Security Alerts


8/11/2003

W32.Sobig.f Worm

Sobig.F [F-Secure], W32/Sobig.f@MM [McAfee], WORM SOBIG.F [Trend], W32/Sobig-F [Sophos], Win32.Sobig.F [CA], I-Worm.Sobig.f [KAV]

Security Level - Critical

W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds on an infected computer. If you receive an email with the following characteristics, delete it. If you have already opened the attachment, please contact an Abacus consultant to help remove the virus from your system.

The email message will have the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address admin@internet.com as the sender.
Subject:

  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

Body:

  • See the attached file for details
  • Please see the attached file for details.

Attachment:

  • your_document.pif
  • document_all.pif
  • thank_you.pif
  • your_details.pif
  • details.pif
  • document_9446.pif
  • application.pif
  • wicked_scr.scr
  • movie0045.pif

Please contact any Abacus consultant if you have questions or concerns.
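The characteristics above are exactly what a mail gateway or help desk can match on. The following is an added example, not Abacus's own code, that checks one raw RFC 822 message against the listed sender, subjects, body text and attachment names and reports which indicators hit; the sample message it builds is constructed for the demonstration, and the `.pif`/`.scr` extension check is an extra heuristic beyond the alert's exact file names.

```python
"""Triage a raw email message against the W32.Sobig.F indicators listed in the
alert. Added example (not Abacus's code); the sample message is constructed."""
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Indicators exactly as the alert lists them.
SOBIG_SENDER = "admin@internet.com"
SOBIG_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
SOBIG_BODIES = {
    "See the attached file for details",
    "Please see the attached file for details.",
}
SOBIG_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}


def sobig_indicators(raw: bytes) -> List[str]:
    """Return the matched indicators for one raw message (empty list = no match)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = (msg.get("From") or "").strip().lower()
    if SOBIG_SENDER in sender:
        hits.append(f"from:{SOBIG_SENDER}")
    subject = (msg.get("Subject") or "").strip()
    if subject in SOBIG_SUBJECTS:
        hits.append(f"subject:{subject}")
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and body_part.get_content().strip() in SOBIG_BODIES:
        hits.append("body:lure-text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBIG_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.endswith((".pif", ".scr")):
            # Heuristic beyond the alert: any other .pif/.scr attachment is worth a look.
            hits.append(f"attachment:suspicious-extension:{name}")
    return hits


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed sample message used only to exercise the matcher."""
    m = EmailMessage()
    m["From"] = "admin@internet.com"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    # Placeholder attachment bytes; this is not an executable.
    m.add_attachment(b"constructed placeholder attachment body",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return bytes(m)


if __name__ == "__main__":
    sample = build_sample("Re: Details", "See the attached file for details",
                          "your_document.pif")
    print(sobig_indicators(sample))
```

Run against a gateway's quarantine or a mailbox export one message at a time; any message with two or more hits is almost certainly the worm, while a single `from:` hit on its own only means the sender was spoofed.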

 

8/11/2003

MS Blast Worm

W32.Blaster.Worm (Symantec), W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro), Win32.Posa.Worm (CA), Lovsan (F-Secure), MSBLASTER, Win32.Poza

Security Level - Critical

A new Internet worm named "MS Blast" is on the loose. This worm exploits a vulnerability in the RPC DCOM subsystem present in all Windows 2000 and Windows XP operating systems. The vulnerability is documented in Microsoft Security Bulletin MS03-026, "Buffer Overrun in RPC Interface Could Allow Code Execution".

Abacus recommends blocking TCP port 135 and UDP port 135 on all perimeter networks as well as on all personal firewalls. To prevent infection, TCP port 593 and all outbound requests to port 69 should be blocked as well.

If you suspect infection, check the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for a value of 'msblast.exe'. If it exists, delete the value as well as the file it refers to. The value 'msblast.exe' may also exist in a key named 'windows auto update'.

There may also be a file named 'TFTP2576' in the System32 directory.
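The two host indicators just described (the 'msblast.exe' value under the Run key and the 'TFTP2576' file in System32) can be checked programmatically. The following is an added example, not Abacus's own code. The decision logic is a pure function over a snapshot of the Run key values and the System32 listing, so it can be exercised on any platform with the constructed data at the bottom; the collector that reads the live registry only works on Windows. It treats 'windows auto update' as a value name under Run (the alert's wording is loose on this), and also flags an 'msblast.exe' file in System32, which the alert tells you to delete.

```python
"""Check a host for the MS Blast indicators named in the alert. Added example
(not Abacus's code); the sample snapshot at the bottom is constructed."""
import os
import sys
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MSBLAST_DATA = "msblast.exe"
MSBLAST_VALUE_NAME = "windows auto update"   # assumed to be a value name under Run
TFTP_ARTIFACT = "TFTP2576"


def blaster_findings(run_values: Dict[str, str], system32_files: List[str]) -> List[str]:
    """run_values maps Run-key value names to their data; system32_files lists
    file names in %SystemRoot%\\System32. Returns human-readable findings
    (empty list = no Blaster indicators seen)."""
    findings = []
    for name, data in run_values.items():
        if MSBLAST_DATA in data.lower():
            findings.append(f"{RUN_KEY}\\{name} = {data}")
        elif name.lower() == MSBLAST_VALUE_NAME:
            # The alert's value name with unexpected data: review by hand.
            findings.append(f"{RUN_KEY}\\{name} present with data {data!r} (review)")
    for fname in system32_files:
        low = fname.lower()
        if low == TFTP_ARTIFACT.lower() or low == MSBLAST_DATA:
            findings.append(f"%SystemRoot%\\System32\\{fname} present")
    return findings


def collect_windows_snapshot() -> Tuple[Dict[str, str], List[str]]:
    """Read the live Run key and the System32 directory listing (Windows only)."""
    import winreg  # standard library, available on Windows builds of Python
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return values, os.listdir(system32)


# Constructed snapshot of what an infected host might look like.
SAMPLE_RUN = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "windows auto update": "msblast.exe",
}
SAMPLE_SYSTEM32 = ["kernel32.dll", "TFTP2576", "msblast.exe"]


if __name__ == "__main__":
    if sys.platform == "win32":
        run_values, files = collect_windows_snapshot()
    else:
        run_values, files = SAMPLE_RUN, SAMPLE_SYSTEM32
    for line in blaster_findings(run_values, files) or ["no Blaster indicators found"]:
        print(line)
```

On a suspect machine run it as an administrator so the Run key and System32 are readable; a clean host prints nothing but the "no indicators" line, and any finding means the cleanup steps above (delete the value and the file, then apply the MS03-026 update) still need to be carried out.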

Microsoft has posted updates to correct the vulnerability.

Please contact any Abacus consultant if you have questions or concerns.

 

7/28/2003

W32/Mimail.A-mm
Security Level - High

  • An email may arrive from an infected computer with the attachment "message.zip"
  • Possible firewall alerts that the files "FOO.EXE" or "VIDEODRV.EXE" are attempting to access the Internet
  • Creation of the file "VIDEODRV.EXE" in the Windows folder

Actions -

  • The virus is embedded within an HTML file named message.html, which is contained in the file message.zip, and is related to the threat JS/CodeBase-tr
  • When message.zip is opened and message.html is extracted and opened, the computer may become infected by a binary file embedded within the HTML file
  • Message.html contains script that uses exploitation code related to the threat JS/CodeBase-tr to decode and launch an embedded binary. The binary is first written as FOO.EXE, then copied to the Windows folder as "VIDEODRV.EXE" and executed
  • VIDEODRV.EXE is compressed and has a file size of at least 17,144 bytes; it may be larger due to script code concatenated onto it by the HTML file
  • VIDEODRV.EXE contains instructions to create a high priority email message in the following format -

    Priority: 2 (high)
    From: admin@ (domain name)
    Subject: your account (random string)
    Body:
    Hello there,
    I would like to inform you about important information regarding your
    email address. This email address will be expiring.
    Please read attachment for details.
    ---
    Best regards, Administrator
    Attachment: message.zip

  • The virus then attempts to use Internet SMTP servers to send this email to all contacts listed in the Windows address book
  • The virus modifies the registry to load itself when Windows restarts -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    Videodrv = %Windowspath%\Videodrv.exe

  • The virus may also write copies of itself as additional files on the local machine -

    %Windowspath%\exe.tmp
    %Windowspath%\zip.tmp
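The infection vector above is a zip attachment carrying an HTML file with an executable embedded in it, which is something a mail gateway can inspect before the message reaches a mailbox. The following is an added example, not Abacus's own code: it opens a zip attachment in memory, flags the message.zip / message.html names from the alert, and flags any HTML member that carries a Windows executable image. The "embedded executable" test (looking for the MZ DOS header in plain or base64 form) is a heuristic of this example, not something the alert states, and the sample archive and its placeholder payload are constructed.

```python
"""Inspect a zip email attachment for the W32/Mimail.A lure described in the
alert. Added example (not Abacus's code); the sample zip is constructed."""
import io
import re
import zipfile
from typing import List

LURE_ARCHIVE = "message.zip"
LURE_MEMBER = "message.html"
# Heuristic (assumption, not from the alert): HTML that embeds a Windows
# executable carries the "MZ" DOS header, either raw or base64-encoded.
MZ_PLAIN = b"MZ\x90\x00"
MZ_B64 = re.compile(rb"TVqQAA")   # base64 of b"MZ\x90\x00" at a 3-byte boundary


def inspect_zip_attachment(filename: str, data: bytes) -> List[str]:
    """Return findings for one attachment (empty list = nothing suspicious)."""
    findings: List[str] = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings                     # not an archive; nothing to inspect here
    if filename.lower() == LURE_ARCHIVE:
        findings.append(f"attachment named {LURE_ARCHIVE}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = info.filename.lower()
            if member == LURE_MEMBER:
                findings.append(f"archive contains {LURE_MEMBER}")
            if member.endswith((".html", ".htm")):
                content = zf.read(info)
                if MZ_PLAIN in content or MZ_B64.search(content):
                    findings.append(f"{info.filename}: embedded executable image")
    return findings


def build_sample_zip(html: bytes, member: str = LURE_MEMBER) -> bytes:
    """Constructed sample archive used only to exercise the inspector."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, html)
    return buf.getvalue()


# Constructed lure page: a script block holding a base64 string that begins
# with a DOS header. Only the header bytes are present; this is not a program.
SAMPLE_HTML = (
    b"<html><body>Please wait...<script>var payload='"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    b"';</script></body></html>"
)


if __name__ == "__main__":
    print(inspect_zip_attachment("message.zip", build_sample_zip(SAMPLE_HTML)))
```

Plugged into a gateway filter, any attachment that produces findings should be quarantined rather than delivered; the "embedded executable image" finding on its own is the strongest signal because it does not depend on the attacker keeping the message.zip and message.html names.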

 

4/3/2003

W95.Tenrobot
Security Level - Moderate

W95.Tenrobot is a trojan that gives hackers remote access to Windows 95 computers via IRC connections. This virus appends itself to files and resides in memory once executed. Infected files grow by about 8192 bytes.

Once activated, the trojan virus will attempt to connect to irc.efnet.pl (located at 217.17.33.10) on port 6667.  If your organization has a firewall, be sure the needed filters are in place to prevent this connection.

Removal of this virus on Windows NT, 2000 and XP should be a simple matter of running your anti-virus program with an up-to-date virus signature. Under Windows 95, 98 and Me, you will have to boot from a boot disk and then attempt a repair of the infected files.

 

1/23/2003

SQL Server 2000 worm - W32.Slammer Worm
Security Level - Critical

Read details about this worm at Microsoft TechNet.

This is an Internet worm that propagates via UDP port 1434. It targets SQL Server 2000 and does not appear to carry a destructive payload. Using a previously announced vulnerability that Microsoft addressed in Security Bulletin MS02-039 on July 24, 2002, the worm attacks SQL Server 2000 and attempts to propagate itself both internally and externally. This could lead to a Denial of Service attack.

There are two defenses against this attack: make sure your firewall is blocking UDP port 1434, and patch SQL Server 2000 with the Microsoft Security Bulletin MS02-061 patch or SP3 for SQL 2000.

At this time Abacus Information Systems has not certified SP3 on SQL 2000. We are working diligently to ensure that all applications and services function properly after this major patch is applied. In the meantime we recommend applying at least the Microsoft Security Bulletin MS02-061 patch and reviewing your firewall policies.

If your systems are infected with this virus, please contact an Abacus consultant immediately for detailed information on how to restore system integrity.

Check for patches often; they plug security holes and improve system stability.
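Both the Tenrobot alert (a connection to irc.efnet.pl at 217.17.33.10 on port 6667) and the Slammer alert (propagation over UDP port 1434) give a network indicator that shows up in firewall or flow logs even when the host itself has not been examined. The following is an added example, not Abacus's own code, that scans log lines for both: any internal host talking to the Tenrobot IRC server is reported, and a host sending UDP 1434 packets to many distinct destinations is reported as a probable Slammer scanner. The log line format, the sample lines and the scan threshold are all constructed for this example; adapt `parse_line` to your firewall's actual format.

```python
"""Scan firewall/flow log lines for the network indicators in the Tenrobot and
Slammer alerts. Added example (not Abacus's code); log format and sample
lines are constructed."""
import re
from typing import Dict, List, Optional, Set

TENROBOT_C2 = ("217.17.33.10", 6667)   # irc.efnet.pl, from the Tenrobot alert
SLAMMER_PORT = 1434                      # UDP, from the Slammer alert
# Assumption for this example: a host sending UDP 1434 to this many distinct
# peers is scanning, whereas a single lookup to that port is normal SQL traffic.
SLAMMER_SCAN_THRESHOLD = 5

# Constructed log format: "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a record, or None if it is not a flow record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def scan_log(lines: List[str]) -> Dict[str, List[str]]:
    """Return {"tenrobot": [...], "slammer": [...]} with sorted source hosts."""
    tenrobot: Set[str] = set()
    slammer_targets: Dict[str, Set[str]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "TCP" and (rec["dst"], rec["dport"]) == TENROBOT_C2:
            tenrobot.add(rec["src"])
        if rec["proto"] == "UDP" and rec["dport"] == SLAMMER_PORT:
            slammer_targets.setdefault(rec["src"], set()).add(rec["dst"])
    slammer = {src for src, dsts in slammer_targets.items()
               if len(dsts) >= SLAMMER_SCAN_THRESHOLD}
    return {"tenrobot": sorted(tenrobot), "slammer": sorted(slammer)}


# Constructed sample log. 10.0.0.12 checks in to the IRC server; 10.0.0.55
# sprays UDP 1434 at six different hosts; 10.0.0.5 makes one ordinary lookup.
SAMPLE_LOG = [
    "TCP 10.0.0.12:1043 -> 217.17.33.10:6667",
    "TCP 10.0.0.30:1300 -> 198.51.100.7:80",
    "UDP 10.0.0.5:1200 -> 10.0.0.9:1434",
    "UDP 10.0.0.55:2041 -> 198.51.100.1:1434",
    "UDP 10.0.0.55:2042 -> 198.51.100.2:1434",
    "UDP 10.0.0.55:2043 -> 203.0.113.9:1434",
    "UDP 10.0.0.55:2044 -> 203.0.113.10:1434",
    "UDP 10.0.0.55:2045 -> 192.0.2.77:1434",
    "UDP 10.0.0.55:2046 -> 192.0.2.78:1434",
    "not a flow record",
]


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

If the firewall filters recommended in the two alerts are in place, these connections will appear as denied entries rather than allowed ones; either way the source address identifies the machine that needs cleaning and patching.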


Copyright © 2002 Abacus Information Systems, Incorporated