
December 21, 2004 - Current Activity

    This is an archived copy of current activity.

    Contents:

    • Santy Worm (new)
    • W32/Zafi.D
    • W32/Sober Revisited
    • W32/MyDoom Revisited
    • W32/Bagle Revisited
    • Exploit for Microsoft GDI+ JPEG Parser
    • W32/Sasser
    • Exploitation of Outlook Express MHTML cross-domain scripting vulnerability



    Santy
    added December 21

    US-CERT is aware of a new worm known as "Santy" that is exploiting web servers with PHP (Hypertext Preprocessor) enabled and running phpBB bulletin board software. US-CERT is continuing to investigate and will publish more complete analysis as information becomes available.

    It is reported that phpBB 2.0.11 is not affected by this issue. It is recommended that sites running PHP and phpBB consider upgrading to the most recent, stable versions to mitigate the threat of this worm.

    You may also wish to visit US-CERT's computer virus resources page.


    W32/Zafi.D
    added December 14

    US-CERT has received reports of a new variant of the Zafi virus referred to as "W32/Zafi.D" or "W32.Erkez.D@mm". It arrives as an attachment to an email containing a holiday greeting message. Upon opening the attachment, the virus scans certain files on the user's system to collect email addresses, then attempts to mail itself to every address it found. It also displays the error message "Error in packed file!".

    In addition to email propagation, the virus attempts to spread through peer-to-peer file sharing networks by copying itself as either 'winamp 5.7 new!.exe' or 'ICQ 2005a new!.exe' into certain folders on the user's system.

    US-CERT strongly encourages users to install anti-virus software and keep its virus signature files up-to-date.

    You may also wish to visit US-CERT's computer virus resources page.


    W32/Sober Revisited
    added November 19

    Twelve months since the W32/Sober mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Sober are known to use their own SMTP engine to spread through email.

    The most recent variant is W32/Sober.I (discovered on November 19th). This variant arrives as an email message with the following characteristics:

    • Spoofed From address
    • A Subject line that may be in either English or German and is selected from a predetermined list
    • Body text that may be in either English or German and is selected from a predetermined list
    • Attachment with a .BAT, .COM, .PIF, .SCR, or .ZIP file extension

    US-CERT strongly encourages users to install anti-virus software and keep its virus signature files up-to-date.

    You may also wish to visit US-CERT's computer virus resources page.


    W32/MyDoom Revisited
    added July 26 | updated November 22

    Nine months since the W32/MyDoom mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/MyDoom are known to open a backdoor and use their own SMTP engine to spread through email. This virus has also been identified as W32/Bofra by some vendors.

    Recent reports to US-CERT indicate that the W32/MyDoom variants propagate and communicate on TCP ports 1639, 1640, and 6667. The variants recently discovered on November 8th and 9th of 2004 may attempt to exploit an IFRAME vulnerability in Microsoft Internet Explorer, described in VU#842160. These variants may arrive as an email message with the following characteristics:

    • Spoofed From address
    • A Subject line containing one of the following:
      • Hi!
      • <blank>
      • <random characters>
      • Confirmation
      • funny photos :)
      • hello
      • hey!
    • Body text containing a URL that leads to a malicious site.

    Upon clicking on the URL, the user will visit a web page that attempts to exploit VU#842160. At the current time there are no patches to address this vulnerability. Users should consider implementing the workarounds described in VU#842160.

    As a general rule, US-CERT recommends filtering all types of network traffic that are not required for normal operation by using a firewall, IPsec policies, or similar technology. If this is impractical, sites should consider blocking both inbound and outbound traffic to the ports listed above at both the host and network level, depending on network requirements.

    If access cannot be blocked for all external hosts, US-CERT recommends limiting access to only those hosts that require it for normal operation.

    Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source. Users are encouraged to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password protected archive files, so users must use discretion when opening archive files and should scan files once extracted from an archive.

    You may also wish to visit US-CERT's Computer Virus Resources page for additional information.


    W32/Bagle Revisited
    added July 16 | updated October 29

    Nine months since the W32/Bagle mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Bagle are known to open a backdoor on an infected system, which can lead to further exploitation by remote attackers.

    The most recent variant is W32/Bagle.AV (discovered on October 29th). This variant arrives as an email message with the following characteristics:

    • Spoofed From address
    • A Subject line containing one of the following:
      • Re:
      • Re: Hello
      • Re: Hi
      • Re: Thank you!
      • Re: Thanks :)
    • Body text containing one of the following:
      • :)
      • :))
    • Attachment with a filename of Price, price, or joke and a .COM, .CPL, .EXE, or .SCR file extension

    US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password protected archive files so users must use discretion when opening archive files and should scan files once extracted from an archive.
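    The message characteristics listed in the W32/Sober.I, W32/MyDoom and W32/Bagle.AV entries above, together with the caveat that anti-virus software may not be able to scan password-protected archives, can be turned into a mail-gateway triage check. The Python below is an added example written for this page, not US-CERT code: the indicator sets are transcribed from the three entries, the sample messages and the "report.zip" archive are constructed test data, and setting the ZIP encryption flag by patching the header bytes is a test-only substitute for a real password-protected archive (the zipfile module cannot write one). The "<random characters>" MyDoom subject is not modelled.

```python
import io
import os
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Indicators transcribed from the W32/Sober.I, November 2004 W32/MyDoom and
# W32/Bagle.AV entries above. All matching is case-insensitive.
SOBER_I_EXTS = {".bat", ".com", ".pif", ".scr", ".zip"}
MYDOOM_SUBJECTS = {"hi!", "", "confirmation", "funny photos :)", "hello", "hey!"}
BAGLE_AV_SUBJECTS = {"re:", "re: hello", "re: hi", "re: thank you!", "re: thanks :)"}
BAGLE_AV_BODIES = {":)", ":))"}
BAGLE_AV_NAMES = {"price", "joke"}
BAGLE_AV_EXTS = {".com", ".cpl", ".exe", ".scr"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def _attachments(msg):
    """Yield (lower-cased filename, decoded bytes) for each attachment part."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name.lower(), part.get_payload(decode=True) or b""

def _body_text(msg):
    """Return the first text/plain body part, stripped and lower-cased."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace").strip().lower()
    return ""

def encrypted_zip_members(data):
    """Names of ZIP members with the encryption bit (general-purpose flag bit 0)
    set; a scanner cannot inspect these by content. Non-ZIP data yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []

def assess_message(raw):
    """Return the indicator names that one raw RFC 5322 message (bytes) matches."""
    msg = message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body = _body_text(msg)
    atts = list(_attachments(msg))
    hits = []
    # Sober.I: attachment with one of the listed extensions (weak on its own).
    if any(os.path.splitext(n)[1] in SOBER_I_EXTS for n, _ in atts):
        hits.append("sober_i_attachment_type")
    # MyDoom (Nov 2004): listed subject plus a URL lure in the body.
    if subject in MYDOOM_SUBJECTS and URL_RE.search(body):
        hits.append("mydoom_url_lure")
    # Bagle.AV: listed subject, smiley body, price/joke attachment with a listed extension.
    bagle_att = any(os.path.splitext(n)[0] in BAGLE_AV_NAMES
                    and os.path.splitext(n)[1] in BAGLE_AV_EXTS for n, _ in atts)
    if subject in BAGLE_AV_SUBJECTS and body in BAGLE_AV_BODIES and bagle_att:
        hits.append("bagle_av_pattern")
    # Password-protected ZIPs: hold for manual handling rather than trusting the scanner.
    if any(n.endswith(".zip") and encrypted_zip_members(d) for n, d in atts):
        hits.append("password_protected_zip")
    return hits

# Constructed test data (not captured mail).
def build_zip(member_name, content, mark_encrypted=False):
    """In-memory ZIP. zipfile cannot write encrypted archives, so the encryption bit
    is set by patching the flag field of the local (offset 6) and central (offset 8) headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(sig)
            while i != -1:
                data[i + off] |= 0x1
                i = data.find(sig, i + 1)
    return bytes(data)

def build_sample(subject, body, filename=None, payload=b""):
    """Build one constructed sample message as bytes."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

SAMPLES = {
    "bagle": build_sample("Re: Thank you!", ":)", "price.exe", b"MZ\x90\x00"),
    "mydoom": build_sample("funny photos :)", "see http://example.invalid/photos"),
    "sober_zip": build_sample("Document", "please read", "report.zip",
                              build_zip("report.txt", "x", mark_encrypted=True)),
    "benign": build_sample("Meeting notes", "See you at 10.", "notes.txt", b"agenda"),
}
```

    Calling `assess_message(SAMPLES["sober_zip"])` returns both the Sober-style attachment indicator and the password-protected ZIP flag, which is the case where a signature scanner alone gives no verdict and the message should be held rather than passed. The subject and body lists are exact-match on purpose: loosening them to substring matches would catch every "Re:" reply in the organisation.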

    You may also wish to visit US-CERT's computer virus resources page.


    Exploit for Microsoft GDI+ JPEG Parser
    added September 29

    US-CERT is aware of exploitation of a JPEG parsing vulnerability in the Microsoft GDI+ library. By convincing a victim to view a specially crafted JPEG image with a program that uses the GDI+ library, an attacker could execute arbitrary code with the privileges of the victim. Affected programs include Microsoft Internet Explorer, Office, Outlook, Outlook Express, and Windows Explorer. An attacker could exploit this vulnerability to install malicious code which might permit access to your computer.

    More information about the vulnerability is available in VU#297462.

    Microsoft has released patches for this vulnerability in Microsoft Security Bulletin MS04-028. Microsoft also suggests reading email in plain text mode to reduce the risk associated with the HTML email attack vector. Note that this workaround will prevent HTML formatted email messages from displaying properly.


    W32/Sasser
    added May 1 | updated June 24

    US-CERT continues to receive reports of a worm known as "W32/Sasser". This worm attempts to exploit a buffer overflow vulnerability in the Windows Local Security Authority Subsystem Service (LSASS). The vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information on this vulnerability is available in Vulnerability Note VU#753212 and Microsoft Security Bulletin MS04-011.

    The worm has been reported to propagate by scanning random IP addresses on port 445/tcp to identify vulnerable systems. When a vulnerable system is found, the worm will exploit the LSASS vulnerability, create a remote shell on port 9996/tcp, and start an FTP server on port 5554/tcp. The victim system will then connect back to the attacking system on port 5554/tcp to retrieve a copy of the worm. Systems infected by this worm may notice significant performance degradation.
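    The propagation sequence just described (a sweep of 445/tcp, a shell on 9996/tcp on the exploited host, and the victim connecting back to 5554/tcp to fetch the worm) shows up clearly in perimeter or host firewall connection logs, as do the 1639, 1640 and 6667 ports the W32/MyDoom entry above recommends blocking. The Python below is an added detection example written for this page, not US-CERT code. The one-line-per-connection log format, the 20-targets-in-60-seconds sweep threshold and the sample log are all constructed for the example; the indicator names are hypothetical labels.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the W32/Sasser and W32/MyDoom entries above.
SASSER_SCAN_PORT = 445          # the worm scans random addresses on 445/tcp
SASSER_SHELL_PORT = 9996        # remote shell created on the exploited host
SASSER_RETRIEVAL_PORT = 5554    # FTP server the new victim connects back to
MYDOOM_PORTS = {1639, 1640, 6667}
SCAN_THRESHOLD = 20             # distinct 445/tcp targets from one source within WINDOW (assumed)
WINDOW = timedelta(seconds=60)

def parse_line(line):
    """Parse one constructed log line '<ISO time> <src> <sport> <dst> <dport>';
    returns (ts, src, sport, dst, dport) or None when the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        return ts, parts[1], int(parts[2]), parts[3], int(parts[4])
    except ValueError:
        return None

def max_distinct_in_window(events, window):
    """events: time-sorted (ts, dst) pairs. Largest number of distinct dst
    addresses seen inside any sliding window of the given length (two pointers)."""
    seen, left, best = defaultdict(int), 0, 0
    for ts, dst in events:
        seen[dst] += 1
        while ts - events[left][0] > window:
            old = events[left][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            left += 1
        best = max(best, len(seen))
    return best

def detect(lines, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return sorted (host, indicator) pairs found in the connection log lines."""
    scans = defaultdict(list)
    findings = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines instead of crashing
        ts, src, _sport, dst, dport = rec
        if dport == SASSER_SCAN_PORT:
            scans[src].append((ts, dst))
        elif dport == SASSER_SHELL_PORT:
            findings.add((dst, "sasser_service_port_9996"))
        elif dport == SASSER_RETRIEVAL_PORT:
            findings.add((dst, "sasser_service_port_5554"))   # host serving the worm copy
            findings.add((src, "sasser_retrieval_client"))    # freshly exploited host
        elif dport in MYDOOM_PORTS:
            findings.add((dst, f"mydoom_port_{dport}"))       # weak: 6667 is also ordinary IRC
    for src, events in scans.items():
        events.sort()
        if max_distinct_in_window(events, window) >= threshold:
            findings.add((src, "sasser_scan_445"))
    return sorted(findings)

def constructed_log():
    """Constructed firewall-style connection log for the example (not real traffic)."""
    base = datetime(2004, 5, 1, 10, 0, 0)
    lines = [f"{base + timedelta(seconds=i):%Y-%m-%dT%H:%M:%S} 10.0.0.5 {1030 + i} 10.0.3.{i + 1} 445"
             for i in range(25)]                                # 25 targets in 25 s: a sweep
    lines += [
        "2004-05-01T10:00:30 10.0.0.5 1060 10.0.3.7 9996",      # shell on the exploited host
        "2004-05-01T10:00:31 10.0.3.7 1100 10.0.0.5 5554",      # victim fetches the worm
        "2004-05-01T10:00:00 10.0.0.9 2000 10.0.3.1 445",       # ordinary file-server use
        "2004-05-01T10:01:00 10.0.0.9 2001 10.0.3.1 445",
        "2004-05-01T10:05:00 10.0.0.9 2010 198.51.100.4 6667",
        "not a log line",
    ]
    return lines

EXPECTED = [
    ("10.0.0.5", "sasser_scan_445"),
    ("10.0.0.5", "sasser_service_port_5554"),
    ("10.0.3.7", "sasser_retrieval_client"),
    ("10.0.3.7", "sasser_service_port_9996"),
    ("198.51.100.4", "mydoom_port_6667"),
]
```

    Running `detect(constructed_log())` yields the `EXPECTED` list: the scanning host is named twice (sweep plus worm-serving port), the exploited host twice (shell plus retrieval), and the ordinary 445/tcp file-server client is not flagged because it never exceeds the sweep threshold. The 445 sweep is the earliest and most reliable signal; the 5554 and 9996 hits confirm a successful exploitation and identify which host to isolate first.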

    US-CERT strongly encourages users to install anti-virus software and keep its virus signature files up-to-date.

    You may also wish to visit US-CERT's computer virus resources page.


    Exploitation of Outlook Express MHTML cross-domain scripting vulnerability
    added April 7 | updated April 21

    US-CERT is aware of exploitation of a cross-domain scripting vulnerability in the Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler. The MHTML protocol handler is installed as part of Outlook Express and uses Internet Explorer (IE) to access mhtml: URLs. Microsoft Windows systems install Outlook Express, IE, and the vulnerable MHTML handler by default.

    By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute arbitrary code with the privileges of the user running IE and possibly read or modify content in another web site.

    More information about the vulnerability is available in TA04-099A and VU#323070.

    This vulnerability appears to be exploited by the Ibiza trojan, W32/Bugbear.E, and various web sites that host malicious URLs and related malware. Exploits also may be identified as BloodHound.Exploit.6. Attackers may distribute malicious URLs in unsolicited email, instant messages, chat rooms, or web forums. Attackers may also distribute exploits in HTML email messages.

    This vulnerability is remedied by the patches described in Microsoft Security Bulletin MS04-013. For additional protection against these types of attacks, do not click on unsolicited links and maintain updated anti-virus software.

    Please see US-CERT Incident Note IN-2004-02 for more information.

    US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

    You may also wish to visit US-CERT's computer virus resources page.