December 2005 - Posts

Kaspersky has received information that a new IM worm is hitting the Netherlands. Apparently the worm is spreading over MSN using a malformed WMF file called xmas-2006 FUNNY.jpg.

Kaspersky Lab Blogs

Please be careful when opening New Year's greeting links or other seasonal greetings.

There is a "new and improved" edition of the WMF exploit that does not use a WMF extension. It also varies in size randomly to better evade AV detection. A Code Yellow alert has been issued by the Internet Storm Center. There is little or no AV protection available, so extra caution should be used.

New exploit released for the WMF vulnerability - YELLOW
http://isc.sans.org/diary.php?storyid=992 

A copy of the actual exploit can be found at FrSIRT for anyone wanting to review the code, but please use caution.  The exploit generates files with the following characteristics:

* a random size;
* no .wmf extension (.jpg in this case, but it could be any other image extension);
* a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU on an Ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer.

A security firm from Belgium offers a testing facility for browsers.  I tested IE 6 (XP SP2 version), Firefox 1.5, and Opera 8.51 and all three passed the test as follows:

The Browser Security Test is finished. Please find the results below:

High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

QUOTE: Can someone hack into your computer via your browser? How vulnerable are you? Can websites install spyware through your browser? Scanit's Browser Security Test automatically checks your browser for various security problems. When the test is finished you get a complete report explaining the discovered vulnerabilities, their impact and how to eliminate them.

Start the Test

Microsoft has issued Security Advisory 912840, "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution". As noted in the bulletin, they have given the highest priority to testing and providing solutions for the WMF exploits that are currently circulating. So far, most WMF attacks come from visiting unsafe websites, so follow best practices and "think before you click" when web surfing, and never click on links in email or Instant Messaging.

Current recommendations for Malicious WMF Exploits in-the-wild

1. Keep your Anti-Virus and Anti-Spyware software as up-to-date as possible. McAfee users should install DAT 4661 or higher now.
2. Stay away from any questionable sites and do not open WMF files or links in any environment (e.g., IM, email, web surfing, explorer, etc.).
3. Filter and block WMF files in email or content filtering systems
4. Don't rely on the WMF extension alone, as Windows metafile processing can handle a disguised or renamed extension. For example, a WMF file might be renamed to GIF, and when Windows tries to open it, it may recognize that it was originally a WMF file and open it that way.
5. As an extra safety precaution, you can turn off the vulnerable DLL. The Full Disclosure workaround has a downloadable *.REG file that allows toggling shimgvw.dll on and off. Another option is to turn off shimgvw.dll completely, which results in a minor loss of functionality: thumbnail previews in Windows Explorer and the Windows Picture and Fax Viewer will no longer work. You can restore it later after better protective solutions emerge.

Please click on this link for more information:

Malicious Zero Day Windows Media File Exploits are in-the-wild
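Recommendation 4 above warns that the file extension cannot be trusted, and the ISC list describes exploit files that carry any image extension with random padding in front of the bad call. The Python below is an added example, not code from this blog or from any of the advisories it quotes: it recognizes Windows Metafile data by its header rather than its filename, walks the record list, and flags the SETABORTPROC escape record, the escape that the exploits in circulation abuse (a fact not stated on this page). The function names, the block/quarantine/allow policy and the sample files are all constructed for the example.

```python
"""Content-based WMF detection for a mail or web content filter (added example)."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # META_PLACEABLE magic; appears on disk as D7 CD C6 9A
META_EOF = 0x0000            # last record of every metafile
META_ESCAPE = 0x0626         # Escape record; its first parameter is the escape function
SETABORTPROC = 0x0009        # escape abused by the WMF exploits (not named on this page)
META_SETMAPMODE = 0x0103     # harmless record used in the constructed benign sample


def _standard_header_ok(data, off):
    """True if a plausible 18-byte META_HEADER starts at offset off."""
    if len(data) < off + 18:
        return False
    mtype, hdr_size, version = struct.unpack_from("<HHH", data, off)
    return mtype in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)


def inspect_wmf(data):
    """Identify WMF content by structure, never by filename.

    Returns a dict with is_wmf, placeable, records (records walked),
    setabortproc (an Escape/SETABORTPROC record was found) and truncated
    (the record list did not end cleanly with META_EOF).
    """
    info = {"is_wmf": False, "placeable": False, "records": 0,
            "setabortproc": False, "truncated": False}
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        info["placeable"] = True   # 22-byte placeable header precedes META_HEADER
        off = 22
    if not _standard_header_ok(data, off):
        return info
    info["is_wmf"] = True
    off += 18
    while True:  # each record: DWORD size in 16-bit words, then WORD function number
        if len(data) < off + 6:
            info["truncated"] = True
            break
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:         # a record can never be shorter than its own header
            info["truncated"] = True
            break
        info["records"] += 1
        if func == META_EOF:
            break
        if func == META_ESCAPE and len(data) >= off + 8:
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                info["setabortproc"] = True
        off += size_words * 2
    return info


def classify(filename, data):
    """Filter decision (hypothetical policy): 'block', 'quarantine' or 'allow'."""
    info = inspect_wmf(data)
    if not info["is_wmf"]:
        return "allow"
    if info["setabortproc"]:
        return "block"          # carries the abused escape, whatever the file is called
    if not filename.lower().endswith(".wmf"):
        return "quarantine"     # metafile disguised under another extension
    return "allow"


# --- constructed sample files (not real malware; the escape record carries no data) ---
def _record(func, payload=b""):
    total = 6 + len(payload)
    if total % 2:
        raise ValueError("WMF records are sized in 16-bit words")
    return struct.pack("<IH", total // 2, func) + payload


def _wmf(records):
    records = list(records) + [_record(META_EOF)]
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    return header + body


BENIGN = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 1))])
ESCAPE_SAMPLE = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
PLACEABLE_SAMPLE = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + BENIGN
JPEG_LIKE = b"\xff\xd8\xff\xe0" + bytes(40)   # real JPEG start marker, not a metafile

if __name__ == "__main__":
    for name, blob in [("xmas-2006 FUNNY.jpg", BENIGN), ("card.jpg", ESCAPE_SAMPLE),
                       ("holiday.wmf", PLACEABLE_SAMPLE), ("photo.jpg", JPEG_LIKE)]:
        print(name, classify(name, blob), inspect_wmf(blob))
```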

Microsoft has issued a security advisory to share initial information on this new unpatched vulnerability which is being exploited in-the-wild.  As Microsoft advises keep your AV and anti-spyware software updated to the latest definitions.  

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/912840.mspx

Please be careful with the sites you visit, and particularly with WMF (Windows Metafile) images rendered by Internet Explorer or other browsers. I believe Microsoft will prioritize and patch this new vulnerability expeditiously, so please look for upcoming security advisories, workarounds, and ultimately a patch. In the meantime, follow best practices by visiting only safe sites and keep your AV protection updated, as anti-virus vendors will also prioritize protection for this new in-the-wild exploit. Finally, the workaround offered by FrSIRT appears promising, as noted at the bottom.

  STATUS INFORMATION

INTERNET STORM CENTER - YELLOW ALERT

F-SECURE BLOG - GOOD STATUS INFORMATION

SUNBELT BLOG - GOOD STATUS INFORMATION

 

  SECUNIA INFORMATION

Microsoft Windows WMF Handling Arbitrary Code Execution
http://secunia.com/advisories/18255/

Secunia Advisory: SA18255   
Release Date: 2005-12-28

Rating: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

QUOTE: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.  The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

Solution:  Do not open or preview untrusted ".wmf" files and set security level to "High" in Microsoft Internet Explorer.

 

  TREND MICRO INFORMATION

TWO TROJAN HORSE VARIANTS SO FAR

TROJ_WMFXEXE.A

TROJ_WMFMSITS.A

QUOTE: The Windows Picture and Fax Viewer vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose as a dangerous situation in which a lot of systems may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

 

  FRSIRT INFORMATION

Microsoft Windows WMF Handling Remote Code Execution Vulnerability
http://www.frsirt.com/english/advisories/2005/3086

FrSIRT Advisory: FrSIRT/ADV-2005-3086
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-28

Recommended Workaround by FrSIRT: Disable "Windows Picture and Fax Viewer" : on the Start menu, choose Run, and then type "regsvr32.exe /u shimgvw.dll".

  A new MSN "beta" is being offered to lure folks into infecting their existing PCs and MSN environment.  As a best practice, never accept software updates or products by email.  As an example, Microsoft does not distribute any software by email.

Virkel.F: Spoofed as an MSN Messenger beta 8 download

QUOTE: There is no MSN Messenger 8. Not yet anyway. However, there's a new virus going around pretending to be "MSN Messenger 8 Working BETA". There are two ways to catch it. First, by downloading it from a fake site where it has been supposedly "leaked" ...

During the past week, several spam emails have been received labeled simply as "MERRY CHRISTMAS".  However, the author was an unfamiliar name, so that is one method to quickly spot and avoid these types of messages. 

As a person's name is spoofed in the author field, these messages could appear to be legitimate. On a couple of these, the author seemed to be a familiar name and I wasn't certain if it was spam until the message was opened.

Some of these messages were carefully evaluated from a security standpoint.  While most were aggressive advertising messages, some pointed to websites.  Visiting an unknown website can introduce spyware or other malware agents.

Most likely "HAPPY NEW YEAR" messages will be coming.  In addition to spam, many viruses use themes and social engineering approaches centered around holiday greetings. 

Please be careful with all email you encounter, as messages that appear to be safe could be designed to trick folks into infecting their PCs with spyware or viruses. Keep your AV software and Windows updated to the latest levels of protection. Finally, as an additional safety precaution, processing email in plain text mode can help some.

VMware: an EMC Company

VMware is a great management product for server consolidation, as it creates logical partitions on large corporate servers to run multiple operating systems efficiently. A critical security update has been issued and system administrators are urged to apply this patch quickly.

VMware ESX Server - Critical update for Cross Site Scripting Issue
http://www.frsirt.com/english/advisories/2005/3084

Advisory ID : FrSIRT/ADV-2005-3084
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes

Release Date : 2005-12-24

Technical Description: A vulnerability has been identified in VMware ESX Server, which may be exploited by attackers to inject malicious HTML code. This flaw is due to an input validation error in the VMware Management Interface that does not properly validate certain parameters, which may be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

Affected Products: VMware ESX Server 2.0.x, 2.1.x, 2.5.x

Solution: Apply the latest VMware patches
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2001

   Below are some key links that can help strengthen Linux security controls:

Internet Storm Center Article
http://isc.sans.org/diary.php?storyid=962

Introduction to IP Tables
http://www.ip-solutions.net/firewall/servers.html

Advanced Tutorial
http://www.sans.org/rr/special/index.php?id=adaptive_firewalls

   

Some of my friends at the SpyWare forums have created an interesting version of the 12 days of Christmas. May everyone reading this have a wonderful Christmas, Hanukkah, and other special holidays being celebrated at this time. Here's also hoping that 2006 is the best year ever as we go into a brand new year next week.

SpyWare Forums: The twelve e-mails of Christmas!

On the first day of Christmas my e-mail sent to me; A virus for my PC.

On the second day of Christmas my e-mail sent to me; Two Sasser Worms, and a virus for my PC.

On the third day of Christmas my e-mail sent to me; Three search bars, two Sasser Worms and a virus for my PC.

On the fourth day of Christmas my e-mail sent to me; Four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the fifth day of Christmas my e-mail sent to me; Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the sixth day of Christmas my e-mail sent to me; Six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the seventh day of Christmas my e-mail sent to me; Seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the eighth day of Christmas my e-mail sent to me; Eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the ninth day of Christmas my e-mail sent to me; Nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the tenth day of Christmas my e-mail sent to me; Ten BHOs, nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the eleventh day of Christmas my e-mail sent to me; Eleven peper files, ten BHOs, nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the twelfth day of Christmas my e-mail sent to me; A link to http://forums.spywareinfo.com

  A major new phpBB attack is circulating and site administrators should ensure they are on phpBB version 2.0.18 or higher.

phpBB Remote Command Execution and SQL Injection Vulnerabilities
http://www.frsirt.com/english/advisories/2005/2250

Technical Description: Multiple vulnerabilities were identified in phpBB, which could be exploited by remote attackers to execute arbitrary commands or conduct SQL injection and cross site scripting attacks.

Exploit Code example
Please be careful as actual exploit code is present here
http://www.frsirt.com/exploits/20051224.r57phpbb2017.pl.php

Affected Products: phpBB version 2.0.17 and prior

Solution - Upgrade to phpBB version 2.0.18
http://www.phpbb.com/downloads.php

Several new variants of the Bagle downloader trojan and the corresponding email worm have surfaced recently. These new variants use ZIP files named after an individual as a social engineering scheme, so that they appear to be safe attachments. Users should avoid opening any email attachment until it has been tested to ensure it is safe, even on legitimate email correspondence.

Bagle - McAfee Information

This is a downloader trojan. However, like previous Bagle variants, it is likely that in the near future, the author(s) will post an accompanying EXE file on a remote server, which SPAMs new versions of Bagle (not to addresses harvested on the local system, but to addresses specified in spam lists also on remote web servers). This trojan was mass-spammed in a ZIP attachment and uses people's names as the filenames:

  • Edmund.zip
  • Elizabeth.zip
  • Fraunces.zip
  • Grace.zip
  • Henrie.zip
  • Jeames.zip

Symantec information is noted below:

W32.Beagle.DB@mm

W32.Beagle.DA@mm

Several reports from Sophos are noted below:

- BagleDl-BD Reported by Sophos
- BagleDl-BB Reported by Sophos
- BagleDl-BC Reported by Sophos
- BagleDl-BA Reported by Sophos
- BagleDl-AZ Reported by Sophos

A corporate attorney sent the following out to the employees in his company.

1.  The next time you order checks have only your initials (instead of first name) and last name put on them.  If someone takes your checkbook, they will not know if you sign your checks with just your initials or your first name, but your bank will know how you sign your checks.

2.  Do not sign the back of your credit cards.  Instead, put "PHOTO ID REQUIRED."

3.  When you are writing checks to pay on your credit card accounts, DO NOT put the complete account number on the "For" line.  Instead, just put the last four numbers.   The credit card company knows the rest of the number, and anyone who might be handling your check as it passes through all the check-processing channels will not have access to it.

4.  Put your work phone # on your checks instead of your home phone.  If you have a PO Box, use that instead of your home address.  If you do not have a PO Box, use your work address.   Never have your Social Security printed on your checks, (DUH!).  You can add it if it is necessary.  However, if you have it printed, anyone can get it.

5.  Place the contents of your wallet on a photocopy machine.  Do both sides of each license, credit card, etc.  You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place.   Also carry a photocopy of your passport when traveling either here or abroad.  We have all heard horror stories about fraud that is committed on us in stealing a name, address, Social Security number, credit cards.

6.  When you check out of a hotel that uses cards for keys (and they all seem to do that now), do not turn the "keys" in.  Take them with you and destroy them.   Those little cards have on them all of the information you gave the hotel, including address and credit card numbers and expiration dates.  Someone with a card reader, or employee of the hotel, can access all that information with no problem whatsoever.

* * * 

Unfortunately, as an attorney, I have first hand knowledge because my wallet was stolen last month. Within a week, the thief (or thieves) ordered an expensive monthly cell phone package, applied for a VISA credit card, had a credit line approved to buy a Gateway computer and received a PIN number from DMV to change my driving record information online. Here is some critical information to limit the damage in case this happens to you or someone you know:

1.  We have been told we should cancel our credit cards immediately.  The key is having the toll free numbers and your card numbers handy so you know whom to call.   Keep those where you can find them.

2.  File a police report immediately in the jurisdiction where your credit cards, etc., were stolen.  This proves to credit providers you were diligent, and this is a first step toward an investigation (if there ever is one).   However, here is what is perhaps most important of all (I never even thought to do this.)

3.  Call the three national credit reporting organizations immediately to place a fraud alert on your name and Social Security number. I had never heard of doing that until advised by a bank that called to tell me an application for credit was made over the Internet in my name. The alert means any company that checks your credit knows your information was stolen, and they have to contact you by phone to authorize new credit. By the time I was advised to do this, almost two weeks after the theft, all the damage had been done. There are records of all the credit checks initiated by the thieves' purchases, none of which I knew about before placing the alert. Since then, no additional damage has been done, and the thieves threw my wallet away this weekend (someone turned it in). It seems to have stopped them dead in their tracks.

Now, here are the numbers you always need to contact about your wallet and contents being stolen:

1.) Equifax: 1-800-525-6285
2.) Experian (formerly TRW): 1-888-397-3742
3.) TransUnion : 1-800-680-7289
4.) Social Security Administration (fraud line): 1-800-269-0271

Folks need to treat Instant Messages with the same care and suspicion they would email. Files or URLs found in Instant Messages can be malicious. This new IM worm installs a rootkit, which can be very difficult for AV software to detect and remove.

Links are noted below

Internet Storm Center Warning

Techweb

IM Logic

QUOTE: A new worm posing as a come-on to a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site, they're infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed "M.GiftCom.All," is circulating on the MSN, AOL, ICQ, and Yahoo instant messaging services, is a "Medium" threat, a relatively rare classification for the Waltham, Mass.-based company. Most IM worms and Trojans listed on its Threat Center receive only a "Low" classification. Like virtually all IM worms, M.GiftCom.All includes a URL in messages it spams out to contacts hijacked from previously-infected PCs

  Computer Security involves a two-part process of protecting resources.  The first component is adding security software and fortifying defenses so that most attacks from the outside can be blocked.  The second step is making certain folks follow the best practices in security, so that they resist traps and social engineering schemes. 

You can think of step one as placing a fence around the chicken coop to keep the fox out. But if the chicken opens the door and lets a disguised fox in, then the battle is lost. Thus users should always protect their systems with anti-virus, anti-spyware, and firewall software. Secondly, they need to "think before they click" and suspect that any email or instant message could pose harm to their systems.

http://www.viruslist.com/en/analysis?pubid=176195190

Key Topics in the article

  • Computer security as a system
  • People are part of the system
  • Security vulnerabilities and some examples
  • Conclusion
Symantec will most likely patch this newly discovered vulnerability quickly, and currently there are no known exploits in the wild.

Symantec AV products - Critical Buffer Overflow on RAR files
http://www.frsirt.com/english/advisories/2005/3003

Advisory ID : FrSIRT/ADV-2005-3003
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-20

Technical Description -- A critical vulnerability has been identified in various Symantec AntiVirus products, which may be exploited by remote attackers or malware to execute arbitrary code. This flaw is due to a heap overflow error in the "Dec2Rar.dll" library when processing certain length fields in the sub-block headers of RAR archives, which may be exploited by an unauthenticated remote attacker to execute arbitrary commands and take complete control of an affected system (e.g. by sending an email containing a specially crafted attachment).

Currently FrSIRT is unaware of any patches.

Malicious individuals are continuing to improve the capability of the new Dasher Internet worm to spread more actively to unpatched systems. We will most likely see more variants attempting to attack any unpatched systems.

MS05-051 - Dasher.D appears to be more potent than prior variants
http://securityresponse.symantec.com/avcenter/venc/data/w32.dasher.d.html

* Microsoft Windows MSDTC Memory Corruption Vulnerability (as described in Microsoft Security Bulletin MS05-051) on TCP port 1025.
* The Microsoft Windows WINS Name Value Handling Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-051), using TCP port 42.
* The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
* The Microsoft SQL Server User Authentication Remote Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS02-056).

Microsoft has greatly improved the security associated with IIS, and this DoS exploit is specifically targeted at IIS 5.1 running on Windows XP based systems. This is most likely a platform used for web development rather than for production Internet based servers.

Microsoft IIS 5.1 - DoS exploit released
http://isc.sans.org/diary.php?storyid=944

Microsoft IIS Malformed URL Potential Denial of Service Vulnerability
http://secunia.com/advisories/18106/

Microsoft IIS 5.1 - FrSIRT advisory
While this link is safe, please be careful with any actual exploit links you find at the FrSIRT site
http://www.frsirt.com/english/advisories/2005/2963

QUOTE: Inge Henriksen has discovered a vulnerability in Microsoft Internet Information Services (IIS), which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of certain malformed URLs. This can be exploited to cause the IIS service to crash.

Successful exploitation requires that "[dir]" is a virtual directory that is configured with "Scripts & Executables" execution permissions. Note: IIS will automatically restart after the crash. The vulnerability has been confirmed in IIS 5.1 on a fully patched version of Microsoft Windows XP SP2.

Solution: Filter potential malicious characters or character sequences with a HTTP proxy.

Special Note: IIS 5.0 and 6.0 are reportedly not affected.

While the early versions of Dasher are not working well, this new development should be watched, as the code to spread this new Internet based worm could be improved in later variants.

Dasher.B: Sophos information
http://www.sophos.com/virusinfo/analyses/w32dasherb.html

Dasher.A: F-Secure:
http://www.f-secure.com/weblog/archives/archive-122005.html#00000735

Dasher.A: MS05-051 (MSDTC) Malware / Port 1025
http://isc.sans.org/diary.php?storyid=934

W32/Dasher-B spreads by exploiting the MSDTC (MS05-051) vulnerability.
When run the worm creates the following files:
<Windows system folder>\wins\sqlexp.exe
<Windows system folder>\wins\sqlscan.exe
<Windows system folder>\wins\svchost.exe
Sqlscan.exe is a port scanner, used to search networks for open ports.
Sqlexp.exe and svchost.exe are detected as W32/Dasher-B.

W32/Dasher-B searches a set of pre-defined networks for open ports and attempts to exploit any vulnerable computers it finds. The exploit opens a backdoor on the vulnerable computer and causes it to connect to a remote server for further instructions. At the time of writing the instructions supplied by the remote server cause the exploited computer to download and execute two further programs.

The Trojan horse version is out and there's speculation that an email based version may follow.

McAfee
http://secunia.com/virus_information/25131/bagle.gend1511020/

Symantec
http://www.sarc.com/avcenter/venc/data/w32.beagle.cx@mm.html

Trend
http://secunia.com/virus_information/25129/trojbagle.cd/

Trojan Characteristics: This threat is detected as W32/Bagle.gen with the 4651 DAT files, or newer. This is a downloader trojan. However, like previous Bagle variants, it is likely that in the near future, the author(s) will post an accompanying EXE ...

EMAIL TO BLOCK OR AVOID

Subject:
New Year's
New Year's Day.
Happy New Year
We congratulate happy New Year
New 2006

Message:
Password: --LINK TO IMAGE FILE--
The password is --LINK TO IMAGE FILE--

Seasonal email attachments, HTML messages, electronic greeting cards, and URL links can potentially contain spyware or viruses. This is a popular attack approach, and one idea offered by the Internet Storm Center is to send "plain text" messages to our family and friends. This approach communicates a good personal message and it also promotes security awareness. As a best practice, I've always advocated sending a real greeting card in lieu of e-cards.

Best Practices: Send Real Greeting Cards or Plain Text Messages
http://isc.sans.org/diary.php?storyid=933

Please delete all associated email claiming to offer update protection from Kongo31.XRW. McAfee does not send out email notices like this, and you should continue to update through normal channels.

QUOTE: We've received several reports of emails, warning about a new virus called "Kongo31.XRW" (which doesn't exist). The email links to a fake McAfee site, hosted in Canada: The download link gets you a file called ak26xrw-patch-installer-win32.exe - which (surprise, surprise!) is infected with Trojan-Downloader.Win32.Hanlo.h

Kongo31.XRW -- False McAfee download links
http://www.f-secure.com/weblog/archives/archive-122005.html#00000733

Kongo31.XRW -- email Example
http://www.f-secure.com/weblog/archives/mcafeecenter.gif

Kongo31.XRW -- Special McAfee warning
http://vil.mcafeesecurity.com/vil/content/v_137511.htm

Security patches have been issued for both Windows and Internet Explorer. This update went well on my home PC with no issues and I recommend updating all workstations as soon as possible.

Windows Update Link
http://www.microsoft.com/windowsupdate/

Microsoft Security Bulletin MS05-054
Cumulative Security Update for Internet Explorer (905915)
http://www.microsoft.com/technet/security/Bulletin/ms05-054.mspx

Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical

Security Update Replacement: This update replaces the update that is included with Microsoft Security Bulletin MS05-052. That update is also a cumulative update.

Addresses four Vulnerabilities in Internet Explorer:

1. File Download Dialog Box Manipulation Vulnerability (CAN-2005-2829)
2. HTTPS Proxy Vulnerability (CAN-2005-2830)
3. COM Object Instantiation Memory Corruption Vulnerability (CAN-2005-2831)
4. Mismatched Document Object Model Objects Memory Corruption Vulnerability (CAN-2005-1790)

Microsoft Security Bulletin MS05-055
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)
http://www.microsoft.com/technet/security/Bulletin/ms05-055.mspx

Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Important

Addresses the following Vulnerability in Windows: Windows Kernel Vulnerability - A privilege elevation vulnerability exists in the way that asynchronous procedure calls are processed within the kernel. This vulnerability could allow a logged on user to take complete control of the system (CAN-2005-2827).

Yesterday, a brand new exploit affecting OLDER versions of Firefox was published. It is important to stay up-to-date on the latest product versions, as security updates are often a critical component of each version update.

Mozilla Firefox "InstallVersion.compareTo" Remote Buffer Overflow Exploit
Please be careful at this site as actual exploit code resides here
http://www.frsirt.com/exploits/20051212.fireburn.php

Original Advisory from July 2005
http://www.frsirt.com/english/advisories/2005/1075

Remotely Exploitable : Yes
Locally Exploitable : Yes

Affected Products: Mozilla Firefox 1.0.4 and prior, Mozilla Suite 1.7.8 and prior, Thunderbird 1.0.2 and prior

Solution: Upgrade to Mozilla Firefox 1.5 or later versions of the Mozilla Suite and Thunderbird

http://www.mozilla.org/products/

Personally, I'm still receiving lots of copies of Sober.X on a daily basis in my personal email accounts. On an infected PC, Sober.X creates a backdoor that allows it to autoupdate. Both F-Secure and CERT have issued warnings for new malware updates that will be automatically scheduled on January 6, 2006.

Secunia - Sober.X (CME-681) Anti-Virus links
http://secunia.com/virus_information/23836/sober.x/

F-Secure details how the URL calculation process works
http://www.f-secure.com/weblog/archives/archive-122005.html#00000729

QUOTE: Sober.Y was the biggest email outbreak of the year. It still is responsible for around 40% of all the infections we see. This variant is programmed to activate on January 5th, 2006. After this date all the infected machines will regularly try to download and run a file from a website, forever.

So, what URL is the virus using? This is the tricky part. The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly. So instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria. And 99% of the URLs generated by the virus simply don't exist.

However, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally in hundreds of thousands of machines.

Special CERT warning
http://www.us-cert.gov/current/current_activity.html#soberx

QUOTE: US-CERT is aware of functionality that could allow the mass-mailing worm known as "W32/Sober.X" to automatically update itself. W32/Sober.X is a bi-lingual (English and German) mass-mailing worm that utilizes its own SMTP engine to propagate. The W32/Sober.X worm began propagating on November 15, 2005 and will attempt to update itself on or around January 5, 2006.

US-CERT strongly recommends that users and administrators implement the following general protection measures:

* Install anti-virus software, and keep its virus signature files up-to-date
* Do not follow unsolicited web links or execute attachments received in email messages, even if sent by a known and trusted source
* Keep up-to-date on patches and fixes for your operating system

A new critical proof-of-concept exploit has been published for Oracle 9 web based apps.

Oracle 9i Database XDB HTTP Authentication Remote Stack Overflow Exploit
http://www.frsirt.com/exploits/20051208.oracle9i_xdb_http.pm.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727
http://isc.sans.org/

The danger is associated with copy-protection software included on some Sony discs, created by a company called SunnComm Technologies. The vulnerability could allow malicious programmers to gain control of computers that have run the software, which is typically installed automatically when a disc is put in a computer's CD drive.

Sony lists 27 CDs with SunnComm MediaMax vulnerability

27 CDs containing SunnComm MediaMax Version 5 Content Protection Software

The difficulties related to a bad copy protection design continue ...

Welomoch - Sony BMG based trojan horse
http://secunia.com/virus_information/24695/welomoch/
http://www.sarc.com/avcenter/venc/data/trojan.welomoch.html

Trojan.Welomoch is a Trojan horse that attempts to utilize XCP software to hide W32.HLLW.Antinny, which it drops on to the compromised computer. The XCP software is installed by inserting certain Sony BMG content-protected music CDs into the computer.

F-Secure published a great weblog entry sharing an account of cleaning the Crepate multipartite MBR based virus in 1993. While I've been working with PCs since 1981, this was the year computer viruses began to become more prominent. This was close to the timeframe the Michelangelo virus was prominent in the news, and that was the first major virus our company had to defend against. The article related to Crepate brought back some memories of having to clean and repair systems with MBR based infections:

Article: Cleaning the Crepate computer virus in 1993

F-Secure Security Bulletin 210 - May 1993
