Virus Warnings from May 2001

Amiga

No virus warnings for May 2001

Windows

Date: May 31, 2001
Platform: MS Win ME / 9.x, Various Linux OS with various versions of GNU Privacy Guard
Warning About: GnuPG Format String Vulnerability
Report From: Security Focus
* Release Note: GnuPG is a popular open source public/private key encryption system. It is possible for attackers to create an encrypted document that will exploit a format string vulnerability in the GnuPG client when the document is decrypted. This vulnerability may lead to remote attackers gaining access to client hosts.
* Click here for Advisory No. 2797

Date: May 31, 2001
Platform: MS Windows
Warning About: LoveLetter.CM@mm Worm
Report From: F-Secure
* Release Note: This variant is very similar to the original VBS/LoveLetter.A@mm. There are, however, two differences:
- This variant replaces all files with ".com" and ".exe" extensions. Files with ".jpg" or ".jpeg" extension are not affected.
- This variant hides files with ".dll" extension. Files with ".mp2" extension are not affected.
* Click here for Report on LoveLetter.CM@mm
* Click here for Information about the original VBS/LoveLetter.A

Date: May 30, 2001
Platform: MS Windows and Misc Mail users
Warning About: VBS.Nasara.A@mm Worm
Aliases: VBS/NastySarah@m
Report From: Norton / Symantec Security Updates
* Release Note: VBS.Nasara.A@mm is a mass-mailing worm that uses MAPI applications, Microsoft Outlook, or Internet Information Server (IIS) to spread. It also modifies the Autoexec.bat file to delete the contents of drive C.
Name of attachment: NastySarah.jpg.vbs
If the worm cannot find any of these programs, it displays the following message and quits:
Hey! Haven't you heard! There's a VBS worm spreading by this very filename! You're lucky you didn't get hit! Forward this warning on to all of your contacts, so they won't get hit by the bug!
If the worm does find one of these programs, it deletes any email message that includes the word "NASTYSARAH" in the subject or message. It then spreads by automatically replying to messages that you received previously.
* Click here for Report on VBS.Nasara.A@mm

Date: May 30, 2001
Platform: MS Windows
Warning About: VBS.Devolve.A Virus
Aliases: VBS.Devolove
Report From: Norton / Symantec Security Updates
* Release Note: VBS.Devolve.A is a Visual Basic Script in an HTML file. The virus infects HTML files, and it modifies the Autoexec.bat file to repeatedly display a message. On the 15th or 30th of every month, the virus modifies the Autoexec.bat file to repeatedly display the following message:
this computer waz infected from dr[kazoy]...
* Click here for Report on VBS.Devolve.A

Date: May 30, 2001
Platform: MS Windows
Warning About: W97M.Thus.CV Macro Virus
Aliases: W97M/Thus.CV
Report From: Norton / Symantec Security Updates
* Release Note: W97M.Thus.CV is a macro virus that infects active MS Word documents and the Normal.dot template. The virus attempts to encrypt randomly chosen .exe and .vdb files.
Any .exe and .vdb files that were encrypted by the virus will have to be restored from backup or reinstalled.
* Click here for Report on W97M.Thus.CV

Date: May 30, 2001
Platform: MS Windows
Warning About: BAT.Black Trojan Horse, Virus
Report From: Norton / Symantec Security Updates
* Release Note: This is a batch file virus that appends itself to the C:\Autoexec.bat file and prepends itself to the C:\Windows\Win.ini file. The file name of the batch file is BlackDay.bat. Due to bugs in the virus code, some parts are not executed. If the virus has executed, you may first have to reinstall Windows.
* Click here for Report on BAT.Black

Date: May 30, 2001
Platform: MS Windows
Warning About: W97M.Wrath Virus
Report From: Norton / Symantec Security Updates
* Release Note: This macro virus infects the Normal.dot template, and uses that template to spread. It has a module named "Wrath" that contains the viral code. Its payload deletes files if the date is July 4 through July 8.
* Click here for Report on W97M.Wrath

Date: May 30, 2001
Platform: MS Windows
Warning About: Hooker Password and Data Stealing Trojan
Aliases: Trojan.PSW.Hooker
Report From: F-Secure
* Release Note: Hooker is a password and data stealing trojan. When run, it installs itself in the System directory and modifies the RunOnce key in the Registry. After initial installation the trojan drops a keylogging DLL from inside its body and registers itself as a service process. This way its task is not visible in Task Manager.
* Click here for Report on Hooker

Date: May 30, 2001
Platform: MS Windows
Warning About: Fever Worm
Aliases: Yellow Fever, W32.Yellow.worm, W32/Fever
Report From: F-Secure
* Release Note: Fever is an Internet worm that spreads itself as an attachment to email messages. When the worm attachment is opened, it activates and manipulates a few things. As a result of the manipulations, Windows will launch the worm's file automatically at every startup.
* Click here for Report on Fever

Date: May 28, 2001
Platform: MS Windows with Windows Media Player 6.4 and 7
Warning About: Windows Unchecked Buffer in Media Player .ASX Processor
Report From: CIAC Bulletins
* Release Note: This bulletin discusses two security vulnerabilities. Damage: Unauthorized disclosure, and/or limited execution of code of choice. Solution: Apply the patches as described in bulletin.
* Click here for Bulletin Number L-089

Date: May 25, 2001
Platform: MS Windows
Warning About: W32/Hlam@MM Virus
Aliases: W32.HLLP.Chlamydia, W97M.Hlam.A (NAV), W97M/Hlam@MM
Report From: Network Associates
* Release Note: This is a multipartite virus which infects executable files and Microsoft Word 97 (or greater) documents and templates. It is also a mass-mailer and IRC worm.
* Click here for Report on W32/Hlam@MM

Date: May 25, 2001
Platform: MS Windows
Warning About: HTML.Bother.3180 Virus
Aliases: HTML.Bother.3180.dr
Report From: Norton / Symantec Security Updates
* Release Note: HTML.Bother.3180 is a script that uses ActiveX controls to perform malicious actions on your computer.
* Click here for Report on HTML.Bother.3180

Date: May 25, 2001
Platform: MS Windows
Warning About: VBS.Noped.A@mm Worm
Report From: Norton / Symantec Security Updates
* Release Note: VBS.Noped.A@mm is an encrypted mass-mailing worm. It opens Notepad and displays a text file. It also changes the home page in Internet Explorer and searches all hard drives and mapped drives for specific .jpg or .jpeg file names. If found, the worm sends a message to one random recipient from a list of government agencies.
* Click here for Report on VBS.Noped.A@mm

Date: May 24, 2001
Platform: MS Windows Media Player 6.4 / Media Player 7
Patch Available: Windows Media Player .ASX Processor Contains Unchecked Buffer
Report From: Microsoft TechNet Security
* Release Note: Impact of vulnerability: Potentially run code of attacker's choice. Windows Media 6.4 customers should install the patch immediately.
Users of Windows Media Player 7 should install the latest Windows Media Player 7.1 version immediately.
* Click here for MS Security Bulletin MS01-029

Date: May 23, 2001
Platform: MS Windows
Warning About: W32/Fever@M Virus
Aliases: W32/Fever (Sophos)
Report From: Network Associates
* Release Note: This mailer worm has been distributed on a game developers mailing list. When run, it saves a copy of itself to the WINDOWS SYSTEM directory as ed32.exe and creates a registry run key to load the worm at startup.
* Click here for Report on W32/Fever@M

Date: May 23, 2001
Platform: MS Windows
Warning About: W97M.RV.A Virus
Aliases: W97M/RV, Macro.Word97.Rv
Report From: Norton / Symantec Security Updates
* Release Note: W97M.RV.A is a macro virus that infects active MS Word documents and the Normal.dot template. The virus deletes other macros in the active document and Normal.dot before infection.
* Click here for Report on W97M.RV.A

Date: May 23, 2001
Platform: MS Windows
Warning About: Trojan.Eurosol Trojan Horse
Aliases: Trojan.Win32.Eurosol
Report From: Norton / Symantec Security Updates
* Release Note: Trojan.Eurosol installs itself on an infected system so that it is run at startup. This Trojan will also attack installations of the ATGuard firewall if it is present on the infected computer.
* Click here for Report on Trojan.Eurosol

Date: May 22, 2001
Platform: MS Windows
Warning About: Virus Hiding In A SULFNBK.EXE HOAX
Report From: Kaspersky Lab
* Release Note: Warnings about a pseudo-virus began spreading towards the end of last week, causing a real scare amongst users. Contrary to this report, the SULFNBK.EXE file is absolutely safe, and moreover is a part of the operating system included in the Windows delivery.
* Click here for Report: Virus HOAX Coaxes Users to Delete Files

Date: May 22, 2001
Platform: MS Windows with versions of Word
Patch Available: RTF document linked to template can run macros without warning
Report From: Microsoft TechNet Security
* Release Note: Impact of vulnerability: Run macros without warning. Recommendation: Customers using affected versions of Word should apply the patch immediately.
* Click here for MS Security Bulletin MS01-028

Date: May 20, 2001
Platform: Microsoft IIS 4.0 / 5.0
Warning About: Microsoft CGI Filename Decode Error Vulnerability in IIS
Report From: CIAC Bulletins
* Release Note: An intruder could get around security checks or be able to run arbitrary system commands. This could result in code execution or unauthorized file disclosure. Solution: Apply the patch.
* Click here for Bulletin Number L-083

Date: May 20, 2001
Platform: MS Windows
Warning About: W97M.Hlam.A Virus
Aliases: Bloodhound.WordMacro
Report From: Norton / Symantec Security Updates
* Release Note: W97M.Hlam.A is a multipartite macro virus. It replicates by infecting active documents and the Normal.dot template file with a viral macro code. A document infected with W97M.Hlam.A may have an executable file appended (not embedded), which is detected as W32.Hlam@mm.
* Click here for Report on W97M.Hlam.A

Date: May 17, 2001
Platform: MS Windows
Warning About: Mawanella Worm
Aliases: VBSWG.Z@mm, VBS/VBSWG.Z@MM, VBS.VBSWG.Z (CA), VBS.VBSWG2.Z@MM (NAV), VBS_VBSWG.Z (Trend), VBSWG.Z@MM (F-Secure)
Variant: VBSWG.Z
Report From: Kaspersky Lab, F-Secure, Network Associates and Symantec
* Release Note: Mawanella was created by someone utilizing the virus writing kit VBS Worm Generator, which is better known as having been used to spawn the "Kournikova" virus epidemic at the beginning of this year. Mawanella arrives on a computer in the form of an e-mail.
The VBSWG.Z worm spreads messages that look as follows:
Subject: Mawanella
Body: Mawanella is one of the Sri Lanka's Muslim Village
Attachment: Mawanella.vbs
When the attached file is executed, the worm mass mails itself to each recipient in every address book and shows a message that is outlined in the virus reports.
* Click here for KLabs Virus Alert on Mawanella
* Click here for F-Secure Report on Mawanella
* Click here for NAI Report on VBS/VBSWG.Z@MM
* Click here for Symantec Report on VBS.Vbswg2.Z@mm

Date: May 17, 2001
Platform: PC
Warning About: LoveLetter worm variant dubbed "VBS/LoveLet-CL"
Report From: Hackers ZDNet
* Release Note: A new email worm, dubbed "VBS/LoveLet-CL" by UK antivirus company Sophos, sends out messages from a victim's PC containing a list of words designed to trigger surveillance systems such as Echelon, which is the surveillance network that allegedly can scan e-mails and wireless communications for particular content.
* Click here for ZDNet Report on LoveLetter worm variant

Date: May 17, 2001
Platform: Microsoft Internet Explorer 5.01 and 5.5
Patch Available: Flaws in Web Server Certificate Validation Could Enable Spoofing
Report From: Microsoft TechNet Security
* Release Note: A patch is available to eliminate two newly discovered vulnerabilities affecting Internet Explorer, both of which could enable an attacker to spoof trusted web sites.
* Click here for MS Security Bulletin MS01-027

Date: May 17, 2001
Platform: MS Windows
Warning About: VBS.Nightflight@mm Worm
Aliases: Bloodhound.VBS.Worm
Report From: Norton / Symantec Security Updates
* Release Note: VBS.Nightflight@mm is a polymorphic mass mailing worm written in the Visual Basic Scripting (VBS) language. The worm can email itself to all contacts in the Microsoft Outlook Address Book.
It can also spread by network drives and it contains functionality such as changing the desktop wallpaper, spreading by mIRC, changing the Windows user information, and lowering security settings on the computer.
Payload Trigger: On Fridays and Saturdays
* Click here for Report on VBS.Nightflight@mm

Date: May 17, 2001
Platform: MS Windows
Warning About: W97M.Tenda.A Virus
Aliases: W97M/Generic
Report From: Norton / Symantec Security Updates
* Release Note: W97M.Tenda.A is an encrypted macro virus that infects active documents and the Normal.dot template file.
* Click here for Report on W97M.Tenda.A

Date: May 17, 2001
Platform: MS Windows
Warning About: VBS.VBSWG2.Y@mm Worm
Aliases: VBS.VBSWG2, VBS.HomePage, I-Worm.Homepage
Report From: Norton / Symantec Security Updates
* Release Note: VBS.VBSWG2.Y@mm is an encrypted VBScript worm that uses a known exploit to send itself to all recipients in your MS Outlook address book. It also has a payload that starts your default Web browser and then opens a government Web site.
* Click here for Report on VBS.VBSWG2.Y@mm

Date: May 17, 2001
Platform: MS Windows
Warning About: VBS.HStuff.A@m Worm
Report From: Norton / Symantec Security Updates
* Release Note: VBS.HStuff.A@mm is a Visual Basic Script (VBS) worm that spreads using Microsoft Outlook. It displays a political message and uses MS Internet Explorer to connect to specific Web sites.
* Click here for Report on VBS.HStuff.A@m

Date: May 16, 2001
Platform: Microsoft IIS
Warning About: Superfluous Decoding Vulnerability in IIS
Report From: CERT
* Release Note: A serious vulnerability in Microsoft IIS may allow remote intruders to execute commands on an IIS web server. Solutions: Apply a patch from your vendor.
* Click here for CERT CA-2001-12

Date: May 16, 2001
Platform: MS Windows
Warning About: VBS.HStuff.A@m Worm
Report From: Norton / Symantec Security Updates
* Release Note: VBS.HStuff.A@mm is a Visual Basic Script (VBS) worm that spreads using Microsoft Outlook.
It displays a political message and uses MS Internet Explorer to connect to specific Web sites.
* Click here for Report on VBS.HStuff.A@m

Date: May 16, 2001
Platform: MS Windows
Warning About: MDMA.5460 Virus
Report From: Norton / Symantec Security Updates
* Release Note: MDMA.5460 is a small memory-resident virus that infects only .com files (including Command.com). Infected files have their file size increased by 5460 bytes.
* Click here for Report on MDMA.5460

Date: May 16, 2001
Platform: MS Windows
Warning About: PHP.Carac Virus
Report From: Norton / Symantec Security Updates
* Release Note: PHP.Carac is a parasitic infector of .htm, .html, and .php files. It drops an IRC script that replicates it to others who join the channel that an infected computer is using.
* Click here for Report on PHP.Carac Virus

Date: May 16, 2001
Platform: MS Windows
Warning About: VBS.Gum.A@m Worm
Aliases: VBS.Gum, VBS/Gum
Report From: Norton / Symantec Security Updates
* Release Note: VBS.Gum.A@m is a VBS worm that spreads using mIRC. It arrives as a script inside the HTML page Gum.html.
* Click here for Report on VBS.Gum.A@m

Date: May 16, 2001
Platform: MS Windows
Warning About: JS.Olvort.A@mm
Report From: Norton / Symantec Security Updates
* Release Note: JS.Olvort.A@mm is a JScript encrypted worm. It arrives as an attachment with a variable name, which may be displayed as an HTML file.
* Click here for Report on JS.Olvort.A@mm

Date: May 16, 2001
Platform: MS Windows
Warning About: Staple Worm
Variant: Staple.A, Staple.B
Report From: F-Secure
* Release Note: VBS/Staple is a mass mailing worm written in Visual Basic Script.
This worm arrives in an email message with an
Attachment: injustice.TXT.vbs
or
Attachment: hotstuff.gif.vbs
* Click here for Report on Staple

Date: May 14, 2001
Platform: PC
Warning About: Futs Trojan
Aliases: Trojan.Futs
Report From: F-Secure
* Release Note: Anti-virus software developer Sophos reports the detection of the latest Trojan, Trojan.Futs, that is designed to integrate with Novell Netware. Occasionally the virus displays a message, and attempts to format the hard drive, or causes the computer to beep constantly until it is rebooted.
* Click here for Report on Futs

Date: May 14, 2001
Platform: MS Internet Information Server 4.0 and MS Internet Information Services 5.0
Patch Available: Superfluous Decoding Operation Could Allow Command Execution via IIS
Report From: Microsoft TechNet Security
* Release Note: Three vulnerabilities: Code execution, denial of service, information disclosure. Read the bulletin for download locations for this patch.
* Click here for MS Security Bulletin MS01-026

Date: May 14, 2001
Platform: Indexing Service for Windows 2000, Index Server 2.0
Warning About: Microsoft Index Server Search Function Buffer Overflow
Report From: CIAC Bulletins
* Release Note: An unchecked buffer exists in software processing search requests. This causes several potential vulnerabilities, depending on the format of an attacker's search request. Apply the patch described in bulletin.
* Click here for Bulletin Number L-081

Date: May 14, 2001
Platform: MS Windows 2000 Server/Advanced Server and MS Windows 2000 Datacenter Server
Warning About: Microsoft Domain Controller Core Service Memory Leak
Report From: CIAC Bulletins
* Release Note: A Windows 2000 domain controller core service contains a memory leak, triggered when attempting to process a certain invalid service request. Repeatedly sending such a request could deplete the available memory on the server. Apply the patches described in bulletin.
* Click here for Bulletin Number L-079

Date: May 14, 2001 * Added F-Secure Report link
Platform: MS Windows
Warning About: VBS.Hard.A@mm Script Worm
Aliases: VBS/Hard-A, VBS/Hard@mm, HardHead
Variant: Hard.A
Report From: Symantec Security, Network Associates and F-Secure
* Release Note: VBS.Hard.A@mm is a Visual Basic Script (VBS) worm that uses MS Outlook Express. It arrives with an attachment named "www.symantec.com.vbs" and a subject line of "FW: Symantec Anti-Virus Warning". The intent is to imply the email originated with the Symantec AntiVirus Research Center. Write-up by: Raul Elnitiarta
* Click here for Symantec Report on VBS.Hard.A@mm
* Click here for NAI Report on VBS/Hard@MM
* Click here for F-Secure Report on Hard

Date: May 13, 2001
Platform: MS Windows
Warning About: VBS.Hard.A@mm Script Worm
Aliases: VBS/Hard-A, VBS/Hard@mm
Report From: Norton / Symantec Security Updates and Network Associates
* Release Note: VBS.Hard.A@mm is a Visual Basic Script (VBS) worm that uses MS Outlook Express. It arrives with an attachment named "www.symantec.com.vbs" and a subject line of "FW: Symantec Anti-Virus Warning". The intent is to imply the email originated with the Symantec AntiVirus Research Center. Write-up by: Raul Elnitiarta
* Click here for Symantec Report on VBS.Hard.A@mm
* Click here for NAI Report on VBS/Hard@MM

Date: May 13, 2001
Platform: MS Windows
Warning About: NoNo Macro Virus
Variant: NoNo.A
Report From: F-Secure
* Release Note: W97M/Nono is a macro virus that uses different module names depending on the user's initials. This virus gets control when an infected document is opened. It then disables Word's built-in macro virus protection.
* Click here for Report on NoNo

Date: May 11, 2001 * Revised
Platform: Systems running unpatched versions of Microsoft IIS; systems running unpatched versions of Solaris up to, and including, Solaris 7 (Sun Microsystems)
Warning About: sadmind/IIS Worm
Aliases: Sadmind/IIS, Unix/Sadmind, Solaris/Sadmind.worm, Worm.PoizonBox, Backdoor.Sadmind (NAV), Sadmin-iis (Panda), Unix/Sadmind (Sophos)
Variant: Sadmind.A
Report From: CERT, F-Secure, Network Associates and Symantec
* CERT Release Note: Revised Advisory
* F-Secure Release Note: Sadmind is a worm that propagates from one Sun Solaris machine to another. It also compromises Windows NT/2000 servers running Internet Information Server 4.0 or 5.0.
* NAI Release Note: It uses the PERL/WSFT-Exploit trojan in order to attack unpatched Microsoft IIS Web Servers.
* Click here for Revised CERT CA-2001-11
* Click here for F-Secure Report on Sadmind
* Click here for NAI Report on Solaris/Sadmind.worm
* Click here for Symantec Report on Backdoor.Sadmind

Date: May 11, 2001
Platform: MS Windows
Warning About: Pinkpick
Aliases: X97M/Pinkpick, X97M.Pink.A.Gen
Variant: Pinkpick.A
Report From: F-Secure
* Release Note: Pinkpick is an Excel macro virus.
* Click here for Report on Pinkpick

Date: May 11, 2001
Platform: MS Index Server 2.0, and Indexing Service in MS Windows 2000
Patch Available: Index Server Search Function Contains Unchecked Buffer
Report From: Microsoft TechNet Security
* Release Note: Impact of vulnerability: Run code of attacker's choice.
* Click here for MS Security Bulletin MS01-025

Date: May 11, 2001
Platform: Microsoft IIS Web Servers
Warning About: PERL/WSFT-Exploit Trojan
Report From: Network Associates
* Release Note: This trojan is used by the Solaris/Sadmind.worm to deface unpatched Microsoft IIS Web Servers by overwriting the index/default page in the WWWROOT folder with the following text:
* Click here for Report on PERL/WSFT-Exploit

Date: May 11, 2001
Platform: MS Windows
Warning About: W32.HLLC.Danny Virus
Report From: Norton / Symantec Security Updates
* Release Note: W32.HLLC.Danny is a simple Win32 virus that overwrites .exe files. The virus saves a copy of the original file before overwriting it. When the virus is executed, it displays a message containing a quote from Shakespeare's Hamlet.
* Click here for Report on W32.HLLC.Danny

Date: May 11, 2001
Platform: MS Windows
Warning About: VBS.Noarn.A Virus
Report From: Norton / Symantec Security Updates
* Release Note: VBS.Noarn.A is a Visual Basic Script virus in an HTML file.
* Click here for Report on VBS.Noarn.A

Date: May 10, 2001
Platform: MS Windows
Warning About: W32/Roach@MM Worm Virus
Report From: Network Associates
* Release Note: W32/Roach@MM is detected heuristically with the current engine and DAT files as "New Win32". This is a new file-infecting, mass-mailing worm virus which utilizes encryption and polymorphic techniques.
* Click here for NAI Report on W32/Roach@MM Worm

Date: May 10, 2001
Platform: MS Windows
Warning About: JS.Blink.A@m Worm
Report From: Norton / Symantec Security Updates
* Release Note: JS.Blink.A@m is a JScript encrypted worm, which spreads using mIRC and PIRCH.
* Click here for Symantec Report on JS.Blink.A@m

Date: May 09, 2001
Platform: MS Windows
Warning About: VBSWG.X@mm Worm
Aliases: Homepage, Home Page, VBS/VBSWG.X, VBS.VBSWG2.X@mm, VBS.HomePage
Variant: VBSWG.X
Report From: F-Secure Website, F-Secure Press Release, NAI and Symantec
* Release Note: This is an encrypted worm generated with the VBSWG virus kit. It is similar to the worm that spread widely in February 2001, VBS/Onthefly (also known as the Anna Kournikova worm). The VBSWG.X worm spreads using the Outlook application. It sends messages with the following content:
Subject: Homepage
Body: You've got to see this page! It's really cool ;O)
Attachment: homepage.HTML.vbs
* Click here for F-Secure Report on VBSWG.X@mm
* Click here for NAI Report on VBS/SST.gen@MM
* Click here for Symantec Report on VBS.VBSWG2.D@mm

Date: May 09, 2001
Platform: MS Windows 2000 Server, Windows 2000 Advanced Server and Windows 2000 Datacenter Server
Patch Available: Malformed Request to Domain Controller can Cause Memory Exhaustion
Report From: Microsoft TechNet Security
* Release Note: A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a memory leak, which can be triggered when it attempts to process a certain type of invalid service request.
* Click here for MS Security Bulletin MS01-024
* Click here for Questions or Comments about the Bulletin

Date: May 08, 2001
Platform: Systems running unpatched versions of Microsoft IIS; systems running unpatched versions of Solaris up to, and including, Solaris 7 (Sun Microsystems)
Warning About: sadmind/IIS Worm
Report From: CERT
* Release Note: The CERT/CC has received reports of a new piece of self-propagating malicious code (referred to here as the sadmind/IIS worm). The worm uses two well-known vulnerabilities to compromise systems and deface web pages.
* Click here for CERT CA-2001-11

Date: May 08, 2001
Platform: MS Windows
Warning About: Happytime Worm
Variant: Happytime.A
Report From: F-Secure
* Release Note: VBS/Happytime is a VBS worm that propagates in two different ways - as a slow worm similar to JS/Kak, and as a fast worm - mass mailer.
* Click here for Report on Happytime

Date: May 08, 2001
Platform: MS Windows
Warning About: W97M.Fool.J.Gen Virus
Aliases: Macro.Word97.Fool.b, W97M/Fool.gen
Report From: Norton / Symantec Security Updates
* Release Note: W97M.Fool.J.Gen is a Microsoft Word macro virus that spreads by infecting the active Microsoft Word document and the global template, Normal.dot.
* Click here for Report on W97M.Fool.J.Gen

Date: May 08, 2001
Platform: MS Windows
Warning About: VBS.Svinta.A Virus
Report From: Norton / Symantec Security Updates
* Release Note: VBS.Svinta.A is a Visual Basic Script (VBS) in an HTML file. If an infected HTML file is opened, the Autoexec.bat file is modified, and HTML files that are in specific folders are infected.
* Click here for Report on VBS.Svinta.A

Date: May 05, 2001
Platform: MS Windows
Warning About: JS.Disturbed.A@m Worm
Report From: Norton / Symantec Security Updates
* Release Note: JS.Disturbed.A@m is a worm that uses Microsoft Outlook and Outlook Express to spread itself. This worm inserts its code into every email message that you send.
* Click here for Report on JS.Disturbed.A@m

Date: May 05, 2001
Platform: MS Windows
Warning About: W32.HLLC.Pers Virus
Report From: Norton / Symantec Security Updates
* Release Note: W32.HLLC.Pers is a simple companion virus. It searches for .exe files that are in the same folder as the virus, renames them with the .Lsx extension, and then copies itself as the original .exe file names.
* Click here for Report on W32.HLLC.Pers

Date: May 05, 2001
Platform: MS Windows
Warning About: VBS.Lumorg Trojan
Aliases: VBS.Lucky2
Report From: Norton / Symantec Security Updates
* Release Note: VBS.Lumorg is a Visual Basic Script Trojan horse. If the virus is executed, it overwrites all files that are located in the same folder as itself. It also adds a link to Internet Explorer's Favorites menu.
* Click here for Report on VBS.Lumorg

Date: May 05, 2001
Platform: MS Windows
Warning About: JS/Yama.gen@M Virus
Aliases: Alan Peru, I-Worm.Yama (AVP) and JS.Disturbed.A@m (NAV)
Report From: Network Associates
* Release Note: This is a generic detection of several JS/Yama variants. There are several common elements to the variants seen by AVERT. In addition to JavaScript, the worm also uses VBScript and is therefore dependent on the Windows Scripting Host.
* Click here for Report on JS/Yama.gen@M

Date: May 05, 2001
Platform: MS Windows
Warning About: VBS/Haptime@MM Virus
Aliases: VBS.Happytime.A (CA), VBS/Help (Panda), VBS_Haptime.A (Trend)
Report From: Network Associates
* Release Note: This Visual Basic Script virus will append itself to files, delete files, and can spread via embedded VBScript, contained in the body of HTML formatted email messages.
* Click here for Report on VBS/Haptime@MM

Date: May 02, 2001
Platform: Windows 2000 and IIS 5.0 Server Software
MS Bulletin: Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
Report From: Microsoft TechNet Security
* Release Note: The vulnerability results because the Internet Printing ISAPI extension in Windows 2000 contains an unchecked buffer. This is an extremely serious vulnerability, and Microsoft recommends that all IIS 5.0 web server administrators apply the patch immediately.
* Click here for MS Security Bulletin MS01-023
* Click here for Questions or Comments about the Bulletin

Date: May 02, 2001
Platform: MS Windows 2000 and Internet Information Server 5.0
Security Bug: Security Hole in Web Server Software
Report From: MSNBC Tech News, Hackers ZDNet and Microsoft Security
* Release Note: Microsoft Corp. issued a widespread warning Tuesday about a security vulnerability that puts millions of Web sites at immediate risk. Hackers ZDNet says a hole in IIS 5.0, described as serious, could give system level access to a hacker.
* Click here for MSNBC Report on Serious Security Flaw
* Click here for Hackers ZDNet Report on Security Hole
* Click here for MS Security Bulletin MS01-023 and patch

Date: May 02, 2001
Platform: PC
Warning About: W97M.Rendra.D.Gen
Aliases: Macro.Word.97.Rendra.b, W97M/Rendra.gen
Report From: Norton / Symantec Security Updates
* Release Note: W97M.Rendra.D.Gen is a macro virus that infects active documents and the Normal.dot template file.
* Click here for Report on W97M.Rendra.D.Gen

Date: May 02, 2001
Platform: MS Windows
Warning About: X97M.Pink.A.Gen
Variant: X97M/Laroux
Report From: Norton / Symantec Security Updates
* Release Note: X97M.Pink.A.Gen infects active workbooks and inserts an infected workbook into the \XLStart folder.
* Click here for Report on X97M.Pink.A.Gen

Date: May 02, 2001
Platform: Windows
Security Bug: Virus protection for Intuit QuickBooks 2001
Report From: MSNBC Bug Of The Day
* Release Note: If the reported error pops up in QuickBooks 2001 when attempting to access Common Payroll Setup, a Visual Basic Script e-mail virus may be to blame. Read the bug report for the error message and a workaround.
* Click here for Bug Report on Intuit QuickBooks 2001

Date: May 01, 2001
Platform: PC
Warning About: SadCase.Trojan
Report From: Norton / Symantec Security Updates
* Release Note: When run, SadCase.Trojan deletes as many files as possible from drive C. While doing so, two messages are displayed.
* Click here for Report on SadCase.Trojan

Macintosh

Date: May 22, 2001
Platform: Macintosh with MS Word 98 / 2001 for the Mac
Patch Available: RTF document linked to template can run macros without warning
Report From: Microsoft TechNet Security
* Release Note: Impact of vulnerability: Run macros without warning. Recommendation: Customers using affected versions of Word should apply the patch immediately.
* Click here for MS Security Bulletin MS01-028

Linux

Date: May 31, 2001
Platform: MS Win ME / 9.x, Various Linux OS with various versions of GNU Privacy Guard
Warning About: GnuPG Format String Vulnerability
Report From: Security Focus
* Release Note: GnuPG is a popular open source public/private key encryption system. It is possible for attackers to create an encrypted document that will exploit a format string vulnerability in the GnuPG client when the document is decrypted. This vulnerability may lead to remote attackers gaining access to client hosts.
* Click here for Advisory No. 2797

Date: May 31, 2001
Platform: Linux
Updates To: format string problem with gnupg
Report From: Linux Daily News
* Release Note: The format string problem with gnupg was covered on this week's security page.
* Click here for LWN Security Update To format string problem

Date: May 31, 2001
Platform: Linux-Mandrake
Updates To: gnupg
Report From: Linux Daily News
* Release Note: Linux-Mandrake has this update to the format string problem with gnupg.
* Click here for LWN Security Update To gnupg

Date: May 31, 2001
Platform: Immunix
Updates To: gnupg
Report From: Linux Daily News
* Release Note: Immunix has this update to the format string problem with gnupg.
* Click here for LWN Security Update To gnupg

Date: May 31, 2001
Platform: Immunix
Updates To: kerberos
Report From: Linux Daily News
* Release Note: Immunix has this update to kerberos fixing a buffer overflow problem.
* Click here for LWN Security Update To kerberos

Date: May 31, 2001
Platform: Immunix
Updates To: man buffer overflow
Report From: Linux Daily News
* Release Note: Immunix has this fix for the man buffer overflow.
* Click here for LWN Security Update To man buffer overflow

Date: May 30, 2001
Platform: SuSE
Updates To: "man" package
Report From: Linux Daily News
* Release Note: SuSE has posted a security advisory for the man package distributed with SuSE distributions stretching back to 6.0 and running through 7.1.
* Click here for LWN Security Update To man

Date: May 30, 2001
Platform: WireX
Updates To: FormatGuard
Report From: Linux Daily News
* Release Note: WireX has released a new tool called FormatGuard. Its purpose is to protect programs against format string attacks. It's an extension to the C library, and is released under the LGPL.
* Click here for LWN Security Update To FormatGuard

Date: May 28, 2001
Platform: Linux-Mandrake
Updates To: ncurses
Report From: Linux Daily News
* Release Note: MandrakeSoft has issued a security update to ncurses fixing a buffer overflow problem in that package. Linux-Mandrake 8.0 appears not to be vulnerable; only users of 7.x need apply the update.
* Click here for LWN Security Update To ncurses

Date: May 28, 2001
Platform: Turbolinux
Updates To: vim, pmake, and openssl
Report From: Linux Daily News
* Release Note: Turbolinux continues to catch up on the security front. Recent updates include this fix to vim dealing with the statusline command vulnerability, this update to pmake fixing the setuid vulnerability in that package, and a big fix to openssl that takes care of four separate problems.
* Click here for LWN Security Update To vim
* Click here for LWN Security Update To pmake
* Click here for LWN Security Update To openssl

Date: May 28, 2001
Platform: Linux-Mandrake
Updates To: kdelibs
Report From: Linux Daily News
* Release Note: Linux-Mandrake has issued an advisory for kdelibs to address a problem in kdesu where world readable files are used for authentication processing.
* Click here for LWN Security Update To kdelibs

Date: May 25, 2001
Platform: Red Hat
Security Bug: Security holes in Linux 6 through 7
Report From: MSNBC Bug Of The Day
* Release Note: Several security holes have been found in the kernel. Red Hat has released an update package for Red Hat Linux 6 through 7. Additional information and links to architecture specific RPMs are available at http://www.redhat.com/support/errata/RHSA-2001-013.html
* Click here for Bug Report on Security holes

Date: May 25, 2001
Platform: Trustix Linux
Updates To: samba and bind
Report From: Linux Daily News
* Release Note: Trustix has posted security advisories for samba and bind.
* Click here for LWN Security Update To samba
* Click here for LWN Security Update To bind

Date: May 25, 2001
Platform: Turbolinux
Updates To: vixie-cron
Report From: Linux Daily News
* Release Note: Turbolinux has issued a security announcement for vixie-cron to address the previously reported problems with editing crontab files.
* Click here for LWN Security Update To vixie-cron

Date: May 25, 2001
Platform: EnGarde
Updates To: pine
Report From: Linux Daily News
* Release Note: EnGarde Secure Linux has issued an update for pine to address temporary file handling problems.
* Click here for LWN Security Update To pine

Date: May 24, 2001
Platform: EnGarde Secure Linux
Updates To: pine
Report From: Linux Daily News
* Release Note: EnGarde Secure Linux has issued an update for pine to address temporary file handling problems.
* Click here for LWN Security Update To pine

Date: May 23, 2001
Platform: Linux
Warning About: Linux.Cheese.Worm Worm
Report From: Norton / Symantec Security Updates
* Release Note: This worm attempts to spread itself to machines that have been compromised by Linux.Lion.Worm, and remove the security hole that allowed the replication to occur. It is not considered harmful, but is a misguided attempt to address a security issue.
* Click here for Report on Linux.Cheese.Worm

Date: May 23, 2001
Platform: Red Hat
Updates To: man, mktemp
Report From: Linux Daily News
* Release Note: Red Hat has issued separate security updates for man to address heap overruns and for mktemp which does not support making temporary directories in certain versions of their distributions.
* Click here for LWN Security Update To man
* Click here for LWN Security Update To mktemp

Date: May 22, 2001
Platform: Linux 6.2 and 7.x
Warning About: Linux.Hijacker.Worm
Report From: Norton / Symantec Security Updates
* Release Note: This worm searches the Internet for Linux systems that have been compromised by a backdoor trojan that may have gained root access. It then remotely launches a module that starts a shell script named w0rmstart.sh.
* Click here for Report on Linux.Hijacker.Worm

Date: May 22, 2001
Platform: Versions of Red Hat Linux
Warning About: Red Hat Samba Package /tmp Race Condition
Report From: CIAC Bulletins
* Release Note: A malicious local user could create a symbolic link in /tmp and overwrite any file on the system. Solution: Apply software upgrades as noted in bulletin.
* Click here for Bulletin Number L-084

Date: May 22, 2001
Platform: Linux-Mandrake
Updates To: samba and openssh
Report From: Linux Daily News
* Release Note: Linux-Mandrake has issued updates for samba and openssh.
* Click here for LWN Security Update To samba
* Click here for LWN Security Update To openssh

Date: May 20, 2001
Platform: Turbolinux
Updates To: xemacs, kernel and mgetty
Report From: Linux Daily News
* Release Note: Turbolinux has released security updates for xemacs (all versions prior to xemacs-21.1.14-1), kernel (all Turbolinux versions previous to 2.2.18-2), and mgetty (all Turbolinux versions prior to 1.1.22).
* Click here for LWN Security Update To xemacs
* Click here for LWN Security Update To kernel
* Click here for LWN Security Update To mgetty

Date: May 20, 2001
Platform: Caldera
Updates To: Samba
Report From: Linux Daily News
* Release Note: Caldera has issued an update for Samba to address problems that remained from a previous update.
* Click here for LWN Security Update To Samba

Date: May 20, 2001
Platform: Immunix
Updates To: minicom
Report From: Linux Daily News
* Release Note: Immunix posted an advisory late yesterday to address format string problems in minicom.
* Click here for LWN Security Update To minicom

Date: May 20, 2001
Platform: SuSE
Advisory for: 2.2 kernel
Report From: Linux Daily News
* Release Note: SuSE released an advisory for the 2.2 kernel in many of their distributions to address multiple vulnerabilities that could potentially allow remote attackers to gain root access.
* Click here for LWN Advisory for 2.2 kernel

Date: May 20, 2001
Platform: Caldera
Updates To: gnupg
Report From: Linux Daily News
* Release Note: Caldera has posted an update to gnupg to address a private key retrieval vulnerability.
* Click here for LWN Security Update To gnupg

Date: May 17, 2001
Platform: Linux
Warning About: Cheese worm
Report From: Hackers ZDNet and MSNBC Tech News
* Release Note: System administrators worldwide reported signs on Wednesday that another self-spreading program -- or worm -- had started to infect Linux systems.
* Click here for ZDNet Report on Cheese worm
* Click here for MSNBC Report: 'Benevolent' worm hits Linux boxes

Date: May 17, 2001
Platform: Red Hat
Updates To: Kerberos and gnupg
Report From: Linux Daily News
* Release Note: Red Hat has issued security advisories for Kerberos 5 and gnupg. The former addresses a potential vulnerability in the gssapi-aware ftpd daemon and the latter covers potential secret key vulnerabilities.
* Click here for LWN Security Update To Kerberos
* Click here for LWN Security Update To gnupg

Date: May 16, 2001
Platform: Linux-Mandrake
Advisory To: pine
Report From: Linux Daily News
* Release Note: Linux-Mandrake has issued a security advisory for pine to address temporary file creation vulnerabilities.
* Click here for LWN Security Advisory for pine

Date: May 16, 2001
Platform: Progeny Debian distribution
Advisory To: kernel image 2.4.2
Report From: Linux Daily News
* Release Note: Progeny Linux has issued a security advisory for kernel image 2.4.2 in their Progeny Debian distribution.
* Click here for LWN Security Advisory for kernel image 2.4.2

Date: May 16, 2001
Platform: Red Hat
Updates To: samba, Zope
Report From: Linux Daily News
* Release Note: Red Hat issued an update for a security fix for samba they had previously released that addresses /tmp vulnerabilities. They also issued a new update for the Zope vulnerability with ZClasses.
* Click here for LWN Security Update To samba
* Click here for LWN Security Update To Zope

Date: May 15, 2001
Platform: SuSE
Updates To: crontab
Report From: Linux Daily News
* Release Note: SuSE has issued an update for the cron package to address problems related to dropping permissions when editing a crontab file.
* Click here for LWN Security Update To crontab

Date: May 11, 2001
Platform: Linux Mandrake
Updates To: minicom, vixie-cron, Zope, and cups
Report From: Linux Daily News
* Release Note: Linux-Mandrake posted security announcements for 4 packages late yesterday.
They cover minicom (format string issues), vixie-cron (fixes recent problem when invoking the editor), Zope (ZClasses update) and cups (bug fix release, with unspecified security updates).
* Click here for Security Announcement for minicom
* Click here for Security Announcement for vixie-cron
* Click here for Security Announcement for Zope
* Click here for Security Announcement for cups

Date: May 09, 2001
Platform: Immunix
Updates To: Samba security updates
Report From: Linux Daily News
* Release Note: In response to the release of Samba 2.0.9, security updates for Samba have been released by Immunix.
* Click here for LWN Security Update To Samba

Date: May 09, 2001
Platform: Debian
Updates To: Samba security updates
Report From: Linux Daily News
* Release Note: In response to the release of Samba 2.0.9, security updates for Samba have been released by Debian.
* Click here for LWN Security Update To Samba

Date: May 09, 2001
Platform: Turbolinux
Updates To: squid, dhcp, cvsweb, dialog, vixie-cron, xntp3, netscape, and analog
Report From: Linux Daily News
* Release Note: Turbolinux seems to have decided to catch up on its security fixes, and has sent out a whole pile of updates. Many of them fix problems that have been outstanding for months. Available updates include squid, dhcp, cvsweb, dialog, vixie-cron, xntp3, netscape, and analog.
* Click here for LWN Security Update To squid
* Click here for LWN Security Update To dhcp
* Click here for LWN Security Update To cvsweb
* Click here for LWN Security Update To dialog
* Click here for LWN Security Update To vixie-cron
* Click here for LWN Security Update To xntp3
* Click here for LWN Security Update To netscape
* Click here for LWN Security Update To analog

Date: May 09, 2001
Platform: Samba
Updates To: Samba 2.0.9 released (security fix)
Report From: Linux Daily News
* Release Note: Andrew Tridgell has released Samba 2.0.9, which fixes the security bug that he had thought was fixed in 2.0.8.
If you're running a 2.0 version of Samba, an upgrade is recommended; look for one from your favorite distributor soon. 2.2.0 users are not affected by this problem.
* Click here for LWN Security Update To Samba 2.0.9

Date: May 09, 2001
Platform: Turbolinux
Reports On: squid security problem
Report From: Linux Daily News
* Release Note: Turbolinux has released this report concerning a /tmp file problem with squid.
* Click here for LWN Report on squid security problem

Date: May 09, 2001
Platform: EnGarde
Reports On: glibc vulnerability
Report From: Linux Daily News
* Release Note: The EnGarde Secure Linux distribution reports on a libc local vulnerability and has an upgraded version of libc available to fix the problem.
* Click here for LWN Security Report on glibc vulnerability

Date: May 08, 2001
Platform: Turbolinux
Updates To: ncurses
Report From: Linux Daily News
* Release Note: Turbolinux has issued an update to ncurses fixing the buffer overflow problem that most distributions dealt with back in October, 2000.
* Click here for LWN Security Update To ncurses

Date: May 08, 2001
Platform: Debian Project
Updates To: man-db and gftp
Report From: Linux Daily News
* Release Note: The Debian Project has an update to man-db fixing a symlink vulnerability there. Also from Debian is this update to gftp which fixes a format string vulnerability.
* Click here for LWN Security Update To man-db
* Click here for LWN Security Update To gftp

Date: May 08, 2001
Platform: MandrakeSoft
Updates To: pine
Report From: Linux Daily News
* Release Note: MandrakeSoft has put out an update to pine, which also has a symlink vulnerability.
* Click here for LWN Security Update To pine

Date: May 08, 2001
Platform: Turbolinux
Updates To: ed
Report From: Linux Daily News
* Release Note: Turbolinux has issued a security advisory for the ed package. Ed creates temporary files insecurely. If you have TL 6.1 WorkStation, or Turbolinux versions 6.0.5 and earlier, you should update your package.
* Click here for LWN Security Update To ed package

Date: May 08, 2001
Platform: Debian
Updates To: Zope
Report From: Linux Daily News
* Release Note: The Debian Project has issued a security update to Zope fixing the recently-reported zclass vulnerability.
* Click here for LWN Security Update To Zope
* Click here for reported zclass vulnerability

Date: May 08, 2001
Platform: Debian
Updates To: cron
Report From: Linux Daily News
* Release Note: Debian has issued a security advisory for the cron package. Local root exploits are possible in older versions. This has been fixed in version 3.0pl1-57.3 (or 3.0pl1-67 for unstable). No exploits are known to exist, but it is recommended that you upgrade your cron packages immediately.
* Click here for LWN Security Update To cron package

Date: May 05, 2001
Platform: Linux-Mandrake
Updates To: gnupg 1.0.5 and kdelibs 2.1.2 packages
Report From: Linux Daily News
* Release Note: Linux-Mandrake has issued gnupg 1.0.5 packages, which include fixes for multiple security issues. Check the gnupg 1.0.5 announcement for more details. Also from Linux-Mandrake come new kdelibs 2.1.2 packages, fixing a temporary file link vulnerability there.
* Click here for LWN Security Update To gnupg 1.0.5
* Click here for gnupg.org's Whats New File
* Click here for LWN Security Update To kdelibs 2.1.2

Date: May 05, 2001
Platform: Turbolinux
Updates To: glibc package
Report From: Linux Daily News
* Release Note: Turbolinux has issued updated glibc packages which update them to glibc-2.1.3-33.
* Click here for LWN Security Update To glibc

Date: May 05, 2001
Platform: SuSE
Updates To: sgmltool package
Report From: Linux Daily News
* Release Note: SuSE has issued updated sgmltool packages, fixing a temporary file link problem in an underlying SGML perl script.
* Click here for LWN Security Update To sgmltool

Date: May 02, 2001
Platform: Immunix
Updates To: GnuPG
Report From: Linux Daily News
* Release Note: Wirex has issued an Immunix security update to GnuPG fixing a number of security problems in that package.
* Click here for LWN Security Update To GnuPG

Date: May 01, 2001
Platform: Misc Versions of Linux / Unix
Update About: Network Scanning and Probing Activity at Ports 515 and 111
Report From: National Infrastructure Protection Center (NIPC)
* Release Note: "Significant Increase in Unix-based Network Scanning and Probing Activity at Ports 515 and 111 Directed at lpd/LPRng and RPC Services"
* Click here for NIPC Alert 01-010

Date: May 01, 2001
Platform: Red Hat
Updates To: kdelibs
Report From: Linux Daily News
* Release Note: Red Hat has issued a security update to kdelibs fixing a temporary file vulnerability in that package.
* Click here for LWN Security Update To kdelibs

Date: May 01, 2001
Platform: Immunix
Updates To: gftp
Report From: Linux Daily News
* Release Note: Here's an update for gftp from Immunix.
* Click here for LWN Security Update To gftp

Top of Page

Miscellaneous

Date: May 31, 2001
Platform: Misc
Warning About: Reminder: SULFNBK.EXE is a Virus HOAX!
Report From: Kaspersky Lab
* Release Note: As Kaspersky Lab reported earlier last week, the virus hoax SULFNBK has been making the rounds as also witnessed by other anti-virus developers sending out a warning beacon. It is necessary to convince users that this type of virus does not actually exist, and we classify this as a VIRUS HOAX.
* Click here for Reminder: SULFNBK.EXE is a Virus HOAX!

Date: May 30, 2001
Platform: SourceForge Site Users
Security Post: SourceForge Server Compromised In Attack
Report From: Infowar.Com
* Release Note: Open-source software development site SourceForge.net is warning many of its users to change their passwords following an attack early last week in which intruders compromised one of the site's servers.
* Click here for Bug Report on SourceForge Server Compromise

Date: May 30, 2001
Platform: MS Windows and Misc Mail users
Warning About: VBS.Nasara.A@mm Worm
Aliases: VBS/NastySarah@m
Report From: Norton / Symantec Security Updates
* Release Note: VBS.Nasara.A@mm is a mass-mailing worm that uses MAPI applications, Microsoft Outlook, or Internet Information Server (IIS) to spread. It also modifies the Autoexec.bat file to delete the contents of drive C.
Name of attachment: NastySarah.jpg.vbs
If the worm cannot find any of these programs, it displays the following message and quits:
Hey! Haven't you heard! There's a VBS worm spreading by this very filename! You're lucky you didn't get hit! Forward this warning on to all of your contacts, so they won't get hit by the bug!
If the worm does find one of these programs, it deletes any email message that includes the word "NASTYSARAH" in the subject or message. It then spreads by automatically replying to messages that you received previously.
* Click here for Report on VBS.Nasara.A@mm

Date: May 30, 2001
Platform: Sun Solaris 8.0
Warning About: Solaris mailtool Buffer Overflow Vulnerability
Report From: Security Focus
* Release Note: The mailtool program included with OpenWindows in Solaris contains a buffer overflow vulnerability which may allow local users to execute arbitrary code/commands with group 'mail' privileges.
* Click here for Advisory 2787

Date: May 30, 2001
Platform: Misc versions of TWIG
Warning About: TWIG Webmail SQL Query Modification Vulnerability
Report From: Security Focus
* Release Note: TWIG Webmail contains a vulnerability which may allow users to modify SQL queries. These modified queries may then perform unauthorized operations.
* Click here for Advisory 2791

Date: May 30, 2001
Platform: Cosmicperl Directory Pro 2.0
Warning About: Directory Pro Arbitrary File Disclosure Vulnerability
Report From: Security Focus
* Release Note: Webdirectory Pro is a web application used to create a searchable directory of links developed by Cosmicperl. Webdirectory Pro contains an input validation vulnerability which may lead to disclosure of sensitive information to attackers.
* Click here for Advisory 2793

Date: May 28, 2001
Platform: Cisco IOS software version 12.1(2)T and 12.1(3)T: limited deployment of these releases.
Warning About: Cisco IOS Reload after Scanning Vulnerability
Report From: CIAC Bulletins
* Release Note: Security Scanning software can trigger a memory error in Cisco IOS Software, causing unexpected reload of the router. Damage: Denial of service. Solution: Upgrade to unvulnerable versions as soon as possible.
* Click here for Bulletin Number L-088

Date: May 24, 2001
Platform: Cisco 600 series routers (CBOS Software)
Warning About: Cisco Multiple Vulnerabilities in CBOS
Report From: CIAC Bulletins
* Release Note: Problems are several: TCP Sequence Prediction, echo request denial of service vulnerabilities, NVRAM password stored cleartext. Solution: Upgrade to releases not vulnerable, as described in bulletin.
* Click here for Bulletin Number L-086

Date: May 22, 2001
Platform: CSS 11000 series switches
Warning About: Cisco Content Service Switch FTP Vulnerability
Report From: CIAC Bulletins
* Release Note: Any user with a valid account can read or write any file on the system. Users can gain unauthorized access to data. Solution: Apply software upgrades as noted in bulletin.
* Click here for Bulletin Number L-085

Date: May 20, 2001
Platform: Misc
Warning About: Eurosol Trojan
Report From: Kaspersky Lab
* Release Note: This Trojan steals a user's personal account information from the international finance system "WebMoney."
* Click here for KLabs Virus Alert on Eurosol Trojan

Date: May 16, 2001
Platform: Configurations including BGP4 Prefix Filtering with Inbound Route Maps are vulnerable. This may include certain Cisco devices and Cisco routers.
Warning About: Cisco IOS BGP Attribute Corruption Vulnerability
Report From: CIAC Bulletins
* Release Note: A memory corruption issue can cause the Network Layer Reachability Information (NLRI) and attributes within some Border Gateway Protocol (BGP) UPDATEs to be inaccurate, therefore causing failure. Solution: Upgrade the affected Cisco device software. There is no known workaround.
* Click here for Bulletin Number L-082

Date: May 14, 2001
Platform: IRIX 6.5.5 through IRIX 6.5.8 are vulnerable
Warning About: SGI IRIX rpc.espd Buffer Overflow
Report From: CIAC Bulletins
* Release Note: An exploitable buffer overflow has been discovered in the Embedded Support Partner (ESP) daemon rpc.espd. Apply the patches described in bulletin.
* Click here for Bulletin Number L-080

Date: May 14, 2001
Platform: Misc
Hoax Report: Follow Links below
Report From: F-Secure Hoax information
* Release Note: F-Secure asks that you please ignore these messages and don't spread them any further. There was quite a list for today. Here is the list.
* Pay-at-the-pump gas station incident HOAX
* Bill 602P HOAX
* Money Transfer HOAX
* Champagne Lovers chain letter HOAX
* Gas Out chain letter HOAX
* NEWYORK BIG DIRT and THE FUCKER message HOAX
* Cancer chain letter HOAX
* Sulfnbk.exe virus HOAX

Date: May 11, 2001 * Revised
Platform: Systems running unpatched versions of Microsoft IIS; Systems running unpatched versions of Solaris up to, and including, Solaris 7 (Sun Microsystems)
Warning About: sadmind/IIS Worm
Aliases: Sadmind/IIS, Unix/Sadmind, Solaris/Sadmind.worm, Worm.PoizonBox, Backdoor.Sadmind (NAV), Sadmin-iis (Panda), Unix/Sadmind (Sophos)
Variant: Sadmind.A
Report From: CERT, F-Secure, Network Associates and Symantec
* CERT Release Note: Revised Advisory
* F-Secure Release Note: Sadmind is a worm that propagates from a Sun Solaris machine to another. It also compromises Windows NT/2000 servers running Internet Information Server 4.0 or 5.0.
* NAI Release Note: It uses the PERL/WSFT-Exploit trojan in order to attack unpatched Microsoft IIS Web Servers.
* Click here for Revised CERT CA-2001-11
* Click here for F-Secure Report on Sadmind
* Click here for NAI Report on Solaris/Sadmind.worm
* Click here for Symantec Report on Backdoor.Sadmind

Date: May 11, 2001
Platform: Misc
Warning About: W32.Efortune.31384@mm Virus
Aliases: W32/Roach@MM
Report From: Norton / Symantec Security Updates
* Release Note: W32.Efortune.31384@mm is a polymorphically encrypted massmailer with backdoor capabilities by IRC.
* Click here for Report on W32.Efortune.31384@mm

Date: May 11, 2001
Platform: Misc
Hoax Report: SULFNBK HOAX
Report From: Network Associates
* Release Note: Network Associates has released a report on a hoax that says "McAfee AVERT Labs would like to inform you of a new email HOAX." NAI says this email message is just a HOAX. Although the SULFNBK.EXE file may become infected by a number of valid viruses, the details of this message are not based on actual events.
* Click here for NAI Report on SULFNBK Hoax

Date: May 08, 2001
Platform: Networks
Advisory: Ongoing DDoS Disruption Attempts
Report From: NIPC
* Release Note: The NIPC has received reliable information indicating ongoing attempts to disrupt web access to several sites. The activity has been seen from several networks, and consists entirely of fragmented large UDP packets directed at port 80.
* Click here for NIPC Advisory 01-012
* Click here for Infowar.com Report on DDoS attacks

Date: May 08, 2001
Platform: Systems running unpatched versions of Microsoft IIS; Systems running unpatched versions of Solaris up to, and including, Solaris 7 (Sun Microsystems)
Warning About: sadmind/IIS Worm
Report From: CERT
* Release Note: The CERT/CC has received reports of a new piece of self-propagating malicious code (referred to here as the sadmind/IIS worm). The worm uses two well-known vulnerabilities to compromise systems and deface web pages.
* Click here for CERT CA-2001-11

Date: May 03, 2001
Platform: Dell Computers (Inspiron 5000 / 5000e consumer notebooks)
Warning About: Flaming Batteries Cause Dell Recall Woe
Report From: VNUNet Bugs and Fixes Department
* Release Note: Dell warned that "the batteries are subject to overcharge, potentially causing them to overheat, release smoke and possibly catch fire".
* Click here for VNUNet report on Dell Battery Recall

Date: May 02, 2001
Platform: a) Systems using TCP stacks which have not incorporated RFC1948 or equivalent improvements b) Systems not using cryptographically-secure network protocols like IPSec
Warning About: Statistical Weaknesses in TCP/IP Initial Sequence Numbers
Report From: CERT Advisory
* Release Note: A new vulnerability has been identified which is present when using random increments to constantly increase TCP ISN values over time.
* Click here for CERT CA-2001-09

Top of Page

Back to the Virus Archives page