NH&A Alerts

  • December 4, 2001 - Anti-virus companies have announced the Goner worm as fast-spreading, and some categorize it as "high risk". Goner is written in Visual Basic 6 and, when activated, sends itself to e-mail addresses taken from the user's Microsoft Outlook Address Book or through Internet Relay Chat services.

    Goner has been reported to contain code to delete firewall and anti-virus information from infected machines.  The attachment must be double-clicked to work.  This is another reason why we feel it won't be too bad.

    It contains the following language: 

    Subject: Hi
    Body: How are you? When I saw this screen saver, I immediately thought about you. I am in a harry, I promise you will love it!

    Attachment: GONE.SCR

    Norman
    InfoWorld
    F-Secure
    Symantec
    McAfee
    CA

  • November 25, 2001 - Badtrans.B e-mail worm/trojan hits users worldwide.  This worm spreads by exploiting machines that have not upgraded Internet Explorer.  It does not require the e-mail recipient to open the attachment for it to execute.  We believe this worm will spread widely because the attachment does not show up with the "paperclip" attachment icon on the e-mail, even though it does exist there as an attachment.  The attachment has a name that is randomly selected from three lists: one name and two extensions.  The attachment consists of two main components, a worm and a trojan. The worm component sends infected messages; the trojan component sends information (user's info, RAS data, cached passwords, keyboard log) from infected computers to a specified e-mail address.  It also carries a keylogger DLL in its body, which it installs as Kdll.dll in the \Windows\System directory while infecting a new machine.  Most anti-virus companies require new updates to detect and clean this worm.  If infected, the worm may attempt to steal confidential information and log keystrokes.

    F-Secure
    Microsoft
    Symantec
    McAfee
    Trend
    Panda
    Sophos

  • November 13, 2001 - On November 12 Microsoft reported, and released a patch for, a serious "Cookie Data in IE Can Be Exposed or Altered Through Script Injection" security vulnerability in versions 5.5 and 6.0 of the Internet Explorer web browser. This vulnerability allows the cookies stored on the user's computer to be accessed through a specially crafted URL created for this purpose.  An update patch for both versions of IE is found at the above link.

    The latest version of Zone Alarm Pro (2.6.357) allows some Internet addresses (those sharing the same first two IP octets with the local machine) to be incorrectly identified as local, thus assigning them the lowest security level. This could allow malicious users to carry out attacks.  The Bugtraq report is found here.  The free version of Zone Alarm, while not reported specifically, is thought to be vulnerable in a similar manner.
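    The misclassification described above, as an added example written for this page (it is not Zone Labs' code, and the product's actual internal logic is not known from this report): the weak "same first two octets" rule beside a check that honours the configured subnet mask. All addresses are constructed.

```python
"""Local-zone classification: the "same first two octets" rule described above
beside a mask-based check. Added example; not Zone Labs' code. Addresses are
constructed and the real product's internal logic is not known from this page."""
import ipaddress

# Constructed: the protected host's address and the subnet it actually sits on.
LOCAL_ADDRESS = ipaddress.ip_address("198.51.100.23")
LOCAL_NETWORK = ipaddress.ip_network("198.51.100.0/24")


def is_local_flawed(peer: str) -> bool:
    """The weak rule: any peer whose first two octets match ours counts as local,
    so an unrelated host anywhere in 198.51.x.x lands in the low-security zone."""
    return peer.split(".")[:2] == str(LOCAL_ADDRESS).split(".")[:2]


def is_local(peer: str, network: ipaddress.IPv4Network = LOCAL_NETWORK) -> bool:
    """The corrected rule: membership in the configured subnet, honouring its mask."""
    return ipaddress.ip_address(peer) in network


def security_zone(peer: str, checker=is_local) -> str:
    """Zone whose rule set a firewall would apply to traffic from `peer`."""
    return "local" if checker(peer) else "internet"


if __name__ == "__main__":
    for peer in ("198.51.100.200", "198.51.7.9", "203.0.113.5"):
        print(peer, "flawed:", security_zone(peer, is_local_flawed),
              "correct:", security_zone(peer, is_local))
```

    With the flawed rule 198.51.7.9 is treated as a trusted local host although it is outside the /24; the mask-based check keeps it in the Internet zone.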

  • October 31, 2001 - Nimda.E worm - This is a copy-cat worm that has been recompiled; as a result, some anti-virus programs that detected the original Nimda did not detect Nimda.E without updates. The filenames used by the original Nimda worm have been renamed.  Nimda.E operates like Nimda.A: a multifaceted network worm using four different propagation methods: 1) infecting files, 2) mass mailing, 3) web worm and 4) LAN propagation.  Anti-virus developers are not unanimous on whether this one will spread effectively, but it is listed here as a precaution.

    Trend
    F-Secure
    Symantec
    MSNBC
    USA Today

  • September 18, 2001 - Nimda (admin spelled backwards) worm spreads quickly worldwide - this worm combines the functionality of a mass mailer and a web worm. The worm spreads both through e-mail attachments and by attacking vulnerable web servers on the net.

    End-users can get infected either by opening an e-mail attachment called README.EXE or by surfing to an infected web site, which may prompt the user to download README.EXE. After the end-user has executed the file, the worm continues to spread in two different ways. First it sends itself out via e-mails directed to addresses found in the user's e-mail inbox. Secondly it starts to scan random Internet addresses trying to locate vulnerable IIS web servers.

    The worm uses several known security holes to spread. One of them causes the e-mail attachment to execute automatically when the message is read on some systems.  Further information about the Nimda worm from anti-virus developers is found below:

    Symantec
    fixtool found here
    F-Secure
    description of Nimda is found here; removal tools are here
    Cybersoft
    Trend
    fixtool found here
    McAfee
    AVP
    Computer Associates
    new definitions here, Nimda utilities here
    Microsoft
    nice explanation of which patches will fix each vulnerability
    CERT
    and CERT Advisory

    NH&A licensed customers can update their virus definitions at http://www.nha.com/ftp; contact support if you don't have the appropriate username/password.

    Nimda uses the Unicode Web Traversal exploit. A patch and information regarding this exploit can be found there. 

    When Nimda arrives by e-mail, the worm uses a MIME exploit that allows the virus to be executed just by reading or previewing the message. Information and a patch for this exploit can be found there.

    Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network traffic jam.

    It creates a SYSTEM.INI entry to load the worm at startup:
    Shell=explorer.exe load.exe -dontrunold

    The email messages created by the worm specify a content-type of audio/x-wav with an executable attachment type. Thus when a message is accessed, the attachment can be executed even if the user does not open it and without the user's knowledge.

    It adds JavaScript code to HTML documents, which opens a new browser window containing the infectious email message itself (taken from the dropped file README.EML). When this infected window is accessed (locally or remotely), the machine viewing the page is then infected.

    The virus contains the string: Concept Virus (CV) V.5, Copyright (C) 2001 R.P.China

    Note:  It is recommended that all IIS administrators read and implement the cumulative patch for IIS 4.0 and 5.0 servers.
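    Two defensive checks for the Nimda indicators described above, as an added example written for this page (not the worm's code and not any vendor's tool): a mail-gateway test that flags an attachment whose declared MIME type (audio/x-wav) disagrees with its executable name or its MZ header, and a check of the SYSTEM.INI Shell= line. The same mismatch test is what a gateway would apply to the Badtrans.B messages described earlier, which also execute without the attachment being opened. The message below is constructed, not a real capture.

```python
"""Two defensive checks for the Nimda indicators described above. Added example,
not the worm's code and not any vendor's tool: (1) a mail-gateway test for an
attachment whose declared MIME type disagrees with its name or contents, and
(2) a check of the SYSTEM.INI Shell= line. The message below is constructed."""
import email
from email import policy

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".vbs"}

# Constructed message modeled on the description above (not a real capture):
# the attachment is declared audio/x-wav, but its name and MZ header say PE executable.
SAMPLE_EML = b"""From: someone@example.invalid
To: user@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====_constructed_===="

--====_constructed_====
Content-Type: text/plain

see attached
--====_constructed_====
Content-Type: audio/x-wav; name="README.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="README.EXE"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--====_constructed_====--
"""


def attachment_findings(raw: bytes) -> list:
    """Return one string per suspicious non-multipart part in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        # An executable name hiding behind a media type the client may auto-render.
        if ext in EXECUTABLE_EXTENSIONS and not ctype.startswith("application/"):
            findings.append(f"{name}: executable extension declared as {ctype}")
        # The contents are a PE image regardless of what the headers claim.
        if payload[:2] == b"MZ" and not ctype.startswith("application/"):
            findings.append(f"{name or '<unnamed>'}: MZ header inside a {ctype} part")
    return findings


def shell_line_suspicious(line: str) -> bool:
    """True when a SYSTEM.INI [boot] Shell= line loads anything besides explorer.exe,
    e.g. the 'Shell=explorer.exe load.exe -dontrunold' entry described above."""
    key, _, value = line.partition("=")
    if key.strip().lower() != "shell":
        return False
    return value.lower().split() != ["explorer.exe"]


if __name__ == "__main__":
    for finding in attachment_findings(SAMPLE_EML):
        print("mail:", finding)
    for line in ("shell=Explorer.exe", "Shell=explorer.exe load.exe -dontrunold"):
        print("system.ini:", line, "->", "SUSPICIOUS" if shell_line_suspicious(line) else "ok")
```

    A gateway that only trusts the declared Content-Type sees a harmless sound file; checking the filename extension and the first bytes of the decoded payload catches the disguise either way.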
  • August 7, 2001 - CodeRed and SirCam worms spread - The worms are spreading quickly around the Internet.  There are three variants of CodeRed, the third being the most harmful because it implants a trojan that lets an attacker take control of the machine. Information on these worms is found here:

    CodeRed.v3 or CodeRed.C, CodeRed III, W32.Bady.C (includes trojan to enable hacker control of machine):

    Microsoft
    (patch to prevent Code Red is here)
    SANS (comprehensive report)
    Security Focus
    eEye Digital (Code Red scanner is here)
    CR2KILL (link to the detection and removal program is found here)
    Symantec (vulnerability program tool is here)
    McAfee
    Computer Associates
    Trend (removal tool is here)
    F-Secure

    News sources:

    InfoWorld
    CNET
    CNN
    ComputerWorld
    Wired

    Note:  anyone wishing to contribute to the removal of CodeRed.V3 is welcome to create an executable file that will do the steps outlined here.

    CodeRed (TROJ_BADY.A, W32/Bady.worm, CODERED, CODE RED, HBC)

    Symantec
    McAfee
    Trend
    F-Secure

    SirCam (W32.Sircam.Worm@mm, W32/SirCam@mm, Backdoor.SirCam) - can send out confidential information from your machine.

    Symantec (SirCam removal program here)
    McAfee (removal tool is here)
    Trend
    F-Secure

    Vulnerability fixes from Microsoft required for CodeRed, all variants:

    "Relative Shell Path" Vulnerability

    Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
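    An IIS log scanner for the two server-side propagation methods this page covers, the Index Server ISAPI (.ida/.idq) overflow named in the Microsoft fix above and the Unicode web traversal used by Nimda, as an added example written for this page (not from the advisories or any vendor). The log lines are constructed in a simplified W3C layout, and the 200-byte query threshold is an assumed cut-off, not a value from the advisories.

```python
"""IIS log scanner for the two server-side propagation methods on this page:
the Index Server ISAPI (.ida/.idq) overflow used by CodeRed and the Unicode
traversal used by Nimda. Added example, not from the original page or any vendor.
Log lines are constructed in a simplified W3C layout; QUERY_LIMIT is an assumed
threshold, not a value from the advisories."""
import re
from urllib.parse import unquote

# Overlong UTF-8 escapes (%c0%af, %c1%1c, %c1%9c, ...) that decode to '/' or '\'.
OVERLONG_UTF8 = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)
ISAPI_EXTENSIONS = (".ida", ".idq")
QUERY_LIMIT = 200  # assumed: legitimate Index Server queries are far shorter

# Constructed lines: date time c-ip method uri-stem uri-query status
SAMPLE_LOG = "\n".join([
    "2001-08-07 10:12:01 203.0.113.7 GET /default.ida " + "N" * 230 + " 200",
    "2001-09-18 03:44:10 198.51.100.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200",
    "2001-09-18 03:44:11 198.51.100.9 GET /index.html - 200",
    "2001-09-18 03:45:00 192.0.2.4 GET /search.idq CiRestriction=nimda 200",
])


def classify_request(stem: str, query: str) -> list:
    """Findings for one request; an empty list means nothing matched."""
    findings = []
    if stem.lower().endswith(ISAPI_EXTENSIONS) and len(query) > QUERY_LIMIT:
        findings.append("oversized query to Index Server ISAPI extension (CodeRed pattern)")
    if OVERLONG_UTF8.search(stem) or "../" in unquote(stem):
        findings.append("directory traversal in URI (Nimda Unicode pattern)")
    return findings


def scan_log(text: str) -> list:
    """Return (client, uri-stem, finding) tuples for every suspicious request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than guess
        client, stem, query = fields[2], fields[4], fields[5]
        for finding in classify_request(stem, query):
            hits.append((client, stem, finding))
    return hits


if __name__ == "__main__":
    for client, stem, finding in scan_log(SAMPLE_LOG):
        print(f"{client} {stem[:40]} -> {finding}")
```

    Legitimate Index Server queries (the /search.idq line) pass untouched, while the oversized .ida request and the overlong-UTF-8 traversal are each reported once with the client address, which is what an administrator needs to confirm that the Microsoft fixes listed above were applied in time.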
  • June 28, 2001 - Flaws leave Cisco's IOS vulnerable - Cisco Systems Inc. on Wednesday revealed that there are several serious security vulnerabilities in its Internet Operating System software, which runs on its popular lines of routers, switches and firewalls.  

    The most serious vulnerability affects all versions of the company's IOS software from release 11.3 forward, which effectively encompasses all of Cisco's mainstream routers and switches. When the HTTP server in the IOS software is enabled and local authorization is in use, an attacker could bypass the authentication function by sending a carefully crafted URL to the server. The attacker then has complete control over the device and is able to see and change its configuration settings.

    http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
    http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
  • April 25, 2001 - Viruses on Microsoft Web site - Microsoft Product Support Services (PSS) recently discovered that several hotfixes released during the past two weeks were infected with a virus. Here are the most important facts regarding this issue.
    • The affected hotfixes were not accessible to the general public. We have identified the specific customers who downloaded them, and are in the process of contacting these customers and helping with remediation.
    • Only a limited number of hotfixes were infected, all of which were released during the past two weeks. No security patches were infected.
    • The specific virus is a known one that most commercial virus scanners will detect and remove.

    Full text of information from Microsoft is here 
    Interestingly enough, Microsoft warned about FunLove a month earlier.
    Symantec information on FunLove virus

  • March 22, 2001 - VeriSign goofs - issuing two digital certificates on Jan. 29 and 30, 2001 to someone posing as a Microsoft employee.  A Microsoft security bulletin MS01-017 issued March 22 states:

    "VeriSign, Inc., recently advised Microsoft that on January 30 and 31, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run."

    Mahi deSilva, VeriSign's vice president and general manager of applied trust services, is quoted in USA Today as blaming "human error" for the fraudulent certificates and saying the company's reputation shouldn't suffer "because we found this problem. We've been very proactive about communicating this problem to the various authorities. We think we've done everything we can to be ahead of the curve here."

    VeriSign has revoked the certificates, and they are listed in VeriSign's current Certificate Revocation List (CRL). However, because VeriSign's code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser's CRL-checking mechanism to download the VeriSign CRL and use it. Microsoft is developing an update that rectifies this problem. 

    Versions of the update are being prepared for all Microsoft platforms released since 1995. However, because of the large number of platforms that must be tested, the patches are not available at this writing. Until the update is available, we urge customers to take some or all of the following steps to protect themselves should they encounter hostile code signed by one of the certificates.

    - Visually inspect the certificates cited in all warning dialogues. The two certificates at issue here were issued on 29 and 30 January 2001, respectively. No bona fide Microsoft certificates were issued on these dates. The FAQ and Knowledge Base article Q293817 provide complete details regarding both certificates.

    - Install the Outlook Email Security Update to prevent mail-borne programs from being launched, even via signed components, and install the Office Document Open Confirmation Tool to force web pages to request permission before opening Office documents.

    - Consider temporarily removing the VeriSign Commercial Software Publishers CA certificate from the Trusted Root Store. Knowledge Base article Q293819 provides details on how to do this.

    For additional information about this issue, click the article number below to view the article in the Microsoft Knowledge Base:

    Q293818 Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
    For additional information about how to revoke these certificates' trusted status, click the article number below to view the article in the Microsoft Knowledge Base:
    Q293816 How to Determine Whether You Have Accepted Trust for Fraudulent VeriSign-Issued Certificates

    Note: NH&A questions the timing of VeriSign's notification of the security breach to Microsoft.  Note that while VeriSign says it has been proactive, Microsoft says it was advised in early March of a breach that happened Jan 30 and 31.  We were unable to find any notice of this problem on the VeriSign site.
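    The revocation gap described above (a code-signing certificate that names no CRL Distribution Point, so a browser cannot find VeriSign's CRL on its own), as an added example written for this page in Python; it is not Microsoft's or VeriSign's code. It models a revocation-status lookup and the trust decision built on it, and shows why a checker that treats "cannot determine" as "not revoked" accepts exactly these certificates. Issuer name is the one given in the steps above; serials and the CRL URL are constructed placeholders.

```python
"""Revocation status for a code-signing certificate when the certificate carries
no CRL Distribution Point (CDP). Added example; not Microsoft's or VeriSign's code.
Serials and URLs below are constructed placeholders."""
from dataclasses import dataclass, field

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass
class Certificate:
    subject_cn: str
    issuer: str
    serial: str
    crl_distribution_points: list = field(default_factory=list)  # URLs; empty = no CDP


def revocation_status(cert: Certificate, fetched_crls: dict, local_crls: dict) -> str:
    """fetched_crls maps a CDP URL to the set of revoked serials a client could
    download from it; local_crls maps an issuer name to a CRL installed out of
    band (the only way to obtain the issuer's list when the cert names no CDP)."""
    if cert.issuer in local_crls:
        return REVOKED if cert.serial in local_crls[cert.issuer] else GOOD
    for url in cert.crl_distribution_points:
        if url in fetched_crls:
            return REVOKED if cert.serial in fetched_crls[url] else GOOD
    # No CDP to follow and nothing installed locally: status cannot be determined.
    return UNKNOWN


def allow_signed_code(status: str, fail_closed: bool = True) -> bool:
    """Fail open treats UNKNOWN as good, so a revoked certificate the client could
    never look up is accepted; fail closed refuses to run code it cannot vet."""
    if status == REVOKED:
        return False
    if status == GOOD:
        return True
    return not fail_closed


if __name__ == "__main__":
    issuer = "VeriSign Commercial Software Publishers CA"  # name as given on this page
    cert = Certificate("Microsoft Corporation", issuer, "serial-constructed-1")
    status = revocation_status(cert, fetched_crls={}, local_crls={})
    print("no CDP, no local CRL:", status,
          "-> fail open runs it:", allow_signed_code(status, fail_closed=False),
          "| fail closed runs it:", allow_signed_code(status))
    installed = {issuer: {"serial-constructed-1"}}
    print("with the issuer's CRL installed locally:", revocation_status(cert, {}, installed))
```

    The second print shows the effect of the workaround the bulletin describes: once the revocation list is available locally, the lookup no longer depends on a CDP the certificate never carried.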

  • March 14, 2001 - Magistr is a dangerous memory-resident Win32 worm-virus. It spreads via the Internet in infected e-mails, infects Windows executable files on the affected (local) computer, and is able to spread itself over a local network.

    The virus has an extremely dangerous payload. Depending on different conditions it erases hard drive data, CMOS memory and Flash BIOS data in the same way the Win95.CIH (aka Chernobyl) virus does.

    The virus infects PE EXE files (Win32 executables) in a complex and difficult-to-disinfect way. The virus encrypts its main code with a polymorphic engine and writes itself to the end of the file. To gain control when an infected file runs, the virus patches the program's entry code with a second polymorphic routine that passes control to the encrypted main virus code at the end of the file.

    The virus itself is a program about 30Kb long written in Assembler, which is very large for a virus written in pure Assembler. This large size is caused by the virus's EXE infection algorithm, e-mail and network spreading routines, polymorphic engines (there are two), payload routines and the many tricks the virus uses to make its detection and disinfection more difficult.

    When the virus sample is run (from an infected message, for example, when a user clicks on an infected attachment), the virus installs itself as a component of EXPLORER.EXE (in Windows memory) and then operates in the background (running as an EXPLORER thread). While active in the background it scans all files and infects PE executables.

    It also spreads itself with email as an attachment and infects computers over a network. The worm scans email database files of Outlook Express, Netscape Messenger and Internet Mail and News applications, gets email addresses from there and sends itself to these addresses.

    Here are some links that provide information on the Magistr worm/virus and how to clean it up:

    F-Secure
    Symantec
    McAfee
    Trend

  • March 7, 2001 - "Naked Wife" - Another Visual Basic virus, discovered Tuesday and called W32/Naked@MM, lures potential victims with the subject line "Naked Wife." The message body reads: "My wife never look like that! ;-)". It carries an attachment, NakedWife.exe.

    NakedWife is an e-mail worm that spreads as an attachment called NakedWife.exe. The worm uses the MS Outlook Address Book to find e-mail addresses and sends itself to these addresses with the help of the MS Outlook application. The worm is a PE executable about 74 kb long written in Visual Basic. The most probable origin is Brazil.

    When the worm is run it shows a dialog box that looks like a ShockWave Flash animation's loading dialog, displaying the text "Jib Jab loading...".

    After the worm sends itself it performs a destructive action. It deletes all *.INI, *.LOG, *.DLL, *.EXE, *.COM and *.BMP files (in that order) in root Windows folder and then deletes all *.INI, *.LOG, *.DLL, *.EXE, *.COM, and *.BMP files in Windows System folder. A system attacked by this worm becomes unusable shortly after that.

    If you receive a message with NakedWife.exe attached, don't run the file (don't click on the attachment); delete the message to avoid infection.

    Here are some links that provide information on the Naked Wife worm/virus and how to clean it up:

    Sophos
    McAfee
    F-Secure
    Symantec
    Trend
    AVP

  • January, 2001 - The KAK worm/virus seems to be spreading, as evidenced by e-mail from our customers and friends.  Here are some links that provide information on the KAK worm/virus and how to clean it up:

    http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000020318071406&src=hot
    http://www.Europe.F-Secure.com/v-descs/kak.shtml
    http://vil.nai.com/vil/virusMethodOfInfection.asp?virus_k=10509

    You will find files named KAK on your hard drive, which confirms that you have the worm/virus. You will need to delete these as the instructions above indicate. Then get a good anti-virus program.

    Virtual Card for You - HOAX - resurfaces despite a lot of information that clearly identifies it as a hoax:

    http://chekware.com/hoax/Virtual_Card.htm
    http://www.vmyths.com/
    http://vil.nai.com/VIL/hoaxes.asp
    http://www.symantec.com/avcenter/hoax.html
    http://www.antivirus.com/vinfo/hoaxes/hoax.asp
    http://www.sophos.com/virusinfo/hoaxes/

  • Also check here for virus alerts:

    Symantec
    McAfee
    F-secure
    Sophos
