Virus Warnings from January 2001
______________________________________________________________

Amiga

Date: January 27, 2001
Platform: Amiga
Warning About: NO Virus/Trojan In The "CK-Bombfire" File
Report From: Virus Help Denmark
* Release Note: There is NO virus/trojan in the "CK-Bombfire" file, as users can read on our warning page, it is a bug in xvs.library. Alex will release a new update of xvs this weekend (I hope)......
* Click here for Latest Amiga xvs.library

Date: January 26, 2001
Platform: Amiga
Warning About: Amiga TCP Trojan Has Been Found
Report From: Virus Help Team Denmark (VHT-DK)
* Release Note: At this time only Safe v14.7 (file name Safe147.lha), can detect the trojan and remove the trojan from memory, and within a few days, by the "xvs.library".
* Click here for VHT-DK Virus Warning vht-dk94
* Click here for Safe v14.7 Program

Date: January 23, 2001 * See Update dated Jan 27th
Platform: Amiga
Warning About: DKG-Blum Virus on Amiga Active CD 17
Report From: Amiga.org
* Release Note: There is a virus on Amiga Active CD 17. The file AACD17:AACD/Demos/Spoletium3/Demo/2.CamelKaos-Bombfire/CK-Bombfire.exe is infected with the DKG-Blum virus. This virus is detected with version 33.24 of xvs.library, but that library wasn't released until two days after AACD17 was mastered.
* Click here for Amiga Active's Statement on Amiga Active CD 17
* Click here for Amiga.org Posts on Amiga Active CD 17 has a virus
* Click here for Latest Amiga xvs.library

Windows

Date: January 31, 2001
Platform: MS Windows 2000
Patch Available: Tool and Patch Available to correct Hotfix Packaging Anomalies
Report From: Microsoft TechNet Security
* Release Note: Microsoft has released a tool and patch that allow customers to diagnose and eliminate the effects of anomalies in the packaging of hotfixes for English language versions of MS Windows 2000. Under certain circumstances, these anomalies could cause the removal of some hotfixes, which could include some security patches, from a Windows 2000 system.
* Click here for MS Security Bulletin MS01-005
* Click here for FAQ about vulnerability and the patch

Date: January 31, 2001
Platform: PC
Warning About: Bymer Worm
Aliases: Worm_Bymer_a, Worm.Bymer, Worm.RC5
Variant: Bymer.A, Bymer.B
Report From: F-Secure
* Release Note: During autumn 2000 there appeared 2 worms that drop RC5 clients on computers they infect. The F-Secure report has descriptions of both of these worms. You can also use a free version of F-Prot for DOS to remove Bymer worm from an infected system. It is a requirement to perform disinfection from pure DOS.
* Click here for Report on Bymer Worm

Date: January 31, 2001
Platform: PC
Warning About: RC5 Client Program
Aliases: Distributed Net, RC5 Client
Report From: F-Secure
* Release Note: There is no virus by this name. Distributed.net is an organization that distributes a client that can be used to calculate huge calculations when a large number of machines is running the client. Some users have created trojan horses to drop this client to unsuspecting users, effectively using their machine for their own needs.
* Click here for Report on RC5 Client Program

Date: January 31, 2001 * Updated
Platform: PC
Warning About: Navidad.b Worm
Aliases: I-Worm.Navidad, W32/Watchit.intd, I-Worm_Navidad, W32/Navidad
Report From: F-Secure
* Release Note: Navidad is an Internet worm. It spreads itself as NAVIDAD.EXE attachment to e-mail messages sent from an infected computer. The original worm sample that we received has a bug that makes an infected system inoperable after infection - no EXE files could be started.
* Click here for Report on Navidad.b Worm

Date: January 31, 2001
Platform: PC Win32
Warning About: MTX Worm
Aliases: IWorm_MTX, I-Worm.MTX, Matrix
Report From: F-Secure
* Release Note: The MTX worm has three components - worm, virus and backdoor. It spreads under Win32 systems - the virus component infects Win32 executable files, attempts to send e-mail messages with infected attachments and installs the backdoor component to download and spawn "plugins" on an affected system.
* Click here for Report on MTX Worm

Date: January 31, 2001 * Updated
Platform: PC Win32 Systems
Warning About: Hybris Worm
Aliases: IWorm_Hybris, I-Worm.Hybris
Report From: F-Secure
* Release Note: Hybris is an Internet worm that spreads itself as an attachment to email messages. The worm works under Win32 systems only. The worm contains components (plugins) in its code that are executed depending on what worm needs, and these components can be upgraded from an Internet Web site. The major worm versions are encrypted with semi-polymorphic encryption loop.
* Click here for Report on Hybris Worm

Date: January 31, 2001
Platform: MS Windows 95
Warning About: CIH Virus
Aliases: PE_CIH, CIHV, SPACEFILLER, VIN32, CHERNOBYL, TSHERNOBYL, TSERNOBYL
Report From: F-Secure
* Release Note: CIH virus infects Windows 95 and 98 EXE files. After an infected EXE is executed, the virus will stay in memory and will infect other programs as they are accessed.
* Click here for Report on CIH Virus

Date: January 31, 2001
Platform: PC
Warning About: AOL Trojan
Aliases: AOL.Trojan, AOL.PWSTEAL
Report From: F-Secure
* Release Note: These are not viruses but trojan horses, made specifically to work under the America On-Line front-end system. These AOL trojans can be successfully disinfected with a fresh version of FSAV and the latest updates for it.
* Click here for Report on AOL Trojan

Date: January 31, 2001
Platform: PC
Warning About: Qaz Worm
Aliases: Worm.Qaz, Worm_Qaz
Report From: F-Secure
* Release Note: This is a network worm with backdoor capabilities, which spreads itself under Win32 systems. The worm was reported in-the-wild in July-August, 2000. The worm itself is Win32 executable file and about 120K long, written in MS Visual C++.
* Click here for Report on Qaz Worm

Date: January 31, 2001
Platform: PC
Warning About: NetBus Trojan
Aliases: Netbus.153, Netbus.160, Netbus.170
Report From: F-Secure
* Release Note: NetBus is not a virus, but it is considered to be a trojan. It is also quite widespread and used frequently to steal data and delete files on people's machines. Netbus allows a hacker to access data and gain control over some Windows functions on remote computer system.
* Click here for Report on NetBus Trojan

Date: January 31, 2001
Platform: PC
Warning About: SubSeven Backdoor
Aliases: Backdoor-G, Backdoor.SubSeven, Sub7
Report From: F-Secure
* Release Note: The SubSeven backdoor was first discovered in May, 1999. First samples of this backdoor were not packed, but later some packed versions appeared which were not easy to detect with contemporary anti-virus programs. The backdoor is usually distributed under different names via newsgroups and e-mails.
* Click here for Report on SubSeven Backdoor

Date: January 31, 2001
Platform: PC
Warning About: PrettyPark Worm
Aliases: Pretty Park, I-Worm.PrettyPark
Report From: F-Secure
* Release Note: The 'PrettyPark' also known as 'Trojan.PSW.CHV' is an Internet worm, a password stealing trojan and a backdoor at the same time. It was reported to be widespread in Central Europe in June 1999. There was also an outbreak of this worm in March 2000.
* Click here for Report on PrettyPark Worm

Date: January 31, 2001
Platform: PC Win32 Systems
Warning About: Kriz Virus
Aliases: Win32_Kriz, Win32.Kriz, W32/Kriz
Report From: F-Secure
* Release Note: Kriz is a memory resident polymorphic virus. It replicates under Win32 systems and infects PE EXE files (portable executables) with EXE and SCR extensions.
* Click here for Report on Kriz Virus

Date: January 31, 2001
Released: January , 2001
Platform: Windows Production and Solaris(TM) Reference Releases
Warning About: Class Loading Vulnerability in Sun Java (TM) Runtime Environment
Report From: CIAC
* Release Note: The Java (TM) Runtime Environment can fail to securely confine the activity of an untrusted Java class. In particular, an untrusted Java class might be able to call into a disallowed area.
* Click here for Bulletin Number L-032

Date: January 30, 2001
Platform: Microsoft Internet Information Server 4.0 and 5.0
Patch Available: Variant of "File Fragment Reading via .HTR" Vulnerability
Report From: Microsoft TechNet Security
* Release Note: Microsoft has released a patch that eliminates a security vulnerability in Microsoft Internet Information Service. The vulnerability could enable an attacker, under very unusual conditions, to read fragments of files from a web server.
* Click here for MS Security Bulletin MS01-004
* Click here for FAQ about vulnerability and the patch

Date: January 30, 2001
Released: January 29, 2001
Platform: PC Windows
Warning About: Mip Virus
Aliases: Archivo, Win32.HLLO.Mip
Report From: F-Secure
* Release Note: The 'Win32.HLLO.Mip' is a Windows-based overwriting virus created with Visual Basic 6.
* Click here for Report on Mip Virus

Date: January 28, 2001
Platform: PC
Warning About: X97M.Laroux.JG Virus
Report From: Norton / Symantec Security Updates
* Release Note: X97M.Laroux.JG is a macro virus that infects Microsoft Excel spreadsheets. On infected systems, X97M.Laroux.JG replicates by copying itself, line by line, to Microsoft Excel spreadsheets when they are opened. The virus has a payload that triggers on the 25th of every month. Read the complete report for Removal Instructions.
* Click here for Report on X97M.Laroux.JG Virus

Date: January 28, 2001
Platform: PC
Warning About: W97M.Toy.A Virus
Report From: Norton / Symantec Security Updates
* Release Note: The W97M.Toy.A macro virus infects the Microsoft Word Normal.dot template and uses that template to spread. It also uses mIRC to send itself to other users. It will spread using mIRC only if it finds the Mirc32.exe file on drive C. Read the complete report for Removal Instructions.
* Click here for Report on W97M.Toy.A Virus

Date: January 28, 2001
Platform: PC with VB5 or higher
Warning About: Flor Trojan
Report From: Network Associates
* Release Note: This is a memory resident trojan written in Visual Basic. The VB5 (or higher) runtime files are required for this program to function. Once the program is loaded into memory, every 60 seconds, it attempts to copy itself to two different folders. Additionally, the trojan attempts to go to a URL in the http://www3.cybercities.com domain.
Read the complete report for Method Of Infection and Removal Instructions
* Click here for Report on Flor Trojan

Date: January 28, 2001
Released: January 26, 2001
Platform: PC
Warning About: Eight941 Virus
Aliases: Eight
Report From: F-Secure
* Release Note: When an infected document is opened or closed, the virus infects the global template. After that, it infects all documents that are closed or opened. Beside replication, W97M/Eight941.A adds a password protection to all documents that are opened in Word when it infects. The password is: 8941
* Click here for Report on Eight941 Virus

Date: January 28, 2001
Released: January 25, 2001
Platform: PC with AOL Client Software
Warning About: Cool Trojan
Aliases: Trojan.Cool, Trojan.AOL.Cool, Mine, Trojan/Mine
Report From: F-Secure
* Release Note: Trojan.AOL.Cool is a trojan that affects AOL client software and steals information from AOL users. Also according to reports it can spread itself to other AOL users (we can't confirm that so far). The trojan usually arrives in e-mail message with a subject 'Hey You' and MINE.EXE file attached. When that attachment is run, the trojan installs itself 3 times (all its files have hidden attributes).
* Click here for Report on Cool Trojan

Date: January 28, 2001
Released: January 25, 2001
Platform: PC
Warning About: Ethan Word Macro Virus
Aliases: Ethana
Report From: F-Secure
* Release Note: W97M/Ethan is a Word macro virus that replicates under Word 97. It was found in the wild in Northern Europe in January 1999. Ethan is a simple macro virus, consisting of a single macro less than 50 lines long. It infects Word's NORMAL.DOT template and documents by prepending its code to a module in the document.
* Click here for Report on W97M/Ethan Virus

Date: January 26, 2001
Platform: MS Windows
Warning About: W32/Shorm Worm
Aliases: Worm.Shorm (AVP)
Report From: Network Associates
* Release Note: This is an Internet worm which attacks specific IP addresses using a target list downloaded from a (now defunct) website. This worm is not believed to be of any threat due to its inability to retrieve the target list. Read the complete report for Method Of Infection and Removal Instructions
* Click here for Report on W32/Shorm Worm

Date: January 25, 2001
Platform: Windows
Warning About: W97M/Ethan Virus
Aliases: Ethana
Report From: F-Secure
* Release Note: W97M/Ethan is a Word macro virus that replicates under Word 97. It was found in the wild in Northern Europe in January 1999. Ethan is a simple macro virus, consisting of a single macro less than 50 lines long. It infects Word's NORMAL.DOT template and documents by prepending its code to a module in the document.
* Click here for Report on W97M/Ethan Virus

Date: January 25, 2001
Platform: Windows
Warning About: Universe Worm
Aliases: I-Worm.Universe, IWorm_Universe, Unis
Report From: F-Secure
* Release Note: Universe is a complex modular worm written by Benny of the 29a virus group. The versions of this worm we've seen do not work. Thus, this worm does not pose any threat at this time. The worm attempts to download additional modules (plugins) which change its functionality. Some of the modules are capable of spreading the worm over e-mail and to IRC channels.
* Click here for Report on Universe Worm

Date: January 25, 2001
Platform: Windows
Warning About: Mcon Worm
Aliases: Sorry, TTFLOADER
Report From: F-Secure
* Release Note: VBS/Mcon is a worm that spreads via open network shares and mIRC.
* Click here for Report on Mcon Worm

Date: January 24, 2001
Released: January 22, 2001
Platform: MS Windows 98, 95, NT 4.0 and NT 2000
Warning About: Fastream FTP++ Directory Traversal Vulnerability
Report From: Security Focus
* Release Note: Fastream FTP++ Server is a client and server application used to download and upload files between computers on the internet. Fastream FTP++ Server is subject to a directory traversal.
* Click here for Advisory on Fastream FTP++ Vulnerability

Date: January 24, 2001
Platform: MS Windows 98
Warning About: W98.Universe.Worm
Report From: Norton / Symantec Security Updates
* Release Note: Universe worm is a new creation by the virus writer, Benny/29A. This worm has similarities to the Hybris worm written by Vecna. Universe worm is not known to be in the wild and appears to contain a few small bugs, as well as conceptual issues that make it less likely to operate correctly. Virus definitions are pending.
* Click here for Report on W98.Universe.Worm

Date: January 24, 2001
Platform: Microsoft Windows NT 4.0
Patch Available: Winsock Mutex Vulnerability
Report From: Microsoft TechNet Security
* Release Note: Microsoft has released a patch that eliminates a security vulnerability in MS Windows NT 4.0. The vulnerability could allow a malicious user to run a special program to disable an affected computer's network functionality.
* Click here for MS Security Bulletin MS01-003
* Click here for FAQ about vulnerability and the patch

Date: January 23, 2001
Platform: Microsoft Windows 98, 95, NT 4.0, NT 2000
Warning About: Fastream FTP++ Denial of Service Vulnerability
Report From: Security Focus
* Release Note: Fastream FTP++ Server is a client and server application used to download and upload files between computers on the internet. Fastream FTP++ is subject to a denial of service.
* Click here for Advisory on Fastream FTP++ Vulnerability

Date: January 23, 2001
Platform: Microsoft Word97 Documents and Templates
Warning About: W97M/TheSec.A Macro Virus
Report From: Network Associates
* Release Note: This is a macro virus for Word97 documents and templates. This virus exists in the module "TheSecond". This virus contains a word-switching payload during printing of documents containing a Russian surname. Read the complete report for Method Of Infection and Removal Instructions
* Click here for Report on W97M/TheSec.A Macro Virus

Date: January 23, 2001
Released: January 22, 2001
Platform: Microsoft PowerPoint 2000
Patch Available: PowerPoint File Parsing Vulnerability
Report From: Microsoft TechNet Security
* Release Note: Microsoft has released a patch that eliminates a security vulnerability in Microsoft PowerPoint 2000. The vulnerability could allow a user to construct a PowerPoint file that, when opened, could potentially run code on the reader's system.
* Click here for MS Security Bulletin MS01-002
* Click here for FAQ about vulnerability and the patch

Date: January 22, 2001
Released: January 19, 2001
Platform: Microsoft Windows NT 2000
Warning About: Windows 2000 EFS Temporary File Retrieval Vulnerability
Report From: Security Focus
* Release Note: EFS is the encrypted file system package designed to secure sensitive information. It is included with the Windows 2000 Operating System, distributed and maintained by Microsoft Corporation. A problem in the package could allow the recovery of sensitive data encrypted by the EFS.
* Click here for Advisory on Win2000 EFS Vulnerability

Date: January 19, 2001
Platform: Macintosh and Windows Versions of Microsoft Office
Warning About: Melissa.W Virus / Worm
Aliases: Melissa-X, Macro.Word97.Melissa.w, W2001MAC/Melissa.W-mm Mid/Melissa-X, ANNIV, ANNIV.DOC, W2001MAC/Melissa.W
Report From: F-Secure and Symantec Security Updates
* Release Note: Melissa.W is a version of one of the most widespread viruses in history, Melissa.A. This version was named Melissa.W. It's not really a new version of the virus - the format of the infected file has changed, and several antivirus programs are still unable to handle this new file format. F-Secure started receiving reports about this new version of Melissa, this time spreading in a file called Anniv.doc. W97M.Melissa.W is a Word 97 macro virus that has a payload to email itself using MS Outlook. The subject of the e-mail is "Important Message From username".
* Click here for F-Secure Report on Melissa.W
* Click here for Symantec Report on Melissa.W

Date: January 18, 2001
Released: January 17, 2001
Platform: Microsoft Windows9x/ME
Warning About: DUNpws.ep Trojan
Aliases: Barrio Trojan
Report From: Network Associates
* Release Note: This is a password stealing trojan affecting Windows9x/ME. When run, the trojan installs itself into the Windows System directory and creates a registry key value to enable the program to load at startup. Read the complete report for Method Of Infection and Removal Instructions.
* Click here for Report on DUNpws.ep Trojan

Date: January 18, 2001
Released: January 16, 2001
Platform: Microsoft Win9x/ME
Warning About: W95/Halen Virus
Report From: Network Associates
* Release Note: This virus was discovered by AVERT WebImmune on January 16, 2001. This is an encrypted, appending PE file infector virus, affecting Win9x/ME systems. Read the complete report for Method Of Infection and Removal Instructions.
* Click here for Report on W95/Halen Virus

Date: January 18, 2001
Released: January 17, 2001
Platform: Windows 95, 98, NT / Macintosh
Warning About: Melissa Virus
Aliases: Simpsons, Kwyjibo, Kwejeebo, Mailissa
Variant: Many Variants - Read Report
Report From: F-Secure
* Release Note: W97M/Melissa works with MS Word 97, Word 2000 and MS Outlook 97 or 98 e-mail client. Melissa can infect Windows 95, 98, NT and Macintosh users. If the infected machine does not have Outlook or internet access at all, the virus will continue to spread locally within the user's own documents.
* Click here for Report on Melissa Virus

Date: January 18, 2001
Released: January 16, 2001
Platform: PC Windows
Warning About: Demiurg Virus
Aliases: W32/Demiurg, Demig.16354
Report From: F-Secure
* Release Note: When activated the virus infects and copies files. After system restart the infected file is loaded into memory, the virus traps several file access functions and infects other files.
* Click here for Report on Demiurg Virus

Date: January 16, 2001
Released: January 15, 2001
Platform: Microsoft Operating Systems
Warning About: Microsoft MSHTML.DLL Crash Vulnerability
Report From: Security Focus
* Release Note: MSHTML.DLL is the shared library for parsing HTML in Internet Explorer and related applications. It may be possible for an attacker to crash this library remotely and cause a denial of service with special Jscript code. Microsoft has acknowledged this bug and it should be fixed in the next service pack.
* Click here for Advisory on MS MSHTML.DLL Crash Vulnerability

Date: January 16, 2001
Released: January 15, 2001
Platform: MS Windows 95 / 98 / NT 4.0 / NT 2000
Warning About: Microsoft Windows Media Player .WMZ Arbitrary Java Applet Vulnerability
Report From: Security Focus
* Release Note: A vulnerability has been reported in Microsoft Windows Media Player 7 which is exploitable through Internet Explorer and Java.
* Click here for Advisory on Media Player Applet Vulnerability

Date: January 16, 2001
Released: January 15, 2001
Platform: MS Windows 95 / 98 / NT 4.0 / NT 2000
Warning About: Veritas Backup Denial of Service Vulnerability
Report From: Security Focus
* Release Note: Veritas Software Backup 4.5 is a data protection software by Veritas. Backup is subject to a denial of service.
* Click here for Advisory on Veritas Backup Vulnerability

Date: January 16, 2001
Platform: MS Windows
Warning About: Davinia Worm
Aliases: LittleDavinia, JS/Davinia, W97M/Davinia, VBS/Davinia
Variant: Davinia.A
Report From: F-Secure
* Release Note: Davinia is an Internet worm, that is able to spread without an attachment. Instead, the worm attempts to connect to a web site and download part of its code.
* Click here for Report on Davinia Worm

Date: January 14, 2001
Released: January 12, 2001
Platform: Microsoft Windows
Warning About: Backdoor-JZ Trojan
Report From: Network Associates
* Release Note: This UPX-packed trojan opens TCP/IP port 30005 on a victim's machine. An attacker can then open, execute and delete files on the user's local system. They can also shut down Windows, and send out pings. Read the complete report for Method Of Infection and Removal Instructions and AVERT recommendations.
* Click here for Report on Backdoor-JZ Trojan

Date: January 14, 2001
Released: January 12, 2001
Platform: Systems Where VBScript is installed, such as IE5 or Visual Studio.
Warning About: VBS/Davinia Worm
Aliases: HTML/LittleDavinia (Panda), LD.doc, LittleDavinia.vbs
Report From: Network Associates
* Release Note: McAfee AVERT has received information that a script Internet worm may be circulating as the name LITTLEDAVINIA.VBS or possibly LD.DOC. Read the complete report for Method Of Infection.
* Click here for Report on VBS/Davinia Worm

Date: January 14, 2001
Released: January 13, 2001
Platform: Linux, Solaris, HP-UX, Windows and SCO.
Updates To: Borland InterBase Product
Report From: Linux Daily News
* Release Note: Borland announced the availability of a patch that will fix a potential security issue within the InterBase product, versions 4.0 through 6.0. The patch is available for Linux, Solaris, HP-UX, Windows and SCO.
* Click here for LWN Security Note to Borland InterBase Product

Date: January 13, 2001
Platform: MS Windows
Warning About: W97M.Invert.B Virus
Report From: Norton / Symantec Security Updates
* Release Note: This is a macro virus that infects Microsoft Word template, and infects different files in different directories depending on the date of the month. Read the complete report for Removal Instructions and how to Restore Files if applicable.
* Click here for Report on W97M.Invert.B Virus

Date: January 12, 2001
Platform: PC Win32 and DOS / MS Windows 2000
Warning About: W32.Demiurg.16354 Virus
Aliases: W32.Demiurg.16354.dr, X97M.Demiurg.A, Demiurg.16354, Demiurg.16354.Bat
Report From: Norton / Symantec Security Updates
* Release Note: This is a Win32 virus that infects certain files, then this virus creates a file in the XLStart folder. Norton AntiVirus detects the Excel file as X97M.Demiurg.A. The virus uses this Excel file to recreate itself. The original virus is about 17 KB in size. This virus also infects Kernel32.dll on Windows 2000 systems. Read the complete report for Removal Instructions and how to Restore Files if applicable.
* Click here for Report on W32.Demiurg.16354 Virus

Date: January 12, 2001
Platform: PC
Warning About: VBS.Sorry.D Worm
Aliases: VBS.Fonts.C, Mcon, TTFLoader
Report From: Norton / Symantec Security Updates
* Release Note: VBS.Sorry.D is a variant of VBS.Sorry.A. It is a Visual Basic Script worm that copies itself to several folders on a computer hard drive and on network drives. The worm also drops an mIRC configuration file that searches for computers infected with the SubSeven Trojan.
It then copies itself and executes on computers that it finds are infected with the SubSeven Trojan. This worm was previously named VBS.Fonts.C. Read the complete report for Removal Instructions and how to Restore Files if applicable.
* Click here for Report on VBS.Fonts.C / VBS.Sorry.D Worm

Date: January 12, 2001
Platform: Microsoft Office 2000, Windows 2000, and Windows Me
Patch Available: Web Client NTLM Authentication Vulnerability
Report From: Microsoft TechNet Security
* Release Note: Microsoft has released a patch that eliminates a security vulnerability in a component that ships with MS Office 2000, Windows 2000, and Windows Me. The vulnerability could, under certain circumstances, allow a malicious user to obtain cryptographically protected logon credentials from another user when requesting an Office document from a web server.
* Click here for MS Security Bulletin MS01-001
* Click here for FAQ about vulnerability and the patch

Date: January 11, 2001
Released: January 10, 2001
Platform: MS Windows
Warning About: W32/Hermes@MM Internet Worm
Aliases: I-Worm.Hermes
Report From: Network Associates
* Release Note: This is a 32bit Internet worm for Windows operating systems. This worm was coded in Visual Basic 6, and requires VB6 runtime library files in order to run. The worm has been compressed with UPX. It is not known to be in the wild. Read the complete report for Method Of Infection and Removal Instructions
* Click here for Report on W32/Hermes@MM Internet Worm

Date: January 11, 2001
Platform: Microsoft Windows
Warning About: Neworld Virus
Variant: Neworld.A
Report From: F-Secure
* Release Note: PHP/Neworld is a virus written with PHP. PHP/Neworld.A infects all files with ".php", ".html", ".htm" and ".htt" in "C:\Windows" directory.
* Click here for Report on Neworld Virus

Date: January 11, 2001
Platform: Microsoft Windows
Warning About: Pirus Virus
Variant: Pirus.A
Report From: F-Secure
* Release Note: PHP/Pirus is the first virus written with PHP.
PHP is a server side scripting language for web servers.
* Click here for Report on Pirus Virus

Date: January 11, 2001
Released: January 10, 2001
Platform: Microsoft Windows
Warning About: BleBla Worm
Aliases: Romeo-and-Juliet, Romeo, Juliet, Verona, IWorm_Blebla, I-Worm.Blebla
Report From: F-Secure
* Release Note: BleBla is a worm spreading via Internet. It was discovered in Poland on November 16th, 2000. The worm appears as an email message, and when an infected message is opened, the HTML part of it is executed.
* Click here for Report on BleBla Worm

Date: January 09, 2001
Released: January 08, 2001
Platform: Linux kernel 2.3 / MS Win98 / Win95 / MS NT 4.0 / MS NT 2000
Warning About: StorageSoft ImageCast IC3 DoS Vulnerability
Report From: Security Focus
* Release Note: StorageSoft ImageCast IC3 is an imaging application which migrates a replication of an existing desired hard drive to a target drive. All settings, tasks and resources are configured in the ImageCast Control Center (ICCC). ImageCast IC3 is subject to a denial of service.
* Click here for Advisory on ImageCast Vulnerability

Date: January 09, 2001
Released: January 08, 2001
Platform: Sun Solaris / Linux / MS Windows NT / IBM AIX / HP HP-UX
Warning About: IBM HTTP Server AfpaCache DoS Vulnerability
Report From: Security Focus
* Release Note: IBM HTTP Server contains AfpaCache directive which turns the Fast Response Cache Accelerator function on or off. IBM HTTP Server is subject to a denial of service. Requesting multiple malformed HTTP GET requests will cause the consumption of kernel memory and eventually lead to a denial of service.
* Click here for Advisory on IBM HTTP Server Vulnerability

Date: January 09, 2001
Platform: Microsoft Win32 Systems
Warning About: Hybris Internet Worm
Aliases: IWorm_Hybris, I-Worm.Hybris
Report From: F-Secure
* Release Note: Hybris is an Internet worm that spreads itself as an attachment to email messages. The worm works under Win32 systems only.
The worm contains components (plugins) in its code that are executed depending on what worm needs, and these components can be upgraded from an Internet Web site.
* Click here for Report on Hybris Internet Worm

Date: January 09, 2001
Platform: Microsoft Win9x Systems
Warning About: Zhymn Virus
Aliases: USSRHymn
Report From: F-Secure
* Release Note: Zhymn is a dangerous memory resident Win9x virus about 20K in length, and written in Assembler. The virus infects PE EXE files, by writing its code to the middle of a file.
* Click here for Report on Zhymn Virus

Date: January 09, 2001
Platform: PC
Warning About: Wyx Boot Virus
Aliases: Preboot
Report From: F-Secure
* Release Note: Wyx is a not dangerous memory resident encrypted boot virus. The virus code consists of two disk sectors. The virus infects the MBR of the hard drive, the C: drive boot sector and boot sector on floppy disks.
* Click here for Report on Wyx Boot Virus

Date: January 09, 2001
Platform: Microsoft Windows
Warning About: Navidad Worm
Aliases: I-Worm.Navidad, W32/Watchit.intd, I-Worm_Navidad, W32/Navidad
Report From: F-Secure
* Release Note: Navidad is an Internet worm. It spreads itself as NAVIDAD.EXE attachment to e-mail messages sent from an infected computer.
* Click here for Report on Navidad Worm

Date: January 08, 2001
Platform: Microsoft Outlook
Warning About: Jean Worm
Aliases: Santa, I-Worm.Santa, Xmas
Variant: Jean.A@mm
Report From: F-Secure
* Release Note: Jean.A spreads to first 50 recipients written in MS Outlook address book.
* Click here for Report on Jean Worm

Date: January 07, 2001
Released: January 05, 2001
Platform: MS Windows
Warning About: PHP/NewWorld Virus
Aliases: Neworld.PHP, PHP.Newworld
Report From: Network Associates
* Release Note: This is the second known PHP virus to be discovered. PHP is a server-side scripting language used to generate dynamic Web page content. When a script containing the virus is run, it may display a particular message, as described in the report.
This script virus is coded to look for particular files. If the files are not read-only, they are considered viable to the script virus. Read the complete report for Method Of Infection and Removal Instructions
* Click here for Report on PHP/NewWorld Virus

Date: January 07, 2001
Released: January 03, 2001
Platform: MS Windows
Warning About: BleBla Worm
Report From: F-Secure
* Release Note: BleBla is a worm spreading via Internet. It was discovered in Poland on November 16th, 2000. The worm appears as an email message that has HTML format and 2 attached files: MyJuliet.CHM and MyRomeo.EXE.
* Click here for Report on BleBla Worm

Date: January 07, 2001
Released: January 02, 2001
Platform: MS Windows
Warning About: Tqll Worm
Aliases: New Year worm
Variant: Tqll.A
Report From: F-Secure
* Release Note: VBS/Tqll is a worm written with Visual Basic Script. This worm is partially encrypted with a simple encryption.
* Click here for Report on Tqll Worm

Date: January 04, 2001
Released: January 03, 2001
Platform: MS Windows 98 / 95 / NT 4.0 / NT 2000
Warning About: Media Player Javascript URL Vulnerability
Report From: Security Focus
* Release Note: Windows Media Player is an application used for digital audio, and video content viewing. It can be embedded in webpages as an ActiveX control. It is possible to execute a javascript URL from within the Windows Media Player ActiveX control embedded in HTML. An attacker exploiting this vulnerability can read files on the user's filesystem and reportedly execute arbitrary programs on the victim host.
* Click here for Advisory on Javascript URL Vulnerability

Date: January 04, 2001
Released: January 03, 2001
Platform: Windows Scripting Host (part of Internet Explorer 5)
Warning About: New Script VBScript Virus
Report From: Network Associates
* Release Note: This is a heuristic detection which indicates that a file is probably a new VBScript virus or Internet worm.
Ensure that you are using the latest engine and DAT file and send a sample to AVERT if it is still detected as New Script. The Symptoms varies. Read the complete report for Method Of Infection and Removal Instructions * Click here for Report on New Script Top of Page Macintosh Date: January 19, 2001 Platform: Macintosh and Windows Versions of Microsoft Office Warning About: Melissa.W Virus / Worm Aliases: Melissa-X, Macro.Word97.Melissa.w, W2001MAC/Melissa.W-mm Mid/Melissa-X, ANNIV, ANNIV.DOC, W2001MAC/Melissa.W Report From: F-Secure and Symantec Security Updates * Release Note: Melissa.W is a version of one of the most widespread viruses in history, Melissa.A. This version was named Melissa.W. It's not really a new version of the virus - the format of the infected file has changed, and several antivirus programs are still unable to handle this new file format. F-Secure started receiving reports about this new version of Melissa, this time spreading in a file called Anniv.doc. W97M.Melissa.W is a Word 97 macro virus that has a payload to email itself using MS Outlook. The subject of the e-mail is "Important Message From username". * Click here for F- Secure Report on Melissa.W * Click here for Symantec Report on Melissa.W Date: January 18, 2001 Released: January 17, 2001 Platform: Windows 95, 98, NT / Macintosh Warning About: Melissa Virus Aliases: Simpsons, Kwyjibo, Kwejeebo, Mailissa Variant: Many Variants - Read Report Report From: F-Secure * Release Note: W97M/Melissa works with MS Word 97, Word 2000 and MS Outlook 97 or 98 e-mail client. Melissa can infect Windows 95, 98, NT and Macintosh users. If the infected machine does not have Outlook or internet access at all, the virus will continue to spread locally within the user's own documents. * Click here for Report on Melissa Virus Top of Page Linux Date: January 31, 2001 Platform: SuSE Linux Updates To: bind Report From: Linux Daily News * Release Note: Security updates to bind for SuSE Linux. 
* Click here for LWN Security Update To bind Date: January 31, 2001 Platform: Yellow Dog Linux Updates To: bind Report From: Linux Daily News * Release Note: Security updates to bind for Yellow Dog Linux. * Click here for LWN Security Update To bind Date: January 31, 2001 Platform: Turbolinux Updates To: LPRng Report From: Linux Daily News * Release Note: Turbolinux has issued a security update to LPRng fixing the remotely-exploitable format string vulnerability in that package. * Click here for LWN Security Update To LPRng Date: January 30, 2001 Platform: SuSE Updates To: kdesu utility Report From: Linux Daily News * Release Note: Here is SuSE's update to the kdesu utility fixing the local root compromise problem in that package. * Click here for Security Update To kdesu utility Date: January 30, 2001 Platform: Slackware Updates To: bind Report From: Linux Daily News * Release Note: Slackware has put out an advisory on the bind vulnerability; its fix has been available since yesterday. * Click here for Security Update To bind Date: January 30, 2001 Platform: Red Hat Updates To: bind Report From: Linux Daily News * Release Note: With the arrival of Red Hat's bind update, we are getting close to having the full set of major Linux distributions represented. Remember, this is a remotely-exploitable problem. You really want to apply the fix for your distribution if you are running nameservers. * Click here for Security Update To bind Date: January 30, 2001 Platform: Linux Updates To: Press Release and Advisory Report From: Linux Daily News * Release Note: The press release from Nominum and ISC. This release claims that "an upgrade to bind 9.1 is imperative," but, in fact, version 8.2.3 has the full set of fixes. The CERT advisory describing the current set of bind problems. 
* Click here for Press Release from Nominum and ISC * Click here for CERT advisory Date: January 30, 2001 Platform: Caldera Systems Updates To: bind Report From: Linux Daily News * Release Note: Remember, this is a remotely-exploitable problem. You really want to apply the fix for your distribution if you are running nameservers. * Click here for Security Update To bind Date: January 30, 2001 Platform: Conectiva Updates To: bind Report From: Linux Daily News * Release Note: Remember, this is a remotely-exploitable problem. You really want to apply the fix for your distribution if you are running nameservers. * Click here for Security Update To bind Date: January 30, 2001 Platform: Debian Updates To: bind Report From: Linux Daily News * Release Note: Remember, this is a remotely-exploitable problem. You really want to apply the fix for your distribution if you are running nameservers. * Click here for Security Update To bind Date: January 30, 2001 Platform: Immunix Updates To: bind Report From: Linux Daily News * Release Note: Remember, this is a remotely-exploitable problem. You really want to apply the fix for your distribution if you are running nameservers. * Click here for Security Update To bind Date: January 30, 2001 Platform: Linux-Mandrake Updates To: bind Report From: Linux Daily News * Release Note: Remember, this is a remotely-exploitable problem. You really want to apply the fix for your distribution if you are running nameservers. * Click here for Security Update To bind Date: January 30, 2001 Platform: Red Hat Updates To: bind Report From: Linux Daily News * Release Note: Remember, this is a remotely-exploitable problem. You really want to apply the fix for your distribution if you are running nameservers. 
* Click here for Security Update To bind Date: January 30, 2001 Platform: Trustix Updates To: bind Report From: Linux Daily News * Release Note: Trustix (Also has a fix for a separate OpenLDAP problem) * Click here for Security Update To bind Date: January 30, 2001 Released: January 28, 2001 Platform: Debian Updates To: OpenSSH Report From: Linux Daily News * Release Note: Debian reported a problem with OpenSSH. It seems a former security upload of OpenSSH lacked support for PAM which led to people not being able to log in to their server. This was only a problem on the Sparc architecture. A second security update for OpenSSH was also issued. Those people who use OpenSSH on a Debian/Sparc system are encouraged to update their OpenSSH packages. * Click here for problem with OpenSSH * Click here for Security Update To OpenSSH Date: January 30, 2001 Released: January 28, 2001 Platform: Linux-Mandrake Updates To: webmin package Report From: Linux Daily News * Release Note: Linux-Mandrake has an update for the webmin package. * Click here for Security Update To webmin package Date: January 30, 2001 Released: January 28, 2001 Platform: Debian Updates To: inn2 and cron Report From: Linux Daily News * Release Note: Debian has a new version of inn2 to fix some vulnerabilities in that package. They also have a new version of cron to fix local insecure crontab handling. * Click here for Security Update To inn2 * Click here for Security Update To cron Date: January 28, 2001 Platform: Linux-Mandrake Updates To: webmin package Report From: Linux Daily News * Release Note: Linux-Mandrake has an update for the webmin package. * Click here for LWN Security Update To webmin package Date: January 28, 2001 Platform: Debian Updates To: inn2 and cron Report From: Linux Daily News * Release Note: Debian has a new version of inn2 to fix some vulnerabilities in that package. They also have a new version of cron to fix local insecure crontab handling. 
* Click here for LWN Security Update To inn2 * Click here for LWN Security Update To cron Date: January 28, 2001 Released: January 26, 2001 Platform: Red Hat Updates To: sysstat Report From: Linux Daily News * Release Note: Security updates from the distribution vendor include sysstat: update to earlier advisory to add support for additional iostat command line options. * Click here for LWN Security Update To sysstat Date: January 28, 2001 Released: January 26, 2001 Platform: SuSE Updates To: glibc Report From: Linux Daily News * Release Note: Security updates from the distribution vendor include glibc: local root compromise. * Click here for LWN Security Update To glibc Date: January 28, 2001 Released: January 26, 2001 Platform: Debian Updates To: exmh Report From: Linux Daily News * Release Note: Security updates from the distribution vendor include exmh: local insecure temporary file creation. * Click here for LWN Security Update To exmh Date: January 28, 2001 Released: January 26, 2001 Platform: Conectiva Updates To: MySQL Report From: Linux Daily News * Release Note: Security updates from the distribution vendor include MySQL: buffer overflow may allow remote exploitation. * Click here for LWN Security Update To MySQL Date: January 26, 2001 Platform: Debian Updates To: apache Report From: Linux Daily News * Release Note: The Debian Project has issued a security update to apache fixing a couple of temporary file vulnerabilities and a problem with the mod_rewrite engine which could expose arbitrary files to the net. An upgrade is recommended. * Click here for Security Update To apache Date: January 26, 2001 Platform: Red Hat Updates To: PHP and micq Report From: Linux Daily News * Release Note: Updates received since publication of our Weekly edition, which is for PHP: updates for 5.2, 6.0, and 7 related to multipart forms, and micq: fixes buffer overflow that allows arbitrary commands to be executed. 
* Click here for Security Update To PHP * Click here for Security Update To micq Date: January 26, 2001 Platform: Debian Updates To: squid and PHP4 Report From: Linux Daily News * Release Note: Updates received since publication of our Weekly edition, which is for squid: insecure temporary file, and PHP4: remote DOS and remote information leak. * Click here for Security Update To squid * Click here for Security Update To PHP4 Date: January 26, 2001 Platform: Conectiva Updates To: icecast Report From: Linux Daily News * Release Note: Updates received since publication of our Weekly edition, which is for icecast: format string vulnerability. * Click here for Security Update To icecast Date: January 26, 2001 Platform: Caldera Updates To: glibc Report From: Linux Daily News * Release Note: Updates received since publication of our Weekly edition, which is for glibc: problems with the use of LD_PRELOAD. * Click here for Security Update To glibc Date: January 24, 2001 Platform: Caldera Updates To: kdesu Report From: Linux Daily News * Release Note: The latest batch of security updates that have come in to LWN.net, includes Caldera's update for kdesu - stealing of password entry possible by local user. * Click here for Security Update To kdesu Date: January 24, 2001 Platform: Debian Updates To: wu-ftpd Report From: Linux Daily News * Release Note: The latest batch of security updates that have come in to LWN.net, includes Debian's update for wu-ftpd - additional advisory for ia32 architecture. * Click here for Security Update To wu-ftpd Date: January 24, 2001 Platform: FreeBSD Updates To: XFree86, ipfw/ip6fw, crontab and bind Report From: Linux Daily News * Release Note: The latest batch of security updates that have come in to LWN.net, includes those from FreeBSD, for: XFree86 - v3.3.6 has multiple vulnerabilities that may allow local or remote DoS attacks. ipfw/ip6fw - allows bypassing of 'established' keyword. crontab - allows users to read certain files. 
bind - remote denial of service vulnerability. * Click here for Security Update To XFree86 * Click here for Security Update To ipfw/ip6fw * Click here for Security Update To crontab * Click here for Security Update To bind Date: January 24, 2001 Platform: Red Hat Updates To: icecast and PHP Report From: Linux Daily News * Release Note: The latest batch of security updates that have come in to LWN.net, includes those from Red Hat, for: icecast - format string vulnerability. PHP - updated packages for 5.2, 6.x and 7 to handle multipart forms correctly. * Click here for Security Update To icecast * Click here for Security Update To PHP Date: January 24, 2001 Platform: Debian Updates To: tinyproxy, Intel ia32 architecture and splitvt Report From: Linux Daily News * Release Note: Debian has issued an update for tinyproxy as well as an update to an earlier advisory for wu-ftpd to cover the Intel ia32 architecture. Additionally, an update to the splitvt advisory has also been posted to correct packaging problems. * Click here for Security Update To tinyproxy * Click here for Security Update To Intel ia32 architecture * Click here for Security Update To splitvt Date: January 24, 2001 Platform: Red Hat Linux 7 Updates To: MySQL Report From: Linux Daily News * Release Note: An update for MySQL for Red Hat Linux 7 has been issued by that company that addresses a buffer overflow security vulnerability. * Click here for Security Update To MySQL for Red Hat Linux 7 Date: January 24, 2001 Platform: Linux Announcement: Linux Gets Stateful Firewalling (SecurityPortal) Report From: Linux Daily News * Release Note: SecurityPortal covers Netfilter, the packet filtering system provided by the new 2.4 kernel release. Among many enhancements, this "statefulness" allows Netfilter to block/detect many stealth scans that were previously undetected on Linux firewalls." 
* Click here for SecurityPortal Covers Netfilter Date: January 24, 2001 Platform: Caldera Updates To: webmin Report From: Linux Daily News * Release Note: Caldera has posted a security update for webmin to address temporary file vulnerability issues. * Click here for Security Update For webmin Date: January 24, 2001 Platform: Debian Bulletins: micq, wu-ftpd and jazip Report From: Linux Daily News * Release Note: A small flood of security announcements from Debian came in last night and this morning to the LWN.net offices. Here is a summary of those reports. micq - buffer overflow problem which makes remote code execution possible. wu-ftpd - temporary file creation and format string vulnerabilities. jazip - local root exploit. * Click here for Security Bulletin For micq * Click here for Security Bulletin For wu-ftpd * Click here for Security Bulletin For jazip Date: January 23, 2001 Released: January 22, 2001 Platform: Debian Updates To: MySQL, splitvt, sash Report From: Linux Daily News * Release Note: The Debian Project has issued a security update to MySQL fixing the remotely-exploitable vulnerability in that package. Debian has released an update to splitvt fixing a number of buffer overflow problems in that package. Finally, there is also a Debian update to sash fixing a problem with its handling of the shadow file. * Click here for LWN Security Update To MySQL * Click here for LWN Security Update To splitvt * Click here for LWN Security Update To sash Date: January 23, 2001 Released: January 22, 2001 Platform: MandrakeSoft Updates To: MySQL Report From: Linux Daily News * Release Note: MandrakeSoft also has a MySQL update, this one also provides a new PHP build which is required to work with the newer MySQL. * Click here for LWN Security Update To MySQL Date: January 23, 2001 Released: January 22, 2001 Platform: Trustix Updates To: glibc Report From: Linux Daily News * Release Note: Trustix has issued their update for the recently reported problems with glibc. 
* Click here for LWN Update To Trustix glibc Date: January 20, 2001 Released: January 19, 2001 Platform: Linux Mandrake Updates To: glibc Report From: Linux Daily News * Release Note: LinuxMandrake has posted a security update for glibc for its 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1 releases. * Click here for LWN Security Update To glibc Date: January 20, 2001 Released: January 19, 2001 Platform: Immunix Updates To: glibc Report From: Linux Daily News * Release Note: Immunix has posted a security update for glibc as shipped in its Immunix OS 7.0-beta. * Click here for LWN Security Update To glibc Date: January 20, 2001 Released: January 19, 2001 Platform: LinuxMandrake Updates To: PHP Report From: Linux Daily News * Release Note: Problems with the version of PHP included in their 7.2 distribution have spurred LinuxMandrake to release a security update for that package. * Click here for LWN Security Update To PHP Date: January 20, 2001 Released: January 19, 2001 Platform: Red Hat Linux Warning About: Ramen: the first successful attack on the Linux? Report From: Kaspersky Lab * Release Note: To penetrate computers having Red Hat Linux 6.2 or 7.0 installed, 'Ramen' exploits three security breaches. It is important to emphasize that the breaches exploited by the "Ramen" worm are also found on other Linux distributions, such as Caldera OpenLinux, Conectiva Linux, Debian Linux, HP-UX, Slackware Linux and others. This particular worm is triggered to activate only on the systems running Red Hat Linux. However, it is probable that the future will bring us other modifications of 'Ramen' that will successfully operate on other Linux platforms. * Click here for Virus Alert and Report on Ramen Date: January 19, 2001 Released: January 18, 2001 Platform: Conectiva Updates To: Security Update To php4 Report From: Linux Daily News * Release Note: Conectiva has issued a security update to php4 which fixes the recent troubles with per-directory directives. 
* Click here for LWN Security Update To php4 Date: January 18, 2001 Released: January 17, 2001 Platform: Linux Operating Systems Warning About: Linux.Ramen Worm Report From: Norton / Symantec Security Updates * Release Note: Linux.Ramen is a Linux worm that attacks web servers that are based on the Linux operating system. This worm scans the Internet for Linux-based web servers that have two particular exploits. If it locates any servers with these exploits it will attempt to modify the main page of that web server with a short message. The Symantec AntiVirus Research Center is currently analyzing this worm. * Click here for Report on Linux.Ramen Worm Date: January 18, 2001 Released: January 16, 2001 Platform: Linux with Sam Lantinga splitvt 1.6.4 and Previous Warning About: splitvt Format String Vulnerability Report From: Security Focus * Release Note: splitvt is a VT100 window splitter, designed to allow the user two command line interfaces in one terminal window, originally written by Sam Lantinga. It is freely available, open source, and included with many variants of the Linux Operating System. A problem in the program could allow for a format string attack. * Click here for Advisory on splitvt Vulnerability Date: January 18, 2001 Released: January 17, 2001 Platform: Linux Web Servers Warning About: Linux/Ramen.worm Worm Aliases: Linux.Ramen Report From: Network Associates * Release Note: This is an Internet worm for Linux web servers. This worm consists of several components, each with a specific function and purpose. Read the complete report for Method Of Infection and Removal Instructions. * Click here for Report on Linux/Ramen.worm Worm Date: January 18, 2001 Platform: Linux Red Hat Linux 6.2 and 7.0 Warning About: Ramen Worm Aliases: Linux.Ramen, LINUX/Ramen Report From: F-Secure * Release Note: Ramen is an Internet worm, which propagates from a Linux based server to another. It works in a similar way as the Morris Worm that was widespread in 1989. 
* Click here for Report on Ramen Worm Date: January 14, 2001 Released: January 13, 2001 Platform: Linux, Solaris, HP-UX, Windows and SCO. Updates To: Borland InterBase Product Report From: Linux Daily News * Release Note: Borland announced the availability of a patch that will fix a potential security issue within the InterBase product, versions 4.0 through 6.0. The patch is available for Linux, Solaris, HP-UX, Windows and SCO. * Click here for LWN Security Note to Borland InterBase Product Date: January 12, 2001 Platform: RedHat Linux 7.0 / UNIX / Wirex Immunix OS 7.0-Beta Warning About: Apache /tmp File Race Vulnerability Report From: Security Focus * Release Note: Apache web server is a popular http daemon, distributed with many variants of the UNIX Operating System and maintained by the Apache Project. Immunix is a hardened Linux distribution maintained by the Immunix team at the WireX Corporation. A problem has been discovered which makes it possible for a user with malicious motives to symlink attack files writable by the UID of the Apache process. * Click here for Advisory on Apache /tmp File Race Vulnerability Date: January 12, 2001 Platform: LinuxMandrake Updates To: arpwatch, squid, rdist, gpm, getty and inn Report From: Linux Daily News * Release Note: A flood of security reports have come in since we published this week's edition of the Weekly News. All of these LinuxMandrake updates are related to temporary file race condition vulnerabilities. * Click here for LWN Security Update To arpwatch * Click here for LWN Security Update To squid * Click here for LWN Security Update To rdist * Click here for LWN Security Update To gpm * Click here for LWN Security Update To getty * Click here for LWN Security Update To inn Date: January 12, 2001 Platform: Trustix Updates To: diffutils and squid packages Report From: Linux Daily News * Release Note: Trustix has released a security report for temporary file vulnerabilities in the diffutils and squid packages. 
* Click here for LWN Security Update To diffutils and squid Date: January 12, 2001 Platform: Red Hat Updates To: glibc Report From: Linux Daily News * Release Note: Red Hat has released a security report for problems in glibc that allow unprivileged users to read restricted files. * Click here for LWN Security Update To glibc Date: January 12, 2001 Platform: Slackware Updates To: glibc Report From: Linux Daily News * Release Note: Slackware has released a security report for problems in glibc that allow unprivileged users to read restricted files. * Click here for LWN Security Update To glibc Date: January 12, 2001 Platform: Various / Linux Press Report: Major Security Hole Found In Borland Database Report From: Linux Daily News * Release Note: C|Net News.com is reporting that a major security hole has been found in Borland's InterBase database, which runs on various platforms including Linux. "Borland acknowledged the back door and has begun releasing patches. The company has notified customers and sales partners and will begin shipping repaired versions this week." Update: This is actually the Interbase database, not Inprise. Our bad. This database was released as open source last year. (Thanks to Pete Link for the errata notice) * Click here for LWN CNet News Report on Borland Date: January 11, 2001 Released: January 10, 2001 Platform: Linux GNU glibc 2.1.9 and Greater Warning About: glibc RESOLV_HOST_CONF File Read Access Vulnerability Report From: Security Focus * Release Note: glibc is the C Library distributed with most implementations of the Linux Operating System. It is freely available through the Free Software Foundation, and publicly maintained. A problem in versions of glibc 2.1.9 and greater allows a local user access to restricted files. This is also reported below, in the Linux Daily News report. * Click here for Advisory on glibc Vulnerability Date: January 11, 2001 Released: January 09, 2001 Platform: S.u.S.E. 
Linux 7.0 Warning About: Linux ReiserFS Kernel Oops and Code Execution Vulnerability Report From: Security Focus * Release Note: ReiserFS is a file system alternative to the Linux ext2 file system. It was originally written by Hans Reiser, and is freely available and publicly maintained. A problem has been reported in the handling of long file names with ReiserFS version 3.5.28 on SuSE Linux distribution 7.0. * Click here for Advisory on Linux ReiserFS Kernel Date: January 11, 2001 Platform: Linux glibc 2.1.9 And Greater Bug Report: glibc RESOLV_HOST_CONF File Read Access Vulnerability Report From: Linux Daily News * Release Note: A bug in glibc 2.1.9 and greater results in the RESOLV_HOST_CONF environment variable not being properly cleared when suid/sgid programs are run. This can be exploited to access files using root privileges, exposing files such as /etc/shadow and potentially compromising the system. Workarounds are being discussed and a patch for the problem is likely to be available soon. LWN says to check BugTraq ID 2181 for more details. * Click here for BugTraq ID 2181 for more details Date: January 11, 2001 Platform: Debian Updates To: mgetty Report From: Linux Daily News * Release Note: Debian also posted a temporary file vulnerability update, this time for mgetty. The new version, 1.1.21-3potato1, addresses this problem. * Click here for LWN Security Update To mgetty Date: January 11, 2001 Platform: Linux Mandrake Updates To: getty_ps, diffutils, wu-ftpd, shadow-utils Report From: Linux Daily News * Release Note: LinuxMandrake posted security updates for getty_ps and diffutils too late for the Weekly edition of LWN. Both updates address temporary file race conditions, the latter in the sdiff program within diffutils. Security updates were also posted for wu-ftpd to address a temporary file creation problem in the 2.6.1 release of that program, and another temporary file race condition in shadow-utils (in the useradd program) package. 
* Click here for LWN Security Update To getty_ps * Click here for LWN Security Update To diffutils * Click here for LWN Security Update To wu-ftpd * Click here for LWN Security Update To shadow-utils Date: January 09, 2001 Released: January 08, 2001 Platform: Linux kernel 2.3 / MS Win98 / Win95 / MS NT 4.0 / MS NT 2000 Warning About: StorageSoft ImageCast IC3 DoS Vulnerability Report From: Security Focus * Release Note: StorageSoft ImageCast IC3 is an imaging application which migrates a replication of an existing desired hard drive to a target drive. All settings, tasks and resources are configured in the ImageCast Control Center (ICCC). ImageCast IC3 is subject to a denial of service. * Click here for Advisory on ImageCast Vulnerability Date: January 09, 2001 Released: January 08, 2001 Platform: Sun Solaris / Linux / MS Windows NT / IBM AIX / HP HP-UX Warning About: IBM HTTP Server AfpaCache DoS Vulnerability Report From: Security Focus * Release Note: IBM HTTP Server contains AfpaCache directive which turns the Fast Response Cache Accelerator function on or off. IBM HTTP Server is subject to a denial of service. Requesting multiple malformed HTTP GET requests will cause the consumption of kernel memory and eventually lead to a denial of service. * Click here for Advisory on IBM HTTP Server Vulnerability Date: January 08, 2001 Platform: Various Updates To: LinuxPPC.org Security Updates Report From: Linux Daily News * Release Note: There are several security updates posted to LinuxPPC.org. They recommend that everyone with the following packages upgrade to the newly released versions. Packages are: perl, xchat, umb-scheme, man, wu-ftpd, emacs, openldap, ircii, piranha and gpm. 
* Click here for LinuxPPC.org Security Updates Date: January 07, 2001 Released: January 04, 2001 Platform: Conectiva Updates To: slocate Report From: Linux Daily News * Release Note: Conectiva has issued a security update for slocate to address a vulnerability related to bogus databases allowing "slocate" user compromises. * Click here for LWN Security Update To slocate Date: January 04, 2001 Released: January 02, 2001 Platform: Various Versions of Linux Warning About: GTK+ Arbitrary Loadable Module Execution Vulnerability Report From: Security Focus * Release Note: GTK+ is the Gimp Toolkit, freely available to the public and maintained by the GTK Development Team. A problem exists in the Gimp Toolkit that could allow a user elevated privileges. This issue makes it possible for a user with malicious intent to potentially gain elevated privileges, overwrite system files, or execute arbitrary and potentially dangerous code. * Click here for Advisory on GTK+ Arbitrary Loadable Module Top of Page Miscellaneous Date: January 31, 2001 Platform: Any systems running a version of AnswerBook2 before 1.4.2. Answerbook2 version 1.4.2 without the appropriate patch. Warning About: Sun AnswerBook2 Vulnerability Report From: CIAC * Release Note: Security vulnerabilities exist in the http server (dwhttpd) included in Sun Solaris(tm) AnswerBook2. * Click here for Bulletin Number L-031 Date: January 31, 2001 * Updated Platform: Various versions of ISC BIND (including both 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3; 9.x is not affected) and derivatives Warning About: Multiple Vulnerabilities in BIND Report From: CERT Advisories * Release Note: The CERT/CC has updated its advisory. Added Microsoft vendor statement and Added OpenBSD vendor statement. 
* Click here for CERT CA-2001-02 Date: January 30, 2001 Reported: January 29, 2001 Platform: Various versions of ISC BIND (including both 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3; 9.x is not affected) and derivatives Warning About: Multiple Vulnerabilities in BIND Report From: CERT Advisories, Internet Software Consortium, CIAC Bulletin L-030 and SecurityFocus * Release Note: The CERT/CC has recently learned of four vulnerabilities spanning multiple versions of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) server. BIND is an implementation of the Domain Name System (DNS) that is maintained by the ISC. Because the majority of name servers in operation today run BIND, these vulner- abilities present a serious threat to the Internet infrastructure. The Internet Software Consortium has posted information about all four vulnerabilities. * Click here for CERT CA-2001-02 * COVERT Labs at PGP Security Advisory * COVERT Labs at PGP Security Announcement * The Internet Software Consortium Article * CIAC Bulletin Number L-030 SecurityFocus Advisories: * ISC Bind 8 Transaction Signatures Buffer Overflow Vulnerability * ISC Bind 8 Transaction Signatures Heap Overflow Vulnerability * ISC Bind 4 nslookupComplain() Buffer Overflow Vulnerability * ISC Bind 4 nslookupComplain() Format String Vulnerability Date: January 30, 2001 Released: January 25, 2001 Platform: Netscape Enterprise Server 3.0 Warning About: Netscape Enterprise Server Web Publishing DoS Vulnerability Report From: Security Focus * Release Note: Netscape Enterprise Server is a web server used to host larger-scale websites. The Web Publishing feature is installed by default. This directory is accessible by remote or local users without any authentication. 
* Click here for Advisory on Netscape Enterprise Server Vulnerability Date: January 28, 2001 Platform: FreeBSD 3.5.1, 4.2 and all versions prior to 01/23/2001 Warning About: FreeBSD "ipfw/ip6fw" Vulnerability Report From: CIAC Information Bulletin * Release Note: The system routines "ipfw" and "ipfw" do not properly process the TCP reserved flags field if the field is over-loaded and the ECE flag is set. Remote attackers may gain access through the firewall by constructing TCP packets with the ECE flag set. * Click here for Bulletin Number L-029 Date: January 26, 2001 Platform: Netopia R9100 Router Warning About: Netopia R9100 Router Denial of Service Vulnerability Report From: Security Focus * Release Note: The Netopia R9100 Router, running firmware version 4.6, is vulnerable to a denial of service attack. Subsequent versions of the product are not vulnerable. * Click here for Advisory on Netopia R9100 Router Vulnerability Date: January 26, 2001 Platform: All versions prior to Solaris 8 Warning About: Solaris ARP Setgid Vulnerability Report From: CIAC Information Bulletin * Release Note: Address Resolution Protocol (ARP) command uses Set group ID (Setgid), and is therefore susceptible to certain setgid attacks. Exploiting setgid could result in overflow of stack, and possible root compromise. * Click here for Bulletin Number L-028 Date: January 24, 2001 Platform: Systems Running Netscape Enterprise Server 4.0 and 3.0 Warning About: Netscape Enterprise Server 'Index' Disclosure Report From: Security Focus * Release Note: Netscape Enterprise Server is a web server used to host larger-scale websites. Netscape Enterprise Server with Web Publishing enabled, will disclose the directory listing of the target server. 
* Click here for Advisory on Netscape Enterprise Server

Date: January 24, 2001
Released: January 23, 2001
Platform: Systems Running Lotus Domino Mail Server 5.0.5
Warning About: Lotus Domino Mail Server 'Policy' Buffer Overflow
Report From: Security Focus
* Release Note: A buffer overflow vulnerability has been reported in Lotus Domino Mail Server. Lotus Domino Mail Server fails to properly validate user-supplied input to the field which specifies permitted domain names in mail forwarding policy.
* Click here for Advisory on Lotus Domino Mail Server

Date: January 24, 2001
Platform: Computers which run a PHP
Warning About: PHP/Sysbat Virus
Report From: Network Associates
* Release Note: PHP is a server-side scripting language used to generate dynamic Web page content. Computers which do not run a PHP interpreter are immune to this virus. Read the complete report for Method Of Infection and Removal Instructions.
* Click here for Report on PHP/Sysbat Virus

Date: January 20, 2001
Released: January 18, 2001
Platform: Hewlett Packard HP-UX 11.11, 11.0 and 10.20
Warning About: HP-UX Support Tools Manager Denial of Service Attack
Report From: Security Focus
* Release Note: Support Tools Manager is a software package included with HP-UX designed to make administration of systems easier. HP-UX is the Hewlett Packard UNIX Operating System designed for use on Hewlett Packard servers. A potential Denial of Service has been discovered in the three tools included with the Support Tools Manager. There are currently few details on this vulnerability. This problem affects HP9000 servers in the 700 and 800 series.
* Click here for Advisory on Support Tools Manager Attack

Date: January 19, 2001
Platform: Software Packages wu-ftpd (port 21/tcp), rpc.statd (port 111/udp) and lprng (port 515/tcp)
Warning About: Widespread Compromises Via "ramen" Toolkit
Report From: CERT/CC
* Release Note: The CERT/CC has received reports from sites that have recovered an intruder toolkit called "ramen" from compromised hosts. Ramen, which is publicly available, exploits one of several known vulnerabilities and contains a mechanism to self-propagate.
* Click here for CERT IN-2001-01

Date: January 18, 2001
Released: January 17, 2001
Platform: Systems With tinyproxy 1.3.2 and 1.3.3
Warning About: Tinyproxy Heap Overflow Vulnerability
Report From: Security Focus
* Release Note: Versions 1.3.2 and 1.3.3 of tinyproxy, a small HTTP proxy, exhibit a vulnerability to heap overflow attacks.
* Click here for Advisory on Tinyproxy Vulnerability

Date: January 18, 2001
Released: January 16, 2001
Platform: PHP 4.0.4, 4.0.3, 4.0.1 and 4.00
Warning About: PHP .htaccess Attribute Transfer Vulnerability
Report From: Security Focus
* Release Note: PHP is the Personal Home Page software package distributed and maintained by the PHP Development Team. PHP provides enhanced attributes and added functionality to web pages. A problem with the PHP package could allow for unauthorized access to restricted resources.
* Click here for Advisory on PHP Vulnerability

Date: January 14, 2001
Released: January 12, 2001
Platform: Systems Where VBScript is installed, such as IE5 or Visual Studio.
Warning About: VBS/Davinia Worm
Aliases: HTML/LittleDavinia (Panda), LD.doc, LittleDavinia.vbs
Report From: Network Associates
* Release Note: McAfee AVERT has received information that a script Internet worm may be circulating under the name LITTLEDAVINIA.VBS or possibly LD.DOC. Read the complete report for Method Of Infection.
* Click here for Report on VBS/Davinia Worm

Date: January 14, 2001
Released: January 13, 2001
Platform: Linux, Solaris, HP-UX, Windows and SCO.
Updates To: Borland InterBase Product
Report From: Linux Daily News
* Release Note: Borland announced the availability of a patch that will fix a potential security issue within the InterBase product, versions 4.0 through 6.0. The patch is available for Linux, Solaris, HP-UX, Windows and SCO.
* Click here for LWN Security Note to Borland InterBase Product

Date: January 13, 2001
Platform: Unknown Information at this time
Warning About: VBS.Davinia Worm
Report From: Norton / Symantec Security Updates
* Release Note: SARC has received information of a new script-based Internet worm named VBS.Davinia. However, SARC has not received any submission of this new worm. We will update this writeup as soon as we get a submission or more accurate information.
* Click here for Report on VBS.Davinia Worm

Date: January 13, 2001
Platform: Borland/Inprise Interbase 4.x and 5.x; Open source Interbase 6.0 and 6.01; Open source Firebird 0.9-3 and earlier
Warning About: Interbase Server Contains Compiled-in Back Door Account
Report From: CERT
* Release Note: Interbase is an open source database package that had previously been distributed in a closed source fashion by Borland/Inprise. Both the open and closed source versions of the Interbase server contain a compiled-in back door account with a known password.
* Click here for CERT CA-2001-01

Date: January 12, 2001
Platform: Sun Solaris 2.4 to 7.0_x86
Warning About: Solaris arp Buffer Overflow Vulnerability
Report From: Security Focus
* Release Note: The arp utility is used for viewing and manipulating tables containing network to hardware address mappings. On Solaris systems up to version 8, arp is installed setgid and owned by group bin. The vulnerability can be exploited to execute code with effective groupid bin privileges.
* Click here for Advisory on arp Buffer Overflow Vulnerability

Date: January 12, 2001
Platform: RedHat Linux 7.0 / UNIX / Wirex Immunix OS 7.0-Beta
Warning About: Apache /tmp File Race Vulnerability
Report From: Security Focus
* Release Note: Apache web server is a popular http daemon, distributed with many variants of the UNIX Operating System and maintained by the Apache Project. Immunix is a hardened Linux distribution maintained by the Immunix team at the WireX Corporation. A problem has been discovered which makes it possible for a user with malicious motives to carry out a symlink attack on files writable by the UID of the Apache process.
* Click here for Advisory on Apache /tmp File Race Vulnerability

Date: January 12, 2001
Platform: Various / Linux
Press Report: Major Security Hole Found In Borland Database
Report From: Linux Daily News
* Release Note: C|Net News.com is reporting that a major security hole has been found in Borland's InterBase database, which runs on various platforms including Linux. "Borland acknowledged the back door and has begun releasing patches. The company has notified customers and sales partners and will begin shipping repaired versions this week." Update: This is actually the Interbase database, not Inprise. Our bad. This database was released as open source last year. (Thanks to Pete Link for the errata notice)
* Click here for LWN CNet News Report on Borland

Date: January 12, 2001
Warning About: WAZUP HOAX
Aliases: Waza.mp3 hoax
Report From: Network Associates
* Release Note: This is a hoax found to be circulating among French-speaking Internet users. See NAI's report for a copy of the French text and the English translation. Delete or ignore messages containing this text.
* Click here for NAI HOAX Report on WAZUP

Date: January 11, 2001
Released: January 10, 2001
Platform: Sun Solaris / SGI IRIX / MS Win98 / NT 4.0/2000 Linux kernel 2.3 / FreeBSD / BSDI BSD/OS
Warning About: WebMaster ConferenceRoom Developer Edition DoS Vulnerability
Report From: Security Focus
* Release Note: WebMaster ConferenceRoom Developer Edition is a chat package which enables a large community of users to chat together. ConferenceRoom has a wide range of capabilities and a user-friendly channel moderation feature. It is possible to cause a denial of service in ConferenceRoom.
* Click here for Advisory on ConferenceRoom Vulnerability

Date: January 11, 2001
Released: January 09, 2001
Platform: Sun Solaris 2.6 / 2.5.1 / 2.5 / 2.4
Warning About: Solaris exrecover Buffer Overflow Vulnerability
Report From: Security Focus
* Release Note: exrecover is a system binary included with Solaris, a variant of the UNIX Operating System distributed by Sun Microsystems. A problem in the binary could lead to a local attack.
* Click here for Advisory on exrecover Vulnerability

Date: January 09, 2001
Released: January 08, 2001
Platform: Sun Solaris / Linux / MS Windows NT / IBM AIX / HP HP-UX
Warning About: IBM HTTP Server AfpaCache DoS Vulnerability
Report From: Security Focus
* Release Note: IBM HTTP Server contains the AfpaCache directive, which turns the Fast Response Cache Accelerator function on or off. IBM HTTP Server is subject to a denial of service. Sending multiple malformed HTTP GET requests will cause the consumption of kernel memory and eventually lead to a denial of service.
* Click here for Advisory on IBM HTTP Server Vulnerability

Date: January 07, 2001
Released: January 05, 2001
Platform: Multiplatforms
Warning About: Lotus Domino Server Directory Traversal Vulnerability
Report From: Security Focus
* Release Note: Lotus Domino is a multiplatform web server which integrates messaging and various interactive web applications.
It is possible for a remote user to gain access to any known file residing on the Lotus Domino Server. Successful exploitation of this vulnerability could enable a remote user to gain access to system files, password files, etc. This could lead to a complete compromise of the host.
* Click here for Advisory on Lotus Domino Server Vulnerability

Date: January 04, 2001
Released: January 03, 2001
Platform: UNIX Operating System
Warning About: HP-UX kermit Buffer Overflow Vulnerability
Report From: Security Focus
* Release Note: Kermit is a communications software package available with most implementations of the UNIX Operating System. A problem exists in the kermit software package distributed with HP-UX. This problem could allow a user with malicious intent to arbitrarily execute code, and gain elevated privileges with the potential for administrative access.
* Click here for Advisory on HP-UX kermit Vulnerability