IDGNet Virus & Security Watch Friday 28 March 2002


This issue's topics:

Introduction:

* Squid DoS patch, update for NT patch manager, low profile worms

Virus News:

* Polyglot worm fails to fire

* More life in the worm than expected

Security News:

* Generous file share permissions fixed in Service Pack Manager 2000

* Squid patches another security problem

Introduction:

It has been another quiet week. Compounded with it being a short week and the newsletter compiler having to get copy in a little earlier in the day than usual, it is a light read today. There were no Microsoft security bulletins and no other major products with patches for serious security flaws. An exploitable remote denial of service in Squid that is possibly also a remote execution of arbitrary code problem would normally be serious news, but in this case it requires highly specialist access to a DNS server from which the targeted machine resolves some network names, so the likelihood of it being exploited is greatly diminished.

We have mentioned the HFNetChk service pack and hotfix checker for NT, Windows 2000 and XP, but there are other products with similar features. In this issue we note that an update to Service Pack Manager 2000 has been released. Apart from announcing the fix for current users of this product, this may also act as an introduction to the product for those looking for an automated patch checker and installer that can keep machines around the company network up to date. Finally, a couple of e-mail worms get a mention in the virus news section -- one for its novel features (even though they may reduce its effectiveness) and the other for slightly greater success than we predicted for it last week.

Virus News:

* Polyglot worm fails to fire

First spotted in the Czech Republic late last Friday, the Cervivec worm enjoyed some localized success in Central Europe, but has not spread extensively. This may be due, in part, to the rather unusual distribution method it employs. Although it is basically a common self-mailing worm, it depends solely on the contact database of the standard ICQ client to obtain the e-mail addresses to which it sends itself. Obviously, victim machines without ICQ installed are not much use in assisting the worm's spread.

Apart from this unusual reliance on the ICQ contacts database, Cervivec has a few other new or otherwise notable features. First, it distributes itself not as a straight executable attachment to an e-mail message but as an attached ZIP archive containing the worm's program file. Further, the Subject: line and simple message in the worm's e-mail messages are chosen from eight languages depending on the 'Spoken Languages' field of the contact database entry of each targeted user, defaulting to English if no language preference is set. Finally, if a recipient of one of its messages unpacks the ZIP attachment and runs the worm program inside, a rather interesting visual payload - as promised in the worm's e-mail message - is displayed while the worm is busy installing itself. Several of the antivirus developer descriptions linked below have screen shots of this effect.

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center
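The ZIP-wrapped executable described above is the part of Cervivec's delivery that a plain attachment-name filter misses. The following mail filter check is an added example, not code from the newsletter or any antivirus vendor: it opens each ZIP attachment and reports members with executable extensions, and constructs its own sample message (the filenames, subject and contents are made up for the demonstration).

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly; a ZIP carrying one of these is the
# pattern the text describes (worm program file inside an archive attachment).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}


def executables_in_zip(data: bytes) -> list[str]:
    """Return member names inside a ZIP payload that carry executable extensions."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [
                name for name in zf.namelist()
                if "." + name.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTENSIONS
            ]
    except zipfile.BadZipFile:
        # Truncated or non-ZIP content: nothing to report from this layer.
        return []


def flag_zipped_executables(raw_message: bytes) -> dict[str, list[str]]:
    """Map each ZIP attachment filename to the executable members it contains."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Look at the bytes as well as the name: a renamed .zip still starts with PK.
        if filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            hits = executables_in_zip(payload)
            if hits:
                findings[filename] = hits
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a message whose ZIP attachment wraps an .exe file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"MZ-not-a-real-binary")  # constructed content
        zf.writestr("readme.txt", b"nothing here")
    msg = EmailMessage()
    msg["Subject"] = "Check out this effect"  # constructed, not the worm's text
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="effect.zip")
    return msg.as_bytes()
```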

* More life in the worm than expected

Last week we suggested, hopefully, that the then just-discovered new MyLife.B worm variant would not take off. Although not a major event approaching anything like Melissa or LoveLetter levels, or the more recent (and persistent) SirCam, Klez and BadTrans, MyLife.B managed to quickly outstrip its predecessor, reaching about 50% more detections than MyLife.A at MessageLabs over the weekend.

Which reminds your newsletter compiler ... newer readers of the list may have seen passing references to MessageLabs and wondered who or what it is. MessageLabs is a UK-based, but internationally operating, e-mail service provider. As part of its service, it virus scans all e-mail coming into its customers' sites and fortunately, for some of us, provides public access to the summarized real-time (and some historical) virus prevalence data gathered from this activity. Three commercial virus scanners plus a heavily heuristics-based scanner developed in-house at MessageLabs are used for the virus detection work.

If you hear a news story or an e-mail rumour about a new, or reputed, virus that is said to be spreading like wildfire, MessageLabs' statistics pages are a good first port of call to see if it really is being seen in large numbers (though be aware their customer base is somewhat UK-, and then European-, heavy). If you have not already, you may want to bookmark either or both of the following MessageLabs prevalence statistics pages...

Running 24 hour, and current month, prevalence stats - messagelabs.com

Messagelabs.com ThreatList

Security News:

* Generous file share permissions fixed in Service Pack Manager 2000

Gravity Storm Software's centralized service pack and hotfix management software, Service Pack Manager 2000, has been found to leave some shares with over-generous access permissions. The latest update is claimed to fix this problem.

Readers of 'the Watch' ('watchers' perhaps?) may already be familiar with Shavlik Technologies' HFNetChk, the free version of which Microsoft distributes. Gravity Storm's Service Pack Manager fulfils similar requirements, but can also manage patch distribution and installation. As with HFNetChk there is a free, 'lite' version as well as the fully supported version.

Gravity Storm Software homepage

HFNetChk home page - microsoft.com

* Squid patches another security problem

An obscure bug in Squid's internal DNS-handling code can be exploited by an unscrupulous DNS server administrator to crash Squid or possibly even have arbitrary code executed on the popular caching Web proxy server. All version 2.x releases up to and including 2.4.STABLE4 are affected. Squid is packaged with many popular Linux distributions, and those vendors already have, or soon will have, updated packages available. Alternatively, and for Squid users on other platforms, the source can be obtained from the Squid distribution sites and rebuilt.

Security Update Advisory SQUID-2002:2 - squid-cache.org
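To decide which proxies need the rebuild, an inventory script has to compare Squid's version strings against the affected range the advisory gives (2.x up to and including 2.4.STABLE4). The following checker is an added example, not part of the newsletter or the Squid project; it assumes the version scheme MAJOR.MINOR.STAGE<N> as in "2.4.STABLE4", assumes `squid -v` reports the version on a line containing "Version <string>", and deliberately reports pre-release (non-STABLE) builds as unknown rather than guessing their position in the ordering.

```python
import re
from typing import Optional

# Assumed scheme: MAJOR.MINOR.STAGE<N>, e.g. "2.4.STABLE4" or "2.5.PRE1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.([A-Z]+)(\d*)$")

# Last affected release named by advisory SQUID-2002:2: 2.4.STABLE4,
# expressed as (major, minor, stable number).
LAST_AFFECTED = (2, 4, 4)


def parse_squid_version(text: str) -> Optional[tuple]:
    """Parse a bare version string or a 'squid -v' style line into
    (major, minor, stage, number); None if the format is not recognised."""
    m = re.search(r"Version\s+(\S+)", text)
    version = m.group(1) if m else text.strip()
    m = VERSION_RE.match(version)
    if not m:
        return None
    major, minor, stage, num = m.groups()
    return (int(major), int(minor), stage, int(num) if num else 0)


def is_affected(text: str) -> Optional[bool]:
    """True for a STABLE 2.x release at or before 2.4.STABLE4, False for a
    later 2.x STABLE release, None when the advisory's range does not let us
    classify the string (other major versions, pre-release builds, garbage)."""
    parsed = parse_squid_version(text)
    if parsed is None:
        return None
    major, minor, stage, num = parsed
    if major != 2:
        return None  # the advisory only speaks about 2.x releases
    if stage != "STABLE":
        return None  # PRE/DEVEL ordering is not asserted here; flag for review
    return (major, minor, num) <= LAST_AFFECTED
```

A None result is the case to surface to a human rather than silently skip, since it is exactly the build that was never compared.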
