Thursday February 24th, 2005 -- Mozilla Firefox 1.0.1 has just been released. A minor update, this version fixes a few security holes and some other bugs. If you're using Firefox 1.0, you want this release. The Firefox Release Notes have also been updated and The Burning Edge has an unofficial Firefox 1.0.1 changelog. Download links can be found on the official Firefox product page.

    BUG WHEN MANUALLY KEYING URLs: If you are experiencing a crash when entering text into the address bar, you can correct the problem by removing the autocomplete.xpt file from your Firefox components directory, for example C:\Program Files\Mozilla Firefox\components. To avoid this crash, do not install a new installer package on top of an older zipped package.

    HOW TO INSTALL (use this approach even if you are on version 1.0)

    http://forums.mozillazine.org/viewtopic.php?t=158083


  • Canada - Detailed IT Security Assessment

    I thought the report format and detailed assessments were very well done by Canada's IT audit team. This is one of the best recent assessments I've seen. It's worth speed reading through for anyone involved in IT security.

    http://www.oag-bvg.gc.ca/domino/reports.nsf/html/20050201ce.html

    Quote: Despite encouraging signs of improvement, the government has made unsatisfactory progress in strengthening information technology (IT) security since our audit in 2002. It has laid a foundation by developing IT security policies and standards, and lead agencies and departments are more involved and committed to IT security. However, two and a half years after revising its Government Security Policy, the government has much work to do to translate its policies and standards into consistent, cost-effective practices that will result in a more secure IT environment in departments and agencies.

  • Sysinternals releases Rootkit Revealer detection utility

    http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

    RootkitRevealer is an advanced root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys).

  • Sober.K - FBI Press Release

    E-mails purporting to come from the FBI are phony. The FBI takes this matter seriously and is investigating. Users receiving e-mails of this nature are encouraged to report them to the Internet Crime Complaint Center via http://www.ic3.gov.

    http://www.fbi.gov/pressrel/pressrel05/022205.htm

  • Sober.K - New variant references the FBI and Microsoft

    I think the virus author used the wrong social engineering scheme, as the FBI is actively investigating this new virus.  Microsoft is also referenced by the latest version of the Sober email worm as well. 

    Sober.K - New variant to watch
    http://secunia.com/virus_information/15563/
    http://vil.nai.com/vil/content/v_131869.htm
    http://www.symantec.com/avcenter/venc/data/w32.sober.k@mm.html
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EK

    WASHINGTON (AP) — The FBI warned Tuesday that a computer virus is being spread through unsolicited e-mails that purport to come from the FBI. ...

    FBI issues warning about computer virus - USA Today
    FBI Warns of E-Mail Virus - LinuxInsider.com
    Virus Masquerades as FBI Warning - TechNewsWorld
    FBI Email Is Fake, Contains Virus - Boost Marketing

    Dear Sir/Madam, we have logged your IP-address on more than 40 illegal Websites. Important: Please answer our questions!  The list of questions are attached.

    Yours faithfully,
    M. John Stellford

    ++-++ Federal Bureau of Investigation -FBI-
    ++-++ 935 Pennsylvania Avenue, NW, Room 2130
    ++-++ Washington, DC 20535
    ++-++ (202) 324-3000

    ATTENTION!   Antivirus vendors are warning of a new variant of the Sober virus discovered today that can delete the hard disk.   Protection: Download and read the zipped patch. It's very easy to install!  Thanks for your cooperation!

    --- (c)2005 Microsoft Corporation. All rights reserved
    --- Microsoft Corporation
    --- One Microsoft Way
    --- Redmond, Washington 98052-6399

  • Spyware Removal - Two Comprehensive Cleaning Guides

  • Murray State's recommended 10 step Maintenance Checklist

    This is the best overall checklist I've seen for keeping your computer both secure and optimized for performance.

    Murray State's recommended 10 step Maintenance Checklist
    http://campus.murraystate.edu/technical/maintenance/ten_steps.htm

  • Book on Identity Theft: "Your evil Twin"

    This site devoted to promoting this book has some resources to help victims of Identity Theft.

    http://www.youreviltwin.net/

  • TechNet Security - Making Web Browsing More Secure

    February 2005's Security Tip of the Month is excellent.

    Making Web Browsing More Secure
    http://www.microsoft.com/technet/community/columns/sectip/st0205.mspx

    You can make Web browsing more secure by doing a few simple things:

    • Make sure that Windows XP Service Pack 2 is installed. This service pack increases the security of Microsoft Internet Explorer with pop-up blocking and add-on management.
    • Configure your browser’s security settings for safer browsing.
    • Configure your browser’s privacy settings to avoid unwanted cookies and pop-up ads.
    • Be careful about which Web sites you visit. Sites devoted to illegal or questionable subjects, such as hacker sites, sites for downloading pirated music or software, and pornographic sites are most likely to contain malicious code.
    • Enable checking of digital signatures on drivers and other programs you download.
    • Do not conduct financial transactions or send private information over the Web unless the site is secure. A secure site is usually indicated by a dialog box or a “lock” icon in the browser’s status or address bar.
    • Configure your browser so that it does not automatically download ActiveX controls or run scripts, Java applets, or other code. If you want to be able to run code on some sites, configure the browser to prompt you before doing so.

  • Corporate Users - Recommendations on Virus Warnings

    A member in MyITForums asked for general guidelines on composing virus alert messages to be sent to all employees for a rapidly spreading virus.

    Occasionally viruses will get into the corporate email system before AV protection is in place. The "rules" below represent some of the factors I have learned after years of doing this.

    Rule #1 - KEEP IT SIMPLE for the users to promote understanding by non-technical folks

    Rule #2 - KEEP IT SHORT as you want it to be read quickly plus it saves bandwidth and space on your email servers. 

    Rule #3 - TELL THEM WHAT TO AVOID and promote good security awareness along the way in a simple way

    Rule #4 - ASK THEM TO REPORT INFECTIONS to the Help Desk, Security department, or Techs rather than trying to clean the virus themselves.

    Rule #5 - SHARE LINKS TO MORE INFO on your Intranet based Security Awareness sites. Hopefully, you have an Intranet Security site (and if not build one as it's one of your best tools)

    Here's an example of a format I'd recommend; change the word EXAMPLE to the specifics relevant to the particular virus:

    quote:

    To: ALL EMPLOYEES
    Subject: Virus Alert: W/32.EXAMPLE.A (avoid EXAMPLE.ZIP attachments)

    Some of our professionals have found copies of W/32.EXAMPLE.A in their email accounts. We have protection from AV-VENDOR in place to now block this rapidly spreading virus.

    Please report all suspicious email attachments to our Help Desk. The attachment to avoid is EXAMPLE.ZIP. If you have accidentally selected this, please contact our Help Desk at 999-HELP so we can check your system.

    MORE INFORMATION CAN BE FOUND HERE:
    infosecurity.companyintranet.com/ExampleA.htm

    PLEASE PROTECT YOUR COMPANY AND HOME PC THRU BEST PRACTICES:
    infosecurity.companyintranet.com/Virusprevention.htm

  • Choicepoint.com - Press Release on 145,000 affected by Data Theft

    ChoicePoint maintains and sells background files on virtually every adult American.  They extract this information from millions of public and private records. Choicepoint.com issued a detailed press release at their website regarding the identity theft impacting 144,778 citizens across the United States.

    The press release contains a table showing the number of citizens impacted in each state. In addition to notifying everyone, they have set up a special toll-free support number. They will be purchasing tri-bureau credit reports and a one-year subscription to the monitoring service. Finally, they are asking the industry for more assistance on detecting and prosecuting Identity Theft.

    http://choicepoint.com/news/statement_0205_1.html

    What we know about the crime

    What we are doing to inform and protect Consumers

    What we are doing to minimize the likelihood of future occurrences

  • MS05-002: Trojan.Anicmoo.B

    MS05-002: Trojan.Anicmoo.B

    http://www.symantec.com/avcenter/venc/data/trojan.anicmoo.b.html

    Trojan.Anicmoo.B is a downloader Trojan that exploits the Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability (as described in the Microsoft Security Bulletin MS05-002). The Trojan exists as a malformed animated cursor (.ani). The Trojan downloads a copy of SecurityRisk.Downldr.

    Once a malformed .ani file is viewed using Windows Explorer or Internet Explorer, Trojan.Anicmoo.B performs the following actions:

    1. Downloads a file from a hostile domain.
    2. Saves the downloaded file.
    3. Terminates its running process.
    4. SecurityRisk.Downldr downloads the file update.txt.
    5. This file contains commands from a remote attacker to perform actions on the compromised computer.
    6. Currently update.txt contains commands to download a Browser Helper Object file and register it as a service. The .dll is currently harmless, but it attempts to connect to the sweetbar.com domain without being detected on the compromised computer.

  • MyDoom.BE - Escalated to MEDIUM RISK by McAfee

    This new variant emerged overnight and has quickly been escalated to MEDIUM RISK by McAfee with an emergency release of virus definition files to detect and clean this new threat.

    MyDoom.BE - Escalated to MEDIUM RISK by McAfee
    http://vil.nai.com/vil/content/v_131868.htm

    This W32/Mydoom variant is similar to previous variants; it bears the following characteristics:

    * mass-mailing worm constructing messages using its own SMTP engine
    * harvests email addresses from the victim machine
    * spoofs the From: address
    * contains a peer to peer propagation routine
    * downloads the BackDoor-CEB.F trojan

    From: (spoofed From: header)

    Subject:
    delivered
    hello
    hi
    error
    status
    test
    report
    delivery failed
    Message could not be delivered
    Mail System Error - Returned Mail
    Delivery reports about your e-mail
    Returned mail: see transcript for details
    Returned mail: Data format error

    ATTACHMENT: one of the following extensions: EXE, COM, SCR, PIF, BAT, CMD, ZIP


    -- Update 21st Feb 2005 -- Due to increased prevalence, the risk assessment of this threat has been raised to MEDIUM. The specified DAT files will be released early to address this threat.

    Use the Free AVERT Stinger updated to remove this variant
    http://vil.nai.com/vil/stinger

  • Sober.K Worm - new variant

    AV companies are now evaluating this new variant further.  Hopefully it will continue to stay low-risk. 

    Sober.K Worm - new variant
    http://secunia.com/virus_information/15558/sober.k/
    http://www.sarc.com/avcenter/venc/data/w32.sober.k@mm.html
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EK
    http://www.f-secure.com/v-descs/sober_k.shtml

    The Sober.K worm was seeded in e-mails on 21 February 2005. It is quite similar to the previous variants: it sends different types of e-mail messages with English or German texts and its file attached. The attachment is a ZIP archive containing the worm's executable. Before spreading, the worm scans files with certain extensions on all hard disks to harvest e-mail addresses.

  • Derdero A/B/C - New sophisticated email worm

    Three new variants of this new worm surfaced over the weekend. It is advanced like MyDoom, Netsky, and other email worms, so this new family is worth monitoring.

    W32.Derdero.A@mm

    W32.Derdero.B@mm

    W32.Derdero.C@mm

    W32.Derdero.A@mm is a mass-mailing worm that uses its own SMTP engine to send email to addresses that it retrieves from the Windows Address Book. The email will have a variable subject and attachment name. It also attempts to spread through file-sharing programs and infects all .exe files on the C drive.

    Large scale e-mailing: Sends itself to addresses found in the Windows Address Book.
    Deletes files: n/a
    Modifies files: Infects .exe files. Modifies the Hosts file.
    Degrades performance: Slows down computer.
    Causes system instability: Due to the overwriting of .exe programs, many programs will fail to run.
    Releases confidential info: n/a
    Compromises security settings: Attempts to end some security-related processes.

    Subject of email: Varies
    Name of attachment: Varies with a .cmd, .exe, .pif, .scr, or .zip file extension. The file may also have a double-extension ending in one of the previous extensions.
    Size of attachment: n/a
    Time stamp of attachment: n/a
    Ports: n/a
    Shared drives: n/a
    Target of infection: Attempts to spread through file-sharing networks by copying itself to folders which contain the string "shar" in their name.

    EMAIL FORMAT

    From: <Spoofed> - One of the following:
    server
    administration
    management
    service
    userhelp

    Subject - One of the following:
    Urgent Update!
    Server Error
    AHKER.C Alert
    URGENT PLEASE READ!
    Detailed Information
    User Information
    New Worm Alert
    Malware Avoidance tips

    Message Body - One of the following:
    Your Email account information has been removed from the system due to
    inactivity. To renew your account information refer to the attachment
    We regret to inform you that your account has been hijacked and used for
    illegal purposes. The attachment has more information about what has
    happened.
    Our Email system has received reports of your account flooding email
    servers. There is more information on this matter in the attachment
    Due to recent internet attacks, your Email account security is being
    upgraded. The attachment contains more details
    Our server is experiencing some latency in our email service. The
    attachment contains details on how your account will be affected.
    A new worm is circulating around. To protect yourself, read the attached
    document
    Please run the urgent patch attached to protect yourself from a new
    worm
    As a service to our users, we have attached a note on avoiding malware.

    Attachment - One of the following:
    Update
    Details
    Information
    Gift
    Word_Document
    Account_Information
    Malware_prevention_tips
    Patch

    Extensions - One of the following:
    .zip
    .scr
    .pif
    .cmd
    .exe
    .doc.pif
    .txt.exe
    .bmp.cmd
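
    A gateway-side check built from the indicators listed on this page for Mytob, the MyDoom.BB/BC/BD/BE variants and Derdero, as an added example (not code from the original post or from any AV vendor): the subject and extension lists are copied from those entries, the two MIME messages are constructed samples, and the quarantine/flag/deliver policy is an assumption.

```python
from email import message_from_string
from typing import Dict, List, Optional

# Subject lines listed on this page for Mytob and the MyDoom.BB-BE variants
# (compared case-insensitively).  "" stands for Mytob's "(No Subject)" case.
LURE_SUBJECTS = {
    "", "hello", "hi", "error", "status", "test", "report", "delivered",
    "delivery failed", "mail transaction failed", "mail delivery system",
    "server report", "message could not be delivered",
    "mail system error - returned mail", "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}
# Attachment extensions listed for Mytob, MyDoom and Derdero.
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "zip"}


def classify_attachment(name: str) -> Optional[str]:
    """Reason string if the file name ends in a listed extension, including
    Derdero-style double extensions (.doc.pif, .txt.exe, .bmp.cmd); else None."""
    exts = name.lower().split(".")[1:]      # "Details.doc.pif" -> ["doc", "pif"]
    if not exts or exts[-1] not in EXEC_EXTS:
        return None
    if len(exts) >= 2:
        return f"double extension .{exts[-2]}.{exts[-1]}"
    return f"executable extension .{exts[-1]}"


def verdict(raw: str) -> Dict[str, object]:
    """Parse one RFC 822 message and return {'action': ..., 'reasons': [...]}.
    Policy (an assumption): any listed attachment type -> quarantine;
    lure subject alone -> flag for review; otherwise deliver."""
    msg = message_from_string(raw)
    reasons: List[str] = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"subject matches lure list: {subject!r}")
    bad_attachment = False
    for part in msg.walk():
        fn = part.get_filename()
        if fn is None:
            continue
        reason = classify_attachment(fn)
        if reason:
            bad_attachment = True
            reasons.append(f"attachment {fn}: {reason}")
    action = "quarantine" if bad_attachment else ("flag" if reasons else "deliver")
    return {"action": action, "reasons": reasons}


# Constructed sample: a bounce-style lure with a Derdero-style double extension.
LURE_MAIL = """\
From: postmaster@example.com
To: user@example.com
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The original message was included as an attachment.
--b1
Content-Type: application/octet-stream; name="Details.doc.pif"
Content-Disposition: attachment; filename="Details.doc.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: ordinary business mail with a PDF.
BENIGN_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: Q1 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Numbers attached.
--b2
Content-Type: application/pdf; name="q1.pdf"
Content-Disposition: attachment; filename="q1.pdf"

%PDF-1.4
--b2--
"""

if __name__ == "__main__":
    for raw in (LURE_MAIL, BENIGN_MAIL):
        print(verdict(raw))
```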

  • Microsoft's GhostBuster - New experimental tool to detect Windows Root Kits

    What is a Windows Root Kit?

    http://www.securityfocus.com/news/2879
    http://msmvps.com/harrywaldron/archive/2005/02/19/36425.aspx

    A Windows "root kit" is an assembly of programs that subverts the Windows operating system at the lowest levels, and, once in place, cannot be detected by conventional means. Also known as "kernel mode Trojans," root kits are far more sophisticated than the usual batch of Windows backdoor programs that irk network administrators today. The difference is the depth at which they control the compromised system.

    Why is Root Kit Detection Important?

    Unix- and Linux-based root kits have been present for years and there are some tools available to detect these threats. However, Windows-based root kits are a new paradigm and are expected to grow in the future.

    Because root kits work at the kernel level of the operating system, they cannot be easily detected by antivirus or firewall systems. For example, they can secretly open a port on the server in a way that the firewall software thinks is closed. The system administrator or home user may think "all is well", but the system could be collecting and transmitting information to malicious individuals.

    Detections are made more on an accidental than a proactive basis. For example, the only sign that a server or PC might be infected with a root kit may be that it is "blue screening". The industry needs sophisticated detection tools for this high-risk security exposure.

    Microsoft's GhostBuster Root Kit Detection Tool

    http://netsecurity.about.com/b/a/146844.htm
    http://www.schneier.com/blog/archives/2005/02/ghostbuster.html

    GhostBuster is a new, innovative CD-based checking tool that Microsoft is experimenting with. It works by booting the system a couple of times from the CD, while comparing the current OS settings with the expected baseline of what Windows should be. This detailed checking process can help find startup processes or substituted executable code that might point to a hidden root kit.

    Security professionals definitely need a tool with which they can test a suspicious server or workstation. The ability to actually clean the system is less important, as a server or PC should be rebuilt from the ground up if it is infected with a root kit. Due to the difficulty of detecting rootkits and their expected growth in the Windows environment, I'm hopeful Microsoft will continue their work in this area.

    Microsoft continues work on adding a root kit detection tool to their excellent array of security analysis tools. A root kit detection tool would be particularly helpful to network administrators in researching suspicious activities, especially if this malicious activity increases in the future.
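    The comparison that both RootkitRevealer (described earlier on this page) and the GhostBuster CD boot perform, reduced to its core as an added example that is not code from either tool: the same file and registry objects are enumerated through the live Windows API and again from a trusted view, then diffed. The two listings and the hidden driver are constructed sample data; the real tools obtain the trusted view by parsing the raw disk and hives or by booting offline.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Each view maps an object name (file path or registry value path) to the
# size the view reports; None means "present, size not applicable" (registry).
View = Dict[str, Optional[int]]


def normalize(name: str) -> str:
    """Windows names are case-insensitive and may use either separator."""
    return name.replace("/", "\\").rstrip("\\").lower()


def cross_view(live: View, trusted: View,
               transient: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Compare the live (API) view against the trusted (raw/offline) view.

    Returns sorted (kind, name) pairs:
      hidden-from-api    trusted view has it, live API does not (the signature
                         of a rootkit filtering directory/registry enumeration)
      metadata-mismatch  both see it but report different sizes
      api-only           live API reports something the raw view lacks
    Names under a transient prefix (pagefile, prefetch, log directories that
    change between the two snapshots) are ignored to cut false positives."""
    skip = tuple(normalize(t) for t in transient)
    live_n = {normalize(k): v for k, v in live.items()}
    trusted_n = {normalize(k): v for k, v in trusted.items()}
    findings: List[Tuple[str, str]] = []
    for name, size in trusted_n.items():
        if name.startswith(skip):
            continue
        if name not in live_n:
            findings.append(("hidden-from-api", name))
        elif live_n[name] != size:
            findings.append(("metadata-mismatch", name))
    for name in live_n:
        if name not in trusted_n and not name.startswith(skip):
            findings.append(("api-only", name))
    return sorted(findings)


# Constructed sample views.  "hidden_example.sys" and its service key stand in
# for a rootkit that filters both file and registry enumeration; notepad.exe's
# size differs to show a modified-binary case; pagefile.sys is transient noise.
# All sizes are made-up sample values.
LIVE_VIEW: View = {
    r"C:\Windows\System32\notepad.exe": 69120,
    r"C:\Windows\System32\drivers\tcpip.sys": 359040,
    r"C:\pagefile.sys": 805306368,
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ImagePath": None,
}
TRUSTED_VIEW: View = {
    r"C:\Windows\System32\notepad.exe": 70144,
    r"C:\Windows\System32\drivers\tcpip.sys": 359040,
    r"C:\Windows\System32\drivers\hidden_example.sys": 24576,
    r"C:\pagefile.sys": 1073741824,
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ImagePath": None,
    r"HKLM\SYSTEM\CurrentControlSet\Services\hidden_example\ImagePath": None,
}
TRANSIENT = (r"C:\pagefile.sys", r"C:\Windows\Prefetch")


def sample_report() -> List[Tuple[str, str]]:
    """Run the comparison over the constructed views."""
    return cross_view(LIVE_VIEW, TRUSTED_VIEW, TRANSIENT)


if __name__ == "__main__":
    for kind, name in sample_report():
        print(f"{kind:18} {name}")
```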

  • Microsoft on RootKits: Be afraid, be very afraid

    Rootkits are very sophisticated monitoring systems that can hide completely within the framework of Microsoft and Linux operating systems. Developing rootkits requires extensive knowledge of the operating system, so that rootkits can communicate with the kernel transparently. You can think of rootkits as “Super Spyware”.

    Currently we are seeing a number of viruses that carry secondary payloads that can sometimes be more dangerous than the original virus.  Thus a virus could carry or download a root kit and install it transparently onto the system.  With few cleaning or detection tools available the root kit could go undetected allowing malicious individuals to monitor system activity or access sensitive data. 

    Microsoft on RootKits: Be afraid, be very afraid
    http://www.computerworld.com/printthis/2005/0,4814,99843,00.html

    QUOTE:  Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals ... The malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms.

  • MyDoom.BC/BD - Escalated to MEDIUM RISK

    Both new variants have been escalated to MEDIUM RISK by McAfee with emergency updates of virus definition files:

    MyDoom.BC
    http://vil.nai.com/vil/content/v_131860.htm

    MyDoom.BD
    http://vil.nai.com/vil/content/v_131861.htm

    This W32/Mydoom variant is similar to previous variants; it bears the following characteristics:

    * mass-mailing worm constructing messages using its own SMTP engine
    * harvests email addresses from the victim machine
    * spoofs the From: address
    * contains a peer to peer propagation routine
    * downloads the BackDoor-CEB.b trojan

    From: (spoofed From: header)

    Subject:
    delivered
    hello
    hi
    error
    status
    test
    report
    delivery failed
    Message could not be delivered
    Mail System Error - Returned Mail
    Delivery reports about your e-mail
    Returned mail: see transcript for details
    Returned mail: Data format error

    ATTACHMENT: one of the following extensions: EXE, COM, SCR, PIF, BAT, CMD, ZIP

  • W32.Doxpar - exploits unpatched security vulnerabilities

    W32.Doxpar - exploits unpatched security vulnerabilities
    http://www.symantec.com/avcenter/venc/data/w32.doxpar.html
    W32.Doxpar is a network-aware worm that has distributed denial of service and back door capabilities. This new worm spreads by exploiting the following vulnerabilities:

    • Microsoft Windows WINS Association Context Data Remote Memory Corruption Vulnerability on TCP port 42 (as described in Microsoft Security Bulletin MS04-045)
    • The DCOM RPC vulnerability on TCP port 135 (as described in Microsoft Security Bulletin MS03-026)
    • The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
    • Microsoft FrontPage Server Extensions Remote Debug Buffer Overrun Vulnerability on TCP port 80 (as described in Microsoft Security Bulletin MS03-051)

  • Choicepoint.com - Data theft affects 145,000 nationwide

    While the scope of this has widened, I'm hopeful that only a small fraction of the exposed accounts will be impacted.  I feel given the fiduciary responsibility and absolute liability involved here, that Choicepoint should reimburse all impacted customers in straightening out their credit if they are adversely impacted in any way. 

    Choicepoint.com - Data theft affects 145,000 nationwide
    http://www.msnbc.msn.com/id/6979897/

    Feb. 16, 2005 NEW YORK - Database giant ChoicePoint said late Wednesday that 145,000 consumers nationwide were placed at risk by a recent data theft at the company. Previously, the company had suggested the theft only affected California residents.

    Atlanta-based ChoicePoint maintains and sells background files on virtually every adult American, culled from millions of public and private records. Last week, the firm sent some 35,000 letters to California residents telling them their personal data may have been stolen by criminals who set up fake companies and downloaded information from ChoicePoint. 

    California is the only state that by law requires disclosure of such data leaks, and ChoicePoint initially suggested the theft of information might be limited to that state. Lee said ChoicePoint decided to widen the notification after meeting with law enforcement officials on Wednesday. An additional 110,000 letters will be mailed in the coming days, he said.

  • MyDoom.BB - Escalated to MEDIUM RISK

    MyDoom.BB has been escalated to MEDIUM status in just a few hours by McAfee, Secunia, Symantec, Trend, and other AV vendors. It's spreading rapidly and users should be careful with email and avoid all attachments.

    MYDOOM.BB -- MEDIUM RISK
    http://secunia.com/virus_information/15463/mydoom.bb/
    http://vil.nai.com/vil/content/v_131856.htm
    http://www.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB

    This W32/Mydoom variant is similar to previous variants; it bears the following characteristics:

    * mass-mailing worm constructing messages using its own SMTP engine
    * harvests email addresses from the victim machine
    * spoofs the From: address
    * contains a peer to peer propagation routine
    * downloads the BackDoor-CEB trojan

    From: (spoofed From: header)

    Subject:
    delivered
    hello
    hi
    error
    status
    test
    report
    delivery failed
    Message could not be delivered
    Mail System Error - Returned Mail
    Delivery reports about your e-mail
    Returned mail: see transcript for details
    Returned mail: Data format error

    ATTACHMENT - one of the following extensions:  EXE, COM, SCR, PIF, BAT, CMD, ZIP

  • Internet Explorer 7.0 Upgrade Planned for Windows XP

    The MSAS and IE 7 announcements from the RSA conference were positive and welcome developments by Microsoft. Both initiatives will ultimately improve security for end users.

    Hopefully IE 7 will also address some of the functionality issues associated with improved compliance with CSS and W3C standards. An option to provide tabbed browsing and other advanced features would also be beneficial for some users.

    Microsoft implemented beneficial IE improvements for Windows XP SP2. I wish them success on this challenging initiative as they deliver further improvements ahead.

    Internet Explorer 7.0 Upgrade Planned for Windows XP
    http://www.eweek.com/article2/0,1759,1764441,00.asp
    http://www.microsoft.com/presspass/press/2005/feb05/02-15RSA05KeynotePR.asp
    http://www.microsoft.com/presspass/features/2005/feb05/02-15Updates.asp
    http://blogs.msdn.com/ie/archive/2005/02/15/373104.aspx

  • MyDoom.BB - New variant emerges

    http://vil.nai.com/vil/content/v_131856.htm

    This W32/Mydoom variant is similar to previous variants; it bears the following characteristics:

    * mass-mailing worm constructing messages using its own SMTP engine
    * harvests email addresses from the victim machine
    * spoofs the From: address
    * contains a peer to peer propagation routine
    * downloads the BackDoor-CEB trojan

    From: (spoofed From: header)

    Subject:
    delivered
    hello
    hi
    error
    status
    test
    report
    delivery failed
    Message could not be delivered
    Mail System Error - Returned Mail
    Delivery reports about your e-mail
    Returned mail: see transcript for details
    Returned mail: Data format error

    ATTACHMENT - one of the following extensions:  EXE, COM, SCR, PIF, BAT, CMD, ZIP

  • MS05-002: Anicmoo Trojan Horse

    This new trojan horse exploits a vulnerability from the January 2005 Microsoft patches.

    MS05-002: Anicmoo Trojan Horse
    http://www.symantec.com/avcenter/venc/data/trojan.anicmoo.html

    Trojan.Anicmoo is a downloader Trojan that exploits the Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability (as described in the Microsoft Security Bulletin MS05-002). The Trojan exists as a malformed animated cursor (.ani).
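    A structural sanity check for incoming .ani files, as an added example (not code from the original post, Symantec or Microsoft): it walks the RIFF/ACON chunk list and rejects a file whose anih header chunk is not the 36 bytes the ANIHEADER structure defines, whose cbSize field disagrees, or whose chunk lengths overrun the file. This is a gateway-side filter for the malformed cursors both Anicmoo entries describe, not a reproduction of the MS05-002 fix itself; the sample files are constructed.

```python
import struct
from typing import Iterator, List, Tuple

ANIH_SIZE = 36   # sizeof(ANIHEADER): nine little-endian DWORDs


def iter_chunks(data: bytes, start: int, end: int) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (id, body) for each RIFF sub-chunk in data[start:end].
    Raises ValueError when a declared length runs past the container."""
    pos = start
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        (length,) = struct.unpack_from("<I", data, pos + 4)
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end > end:
            raise ValueError(f"chunk {cid!r} length {length} exceeds container")
        yield cid, data[body_start:body_end]
        pos = body_end + (length & 1)        # RIFF pads odd-length chunks


def validate_ani(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the file is structurally sane."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings: List[str] = []
    (riff_len,) = struct.unpack_from("<I", data, 4)
    if riff_len + 8 > len(data):
        findings.append(f"RIFF length {riff_len} exceeds file size {len(data)}")
    end = min(len(data), riff_len + 8)
    seen_anih = False
    try:
        for cid, body in iter_chunks(data, 12, end):
            if cid != b"anih":
                continue
            seen_anih = True
            if len(body) != ANIH_SIZE:
                findings.append(f"anih chunk length {len(body)} != {ANIH_SIZE}")
                continue
            (cb_size,) = struct.unpack_from("<I", body, 0)
            if cb_size != ANIH_SIZE:
                findings.append(f"anih cbSize {cb_size} != {ANIH_SIZE}")
    except ValueError as exc:
        findings.append(str(exc))
    if not seen_anih:
        findings.append("no anih chunk")
    return findings


def build_ani(anih_len: int = ANIH_SIZE, cb_size: int = ANIH_SIZE) -> bytes:
    """Constructed minimal .ani: RIFF/ACON with a single anih chunk.
    anih_len/cb_size let the sample be bent into the malformed shapes
    the validator is meant to catch."""
    # cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
    header = struct.pack("<9I", cb_size, 1, 1, 32, 32, 32, 1, 10, 1)
    body = header[:anih_len] if anih_len <= len(header) else header.ljust(anih_len, b"\0")
    chunk = b"anih" + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")
    payload = b"ACON" + chunk
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


def overrun_sample() -> bytes:
    """A well-formed file whose anih length field is patched to 0xFFFFFFFF."""
    data = bytearray(build_ani())
    struct.pack_into("<I", data, 16, 0xFFFFFFFF)   # offset 16: length of the anih chunk
    return bytes(data)


if __name__ == "__main__":
    samples = (("good", build_ani()), ("oversized anih", build_ani(anih_len=4096)),
               ("bad cbSize", build_ani(cb_size=4096)), ("overrun", overrun_sample()),
               ("not ani", b"MZ\x90\x00"))
    for label, sample in samples:
        print(f"{label:15} -> {validate_ani(sample) or 'OK'}")
```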

     

  • Bropia.N - MSN Messenger worm - Difficult to clean

    I worked with a user today by email who was infected.  The lsass, regedit, and mstask service manipulations make this one difficult to clean.  As with any virus SAFE MODE is always the recommended cleaning approach and seemed to work. 

    Bropia.N - MSN Messenger worm - Difficult to clean
    http://vil.nai.com/vil/content/v_131746.htm

    This new worm variant propagates through MSN messenger. However, unlike previous variants it does not drop the W32/Sdbot.worm.gen worm. The following processes are disabled on the victim's machine to prevent the user from manually stopping and removing the worm:

    Regedit.exe - registry editor
    Mstask.exe - task manager
