New Worms and Helpful Computer Users (CIAC N-153)


             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                      New Worms and Helpful Computer Users

September 18, 2003 22:00 GMT                                      Number N-153
______________________________________________________________________________
PROBLEM:       A new worm named Swen appeared this morning masquerading as a 
               patch for a Microsoft Windows vulnerability. The spread of the 
               worm is being helped along by computer users who dutifully 
               install the patch (worm) and pass it on. 
PLATFORM:      Windows 
DAMAGE:        Helpful users install and pass on the worm. 
SOLUTION:      1. Keep your antivirus software up to date. 
               2. Do not execute attachments that you are not expecting. 
               3. Do not install patches received as e-mail attachments. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Current viruses and worms install backdoors 
ASSESSMENT:    in systems that allow remote intruders to take over and use 
               those systems. Usage includes spying, industrial espionage, 
               e-mail spamming, creation of porno sites, proxy servers, etc. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-153.shtml 
 BACKGROUND:         http://www.computerworld.com/securitytopics/ 
                          security/story/0,10801,84214,00.html 
                     http://office.microsoft.com/assistance/Preview.aspx?
                          AssetID=HA010550011033&CTT=6&Origin=EC010553071033
______________________________________________________________________________

A new worm named W32.Swen.A@mm appeared this morning masquerading as a patch 
for a Microsoft vulnerability. The e-mail appears to come from security at 
Microsoft and has an attached executable file that is supposed to be a patch 
for the vulnerability. In fact, the patch is the virus and double clicking 
on the patch installs the virus on your system.

A few copies managed to get into at least one site before e-mail virus 
scanners were updated. While this in itself is not noteworthy (we see new 
worms appearing almost daily) we would like to reiterate to DOE computer users
three security items.

    1. Keep your antivirus scanners up to date.
    2. Do not execute attachments you are not expecting especially if those 
       attachments are executables.
    3. Do not install patches or updates sent as attachments to e-mail 
       messages.

Keep Your Antivirus Scanners Up To Date
=======================================

Antivirus scanners must be kept up to date. You should update your scanners 
on a weekly basis to ensure that you have the most up-to-date virus 
definitions. If you hear of a new virus making the rounds, update your 
antivirus definitions immediately before reading mail or downloading any 
files. Most scanners can be set to automatically update themselves on a 
regular schedule. Don’t depend on corporate antivirus scanners to protect you
as new malicious code can sneak by them before new scan signatures are 
available. 

Do Not Execute Attachments You Don’t Expect
===========================================

One of the most common methods for the current viruses and worms to spread is 
as e-mail attachments. If you get an attachment from someone, even someone you
know, don’t simply double click on it to see what it is. Virus scanners can 
miss things or be out of date for a while, such as when a new worm first hits, 
so you must be on the alert for malicious code that gets past them.

Before opening an attachment, determine if it is a document or picture, or if 
it is an executable file, batch file, or script file. On Windows systems the 
file type is determined by the file extension. The extensions for files that 
can execute code are:

.ade, .adp, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .hta, .inf,
.ins, .isp, .js, .jse, .lnk, .mdb, .mde, .msc, .msi, .msp, .mst, .pcd, .pif, 
.reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh

(See the following article for more information on these types: 
http://office.microsoft.com/assistance/preview.aspx?AssetID=HA010550011033&CTT=6&Origin=EC010553071033 )

To see file extensions, you must turn off the Windows Explorer option “Hide 
extensions for known file types.” 

To turn it off, 

    1. Open a file explorer window.
    2. Choose Tools, Folder Options, View tab.
    3. Uncheck Hide file extensions for known file types.
    4. Click OK.

Some malicious code tries to hide the file type by using a double extension. 
For example, mypictures.jpg.exe appears to be a picture file (.jpg). This is 
especially true if “Hide file extensions for known file types” is checked, in 
which case you will only see the .jpg extension. Be sure you can see 
extensions, and look at the right-most extension, as that is the one that 
determines the true file type. Look also at the icon, as it is determined by 
the file type and the application used to open that file.

The .lnk file type is always hidden, even when you uncheck “Hide file 
extensions for known file types.” Look at the icon displayed for the file. If 
it is a .lnk file the icon has a square box containing a bent arrow 
superimposed on the lower-left corner of the icon. For example, the following 
icon is a link to a spreadsheet. 

[Image n-153.jpg: a spreadsheet icon with the shortcut arrow overlaid on its lower-left corner]
 
You can also right click on the file and select properties. On the General tab
the Type of File is Shortcut. Normally, .lnk files are links to other files 
but if they are executable code instead of a link, they run when double 
clicked.
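The screening rule described above (right-most extension decides the file type, double extensions such as mypictures.jpg.exe are a warning sign, and .lnk is never shown by Explorer) as an added example that is not part of the CIAC bulletin. The extension set is taken from the bulletin's own list; a site could extend it from local policy.

```python
"""Attachment screening helper (added example, not from the CIAC bulletin).
On Windows the right-most extension decides the file type, so
'mypictures.jpg.exe' is an executable, not a picture."""

# Extensions the bulletin lists as able to execute code.
EXECUTABLE_EXTENSIONS = {
    ".ade", ".adp", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl", ".crt",
    ".exe", ".hlp", ".hta", ".inf", ".ins", ".isp", ".js", ".jse", ".lnk",
    ".mdb", ".mde", ".msc", ".msi", ".msp", ".mst", ".pcd", ".pif", ".reg",
    ".scr", ".sct", ".shs", ".url", ".vb", ".vbe", ".vbs", ".wsc", ".wsf",
    ".wsh",
}


def true_extension(filename: str) -> str:
    """Return the right-most extension, lower-cased, or '' if there is none.
    Trailing spaces and dots are stripped first because Windows drops them
    from file names, so 'report.exe.' is still an .exe."""
    name = filename.rstrip(" .")
    base = name.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]  # drop any path part
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def classify_attachment(filename: str) -> dict:
    """Classify an attachment name the way the bulletin tells users to:
    judge by the right-most extension and flag double extensions that try to
    pass an executable off as a document or picture."""
    ext = true_extension(filename)
    parts = filename.rstrip(" .").lower().split(".")
    # 'mypictures.jpg.exe' has a benign-looking extension just before the
    # real one; an inner extension that is itself executable is not a disguise.
    inner = "." + parts[-2] if len(parts) >= 3 else ""
    executable = ext in EXECUTABLE_EXTENSIONS
    return {
        "filename": filename,
        "true_extension": ext,
        "executable": executable,
        "double_extension": executable and bool(inner)
        and inner not in EXECUTABLE_EXTENSIONS,
        # Explorer never shows .lnk, even with extensions turned on.
        "hidden_in_explorer": ext == ".lnk",
    }


if __name__ == "__main__":
    # Constructed sample attachment names, one per case the bulletin describes.
    for name in ("budget.xls", "mypictures.jpg.exe", "Q3 Report.XLS.lnk"):
        print(classify_attachment(name))
```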

Do Not Install Patches and Updates Received Via E-mail Attachments
==================================================================

Software vendors, antivirus vendors, and incident response teams (such as 
CIAC) do not send patches as attachments to e-mail messages. All will send 
messages describing the problem and then provide an online link where you can 
go to get and verify a patch or update. Check the link to be sure it really 
points to the company you want to get the patch from. Better yet, type the 
URL for the company yourself instead of clicking on the link. We have seen 
links in fraudulent messages that look like the following:

    http://www.paypal.com@az.ru

You might think that this is a link to www.paypal.com but it is not. In this 
case, www.paypal.com is the username at the az.ru site. 
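The parse the bulletin describes, as an added example that is not part of the CIAC bulletin: the standard URL parser puts everything before the "@" into the userinfo, so the host a browser would connect to is az.ru. The expected domain passed to check_link is an assumption supplied by the caller.

```python
"""Link-checking helper (added example, not from the CIAC bulletin).
Shows why 'http://www.paypal.com@az.ru' is not a link to paypal.com."""
from urllib.parse import urlsplit


def real_host(link: str) -> str:
    """Return the host a browser would actually connect to, lower-cased."""
    return (urlsplit(link).hostname or "").lower()


def check_link(link: str, expected_domain: str) -> dict:
    """Compare the real host against the domain the message claims to be
    from. expected_domain is the site the reader intends to reach
    (assumed input, e.g. 'paypal.com')."""
    parts = urlsplit(link)
    host = real_host(link)
    expected = expected_domain.lower()
    # Accept the domain itself or a subdomain of it; anything else is a
    # different site, whatever text appears before the '@'.
    matches = host == expected or host.endswith("." + expected)
    return {
        "link": link,
        "real_host": host,
        "userinfo": parts.username,   # 'www.paypal.com' in the bulletin's example
        "has_userinfo": parts.username is not None,
        "matches_expected": matches,
    }


if __name__ == "__main__":
    # The bulletin's fraudulent link next to a constructed legitimate one.
    print(check_link("http://www.paypal.com@az.ru", "paypal.com"))
    print(check_link("https://www.paypal.com/login", "paypal.com"))
```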

Conclusions
===========

As we stated in the beginning, a new worm has been seen that is entering sites
via an e-mail attachment. While this is not a unique event, it is a good time
to review what you should do when you receive an e-mail message with an 
attachment. 

  Remember:

    1. Keep your antivirus up to date.
    2. Don’t run attachments you are not expecting.
    3. Don’t install patches and updates that are e-mail attachments.

______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-144: Microsoft Visual Basic Buffer Overrun Vulnerability
N-145: Microsoft Access Snapshot View Buffer Overrun Vulnerability
N-146: Apache 2.0.47 Release Fixes Security Vulnerabilities
N-147: Hewlett Packard Potential Security Vulnerability B.11.11 DCE
N-148: Sun Security Issue Involving the Solaris sadmind(1M) Daemon
N-149: Sendmail 8.12.9 Prescan Bug
N-150: Red Hat Updated KDE packages fix security issues
N-151: OpenSSH Buffer Management Error
N-152: Real Networks Streaming Server Vulnerability
