











Volume: 2002 | Issue: 273 | July 20, 2002

In this Issue:
Virus Warning
Vulnerability Updates
Virus Warnings

Name of the virus: W32.Lavehn.A@mm
Discovery Date: July 20, 2002
Description: W32.Lavehn.A@mm is a mass-mailing worm that sends itself to all addresses in the Microsoft Outlook Address Book. The email message has the following characteristics:
  Subject: ADMISION 2003
  Attachment: Unheval.exe
The worm deletes from the infected computer all files that have the extensions .xls, .doc, .mdb, .mp3, .rpt, or .dwg.
Aliases: Bloodhound.W32.VBWORM
Alert: Low
Fix information/Recovery: http://www.symantec.com/avcenter/venc/data/w32.lavehn.a@mm.html
Name of the virus: W32/Holar@MM
Discovery Date: July 20, 2002
Description: This mass-mailing worm spreads via email, MSN Messenger, and network shares. It arrives as an attachment (54,784 bytes) with a .PIF extension. The filename is chosen by taking the filename (without the extension) of a file in the My Documents directory on the infected system. The subject of the message is the same as the filename without the extension. The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (version 5.01 or 5.5 without SP2) to automatically execute the virus on vulnerable systems.
Aliases: --
Alert: Low
Fix information/Recovery: http://vil.mcafee.com/dispVirus.asp?virus_k=99572
Name of the virus: W32/Surnova-D
Discovery Date: July 20, 2002
Description: W32/Surnova-D is a worm that spreads using the KaZaA network software installation and the MSN instant messenger utility. The worm will initially copy itself to the Windows folder with one of the following filenames:
  Alles-ist-vorbei.exe
  Desktop-shooting.exe
  Hello-Kitty.exe
  BigMac.exe
  Cheese-Burger.exe
  Blaargh.exe
W32/Surnova-D will also attempt to send itself to contacts in the infected user's Messenger contact list. The worm will arrive with one of the following messages:
  Hehe, check this out :-)
  Funny, check it out (h)
  LOL!! See this :D
  LOL!! Check this out :)
  Hehe, this is fun :-)
The worm also creates a text file in the Windows folder with a name consisting of randomly generated digits. The text file contains the text:
  W32.Supernova - Ban religion
  Religion = War
  Religion = Based on fairytales
  Wars based on fairytales? Ban religion, welcome to the truth
Aliases: W32.Supova
Alert: Low
Fix information/Recovery: http://www.sophos.com/virusinfo/analyses/w32surnovad.html
Vulnerability Updates

Name of the Vulnerability: Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate the file descriptor argument to _TT_ISCLOSE()
Discovery date: July 20, 2002
Description: The Common Desktop Environment (CDE) ToolTalk RPC database server does not adequately validate a client-supplied argument, allowing attackers to overwrite certain locations in memory with zeros. This vulnerability could be exploited in a number of ways, potentially allowing attackers to cause a denial of service, remotely delete arbitrary files, remotely create arbitrary directories, and potentially execute arbitrary code or commands.
A component of CDE, the ToolTalk architecture allows applications to communicate with each other via remote procedure calls (RPC) across different hosts and platforms. The ToolTalk RPC database server manages connections between ToolTalk applications. CDE and ToolTalk are installed and enabled by default on many common UNIX platforms. ToolTalk clients can close a ToolTalk database by issuing an RPC request to the database server. During this process, a call is made to the procedure _TT_ISCLOSE(), and a file descriptor argument supplied by the client is used to reference a memory structure that contains information about the requested ToolTalk database. A memory location within the structure is set to zero (0L), ostensibly closing the requested database. The ToolTalk database server does not check the range of the file descriptor, so it is possible to reference a location in memory that is outside the region that contains valid database information. As a result, a specially crafted RPC call can cause specific memory locations in the ToolTalk database server process space to be set to zero. By issuing such a call, and also by controlling the contents of memory through other means, attackers could exploit this vulnerability in a number of different ways.
Impact of Vulnerability: An attacker can remotely delete arbitrary files and remotely create arbitrary directory entries. In addition, attackers might be able to crash the ToolTalk RPC database server, denying service to legitimate users. It could be possible for attackers to execute arbitrary code and commands.
Exposed System Component: Vendor: Caldera, Compaq, HP, IBM, Sun Microsystems, Xi Graphics.
Workaround/Solutions:
  Apply a patch (not yet available)
  Disable rpc.ttdbserverd
  Block or restrict access
More info available at: http://www.kb.cert.org/vuls/id/975403
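The defect described above is a client-controlled index used without a range check. The following C model, added here and not taken from the ToolTalk source or the advisory, contrasts the unchecked pattern with a handler that validates the descriptor before writing; the table layout, field names and size are constructed for illustration.

```c
#include <stdio.h>

/* Constructed stand-in for the per-database table that the server indexes
 * with a client-supplied descriptor (hypothetical layout, not ToolTalk's). */
#define TT_MAX_DB 8

struct tt_db {
    long fd;    /* descriptor the client refers to */
    long open;  /* non-zero while the database is open */
};

static struct tt_db tt_dbs[TT_MAX_DB];

/* Unchecked pattern from the advisory: the descriptor is used as an index
 * directly, so a value outside 0..TT_MAX_DB-1 writes 0L outside the table.
 * Kept only for contrast; never reached with untrusted input here. */
static void tt_isclose_unchecked(long fd)
{
    tt_dbs[fd].open = 0L;
}

/* Hardened handler: reject descriptors outside the table and slots that are
 * not open before touching memory. Returns 0 on success, -1 if rejected. */
static int tt_isclose_checked(long fd)
{
    if (fd < 0 || fd >= TT_MAX_DB)  /* range check on the index itself */
        return -1;
    if (tt_dbs[fd].open == 0L)      /* closing an unopened slot is invalid too */
        return -1;
    tt_dbs[fd].open = 0L;
    return 0;
}

/* Test helpers: mark a slot open, and report a slot's state (-1 = bad fd). */
static void tt_open_db(long fd)
{
    if (fd >= 0 && fd < TT_MAX_DB) { tt_dbs[fd].fd = fd; tt_dbs[fd].open = 1L; }
}

static long tt_is_open(long fd)
{
    return (fd >= 0 && fd < TT_MAX_DB) ? tt_dbs[fd].open : -1;
}

int main(void)
{
    tt_open_db(3);
    tt_isclose_unchecked(3);                 /* fine only because 3 is in range */
    tt_open_db(3);
    printf("close 3  -> %d\n", tt_isclose_checked(3));   /* 0: accepted   */
    printf("close 99 -> %d\n", tt_isclose_checked(99));  /* -1: rejected  */
    printf("close -1 -> %d\n", tt_isclose_checked(-1));  /* -1: rejected  */
    return 0;
}
```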