'Code Red' for IIS admins, serious Outlook hole and e-mail worm may embarrass

SirCam e-mail worm; Deja vu? Another Win32/Leave variant distributed via bogus security bulletin; Serious security hole in Outlook; Code Red worm hits more than 12,000 IIS servers

Yet another fairly quiet week in terms of the overall number of issues to be concerned about, but the magnitude of a couple of issues makes up for that. A new worm that exploits a month-old IIS vulnerability has been found, and there is strong evidence it has affected over 12,000 machines in the address space it scans for further vulnerable hosts to spread to.

At least Microsoft has had a patch out for that vulnerability for a month -- the other big story is a potentially very dangerous security hole in Microsoft Outlook. An ActiveX control installed with Outlook allows remote arbitrary code execution but is (clearly improperly) flagged as 'safe for scripting'. We've also seen some activity, particularly from South American countries, from the SirCam e-mail worm.

Virus News

SirCam e-mail worm

Although apparently not that predominant, there was a brief flurry of interest in the Win32/SirCam e-mail worm earlier this week. A Windows executable mass-mailer, SirCam distributes itself along with randomly selected documents and other files from the 'My Documents' folder of the victim's machine. Thus, apart from the embarrassment occasioned by distributing a worm, confidential business documents or personal information you'd not wish to share with others may also be sent from your machine. SirCam also exploits a twist in some popular virus scanners -- it extracts itself to the Recycle Bin folder, which some scanners automatically or by default exclude from their scanning.

Various antivirus vendor descriptions: antivirus.com, ca.com, f-secure.com, viruslist.com, vil.nai.com, sophos.com, sarc.com

Deja vu? Another Win32/Leave variant distributed via bogus security bulletin

Last week we reported that a new variant of the Win32/Leave worm had been placed on the web and its download location referenced via an obfuscated URL in an e-mail masquerading as a Microsoft security bulletin. Demonstrating further lack of inventiveness (or perhaps proving the old adage relating imitation and flattery), this approach to distributing yet another new Win32/Leave variant was copied again this week. A bogus MS01-039 'security bulletin' has been distributed, linking to a (now removed) copy of yet another new Win32/Leave variant. It appears to have been created by altering the MS01-037 bulletin (referenced in the first item in the Security section of this newsletter issue). The Microsoft security bulletins are electronically signed, so this is a timely reminder to check such signatures on those bulletins. As this newsletter is put to bed, there is still no real MS01-039 security bulletin.

Security News

Serious security hole in Outlook

Bulgarian bug hunter Georgi Guninski has uncovered yet another gaping security hole in a popular Microsoft product. Guninski discovered that an ActiveX control installed as part of Outlook 2002 (the version in the confusingly named Office XP) exposed the whole Outlook application object interface. The Microsoft security bulletin downplays this aspect of the bug, tending to emphasize the fact that the hole means a malicious person could mess with the Outlook mail, appointments, other calendar functions, and the like. However, the real issue this raises is that an attacker exploiting this hole could use it to run any program on the attacked machine in the current user's security context.

There is no patch available yet, as Guninski is notorious for warning vendors of his findings then going public with them two or three days later. Microsoft maintains (quite reasonably) that that is far from enough time to carefully research, patch and test such vulnerabilities. Various workarounds are mentioned in the Microsoft security bulletin, which will be updated when a patch is available. Unfortunately, the exact nature of this problem is not quite clear either from Guninski's announcement of his discovery of the bug or from the Microsoft security bulletin. The latter says that Outlook versions 98, 2000 and 2002 are affected and that the Outlook E-Mail Security Update prevents the problem affecting HTML e-mail. Guninski has subsequently claimed that the e-mail security update does not prevent the exploit working.

Outlook users are well advised to read the security bulletin and apply all the security measures it suggests. Your newsletter compiler suggests that, at a minimum, hardening Internet Explorer's Internet zone against all forms of automatic, unprompted ActiveX code execution is only prudent anyway and should be left in place once the patch for this latest, specific, unsafe Microsoft ActiveX control is released. Aside from that general security precaution, it should be noted that within a couple of days of Guninski publishing the vulnerability and a simple 'proof of concept' web page, a teenage virus writer wrote and released what he claimed was a virus that used this exploit to do its dirty work.

Fortunately this claimed virus does not work, but it may only be a matter of time before that is 'fixed'.

- Microsoft security bulletin
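The Internet zone hardening suggested above can be checked offline from a registry export. The following is an added example, not code from this newsletter or from Microsoft; it flags ActiveX actions left enabled without a prompt, including action 1405, which covers controls marked 'safe for scripting' such as the one described here. The zone path, action IDs and the sample export are assumptions supplied for the illustration, and the export is constructed.

```python
import re

# Internet zone = zone 3 (assumed source: a regedit export of the user's Zones key)
ZONE3 = r"software\microsoft\windows\currentversion\internet settings\zones\3"

# URL-action IDs that control ActiveX behaviour in a security zone
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script controls NOT marked safe for scripting",
    "1405": "Script controls marked safe for scripting",
}
ENABLE = 0  # 0 = enable silently, 1 = prompt, 3 = disable

VALUE_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def audit_internet_zone(reg_text):
    """Return (action, description, problem) for each ActiveX action in
    zone 3 that is enabled without a prompt or missing from the export."""
    in_zone, seen = False, {}
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_zone = line.strip("[]").lower().endswith(ZONE3)
            continue
        m = VALUE_RE.match(line)
        if in_zone and m:
            seen[m.group(1).upper()] = int(m.group(2), 16)
    findings = []
    for action, desc in sorted(ACTIVEX_ACTIONS.items()):
        if action not in seen:
            findings.append((action, desc, "not set in export"))
        elif seen[action] == ENABLE:
            findings.append((action, desc, "enabled without prompt"))
    return findings

# Constructed sample export; zone 2 is included to show it is ignored.
SAMPLE_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1200"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1405"=dword:00000000
"""

if __name__ == "__main__":
    for action, desc, problem in audit_internet_zone(SAMPLE_EXPORT):
        print(f"{action}  {desc}: {problem}")
```

In the sample, disabling scripting of controls not marked safe (1201) does nothing for a control wrongly flagged safe; only 1200 and 1405 gate it.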

Code Red worm hits more than 12,000 IIS servers

A week ago several system administrators noticed some 'odd' network activity that was logged and eventually analysed by security researchers at eEye Digital Security. This odd activity turned out to be symptomatic of a new worm, dubbed 'Code Red', that attacks IIS servers via the recently discovered and patched Index Server/Indexing Service buffer overflow, also discovered by eEye researchers and patched by Microsoft, as reported in this newsletter a month ago.

Due to the working of the worm, it is possible to get a fairly good estimate of the number of machines it has targeted and successfully infested by monitoring certain network activity. As of Wednesday this week, the number of machines almost certainly infested with Code Red was over 12,000. If you have not yet checked your public IIS servers for, and fixed as appropriate, the vulnerability documented in the MS01-033 security bulletin, you should do so without further delay.

- Initial, brief eEye analysis

- Detailed analysis posted to bugtraq

- Microsoft security bulletin
