IDGNet Virus & Security Watch Friday 10th January 2003

This issue's topics:

Introduction:

* Worms, Windows XP Shell, IPD, multiple SSH & plethora of Unix/Linux patches

Virus News:

* ExploreZip variant over-hyped?

* Singing Avril's praises...

* Yaha.K cutting a swathe through PCs

Security News:

* Critical buffer overflow in Windows XP shell patched

* Integrity Protection Driver update fixes two security flaws

* Multiple SSH vulnerabilities

* Multiple fixes in multiple popular Unix/Linux applications and kernels

Introduction:

Welcome back to a new year of bug and virus hunting, patching and all the other things that make IT security a fun job!

This week we have three virus stories and a plethora of system patches and updates, particularly for the Unix and Linux administrators. Windows administrators have a critical patch for all Windows XP machines under their purview, and users of Pedestal Software's IPD have another update to fix a simple bypass of its protection of the contents of the system's 'drivers' directory.

Virus News:

* ExploreZip variant over-hyped?

One of the 'security intelligence' firms warned on Wednesday that it had found a new variant of ExploreZip circulating 'in the wild'. Oddly, only ten copies are reported as having been detected by MessageLabs. As usual, the major antivirus companies whose products did not detect the new variant quickly produced updates that included detection of this new variant, which is really just the original ExploreZip packaged with a different runtime decompressor.

ExploreZip is worrisome because of its nasty, and near-immediate, payload. However, being an 'old school' mass-mailer it does not incorporate any of the auto-execute tricks of more recent - and more 'successful' - mass-mailers. Further, the attachment filtering policies in place on most company mail servers nowadays mean that even if this new variant's attachment is not detected as a known virus, its type (a plain and unobfuscated Windows executable program file) should see its delivery blocked anyway.

It seems this will be a squall in a thimble...

MessageLabs Threat List - messagelabs.com

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

* Singing Avril's praises...

Another popular culture figure has been used as the bait to lure the unwary into running a virus. Avril Lavigne is used in this way by the new Win32/Lirva viruses, much as earlier viruses have used Jennifer Lopez, Anna Kournikova and Shakira. Several variants have been found in the last few days and, as is not uncommon, several names have been used for them - Lirva, Avril, Naith and Avron...

The precise features of each of the variants need not be described here, but all are mass-mailers and can, though do not always, call upon Ms Lavigne in the messages they generate; some messages instead suggest the attachment is an urgent security update from Microsoft, and yet other message texts are also used. Some variants also spread via shared network drives, IRC and the KaZaA P2P network. The HTML e-mail messages the virus generates attempt to exploit the now archaic 'Incorrect MIME Header' vulnerability (described in MS01-020), allowing the attachment to auto-execute on suitably unpatched machines.

MessageLabs (which calls the virus Naith) reports blocking huge numbers of this virus addressed to its customers, as you can see at the VirusEye link below.

MessageLabs VirusEye - messagelabs.com

Computer Associates Virus Information Center (13969)

Computer Associates Virus Information Center (13981)

Computer Associates Virus Information Center (13982)

F-Secure Security Information Center (lirva)

Kaspersky Lab Virus Encyclopedia (58631)

Network Associates Virus Information Library (lirva)

Sophos Virus Info (w32.avril.a)

Sophos Virus Info (w32.avril.b)

Symantec Security Response (w32.lirva.a)

Symantec Security Response (w32.lirva.c)

Trend Micro Virus Information Center (w32.lirva.a)

Trend Micro Virus Information Center (w32.lirva.c)

* Yaha.K cutting a swathe through PCs

Despite recent attention going to the two viruses above, Win32/Yaha.K has become very widespread in the three weeks or so since it was discovered just before Christmas. Taking a leaf from Klez.H's book, Yaha forges the From: address in its e-mail messages. Although it will not have much success penetrating corporate networks because they commonly block all executable attachments, Yaha seems to have hit a winning formula among home and smaller business users, offering itself as a screensaver. Windows screensavers are essentially just executables renamed to a .SCR extension, but it seems typical users are not as suspicious of such files as this fact suggests they should be.

Klez.H, like several other recent 'successful' mass-mailers, has used HTML e-mail messages that exploit the MS01-020 'Invalid MIME Header' vulnerability to auto-execute its attachments on victim machines not patched against this flaw. It is generally believed that use of such tricks greatly improves a mass-mailer's chances of becoming widespread. Although Yaha.K does send HTML e-mail messages, it does not use any of the auto-execute (nor any other) security exploits, yet seems to have been quite successful despite this.
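The two defensive points made above (block attachments by what they actually are, not by their extension, and treat a MIME part whose declared type disagrees with its content as suspect, which is the shape of the MS01-020 trick) are easy to turn into a gateway check. The following is an added example written for this newsletter summary, not code from any of the vendors named here. The message it inspects is constructed inline; the addresses, filenames and the truncated PE stub are all made-up sample data.

```python
"""Gateway-style attachment check: identify Windows executables by content
rather than by file extension, and flag MIME parts whose declared type
disagrees with what they actually carry.

Added example; the sample message below is constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a PE file: the DOS 'MZ' signature is all the
# check below needs, the rest is padding (not a real or runnable binary).
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 32

# Extensions Windows will run as programs even though users often do not
# think of them that way (a .SCR screensaver is just a renamed executable).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_sample_message() -> bytes:
    """Constructed sample: an HTML mail with three attachments."""
    msg = EmailMessage()
    msg["From"] = "forged.sender@example.invalid"   # constructed, like a forged From:
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Avril Lavigne screensaver"
    msg.set_content("<html><body>See attachment.</body></html>", subtype="html")
    # 1. a 'screensaver' that is really an executable
    msg.add_attachment(PE_STUB, maintype="application", subtype="octet-stream",
                       filename="avril.scr")
    # 2. declared as audio, but the body is an executable (MS01-020 style)
    msg.add_attachment(PE_STUB, maintype="audio", subtype="x-wav",
                       filename="song.wav")
    # 3. a genuine-looking WAV header, declared as audio: nothing to flag
    msg.add_attachment(b"RIFF\x24\x00\x00\x00WAVEfmt ", maintype="audio",
                       subtype="x-wav", filename="real.wav")
    return msg.as_bytes()


def is_pe_executable(data: bytes) -> bool:
    """True if the payload starts with the DOS 'MZ' signature of a PE file."""
    return data[:2] == b"MZ"


def classify_attachments(raw: bytes) -> list:
    """Return (filename, declared_type, verdict) for every attachment part.

    The content check runs first, so renaming the file or mislabelling the
    MIME type does not get an executable past the filter.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if is_pe_executable(payload) and not declared.startswith("application/"):
            verdict = "block:declared-type-mismatch"
        elif is_pe_executable(payload):
            verdict = "block:executable-content"
        elif ext in EXEC_EXTENSIONS:
            verdict = "block:executable-extension"
        else:
            verdict = "allow"
        results.append((name, declared, verdict))
    return results


if __name__ == "__main__":
    for name, declared, verdict in classify_attachments(build_sample_message()):
        print(f"{name:12} {declared:26} {verdict}")
```

The order of the checks is the point: an extension-only policy would pass `song.wav`, and a declared-type-only policy would pass both `song.wav` and a `.scr` relabelled as `application/octet-stream`; looking at the first bytes of the decoded payload catches both. Real gateways pair this with a fuller signature table (archives, Office documents with macros) and with the antivirus scan the newsletter describes, but the structure is the same.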

Computer Associates Virus Information Center (13895)

F-Secure Security Information Center (w32.yaha.k)

Network Associates Virus Information Library (w32.yaha.k)

Sophos Virus Info (w32.yaha.k)

Symantec Security Response (w32.yaha.k)

Trend Micro Virus Information Center (WORM_YAKA.K)

Security News:

* Critical buffer overflow in Windows XP shell patched

Microsoft's last security patch for 2002 fixes a buffer overflow in a function of the Windows Shell that extracts custom attribute information from certain types of audio files. This vulnerability can be exploited remotely and could be used, with a carefully crafted audio file, to execute code of an attacker's choice on victim machines. All versions of Windows XP are affected - Home, Professional, Tablet PC and Media Center - but no earlier versions of Windows are vulnerable.

Microsoft rightly rates the severity of this vulnerability as critical. All XP users are recommended to obtain and install the patch as soon as practicable.

Microsoft Security Bulletin (MS02-072)

* Integrity Protection Driver update fixes two security flaws

Pedestal Software has released another update to its Integrity Protection Driver (IPD) for NT 4.0, Windows 2000 and XP. IPD v1.4 fixes a problem in the way IPD protected the 'drivers' directory. In short, the previous mechanism could be easily bypassed via directory tree 'remapping' tools such as 'subst'. The fix in v1.4 is to lock each driver file, whether it is loaded or not.

Integrity Protection Driver home page - pedestalsoftware.com

* Multiple SSH vulnerabilities

Rapid7 security researchers released an advisory late last year detailing several vulnerabilities in several implementations of the SSH2 protocol. Most vendors have responded by now, updating affected products or stating that their products are not affected. There is some disagreement between Rapid7 and some vendors as to the seriousness of the problems in any given implementation, and additional vendors whose products were not mentioned in the advisory have since commented on whether their products are vulnerable to the problems Rapid7 uncovered. The CERT advisory on these issues collects those responses and is therefore also a good resource for users of products implementing SSH protocols to check.

Rapid 7 Advisory R7-0009 - rapid7.com

CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations

* Multiple fixes in multiple popular Unix/Linux applications and kernels

Several popular Unix and/or Linux tools or applications have recently been updated to fix serious security flaws. Included among these are the Common Unix Printing System (CUPS), fetchmail, imapd, mod_php, MySQL, OpenLDAP, Perl, PHP, SquirrelMail and wget. Further, exploitable integer overflows in the Linux and FreeBSD kernels have been found and fixed.

Most of these problems have been fixed in the popular or affected distributions, so check with your distributors for updated packages or with the usual primary sources if you prefer building your own.
