IDGNet Virus & Security Watch Friday 22 March 2002


This issue's topics:

Introduction:

* Apache on Win32 arbitrary command update and some worms set to strike

Virus News:

* Multitudinous names fail to help worm spread

* Two variants of recently successful e-mail worms spotted

Security News:

* Apache on Win32 remote command execution, arbitrary file reading

Introduction:

It has been a fairly quiet week all round, but a bevy of new e-mail worms, or new variants of existing ones, are poised to strike, so if one or more gets that elusive lucky break in the next few days, it may be the next big story. Some of the likely contenders are described in the virus section. Although Microsoft updated and re-released some existing security bulletins this week, they really are of no great concern, and Unix admins will probably still have been busy finding and patching systems and applications possibly affected by last week's big issue, the zlib double-free bug. The only other security story that seems worth raising since we last met is the just-announced flaw in the Apache web server's handling of .BAT and .CMD CGI programs _on Win32 OSes_, which will reputedly be patched in an imminent update. All in all, it may be a nice quiet weekend for our security administrators!

Virus News:

* Multitudinous names fail to help worm spread

A new mass mailing worm seems to have been given more names than it has generated copies of itself. Known by at least four names - Atram, Borzella, Porkis and Storiella - the beast has so far failed to get enough of a foothold to take off. Win32/Atram.A@mm, as it is officially known, sends itself as an executable (.EXE file) attachment with a name randomly selected from three in the virus' code (porkis.exe, pippo.exe or bar.exe) and with an Italian language e-mail message, also randomly selected from three in the virus' code. This should limit the appeal of Atram to the suitably injudicious portion of Italian speakers, and to click-happy linguists of all hues.

If run, Atram displays a sequence of seven message boxes (in Italian), copies itself to the Windows installation directory and sets this copy to run at system startup. When that copy runs, it checks that it has not mailed itself already and, if not, sends itself to all addresses found in the Windows Address Book after a delay that is not fixed but varies with how busy the machine is. As the newsletter was finalized for posting, MessageLabs reported intercepting only one copy...

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Symantec Security Response

Trend Micro Virus Information Center

* Two variants of recently successful e-mail worms spotted

Intercepted by MessageLabs at twice the rate of Atram (see above), which is still to say hardly at all, the Yaha.B variant of this mass mailing worm has also just been spotted. As with Atram, this worm seems unlikely to become widespread. However, we said that a couple of weeks back about Gibe, which then made a surprisingly strong and long stand in the 'things that go bump on the net' stakes for the following couple of weeks. Further, the original member of this worm family, Yaha.A, has also been quite successful.

MyLife.B has not been seen by MessageLabs as this issue of the newsletter goes to 'print', but as with Yaha.B its forerunner has been surprisingly 'successful'. Also dubbed Caric and Cari by some antivirus developers, this worm arrives in an e-mail message offering a 'bill caricature'. If the victim runs the attached 'cari.scr' (a screen saver file, which Windows runs as an ordinary executable), a cartoon sketch of Bill Clinton playing a saxophone is displayed while the worm sends itself, via Outlook, to all contacts in the Outlook address book.
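Both worms described in this section rely on the same delivery trick: an executable attachment under a fixed, innocuous-looking name. The following is an added example, not code from the newsletter or from any antivirus vendor, of a minimal mail-gateway attachment filter that quarantines the attachment names given above for Atram (porkis.exe, pippo.exe, bar.exe) and MyLife.B (cari.scr). It goes beyond the page in one respect: it also quarantines any directly executable attachment type by extension, since the next variant will simply use a different name. The sample messages are constructed for the example.

```python
"""Added example: attachment-name and attachment-type filter for inbound mail.

Not code from the newsletter or from any antivirus product; the message
samples below are constructed for illustration.
"""
from email import message_from_string
from email.message import Message

# Attachment names given in the newsletter for Atram and MyLife.B.
KNOWN_WORM_ATTACHMENTS = frozenset({"porkis.exe", "pippo.exe", "bar.exe", "cari.scr"})

# Generalisation beyond the page: executable attachment types are quarantined
# regardless of name, because a renamed variant would otherwise slip through.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


def attachment_names(msg: Message) -> list[str]:
    """Collect the filenames of every non-container MIME part."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw_message: str) -> tuple[str, list[str]]:
    """Return ('quarantine' or 'deliver', list of offending attachment names)."""
    msg = message_from_string(raw_message)
    offending = []
    for name in attachment_names(msg):
        lower = name.lower()
        if lower in KNOWN_WORM_ATTACHMENTS or lower.endswith(EXECUTABLE_SUFFIXES):
            offending.append(name)
    return ("quarantine" if offending else "deliver", offending)


# Constructed sample: the MyLife.B delivery described above (subject and body
# are illustrative; the attachment payload is a placeholder, not the worm).
SAMPLE_WORM_MAIL = """From: someone@example.invalid
To: victim@example.invalid
Subject: bill caricature
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

a funny caricature of bill
--B1
Content-Type: application/octet-stream; name="cari.scr"
Content-Disposition: attachment; filename="cari.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--B1--
"""

# Constructed sample: a harmless message with a document attachment.
SAMPLE_CLEAN_MAIL = """From: colleague@example.invalid
To: victim@example.invalid
Subject: minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain

minutes attached
--B2
Content-Type: text/plain; name="minutes.txt"
Content-Disposition: attachment; filename="minutes.txt"

item one
--B2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, classify(raw))
```

The filename comparison is case-insensitive because Windows treats CARI.SCR and cari.scr identically; a filter that only matched the exact lowercase spelling would be trivially bypassed.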

Computer Associates Virus Information Center - Yaha.B

Computer Associates Virus Information Center - MyLife.B

Network Associates Virus Information Library - MyLife.B

Symantec Security Response - Yaha.B

Symantec Security Response - MyLife.B

Trend Micro Virus Information Center - Yaha.B

Security News:

* Apache on Win32 remote command execution, arbitrary file reading

Administrators of Apache web servers running on Win32 OSes should keep an eye open for an imminent update. According to a just-released security advisory, Apache on Win32 platforms can pass arbitrary command line parameters to .BAT and .CMD style CGI programs. Creative use of special command line operators allows a remote web browser to tack arbitrary commands onto the end of the server's call to the CGI command, which the server then runs with its own privileges. The full security advisory can be read in the Bugtraq message archive (linked below) and states that the Apache Software Foundation will release an updated version of its popular web server to correct this problem 'later today'. Until that update is installed, the obvious stopgap is to remove or block any .BAT and .CMD scripts in the server's CGI directories, including any sample scripts shipped with the distribution.
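The mechanism the advisory describes, stripped to its essentials, is that part of the request URL ends up on a cmd.exe command line, where characters such as the pipe and ampersand start a second command. The following is an added example, not Apache's code and not the advisory's exploit: it models the unsafe construction, a hardened alternative that never hands request data to a shell parser, and a check that flags such requests in a constructed access-log sample. The exact way Apache built the command line is not given on this page, so the model is an assumption; the log format and hostnames are invented for the example.

```python
"""Added example: command-line injection via batch CGI arguments, modelled.

Not Apache's code and not the advisory's exploit. The way the query string is
appended to the cmd.exe command line below is an assumed model of the pattern
the advisory describes, used to show why shell operators in a URL matter.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Characters cmd.exe treats as command separators or redirection: any of them
# in request-controlled text lets a second command ride on the same line.
CMD_METACHARS = frozenset("|&<>")


def build_batch_cmdline(script: str, query: str) -> str:
    """Unsafe pattern (modelled): decoded query text is pasted into the cmd.exe
    command line as-is, so cmd.exe parses operators the client supplied."""
    return f"cmd.exe /c {script} {unquote_plus(query)}"


def safe_batch_argv(script: str, query: str) -> list[str]:
    """Hardened form: split the query into discrete arguments and refuse any
    argument containing a cmd.exe operator before anything is executed."""
    args = [unquote_plus(a) for a in query.split("+") if a]
    for a in args:
        if any(c in CMD_METACHARS for c in a):
            raise ValueError(f"refusing shell metacharacter in CGI argument: {a!r}")
    return ["cmd.exe", "/c", script, *args]


def query_is_suspicious(query: str) -> bool:
    """True if the URL-decoded query contains a cmd.exe operator."""
    return any(c in CMD_METACHARS for c in unquote_plus(query))


# Request-target extraction for Common Log Format lines (format assumed).
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')


def flag_batch_cgi_requests(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (path, decoded query) for requests to .bat/.cmd CGIs whose
    query string carries a cmd.exe operator."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith((".bat", ".cmd")):
            continue
        if query_is_suspicious(parts.query):
            hits.append((parts.path, unquote_plus(parts.query)))
    return hits


# Constructed access-log sample: one benign batch CGI call, one carrying a
# pipe and a second command, one with a pipe against a non-CGI resource.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Mar/2002:10:01:02 +1300] "GET /cgi-bin/test.bat?hello HTTP/1.0" 200 17',
    '10.0.0.9 - - [22/Mar/2002:10:01:09 +1300] "GET /cgi-bin/test.bat?%7Cdir+c:%5C HTTP/1.0" 200 812',
    '10.0.0.9 - - [22/Mar/2002:10:01:15 +1300] "GET /index.html?a=%7C HTTP/1.0" 200 1204',
]

if __name__ == "__main__":
    print(build_batch_cmdline("test.bat", "%7Cdir+c:%5C"))
    print(safe_batch_argv("test.bat", "hello+world"))
    print(flag_batch_cgi_requests(SAMPLE_LOG))
```

The decode-then-check order matters: the operator arrives URL-encoded (%7C for the pipe), so a filter that inspects the raw query string before decoding sees nothing wrong. The hardened variant refuses rather than strips the operators, because silently removing them leaves the batch file running with a mangled argument and no record that an attack was attempted.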

Vulnerability in Apache for Win32 batch file processing - Bugtraq archive
