Worms, worms, worms and important Outlook e-mail updates

Gnutella file-sharing worm; MyBabyPic e-mail worm; New variant of VBS/San discovered; Update for Outlook/Outlook Express vCard component and more

Worms are back (or perhaps that is "still") in the news this week. A new worm, Win32/Gnuman, uses the Gnutella peer-to-peer file sharing network, spoofing as a server and offering itself in answer to all search queries it sees. Also, a more "traditional" e-mail worm received some attention and is worth being wary of because of its file deleting payloads and we cover a variant of the VBS/San virus mentioned in last week's newsletter.

On the security front, it has been a fairly quiet week for users of Microsoft OSes, as one of the two security bulletins from the Redmond giant is a fairly low-key affair for most users. However, whilst the

vCard handling flaw is more pressing, the prospect of having to update all Outlook and Outlook Express users' machines can be delayed if filtering .VCF attachments at the e-mail gateway is both acceptable and easily implemented. There are also important security updates for Sun's Java runtime environment and the common Linux sudo utility.

Virus News

Gnutella file-sharing worm

Despite repeated use of the phrase "proof of concept" to describe it, Win32/Gnuman is not the first worm targeted at the Gnutella network. That "honour" belongs to a much more mundane worm known as VBS/GWV, but why should much of the media allow an inconvenient fact like that

detract from such attention-grabbing headlines?

In reality, Gnuman does not represent a significant threat, though its approach should see it being more successful than VBS/GWV. Unlike the simple script VBS/GWV, Gnuman is an executable and when run, sets itself up as Gnutella node hosted on its victim's machine. This server responds to every search request it sees with the exact search string with ".exe" appended to it. Thus, if a Gnutella users searched for "Britney Spears MP3" any Gnuman nodes that saw the request would respond saying they had a file named "Britney Spears MP3.exe". This still seems like a fairly naive replication mechanism, hoping that Gnutella searchers will download what will mainly be fairly obviously "odd" seeming hits. But then, many "experts" reckoned VBS e-mail attachments just wouldn't be run either and that didn't stop LoveLetter...

If someone does download and run the bogus search result Gnuman offers to the network, Gnuman copies itself to the Windows Startup folder as GSPOT.EXE and sets the hidden file attribute. Thus, Gnuman's server is run at each successive systam start.

With their usual contempt for users, Win32/Gnuman was given pretty much every name imaginable, and given a different one by nearly every antivirus developer. Some consensus on Gnuman has been reached, but as this was decided after several vendors made press-releases, far from all the vendors have changed the names used by their products.

As corporate users are unlikely to participate in such an open and "risky" file-sharing network as Gnutella, this should be no risk to a well-run and secured corporate network.

Various antivirus vendor descriptions:

Viruslist.com, cai.com, vil.nai.com, sophos.com, antivirus.com

MyBabyPic e-mail worm

Yet another e-mail worm - MyBabyPic - has hit the headlines, although it seems to have had fairly limited distribution thus far. MyBabyPic sends e-mail messages with a Subject: line of "My baby pic !!!", a message saying "Its my animated baby picture !!" and attachment named mybabypic.exe. If the attachment is run, a badly doctored and animated image of naked baby boy is displayed. Sadly, the nature of this "animated picture" is likely to see many users manually forward it to several of their friends and workmates anyway, but that is not necessary...

Regardless of how long the animation is displayed for, a few minutes later the worm mass-mails itself via Outlook (not Outlook Express) to every address in all the address lists the user has access to. Aside from this, MyBabyPic has several other, time- and date-based payloads, such as deleting and/or overwriting files and accessing web sites.

Various antivirus vendor descriptions:

viruslist.com, cai.com, vil.nai.com, sophos.com, symantec.com, antivirus.com

New variant of VBS/San discovered

Further to last week's announcement of the apparent attempts of the virus' writer to deliberately spread VBS/San and VBS/Valentin, a new variant of the former, known as VBS/San.B, has been discovered. If

anything, this variant seems to be as common, if not more so, than the original VBS/San.A variant, although neither are of anything like plague proportions. As VBS/San spreads "silently" via the same same security flaw that allowed JS/Kak to become one of the most common viruses ever, it would be prudent to ensure that your antivirus measures are updated to detect VBS/San.B, as some vendor's detection of the original does not also detect this new variant.

Security News

Update for Outlook/Outlook Express vCard component

Just after the newsletter compiler posted off last week's issue, news arrived of the release of an update for Microsoft's Outlook and Outlook Express e-mail clients. The update fixes a buffer overflow in a software component used by both products when processing vCard (.VCF) attachments. Specifying which patch you need depends on the version of Internet Explorer installed on your machine, as the affected component is actually part of Outlook Express and is used by Outlook when it installed. If Outlook is installed on a machine where Outlook Express has not been installed (it can be omitted by customizing IE's installation options) Outlook determines the IE version then installs the matching version of the (missing) Outlook Express component.

Confused? This is also explained in the Microsoft security bulletin, linked below. Although vCards ("virtual cards" or "electronic business cards") are normally seen as attachments to e-mail, and we all know to be wary of "unknown attachments and attachments from unknown correspondents", many users are accustomed to accepting them because they should be "just data". Further, the ease with which Outlook (Express) Contacts lists can be updated by dragging a vCard attachment to the Contacts icon in Outlook means that many users are familiar with using vCards and unlikely to perceive them as potentially threatening.

However, the security researcher who recently re-discovered this buffer overflow has published a sample exploit proving that arbitrary code can be run via this vulnerability (more details of this can be seen in the @Stake advisory, linked below).

All users of Outlook and Outlook Express should seriously consider installing this update as soon as practicable, or take other suitable actions (such as filtering .VCF attachments at Internet e-mail


- @Stake security advisory

- Microsoft Security Bulletin

Event Viewer snap-in update for Windows 2000

Microsoft has released an update for the Event Viewer snap-in for Windows 2000 to fix a buffer overflow vulnerability. This flaw could result in arbitrary code executing with the rights of the user running the Event Viewer. The vulnerability arises from an unchecked buffer in the Event Viewer and affects the machine where the Event Viewer is running which is not necessarily the machine whose event logs are being viewed.

Normal security precautions mean this should not be exploitable remotely as an attacker should not have write access to the event logs of machines inside your network and users should not be attaching to machines outside to view their event logs. The patch for this vulnerability will be included in SP3 for Windows 2000 and unless you have to deal with the event logs of potentially "hostile" users, delaying its installation until SP3 ships may be an acceptable risk.

More details are available from the Microsoft security bulletin linked below.

- Microsoft Security Bulletin

Failure to apply old patches results in compromised systems

The IIS Unicode vulnerabilities (called "the Web Server File Request Parsing vulnerability" by Microsoft) discussed in several newsletters last year, are still being used to compromise NT and Windows 2000

servers on the Internet. The SANS Institute has noted several instances in the last few days, and suspects that many more machines are involved.

Links to the SANS report (and a rather old Microsoft security bulletin for the paranoid) below.

- SANS IIS Unicode Bug report

- Microsoft Security Bulletin

sudo updates for various Unixes/Linuxes

The sudo package, which is used to allow "ordinary users" superuser privileges but only for certain commands, was found to have a buffer overflow. This could be locally exploited, and may allow an ordinary user to gain root privileges.

If you use sudo, check the package's home site (linked below) for update details or check with your vendor for an update to version 1.6.3p6.

- sudo home page

Sun releases Java runtime update

Sun Microsystems has released updates to its Java Runtime Environment to fix a security flaw. Under some circumstances, Java applets may be able to run some unauthorized commands. Sun reports that this is not believed to affect Netscape Navigator or Microsoft Internet Explorer.

Users of Windows, Solaris and Linux production releases of, variously, the JDK, SDK and/or JRE are recommended to check the Sun security bulletin for information about the affected versions and available updates. The bulletin also has Sun's advice on the minimum version numbers of the various releases of those product you should be running.

- Sun security bulletin

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about GnutellaLinuxMicrosoftSANS InstituteSun MicrosystemsThe SANS InstituteUnicode

Show Comments