The Santy Worm
The Santy worm exploits an input validation flaw in the phpBB
Remote URLDecode function to infect systems and deface
Web servers. It attempts to go to Google, searching for "viewtopic.php"
to find potential victims, and it then attempts to exploit
this vulnerability by trying to upload and execute a Perl
script. If it succeeds, Santy copies itself into the victim
system as a file named "m1h02OF" and then overwrites
files that have certain extensions, such as .htm, .jsp, .php,
.asp, .shtm, and .phtm, replacing the content with the following
message:
This site
is defaced!!
NeverEverNoSanity WebWorm generation x
"x" is a number that this worm uses to keep track
of systems that it has infected.
The following versions of phpBB are vulnerable:
phpBB Group phpBB 2.0.0
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.9
phpBB Group phpBB 2.0.10
Upgrading to the newest version of phpBB, version 2.0.11,
is the best countermeasure against this worm. Download updates
from here. Note also that
Google has made changes in its search engine to prevent its
use by this worm.
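The defacement text quoted above gives a defender something concrete to hunt for on a server that may have been hit. The following Python script is an added example, not part of the original advisory: it walks a web root, looks only at the extensions the advisory names, and reports every file that carries the Santy defacement text together with the generation counter from the last line. The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Extensions the advisory says Santy overwrites.
DEFACED_EXTENSIONS = {".htm", ".jsp", ".php", ".asp", ".shtm", ".phtm"}

# The defacement text Santy writes in place of the page content; the trailing
# number is the worm's generation counter ("generation x" in the advisory).
DEFACEMENT_RE = re.compile(
    r"This site\s+is defaced!!\s+NeverEverNoSanity WebWorm generation (\d+)"
)


def scan_webroot(root):
    """Return sorted (relative path, generation) pairs for defaced files under root."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DEFACED_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue                    # unreadable file: skip it, keep scanning
        match = DEFACEMENT_RE.search(text)
        if match:
            hits.append((path.relative_to(root).as_posix(), int(match.group(1))))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample tree: two defaced pages, one intact page, and a text
    file that carries the string but has no extension Santy rewrites."""
    root = Path(tempfile.mkdtemp(prefix="santy_demo_"))
    (root / "forum").mkdir()
    defaced = "This site\nis defaced!!\nNeverEverNoSanity WebWorm generation 4\n"
    (root / "index.php").write_text(defaced)
    (root / "forum" / "about.htm").write_text(defaced)
    (root / "forum" / "viewtopic.php").write_text("<?php echo 'forum'; ?>\n")
    (root / "notes.txt").write_text(defaced)
    return root


if __name__ == "__main__":
    for rel_path, generation in scan_webroot(build_sample_webroot()):
        print(f"defaced: {rel_path} (worm generation {generation})")
```

Point `scan_webroot` at the real document root to get the list of files to restore from backup; the generation number tells you which copy of the worm wrote them.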
Shoho Worm
W32.Shoho@MM, or Shoho for short, is an email worm written
in Visual Basic. The worm spreads by sending itself in the
form of an email attachment, Readme.txt <many blank spaces> .pif,
to email addresses harvested from local (hard disk) files with
these extensions: *.eml, *.wab, *.dbx, *.mbx, *.xls, *.xlt, and
*.mdb. The worm has a destructive payload: it deletes all files
in the current directory. It can also delete files in the Windows
root directory after the system reboots.
Other Shoho aliases: I-Worm.Welyah, W32/Shoho.a@MM, W32/Shoho.b@MM,
W32/Shoho.c@MM
Identifying marks:
- Subject: "Welcome to Yahoo! Mail"
- Body: "Welcome to Yahoo! Mail"
- Attachment: "readme.txt <many blank spaces> .pif"
For more information, go to Symantec's profile of the Shoho worm.
The Slammer Worm
A new worm, the Slammer Worm, is infecting multitudes of
Windows systems that run Microsoft SQL Server 2000. This worm
exploits multiple vulnerabilities in the Resolution Service
of Microsoft SQL Server 2000, causing rogue code to execute
on victim systems (possibly allowing an attacker to gain complete
control) and/or resulting in denial of service. As an interim
precautionary measure, incoming and outgoing SQL Server traffic
is currently being blocked at the entrances to the Lab's networks.
Windows system administrators need to check their servers
immediately to see whether Microsoft SQL Server 2000 is running
by entering the "net start" command at the command
prompt. If "MSSQLServer" is listed in the output,
the server is running. If it is not needed, stop it and then
set its start-up type to "Disabled" in the Services snap-in.
If Microsoft SQL Server 2000 needs to run, be sure to patch
the vulnerabilities that Slammer exploits. Click here
for the patch and more information.
If your system has been infected, all you need to do to eradicate
Slammer is to reboot the infected system. Click here
for more information about recovering infected systems.
After you think you have the Slammer Worm under control and
have either cleaned and patched the vulnerable servers or
isolated them from the network until they can be fixed,
you might begin to see re-infection attempts. This traffic
has been traced to desktop machines rather than servers. Desktop
machines, as well as some servers, become infected and then
spread the infection, which is a major additional problem
because it is so unexpected.
In addition to Microsoft SQL Server, Microsoft Data Exchange
(MSDE) is also vulnerable to infection. Many Microsoft applications
and third-party applications use MSDE, and most do not advise
the user of their reliance on it. The Web site SQLSecurity.com
provides a list of applications that may install MSDE/SQL
Server. Each of the applications listed below may make the
OS platform on which it is installed (whichever that is)
vulnerable to the Slammer Worm and similar malicious
code:
–Microsoft Biztalk Server
–Visual Studio.NET
–.NET Framework SDK
–Application Center Server
–Microsoft Visio 2000
–Microsoft Project
–McAfee Centralized Virus Admin
–FlipFactory
–Lyris Listserver
–ASP.NET Web Matrix Tool
–Office XP Developer Edition
–MSDN Universal and Enterprise Edition
–Microsoft Visual FoxPro 7.0
–Compaq Insight Manager
–Dell OpenManage
–HP Openview Internet Services Monitor
–Websense
–Megatrack from BLUEMEGA
–Veritas Backup Exec ver 9.0
–WebBoard
–Chubb security system
–Microsoft Office 2000/XP
–Crystal Reports Enterprise 8.5
–MonTel (a PABX admin tool)
–HelpMaster Pro
–Hailstorm
–McAfee Epolicy Orchestrator
–GFI S.E.L.M
–SecureScanNX - Vigilante
–ASSET v1.01 - NIST
–Centennial Discovery
–SalesLogix
–Helpstar (Helpdesk)
–http://www.realestate.intuit.com/
–Microsoft's Age of Mythology
–Tumbleweed Secure Guardian
–World Secure
–PowerQuest Deploy Center 5
–ControlCenter ST
–Trend Micro Damage Cleanup Server 1.0
–Compaq Insight Manager v7
–Patchlink Patch Management System
–Microsoft SharePoint Portal Server
The Slapper Worm
The Slapper worm (also known as the Linux.Slapper, Apache/mod_ssl,
and ELF_SLAPPER worm) targets Apache Web servers running on
Linux hosts in which a buffer overflow condition in OpenSSL
exists. Slapper connects to port 80 on each system it attacks
and then sends a GET request to determine whether the Web
server is Apache. If so, it then uses uuencode to ship its
source code to the /tmp directory within the target system
over port 443 (the port used by the Secure Sockets Layer [SSL]).
It decodes the file containing the source code and then compiles
this code using the gcc compiler. Next it executes shell code
on the victim system and then starts attacking other systems,
targeting others within the same class B address space. Slapper
makes each exploited system listen on one of a number of UDP
ports (and in one case, a TCP port) for further instructions.
The Slapper code also contains instructions that can launch
a distributed denial of service (DDoS) attack.
Several variants of Slapper have surfaced. Variant A, the
first version of Slapper, listens on UDP port 2002. Variant
B listens on UDP port 1978; gathers information about each
infected system and sends it to a designated address; and
infects files within each compromised system, attempting to
delete them (although due to programming errors, it is usually
unsuccessful in doing so). Variant C listens on UDP port 4156
(and sometimes also on TCP port 1052), sends two source files,
and disguises the processes it invokes by giving them innocuous
names such as “httpd.”
If this worm infects your system, you’ll need to disconnect
your system from the network and then manually clean it by
removing all files that Slapper has installed. Be sure to
install the appropriate patch that prevents Slapper infections;
click here
for information concerning how to obtain this patch.
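Because each Slapper variant listens on a known control port and variant C hides its processes under the name "httpd", a listening-socket audit is a practical first check on a host you suspect. The Python below is an added example, not code from the advisory: it parses "netstat -anp" style output (the sample output, the PIDs and the two bogus "httpd" UDP entries are constructed), flags sockets bound to the ports the advisory lists, and flags any process named httpd that holds a UDP socket, since Apache does not use UDP.

```python
# Slapper control ports as the advisory lists them, keyed by (protocol, port).
SLAPPER_PORTS = {
    ("udp", 2002): "Slapper variant A",
    ("udp", 1978): "Slapper variant B",
    ("udp", 4156): "Slapper variant C",
    ("tcp", 1052): "Slapper variant C",
}


def parse_netstat(output):
    """Parse 'netstat -anp' style output into listening sockets.

    Returns dicts with proto, port, pid and program; TCP rows are kept only in
    LISTEN state, UDP rows (which carry no state column) are all kept."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto = fields[0].rstrip("6")           # fold tcp6/udp6 into tcp/udp
        if proto not in ("tcp", "udp"):
            continue                            # header or non-IP rows
        if proto == "tcp" and (len(fields) < 7 or fields[5] != "LISTEN"):
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        pid, _, program = fields[-1].partition("/")
        entries.append({"proto": proto, "port": port, "pid": pid, "program": program})
    return entries


def audit_listeners(entries):
    """Return (pid, program, reason) for sockets showing Slapper's signs."""
    findings = []
    for e in entries:
        key = (e["proto"], e["port"])
        if key in SLAPPER_PORTS:
            findings.append((e["pid"], e["program"],
                             f"bound to {e['proto']}/{e['port']}, "
                             f"the {SLAPPER_PORTS[key]} control port"))
        elif e["proto"] == "udp" and e["program"] == "httpd":
            # Apache serves TCP only, so an "httpd" holding a UDP socket is the
            # kind of process-name disguise the advisory attributes to variant C.
            findings.append((e["pid"], e["program"],
                             f"process named httpd holds udp/{e['port']}; "
                             "Apache does not use UDP"))
    return findings


# Constructed sample in the layout of 'netstat -anp' on Linux; the PIDs and the
# two bogus "httpd" UDP entries are invented for the demonstration.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 10.0.0.5:80             10.0.0.9:51234          ESTABLISHED 1234/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           900/ntpd
udp        0      0 0.0.0.0:4156            0.0.0.0:*                           4567/httpd
udp        0      0 0.0.0.0:5555            0.0.0.0:*                           4568/httpd
"""


if __name__ == "__main__":
    for pid, program, reason in audit_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"pid {pid} ({program}): {reason}")
```

Run the audit from a trusted binary rather than the host's own netstat if you suspect the box is already compromised; the parser accepts output captured from any system, so the check can be done offline.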
The Sluter-A Worm
The Sluter-A worm (also known as WORM_SLUTER.A, W32/Sluter.worm,
Win32/Sluter.A, Worm.Win32.Sluter, and W32.Randex.B) scans
remote systems for unprotected shares and shares protected
by weak passwords. If a share that it finds is unprotected,
it connects to the share and then copies itself into the system
as msslut32.exe. If the share is password-protected, Sluter-A uses
a small dictionary of possible passwords to try to gain access
to the share. If successful, it copies itself into the system
(also as msslut.exe). Once it has copied itself, it adds a value
(Superslut = msslut32.exe) to the Registry of the infected
system (the actual path is HKLM\Software\Microsoft\Windows\CurrentVersion\Run),
so that it starts whenever the system boots. Click here
for clean-up procedures for systems infected by Sluter-A.
Swen Worm (Win32.Swen.A)
As if we haven't seen enough Windows worms lately, a new
one, the Swen (Win32.Swen.A) worm has been spreading over
the Internet. Its primary means of infecting systems is through
a bogus Microsoft security bulletin that announces a "September
2003 Cumulative Patch" for Internet Explorer, Outlook,
and Outlook Express. The attachment to this message is the
worm; opening and executing it causes a system to become infected.
The Swen worm also spreads via KaZaA (which is not allowed
here at Berkeley Lab) and Internet Relay Chat (IRC). If you
get a message that purports to be a Microsoft security bulletin,
just delete it; do not forward it to others. Remember that
Microsoft does not distribute patches via email! And be sure
to keep your system's anti-virus software up to date.
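Both Shoho's identifying marks (the subject line and an attachment name padded with spaces before ".pif") and Swen's lure (a purported Microsoft patch delivered as an attachment) can be checked at the mail gateway before a message reaches a user. The Python below is an added example, not part of this advisory: the three messages it parses are constructed, the attachment name patch-installer.exe is invented, and the executable-extension list extends the advisory's ".pif" with other common executable types. It also goes beyond the two worms in one respect: any attachment that hides an executable extension behind whitespace or a double extension is flagged, whatever the lure text.

```python
from email import message_from_string

# Executable extensions a gateway should not pass unexamined. The advisory names
# .pif (Shoho's attachment); the remaining entries are this example's additions.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat"}

# Lure text taken from the advisory's descriptions of the two worms.
SHOHO_SUBJECT = "Welcome to Yahoo! Mail"
SWEN_LURE = "cumulative patch"

def executable_extension(filename):
    """Return the executable extension of filename (lower-cased), else None."""
    ext = "." + filename.rstrip().rpartition(".")[2].lower()
    return ext if ext in EXECUTABLE_EXTS else None

def disguised_executable(filename):
    """True when an executable extension hides behind whitespace padding
    ('readme.txt <many spaces> .pif') or a double extension ('photo.jpg.exe')."""
    if executable_extension(filename) is None:
        return False
    stem = filename.rstrip().rpartition(".")[0]
    return stem != stem.rstrip() or "." in stem

def _text_body(msg):
    """Concatenate the decoded text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)

def triage_message(raw):
    """Return the lure indicators found in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").strip()
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    executables = [a for a in attachments if executable_extension(a)]
    reasons = []
    if subject == SHOHO_SUBJECT:
        reasons.append("subject matches the Shoho lure")
    for name in attachments:
        if disguised_executable(name):
            reasons.append(f"disguised executable attachment: {name.strip()!r}")
    if SWEN_LURE in (subject + "\n" + _text_body(msg)).lower() and executables:
        # Microsoft does not distribute patches by email, so a message that
        # announces a patch and carries an executable is a lure by definition.
        reasons.append(f"fake Microsoft patch carrying {executables[0].strip()!r}")
    return reasons

# Constructed sample messages modelled on the advisory's descriptions; the
# attachment bodies are placeholders and patch-installer.exe is an invented name.
SAMPLE_SHOHO = """\
From: friend@example.invalid
Subject: Welcome to Yahoo! Mail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Welcome to Yahoo! Mail
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="readme.txt                               .pif"

(binary attachment omitted)
--b1--
"""

SAMPLE_SWEN = """\
From: "Microsoft Security Bulletin" <bulletin@example.invalid>
Subject: Microsoft Security Update
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Install the September 2003 Cumulative Patch for Internet Explorer, Outlook
and Outlook Express by running the attached update.
--b2
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="patch-installer.exe"

(binary attachment omitted)
--b2--
"""

SAMPLE_CLEAN = """\
Subject: Minutes from Tuesday
Content-Type: text/plain

See you at the meeting.
"""

if __name__ == "__main__":
    for label, raw in (("shoho", SAMPLE_SHOHO), ("swen", SAMPLE_SWEN), ("clean", SAMPLE_CLEAN)):
        print(label, triage_message(raw) or ["no indicators"])
```

The whitespace check matters more than the fixed subject line: a mail client that truncates long attachment names shows the user "readme.txt" and hides the ".pif", which is the whole point of the padding.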
The Sysbug.A Trojan Horse
Sysbug.A is a Windows Trojan horse program that is spread
as an email attachment to a message with the subject, “RE[2]:
Mary,” and with text beginning “Hello my dear
Mary.” The message refers to an attachment that allegedly
contains pictures of a couple involved in sexual activity.
The attachment is named “Private.zip”; the message
also indicates that this attachment contains an executable
named “wendynaked.jpg.exe.” If anyone opens the
attachment, that person’s system becomes infected. The
Sysbug.A program is copied to the system installation folder
(the name of which varies from one Windows system to another).
The Trojan creates another file, svc.sav, in this directory,
as well as a file in the path C:\temp35.txt; however, neither
of these files is malicious. To enable this program to start
every time the system it has infected boots, it adds a value,
SystemDebug, to:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
in the infected system’s Registry.
Sysbug.A infections should not be taken lightly. This program
gleans a variety of information from systems that it infects
and sends it to remote systems. It also allows unauthorized
back door access to any system on which it resides, enabling
any hacker who knows that a machine has this Trojan installed
to remotely control the system.
Cleaning infected systems is not difficult. Simply delete
sysdeb32.exe, svc.sav, and c:\temp35.txt, and also delete
the SystemDebug value from the Run key in the Registry.
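Both Sluter-A (the Superslut = msslut32.exe value) and Sysbug.A (the SystemDebug value pointing at sysdeb32.exe) persist through the same Run key, so one check of an exported copy of that key covers both. The Python below is an added example, not part of this advisory: it parses a .reg export in Registry Editor 5.00 syntax (the sample export is constructed, with one benign entry and one renamed value added to exercise the path-stripping branch) and reports every entry whose value name or target executable matches the indicators the advisory gives.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Run-key value name -> (threat, dropped executable), as the advisory states them.
RUN_IOCS = {
    "superslut": ("Sluter-A", "msslut32.exe"),
    "systemdebug": ("Sysbug.A", "sysdeb32.exe"),
}

# One REG_SZ line of a .reg export: "name"="data", with \\ and \" escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    return text.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Yield (key, value name, data) for every REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = _VALUE_RE.match(line)
        if key and match:
            yield key, _unescape(match.group(1)), _unescape(match.group(2))


def executable_name(data):
    """'C:\\WINNT\\sysdeb32.exe /x' -> 'sysdeb32.exe' (drop switches and path)."""
    command = re.split(r"\s+/", data)[0].strip().strip('"')
    return command.rsplit("\\", 1)[-1].lower()


def audit_run_key(text):
    """Return (threat, value name, data) for Run entries matching the indicators."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() != RUN_KEY.lower():
            continue                      # only the Run key the advisory names
        hit = RUN_IOCS.get(name.lower())
        if hit is None:                   # renamed value, same dropped file
            exe = executable_name(data)
            hit = next((v for v in RUN_IOCS.values() if v[1] == exe), None)
        if hit:
            findings.append((hit[0], name, data))
    return findings


# Constructed .reg export (backslashes doubled, as regedit writes them). The
# Synchronization Manager entry is benign filler; "Update Service" is an
# invented renamed value that still points at the Sluter-A executable.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Superslut"="msslut32.exe"
"SystemDebug"="C:\\WINNT\\sysdeb32.exe"
"Update Service"="C:\\WINNT\\system32\\msslut32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\setup.exe"
'''


if __name__ == "__main__":
    for threat, name, data in audit_run_key(SAMPLE_REG):
        print(f"{threat}: Run value {name!r} -> {data}")
```

Export the key with "regedit /e" on the suspect machine (or from an offline hive) and feed the file to `audit_run_key`; the matched value names are exactly the ones the clean-up steps above tell you to delete.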