May 18, 2004 - Current Activity

US-CERT has received reports of scanning activity directed at port 5000/tcp. This port is used by the Microsoft Windows Universal Plug and Play service (UPnP). There are known vulnerabilities in UPnP, for which a patch has been available (Microsoft Security Bulletin MS01-059).

Some of this activity can be attributed to two worms: W32/Bobax and W32/Kibuv. These worms use port 5000/tcp to identify machines running Windows XP (which enables the UPnP service by default), prior to attempting various exploits.

US-CERT strongly encourages users to keep their operating system up-to-date with current security patches, install anti-virus software, and keep its virus signature files up-to-date.

You may also wish to visit the US-CERT computer virus resources page.

US-CERT has received reports of a new worm, referred to as "W32/Sasser". This worm attempts to take advantage of a buffer overflow vulnerability in the Windows Local Security Authority Service Server (LSASS). The vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information on this vulnerability is available in Vulnerability Note VU#753212 and Microsoft Security Bulletin MS04-011.

The worm has been reported to propagate by scanning random IP addresses on port 445/tcp for vulnerable systems. When a vulnerable system is found, the worm will exploit this vulnerability, create a remote shell on port 9996/tcp, and start an FTP server on port 5554/tcp. The victim system will then connect back to the attacking system on port 5554/tcp to retrieve a copy of the worm. Systems infected by this worm may notice significant performance degradation.

US-CERT strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

You may also wish to visit the US-CERT computer virus resources page.

Exploit code has been publicly released that takes advantage of a buffer overflow vulnerability in the Microsoft Private Communication Technology (PCT) protocol. The vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information about the vulnerability is available in TA04-104A and VU#586540.

US-CERT is aware of network activity that is consistent with scanning and/or exploit attempts against this vulnerability. Reports indicate increased network traffic to ports 443/tcp and 31337/tcp. The PCT protocol runs over SSL (443/tcp) and the known exploit code connects a command shell on 31337/tcp. Note that the exploit code could be modified to use a different port or to execute different code.

This vulnerability is remedied by the patches described in Microsoft Security Bulletin MS04-011.

US-CERT is aware of exploitation of a cross-domain scripting vulnerability in the Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler. The MHTML protocol handler is installed as part of Outlook Express and uses Internet Explorer (IE) to access mhtml: URLs. Microsoft Windows systems install Outlook Express, IE, and the vulnerable MHTML handler by default.

By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute arbitrary code with the privileges of the user running IE and possibly read or modify content in another web site.

More information about the vulnerability is available in TA04-099A and VU#323070.

This vulnerability appears to be exploited by the Ibiza trojan, W32/Bugbear.E, and various web sites that host malicious URLs and related malware. Exploits also may be identified as BloodHound.Exploit.6. Attackers may distribute malicious URLs in unsolicited email, instant messages, chat rooms, or web forums. Attackers may also distribute exploits in HTML email messages.

This vulnerability is remedied by the patches described in Microsoft Security Bulletin MS04-013. For additional protection against these types of attacks, do not click on unsolicited links and maintain updated anti-virus software.

US-CERT is aware of a new mass-mailing malicious code known as "Sober.F". Sober.F arrives as an email message written in German or English and containing a 42,496-byte email attachment. When a user opens the attachment, Sober.F copies itself to %SYSTEM%\<file>.exe, where <file> is one of: sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, or smss32. It then creates a registry key

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<filename>

"<filename>" = "%System%\<filename>.exe %1"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

US-CERT strongly encourages users to install and maintain anti-virus software as well as patch their systems to prevent exploitation of vulnerabilities.

You may also wish to visit the US-CERT's computer virus resources page.

Exploit code has been publicly released that takes advantage of multiple vulnerabilities in various Cisco products. According to the Cisco advisory, these vulnerabilities have been previously addressed and patches or workarounds are available.

US-CERT strongly encourages sites affected by these vulnerabilities to ensure that proper steps have been taken to address these vulnerabilities.

US-CERT is aware of a Trojan known as "Phatbot". Phatbot is an IRC bot with characteristics and functionality similar to Agobot. Only systems running Microsoft Windows have been reported to be infected, however, this malicious code may affect other operating systems. Phatbot can propagate using several methods. It scans for NETBIOS shares and attempts to use common username and password combinations to gain access to the remote machine. Phatbot can also propagate by exploiting unpatched vulnerabilities in the Microsoft Windows operating system including vulnerabilities in WebDAV, DCOM, and the Windows Workstation service. These vulnerabilities may be related to the following Vulnerability Notes:

• VU#117394 - Buffer Overflow in Core Microsoft Windows DLL
• VU#568148 - Microsoft Windows RPC vulnerable to buffer overflow
• VU#254236 - Microsoft Windows RPCSS Service contains heap overflow in DCOM request filename handling
• VU#567620 - Microsoft Windows Workstation service vulnerable to buffer overflow when sent specially crafted network message

It also has the ability to infect a system by taking advantage of the backdoor installed when a system is infected with W32/MyDoom and by exploiting a vulnerability in Dameware.

• W32/Mydoom or W32/Novarg
• VU#909678 - DameWare Mini Remote Control vulnerable to buffer overflow via specially crafted packets

Once a system is infected, Phatbot will attempt to join an existing IRC channel or P2P network. An attacker can control infected systems by issuing commands to this IRC channel or by sending messages to this P2P network. Phatbot contains an extensive list of commands that provide control over the victim's system. Affected systems allow the remote user to have full access to the file system and the ability to execute arbitrary code on the victim's system. Additionally, Phatbot will attempt to terminate a large number of security related processes (i.e, firewall, anti-virus) and also attempts to terminate instances of other Trojans that have already infected the victim's system (i.e., MSBlast, Welchia, Sobig.F).

US-CERT strongly encourages users to install and maintain anti-virus software as well as patch their systems to prevent exploitation of the listed vulnerabilities.

You may also wish to visit the US-CERT's computer virus resources page.

US-CERT continues to receive reports of new variants of the W32/Beagle mass-mailing virus. The most recent variant is W32/Beagle.Z (discovered on April 26th).

W32/Beagle arrives as an attachment to an email message containing a From: address that is spoofed to hide the identity of the sender. The virus is included as an attachment to this email message; often as an executable file (.COM, .CPL, .EXE, .HTA, .SCR, .VBS) or password protected archive file (.ZIP, .RAR) containing the executable file. The password for the archive file is included in the body of the message. To be infected by variants arriving in an archive file, a user must open the .ZIP or .RAR archive, enter the password from the body of the email, extract the .EXE file, and then open it.

Some variants of W32/Beagle are known to open a backdoor on an infected system (2535/tcp, 2556/tcp, 2745/tcp, 6667/tcp, or 8866/tcp) or display a pop-up window containing the text "Can't find a viewer associated with the file".

US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password protected archive files so users must use discretion when opening archive files and should scan files once extracted from an archive.

You may also wish to visit the US-CERT's computer virus resources page.

US-CERT continues to receive reports of new variants of the W32/Netsky mass-mailing virus. The most recent variant is W32/Netsky.AB (discovered on April 27th).

W32/Netsky arrives as an attachment to an email message containing a From: address that is spoofed to hide the identity of the sender. The Subject and Body of the email message are randomly selected from a fixed list of strings. The attachment has a .PIF file extension with a file name selected from a fixed list of strings. Upon opening the attachment, the virus scans certain files on the user's system collecting email addresses and then attempts to mail itself to all email addresses it found. It has also been reported that certain variants of the virus may do the following:

• Generate audible PC speaker beeps with varying pitches and rhythms.
• Exploit a known vulnerability in Internet Explorer (VU#980499) to automatically execute the infected attachment in certain mail clients.
• Perform a denial of service attack against a list of pre-determined sites if the system clock is between a specific set of dates.
• Evaluate the top-level domain of the email address. It then proceeds to send a message written in the language of that country's top-level domain.
• Open a backdoor on the infected system.

Please see US-CERT Incident Note IN-2004-02 for more information.

US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

You may also wish to visit the US-CERT's computer virus resources page.

US-CERT continues to receive reports of new variants of the W32/MyDoom virus. The most recent variant is W32/MyDoom.H (discovered on March 3rd).

Many of these variants open backdoors on an infected system (on ports 3127/tcp, 3176/tcp or 1080/tcp) which allow the virus to download and execute arbitrary code. Some of the newer variants scan for and use the backdoors on previously infected systems to re-infect the system. These backdoors can also be used by an attacker to gain access to the system.

Some variants search for and may delete files with certain extensions (.mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp).

During certain time periods, some variants may perform a Denial of Service (DoS) attack against certain websites.

The many variants of W32/MyDoom typically arrive as an email message with an attachment. In addition to email propagation, the virus attempts to spread through peer-to-peer file sharing networks by copying itself into directories typically used by file sharing software.

More information on early variants of W32/MyDoom is available in US-CERT Incident Note IN-2004-01 and US-CERT Advisory CA-2004-02.

US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

You may also wish to visit the US-CERT's computer virus resources page.