IDGNet Virus & Security Watch Friday 11th October 2002


This issue's topics:

Introduction:

* Critical OE patch, sendmail Trojanized, Apache patches and more worms

Virus News:

* Short-lived worm reaches its goal?

* The worm turns - new twist to Opaserv

* More than 80% of China's computers have been infected

Security News:

* Patch fixes remotely exploitable buffer overflow in OE 5.5 & 6.0

* Apache fixes XSS in error page handling

* Trojaned Sendmail 8.12.6 distribution

* Bug allows bypass of smrsh restrictions

Introduction:

It came to light this week that another critical security patch, specifically for Outlook Express, was included in both Windows XP SP1 and IE 6.0 SP1 and not previously divulged. This became obvious with the release of the standalone patch, which was necessary as the vulnerability also affects IE 5.5. And it was not a good week for the sendmail folk, when it was discovered the latest release of their popular mail server code had been Trojanized on their own servers. A patch is available for another security flaw in a different sendmail product, smrsh, and several security patches have been released for Apache.

On the virus front, a new worm may have met its writer's objectives despite being very short-lived: its single distribution server was closed within a few hours of its appearance, but that may well have been enough time for it to get what its writer was looking for. Following last week's report of the Opaserv worm, it was discovered to take advantage of a little-known but very serious security flaw in Windows 95, 98 and ME. Finally, worrying figures from the world's largest emerging computer market: 80% of China's computers have reportedly been hit by a virus in the last year.

Virus News:

* Short-lived worm reaches its goal?

Despite some media attention, the Fleming (or Rodok or Henpeck) worm was very short-lived. Like several other malicious programs, when run on a victim's machine Fleming posts messages to the MSN Messenger network that attempt to entice other MSN Messenger users to download a program from a web site and run it. In this case, as in the others, the web site serving the program file was quickly closed (or at least the file removed), so the worm had a very brief lifespan.

This may, however, have been enough for the worm's author to get what he wanted. As well as sending MSN Messenger messages as already described, Fleming also downloads a backdoor and DDoS agent program (from the same web site as the main worm program). Perhaps the main aim of the worm though was to steal the CD key of the popular Half-Life and Counter Strike games. This information is stored in the registry and if the main worm finds these values present, it sends another message, via MSN Messenger, presumably to its writer.

Computer Associates Virus Information Center - Win32.Fleming.A

F-Secure Security Information Center - Henpeck

Kaspersky Lab Virus Encyclopedia - Worm.Win32.Fleming

Network Associates Virus Information Library - W32/Fleming.worm

Sophos Virus Info - W32/Rodok-A

Symantec Security Response - Henpeck

Trend Micro Virus Information Center - Rodok.A

* The worm turns - new twist to Opaserv

Opaserv, one of the two viruses reported last week, turned out to be more interesting than originally thought. Over the weekend following its initial discovery and the reporting of it in last week's issue of the newsletter, it was noted in several places that Opaserv kept re-infecting many machines, despite good passwords having been set on their shares as part of the cleanup process.

Closer examination of the worm's network spreading code showed that Opaserv was, in fact, attempting to exploit an old share-level password check vulnerability on Windows 95, 98 and ME machines. Users of those OSes should thus double-check that they have the patches linked from the MS00-072 security bulletin installed.

Microsoft Security Bulletin MS00-072

(We have only listed the Opaserv descriptions that were updated to describe the password exploit by newsletter 'press time'.)

Computer Associates Virus Information Center - Win32.Opaserv.A

Network Associates Virus Information Library - W32/Opaserv.worm

Symantec Security Response - W32.Opaserv.Worm

Trend Micro Virus Information Center - Worm_Opaserv.A

* More than 80% of China's computers have been infected

If a recent report from the National Computer Virus Emergency Response Centre in China is to be believed (and we can't imagine why the Chinese - or anyone - would fabricate such a story), approximately 84% of Chinese computers have suffered at least one computer virus infection in the last year. More details in the Reuters report, linked below.

China Says Viruses Infect 80 Percent of Computers

Security News:

* Patch fixes remotely exploitable buffer overflow in OE 5.5 & 6.0

Microsoft has released a patch that repairs a buffer overflow in the S/MIME parsing code of Outlook Express 5.5 and 6.0. This vulnerability could be remotely exploited by an attacker sending a specially malformed message to an OE user. When such a message is read by OE, the buffer overflow could be triggered and code of the attacker's choice run on the host machine with the privileges of the user running OE. Microsoft rates the severity of this threat as 'critical' for workstation machines (best practice dictates that typical end-user actions such as reading e-mail and browsing the web should not be performed via interactive logins on servers).

Users of OE 5.5 or 6.0 should obtain and install the patch linked from the Microsoft security bulletin as soon as is practicable. However, the patch was included in IE 6.0 SP1 and Windows XP SP1, so if you have already installed either service pack - as you should by now if using those products - you need not get the standalone patch. Microsoft claims that Outlook is not affected by this vulnerability. Earlier versions of OE may be affected but are no longer supported.

Microsoft Security Bulletin MS02-058

* Apache fixes XSS in error page handling

Apache 1.3.27 and 2.0.43 releases fix a cross-site scripting flaw in the default 404 error page and a few other security flaws. Build a new version from the patched source or grab pre-built binaries from the Apache distribution sites, or check with your OS vendor for an updated package if your OS ships Apache.

Apache HTTP Server Distributions - apache.org

Apache SSI Cross Site Scripting Vulnerability - securityfocus.com
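The bug class behind the Apache item above, as an added Python illustration that is not Apache's own C code or patch: a 404 page that reflects the requested path must HTML-escape it before splicing it into the page, otherwise markup in the path is rendered by the victim's browser. The page template, function names and the probe path are constructed for this example.

```python
import html

# Skeleton of an Apache-style error page; {} is where the request path is reflected.
TEMPLATE = ("<html><head><title>404 Not Found</title></head><body>"
            "<h1>Not Found</h1><p>The requested URL {} was not found on this "
            "server.</p></body></html>")


def error_page_unescaped(request_uri):
    """The weak form: the client-supplied path is spliced straight into HTML,
    so any markup contained in the path is rendered by the browser."""
    return TEMPLATE.format(request_uri)


def error_page_escaped(request_uri):
    """The hardened form: html.escape turns < > & " ' into entities, so the
    path is displayed as text whatever it contains."""
    return TEMPLATE.format(html.escape(request_uri, quote=True))


def reflects_markup(page, request_uri):
    """Regression check for an error page generator: True if any
    HTML-significant character present in the request path survives
    unescaped inside the page's <p> body."""
    body = page.split("<p>", 1)[1].split("</p>", 1)[0]
    return any(ch in body for ch in "<>\"'" if ch in request_uri)


# Constructed probe of the kind a vulnerability scanner would request.
PROBE = "/nosuchpage<script>alert(1)</script>"
```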

* Trojaned Sendmail 8.12.6 distribution

Trojanized copies of the source code of the most recent version of the popular Unix e-mail server sendmail were placed on central sendmail distribution servers around 28 September. On 6 October the files sendmail.8.12.6.tar.Z and sendmail.8.12.6.tar.gz on the ftp.sendmail.org server were found to have been Trojanized. The same files, distributed via http, had not been modified. Anyone who uses sendmail and downloaded 8.12.6 during that timeframe is especially strongly encouraged to check the PGP signatures, although that should be standard practice anyway. Many sites mirror the sendmail distribution and the contents of all these should also be treated with suspicion - again, checking the sendmail PGP signatures for the distribution is your means to determine whether you have the real McCoy or an imposter version.

The Trojanized code installs a backdoor, with the access permissions of the person building sendmail from the Trojan distribution, onto the _build machine_. It appears this remote access Trojan takes no measures to be run at startup, so a simple precautionary measure, should you have built sendmail during the suspect period, is to shut down and restart the box that ran the build. The machine running the newly built version of sendmail is only backdoored if it is also the build machine.

sendmail.org's FTP server is still out of service while the break-in is investigated, but the unaltered source is available via http.

CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
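The signature check recommended above, as an added Python example that is not from the newsletter or from sendmail.org: it runs gpg on a detached signature and accepts the result only if the signing key's fingerprint matches one pinned in advance, because a tarball and a matching .sig planted on a compromised server or mirror could both be signed with the intruder's own key. The pinned fingerprint and the sample gpg status lines are constructed placeholders, not sendmail's real key.

```python
import subprocess

# Constructed placeholder, NOT sendmail's real key: pin the fingerprint you
# obtained out-of-band (a previously verified release, a trusted peer).
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
REJECT_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG"}

def gpg_status_lines(sig_path, data_path):
    """Verify a detached signature and return gpg's machine-readable
    --status-fd lines, which are stable across versions unlike stderr text."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()

def judge_signature(status_lines, expected_fpr=EXPECTED_FPR):
    """Return (ok, reason). ok only for a GOODSIG whose VALIDSIG fingerprint
    (or reported primary key) is the pinned one: a good signature from *some*
    key proves nothing about a tarball from a compromised server or mirror."""
    good, fingerprints = False, set()
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in REJECT_TAGS:
            return False, tag
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            fingerprints.add(fields[2].upper())        # signing (sub)key
            if len(fields) > 11:
                fingerprints.add(fields[11].upper())   # primary key, if given
    if not good:
        return False, "no GOODSIG"
    if expected_fpr.upper() not in fingerprints:
        return False, "signed by unexpected key"
    return True, "ok"

# Constructed sample status output, shaped like gpg's for a detached .sig.
SAMPLE_GOOD = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Release Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2002-09-26 "
    "1033000000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567",
]
SAMPLE_WRONG_KEY = [
    "[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.invalid>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2002-09-28 "
    "1033200000 0 4 0 17 2 00",
]
SAMPLE_BAD = ["[GNUPG:] BADSIG 0123456789ABCDEF Release Signer <x@example.invalid>"]
```

Pass the lines from `gpg_status_lines("sendmail.8.12.6.tar.gz.sig", "sendmail.8.12.6.tar.gz")` to `judge_signature` to check a real download; a plain exit status from gpg says only that some key signed the file.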

* Bug allows bypass of smrsh restrictions

Two vulnerabilities in smrsh (Sendmail Consortium’s Restricted Shell) can allow bypassing the restrictions that should be imposed by smrsh. The gory details are in the copy of iDefense's security advisory stored on sendmail's web site, which also has a patch.

Sendmail smrsh bypass vulnerabilities - sendmail.org

24 Sep 2002 patch to smrsh.c - sendmail.org
