Virus Warnings from June 2001


   Amiga


   Date: June 24, 2001
   Platform: Amiga
   Alert About:   Linkvirus Found (no name yet)
   Report From:   Virus Help Team Denmark (VHT-DK)
   * Release Note: Virus Help Denmark reports they received a new virus, and
     it is very tricky. Jan Erik Olausen, the programmer of VirusExecutor &
     xvs.library, has decoded the virus, and is working on it right now.
     There is "NO" cure for this virus right now.
   * Click here for VHT-DK Virus Warning vht-dk102

   Date: June 10, 2001
   Platform: Amiga
   Update About:  Bobek-2 Linkvirus Found
   Report From:   Virus Help Team Denmark (VHT-DK)
   * Release Note: Virus Help Denmark reports "What we think is the
     installer of the new linkvirus 'Bobek2' has been found. It was on
     Aminet but has been removed now. But there just might be a few more
     installers out there, so take care. Right now there is no cure for the
     'Bobek2' virus."
   * Click here for VHT-DK Virus Warning vht-dk101 Read Me



   Windows

   Date: June 27, 2001
   Platform: Microsoft
   Warning About: Microsoft LDAP over SSL Password Vulnerability
   Report From:   CIAC Bulletins
   * Release Note: An LDAP function fails to check the permissions of a
     requestor when the directory principal=domain user and data
     attribute=domain password. Solution: Apply the patch prescribed by
     Microsoft.
   * Click here for Bulletin Number L-101

   Date: June 27, 2001
   Platform: Microsoft Windows
   Warning About: Perception LiteServe Script Source Code
                  Disclosure Vulnerability
   Report From:   Security Focus
   * Release Note: Perception LiteServe is a commercial e-mail, web, and
     FTP server for Microsoft Windows. Perception LiteServe's webserver
     is subject to a vulnerability which will display the source code for
     arbitrary CGI scripts to remote attackers.
   * Click here for Advisory No. 2926

   Date: June 27, 2001
   Platform: Microsoft Windows (but not on WinNT/2000)
   Warning About: W95/Linong@MM Virus
   Aliases:       W32.Liong (NAV)
   Report From:   Network Associates
   * Release Note: This is a 32-bit mass-mailing worm which, when run,
     sends itself to all recipients found in the Microsoft Outlook Address
     Book. Removal Instructions are in the report.
   * Click here for Report on W95/Linong@MM

   Date: June 27, 2001
   Platform: PC
   Warning About: VBS/LoveLetter.cq@MM Virus
   Aliases:       VBS.LoveLetter.CQ (NAV)
   Report From:   Network Associates
   * Release Note: Executing this VBScript worm copies files to your system,
     and uses it to connect to other machines on the Internet to spread the
     virus. Removal Instructions are in the report.
   * Click here for Report on VBS/LoveLetter.cq@MM

   Date: June 26, 2001
   Platform: Microsoft
   Advisory:     New Scanning Activity (with W32-Leaves.worm)
                 Exploiting SubSeven Victims
   Report From:  NIPC Advisory
   * Release Note: The NIPC and FedCIRC have recently received information
     on attempts to locate, obtain control of and plant new malicious code
     known as "W32-Leaves.worm" on computers previously infected with the
     SubSeven Trojan. This new activity, currently under investigation,
     further increases the importance that all users of Microsoft operating
     systems take precautions against infection by SubSeven Trojan variants,
     and, if infected, promptly implement the known procedures to remove the
     SubSeven infection.
   * Click here for NIPC Advisory 01-014

   Date: June 26, 2001
   Platform: PC
   Report From:   F-Secure
   * Click here for Virus Report on Leave
     Aliases:      I-Worm.Leave, W32.Leave.Worm
     Release Note: Leave is a Win32 worm that reportedly has backdoor
     capabilities or utilizes them from SubSeven backdoor. The worm
     reportedly spreads through e-mail and IRC servers.
   Report From:    Network Associates
   * Click here for NAI Report on W32/Leave.worm

   Date: June 26, 2001
   Platform: RAD installed on IIS 4.0 or IIS 5.0 web servers
   Warning About: FrontPage Sub-Component Vulnerability
   Report From:   CIAC Bulletins
   * Release Note: Microsoft's Visual Studio Remote Application Deployment
     (RAD) Support has a buffer overflow vulnerability. An attacker could
     use the vulnerability to load and execute arbitrary code on the server.
     Solution: Remove RAD from the server, or apply the patch as directed.
   * Click here for Bulletin Number L-100

   Date: June 26, 2001
   Platform: Microsoft Windows 2000
   Patch Available: Function Exposed via LDAP over SSL Could Enable
                    Passwords to be Changed
   Report From:    Microsoft TechNet Security
   * Release Note: An attacker could change another user's password for
     either of two purposes. Recommendation: Customers who currently provide
     LDAP over SSL sessions should apply the patch immediately.
   * Click here for MS Security Bulletin MS01-036

   Date: June 26, 2001
   Platform: Microsoft
   Patch Available: FrontPage Server Extension Sub-Component Contains
                    Unchecked Buffer
   Report From:    Microsoft TechNet Security
   * Release Note: An attacker could exploit this vulnerability against any
     server with this sub-component installed by establishing a web session
     with the server and passing a specially malformed packet to the
     server component. Recommendation: Customers who have installed Visual
     Studio RAD Support should install the patch.
   * Click here for MS Security Bulletin MS01-035

   Date: June 26, 2001
   Platform: Microsoft
   Patch Available: Malformed Word Document Could Enable Macro
                    to Run Automatically
   Report From:    Microsoft TechNet Security
   * Release Note: A vulnerability results because it is possible to modify
     a Word document in such a way as to prevent the security scanner from
     recognizing an embedded macro while still allowing it to execute.
     Recommendation: Customers using affected versions of Word should
     apply the patch immediately.
   * Click here for MS Security Bulletin MS01-034

   Date: June 26, 2001
   Platform: Windows
   Warning About: Cerberus FTP Server Buffer Overflow DoS Vulnerability
   Report From:   Security Focus
   Release Note:  There is a buffer overflow in Cerberus FTP Server. This
   vulnerability does not require any user authentication to exploit. It
   may be possible for remote users to cause a denial of service or execute
   arbitrary code on target hosts.
   * Click here for Advisory No. 2901

   Date: June 26, 2001
   Platform: Windows
   Warning About: Arcadia Internet Store Arbitrary File
                  Disclosure Vulnerability
   Report From:   Security Focus
   Release Note:  One of the components of this package, 'tradecli.dll',
   allows users to specify a template file. As a result, remote users can
   specify an arbitrary file on the same drive as the webserver by
   'traversing' outside of the web root directory. This vulnerability may
   disclose sensitive information to attackers.
   * Click here for Advisory No. 2902

   Date: June 26, 2001
   Platform: Windows
   Warning About: Arcadia Internet Store Show Path Vulnerability
   Report From:   Security Focus
   Release Note:  One of the components of this package, 'tradecli.dll',
   allows users to specify a template file, the contents of which will be
   output. If the requested file does not exist, the error message will
   contain the absolute path of the application on the webserver. This
   information may assist in further attacks.
   * Click here for Advisory No. 2904

   Date: June 26, 2001
   Platform: Windows
   Warning About: Arcadia Internet Store Denial of Service Vulnerability
   Report From:   Security Focus
   Release Note:  1C: Arcadia Internet Store is an online shopping utility
   for MS Windows NT/2000. Remote attackers can request DOS devices, such as
   'con', 'com1', 'com2', etc. When 'tradecli.dll' attempts to open these
   files a denial of service may occur.
   * Click here for Advisory No. 2905

   Date: June 26, 2001
   Platform: Windows
   Warning About: MS Visual Studio RAD Support Buffer
                  Overflow Vulnerability
   Report From:   Security Focus
   Release Note:  Due to an unchecked buffer in a subcomponent of FrontPage
   Server Extensions, a specially crafted request could allow a user to
   execute arbitrary commands on a host running IIS 5.0 and IIS 4.0.
   * Click here for Advisory No. 2906

   Date: June 26, 2001
   Platform: Windows
   Warning About: Trend Micro InterScan WebManager RegGo.dll
                  Buffer Overflow Vulnerability
   Report From:   Security Focus
   Release Note:  A remotely exploitable buffer overflow exists in
   RegGo.dll. This may lead to compromise of hosts running vulnerable
   versions of WebManager.
   * Click here for Advisory No. 2907

   Date: June 26, 2001
   Platform: Windows
   Warning About: Microsoft IIS Unicode .asp Source Code
                  Disclosure Vulnerability
   Report From:   Security Focus
   Release Note:  A flaw exists in the handling of .asp requests.
   * Click here for Advisory No. 2909

   Date: June 26, 2001
   Platform: Microsoft
   Report From:    Norton / Symantec Security Updates
   * Click here for Report on W32.Leave.Worm
     Release Note: This worm downloads components from Web sites and
     contains code to accept commands from IRC.
   * Click here for Report on SennaSpy Generator
     Aliases:      Constructor.SennaSpy.2001
     Release Note: This is the Senna Spy Trojan Generator. It allows a user to
     create variants of the Senna Spy Trojan horse.
   * Click here for Report on W95.BlueCorners.2049
     Release Note: This virus is a fairly simple fast infector. It will
     infect only Windows 9x computers, and it will fail if run on a Windows
     NT computer. This virus carries a non-destructive payload that is
     activated on specific dates.
   * Click here for Report on PWSteal.Trojan.D
     Release Note: PWSteal.Trojan.D is a Trojan that attempts to steal login
     names and passwords. These passwords are sent to an anonymous email
     address.
   * Click here for Report on W97M.NSI.E
     Aliases:      W97M.NSI, W97M/Nsi.e
     Release Note: This is a simple Microsoft Word macro virus that infects
     Normal.dot and other open documents when you open an infected document.

   Date: June 21, 2001
   Platform: PC
   Warning About: Malicious Code in RTF Files
   Report From:   Kaspersky Lab
   * Release Note: Kaspersky Lab reports that a Trojan program penetrates
     computers when RTF files are read, and warns users about the discovery
     of the Trojan "Goga", which steals user details for Internet access
     from infected computers and sends them out...
   * Click here for Virus Alert on RTF Files

   Date: June 21, 2001
   Platform: MS Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled,
             MS Windows 2000 and Beta versions of Microsoft Windows XP
   Warning About: Buffer Overflow In IIS Indexing Service DLL
   Report From:   CERT
   * Release Note: This vulnerability allows a remote intruder to run
     arbitrary code on the victim machine.
   * Click here for CERT CA-2001-13

   Date: June 21, 2001
   Platform: PC
   Report From:   CIAC Bulletins
   Warning About: Microsoft Exchange Server Outlook Web Access Flaw
   * Click here for Bulletin Number L-091
   Warning About: Microsoft Predictable Name Pipes In Telnet
   * Click here for Bulletin Number L-092
   Warning About: BIND Inadvertent Local Exposure of HMAC-MD5 (TSIG) Keys
   * Click here for Bulletin Number L-094
   Warning About: Microsoft SQL Query Method Vulnerability
   * Click here for Bulletin Number L-095
   Warning About: Microsoft Index Server ISAPI Extension Buffer Overflow
   * Click here for Bulletin Number L-098

   Date: June 21, 2001
   Platform: PC
   Report From:   F-Secure
   * Click here for Report on Choke
     Aliases:      I-Worm.Choke, Win32.Choke, w32/Choke
     Release Note: Choke is a worm that utilises MSN Messenger for
     spreading. It sends itself using filenames like
     'ShootPresidentBUSH.exe', 'choke.exe' and
     'George.W.Bush@whitehouse.gov' as username.
   * Click here for Report on NewsFlood
     Aliases:      Win32/NewsFlood.7168.A, Trojan.Win32.NewsFlood
     Release Note: Newsflood is a trojan with the purpose of posting a vast
     number of messages to certain Usenet groups.
   * Click here for Report on Lamerman
     Release Note: F-Secure Anti-Virus had a false alarm on this virus on
     June 15th, 2001. As a result, F-Secure Anti-Virus might have detected
     "Lamerman.512.c" in master boot record or in file SUHDLOG.DAT on some
     systems.
   * Click here for Report on SHS
     Aliases:      Scrap Object Files, SHB
     Release Note: There is no virus by this name. However, files with the
     .SHS or .SHB extension can be used as trojans within Windows. If you
     receive a file with the .SHS or .SHB extension via web or e-mail, do
     not execute (double-click) it.
   * Click here for Report on Gogga
     Aliases:      Trojan.PSW.Goga, Goga
     Release Note: Goga is a trojan that is executed from a malicious Rich
     Text Formatted (.rtf) document. Due to a security vulnerability, macros
     are able to execute from a template pointed to by an RTF file without
     notification to the user in Microsoft Word.
   * Click here for Report on SUHDLOG.DAT
     Release Note: There is no virus by this name. However, we occasionally
     get queries about this file. SUHDLOG.DAT is created in the root
     directory of drive C: during the setup of Windows.
   * Click here for Report on Hadra
     Aliases:      I-Worm.Hydra
     Release Note: This is an Internet worm that spreads via e-mail as an
     attached EXE file.

   Date: June 21, 2001
   Platform: PC
   Report From:   Microsoft TechNet Security
   Patch Available: Unchecked Buffer in Index Server ISAPI Extension
                    Could Enable Web Server Compromise
   * Click here for MS Security Bulletin MS01-033

   Date: June 21, 2001
   Platform: PC
   Report From:   Microsoft TechNet Security
   Patch Available: SQL Query Method Enables Cached Administrator
                    Connection to be Reused
   * Click here for MS Security Bulletin MS01-032

   Date: June 21, 2001
   Platform: PC
   Report From:   Network Associates
   * Click here for Report on Backdoor-QR
   This is a remote access and keylogger trojan. When run, TCP/IP ports
   12973 and 12975 are opened to allow an attacker to connect to your
   system.
   * Click here for Report on Backdoor-QO
   This is a remote access trojan program. It is a UPX packed Delphi
   executable. When run it acts as an FTP server, opening port 3332 on the
   local machine.
   * Click here for Report on Backdoor-QN
   Aliases:       Backdoor.Belio081 (AVX)
   This threat is currently detected heuristically as New Backdoor.
   This is a remote access trojan and IRC Bot.
   * Click here for Report on DUNpws.ik
   Aliases:       DUNpws.ik.dr, Gogga (F-Secure) and W97M/Goga
   This trojan has three parts. An .RTF document, a remote .DOT template,
   and an application.
   * Click here for Report on W32/Storm.worm
   This worm arrives as a self-extracting ARJ archive 3342142 bytes long.
   The archive contains a copy of a Java environment, plus several .CLA
   files which perform the main worm functions.
   * Click here for Report on W32/Hadra@M
   Aliases:       Hadra (F-Secure), I-Worm.Hydra (AVP), W32.Hyd@mm (NAV)
                  Win32.Hydra.12249 (CA)
   This mailing worm sends itself to mail recipients when ordinary mail
   is sent out via Microsoft Outlook.

   Date: June 21, 2001
   Platform: PC
   Report From:   Norton / Symantec Security Updates
   Release Note: Read the complete report for Removal Instructions and
   how to Restore Files if applicable.
   * Click here for Report on W97M.Gogaru.A
   This is a macro which is coded to drop a password stealer Trojan onto
   the victim's system, after first having been downloaded from an
   Internet web address via an .RTF document.
   * Click here for Report on VBS.Kidarcade.F
   VBS.Kidarcade.F is a virus based on Visual Basic Script (VBS). It has
   been put into an HTML page, and is on at least one Web site. The virus
   installs a Backdoor Trojan that allows unauthorized access to the
   infected computer.
   * Click here for Report on IRC.Whacked.Worm
   IRC.Whacked.Worm uses IRC to spread. Infected systems can be monitored
   and manipulated to launch any file without your permission.

   Date: June 08, 2001
   Platform: MS Windows
   Warning About: W32/Themba Virus
   Aliases:       W32.HLLP.Thembe (NAV)
   Report From:   Network Associates
   * Release Note: This is an appending virus written in Visual Basic. When
     run, it infects all files in the current directory that contain the
     .EXE extension and other .EXE files that are run while an infected
     program is loaded into memory.
   * Click here for Report on W32/Themba

   Date: June 08, 2001
   Platform: MS Windows 2000 Telnet service
   Patch Available: Predictable Name Pipes Could Enable Privilege
                    Elevation via Telnet
   Report From:   Microsoft TechNet Security
   * Release Note: Impact of vulnerability: Privilege elevation, denial of
     service, information disclosure. Recommendation: System owners using
     the Telnet service should consider applying the patch.
   * Click here for MS Security Bulletin MS01-031

   Date: June 07, 2001
   Platform: Microsoft Exchange 2000 Server Outlook Web Access
   Patch Available: Incorrect Attachment Handling in Exchange 2000
                    OWA Can Execute Script
   Report From:   Microsoft TechNet Security
   * Release Note: Impact of vulnerability: Run code of attacker's choice.
     Recommendation: Customers with OWA implementations should install the
     patch immediately.
   * Click here for MS Security Bulletin MS01-030

   Date: June 07, 2001
   Platform: MS Windows
   Warning About: W32/Choke.worm Virus
   Aliases:       I-Worm.Choke (AVP), Win32.Choke (CA)
   Report From:   Network Associates
   * Release Note: This is the second known worm that spreads via MS's MSN
     Messenger program. If MSN Messenger is not installed on the local
     system, the worm will install itself, but fail to spread to others
     from that system.
   * Click here for NAI Report on W32/Choke.worm

   Date: June 07, 2001
   Platform: MS Windows
   Warning About: MsWorld Worm
   Aliases:       I-Worm.MsWorld, W32/MWrld-mm, W32/MissWorld-mm
                  W32/MsWorld@MM
   Report From:   Kaspersky Lab, F-Secure, Network Associates and Symantec
   * Release Note: MsWorld is written in Visual Basic programming language
     with embedded Macromedia Flash modules. The worm spreads in attached
     files via e-mail by using the widely-used MS Outlook e-mail program.
     It initiates a mass mailing routine, modifies a .BAT, and then formats
     all system disks. "MsWorld" also tries to delete the Windows system
     registry files.
   * Click here for Kaspersky Lab Report on MsWorld
   * Click here for F-Secure Report on MissWorld
   * Click here for NAI Report on W32/MsWorld@MM
   * Click here for Symantec Report on W32.MsWorld@mm

   Date: June 07, 2001
   Platform: MS Windows
   Warning About: LoveLetter.BE
   Aliases:       VBS/LoveLetter.BE@mm
   Report From:   F-Secure
   * Release Note: This variant spreads in a message with the following
     content:
        Subject:    fwd: Joke
        Attachment: Joke.vbs
     VBS/LoveLetter.BE@mm is quite similar to the original VBS/LoveLetter.A.
     This variant saves itself to the Windows System directory as "Jokes.vbs"
     and "Jokes.htm".
   * Click here for F-Secure Report on LoveLetter.BE
   * Click here for info on original VBS/LoveLetter.A

   Date: June 07, 2001
   Platform: MS Windows
   Warning About: DoS.Storm.Worm
   Report From:   Norton / Symantec Security Updates
   * Release Note: DoS.Storm.Worm is a worm that seeks out MS Internet
     Information Services (IIS) systems that have not applied the proper
     security patches. Any such systems that it finds are then infected
     with the worm. The payload of this worm performs a denial of service
     attack on http://www.microsoft.com and an email bombing session is
     started that sends email messages containing an obscene message to
     gates@microsoft.com.
   * Click here for Report on DoS.Storm.Worm

   Date: June 05, 2001
   Platform: MS Windows
   Warning About: SPAM/Absolut
   Report From:   Network Associates
   * Release Note: This is an email/chat SPAM tool used by someone to send
     a message or messages to a large number of email addresses or AOL chat
     rooms.
   * Click here for Report on SPAM/Absolut

   Date: June 02, 2001  * Updated
   Platform: MS Windows
   Hoax Alert:    Updated: SULFNBK.EXE Warning HOAX
   Report From:   Symantec Security HOAX Updates
   * Release Note: The file that is mentioned in the hoax, Sulfnbk.exe, is a
     Microsoft Windows utility. The virus/worm W32.Magistr.24876@mm can
     arrive as an attachment named Sulfnbk.exe. The Sulfnbk.exe file used by
     Windows is located in the C:\Windows\Command folder. If the file is
     located in any other folder, or arrives as an attachment to an email
     message, then it is possible that the file is infected.
   * Updated HOAX Report: How to restore the Sulfnbk.exe file

   Date: June 02, 2001  * Updated
   Platform: MS Windows
   Warning About: VBS.Loveletter.CN@mm Virus
   Aliases:       VBS.Loveletter.CM@mm (AVX), VBS.Lopez.A@mm,
                  JENNIFERLOPEZ_NAKED.JPG.vbs
   Report From:   Norton / Symantec Security Updates
   * Release Note: This is a minor variant of the LoveLetter virus family.
     This virus may arrive in the following format by email:
        Subject: Where are you?
        Body: This is my pic in the beach!
        Attachment: JENNIFERLOPEZ_NAKED.JPG.vbs
     This virus also drops the file Cih_14.exe, which is a dropper for the
     CIH virus, and attempts to run it. Read the complete report for Removal
     Instructions and Additional Information if you are using Norton
     AntiVirus 2001.
   * Click here for Report on VBS.Loveletter.CN@mm

   Date: June 02, 2001
   Platform: MS Windows
   Warning About: VBS.SystemColor.A Trojan Horse
   Report From:   Norton / Symantec Security Updates
   * Release Note: VBS.SystemColor.A is a Trojan horse that is written in
     Visual Basic Script. Once it is executed, it copies itself to
     C:\Windows\Filemon.exe. It then starts to repeatedly copy Explorer.exe
     as C:\Windows\System\Systemcolor\Color.. As a result, the computer may
     run out of space on the hard disk and stop responding. You may not be
     able to run Windows. Read the complete report for Removal Instructions.
   * Click here for Report on VBS.SystemColor.A

   Date: June 02, 2001
   Platform: MS Windows
   Warning About: IRC.Cuty Trojan Horse, Worm
   Aliases:       Elspy.a.worm
   Report From:   Norton / Symantec Security Updates
   * Release Note: This is an IRC worm that does not send itself to others.
     It only sends the CuteJany.doc file to IRC users. This worm is an
     encrypted DOS executable file. When it is executed it decrypts itself.
     It then creates the Cutyjant.bat file in the same folder as the worm,
     and executes it. Read the complete report for Removal Instructions.
   * Click here for Report on IRC.Cuty

   Date: June 02, 2001
   Platform: MS Windows
   Warning About: VBS.NoMercy.A Virus
   Aliases:       VBS/NoMercy.a, VBS.NMVT
   Report From:   Norton / Symantec Security Updates
   * Release Note: VBS.NoMercy.A is a Visual Basic script in an HTML file.
     The virus infects .html, .htm, .shtml, .stm, and .asp files. Read the
     complete report for Removal Instructions.
   * Click here for Report on VBS.NoMercy.A

   Date: June 02, 2001
   Platform: MS Windows
   Warning About: VBS.Sargo.A@mm.int Virus
   Aliases:       VBS.Nasara.A@mm, VBS/NastySarah@m
   Report From:   Norton / Symantec Security Updates
   * Release Note: VBS.Sargo.A@mm.int is an intended virus, coded to run as
     a mass-mailing worm that uses MAPI applications, Microsoft Outlook, or
     Internet Information Server (IIS) to spread. It also attempts to modify
     the Autoexec.bat file to delete the contents of drive C. Read the
     complete report for Removal Instructions.
   * Click here for Report on VBS.Sargo.A@mm.int

   Date: June 02, 2001
   Platform: MS Windows
   Warning About: W32.Update.Worm Worm
   Aliases:       I-Worm.Mustard, W32.Mustard
   Report From:   Norton / Symantec Security Updates
   * Release Note: W32.Update.Worm is a simple mass-mailing worm that can
     spread using MS Outlook. The worm is written in a high-level language.
     However, for the email spreading, the worm creates and executes a VBS
     script. This worm can also spread using mIRC. This worm may also
     attempt to disable Norton AntiVirus. Read the complete report for
     Removal Instructions.
   * Click here for Report on W32.Update.Worm

   Date: June 02, 2001
   Platform: MS Windows
   Warning About: W97M.Quest.A Virus
   Report From:   Norton / Symantec Security Updates
   * Release Note: W97M.Quest.A is a macro virus that infects active MS Word
     documents and the Normal.dot template. Read the complete report for
     Removal Instructions.
   * Click here for Report on W97M.Quest.A

   Date: June 02, 2001  * Updated
   Platform: MS Windows
   Warning About: Noped Worm
   Variant:       Noped.A
   Report From:   F-Secure
   * Release Note: VBS/Noped is an encrypted and polymorphic worm written in
     Visual Basic Script. This worm arrives in messages saying they want
     to end illegal child porn. It comes with an attachment. The worm also
     changes the Internet Explorer title bar text to:
     |.,.-*^*-.,.\ FUAHACKEDU@888.NU /.,.-*^*-.,.|
     Next the worm sends itself to random recipients in the Outlook address
     book. It also collects a list of files with extension ".jpg" or ".jpeg"
     and sends this list to several fixed email addresses.
   * Click here for Report on Noped

   Date: June 02, 2001
   Platform: MS Windows
   Warning About: Bionet Backdoor
   Aliases:       Backdoor.Bionet
   Report From:   F-Secure
   * Release Note: Bionet is a backdoor, a hacker's remote access tool. It
     is not as advanced as the Sub7, BackOrifice or Netbus backdoors. It
     consists of server and client parts. To perform disinfection it is
     enough to delete the server part of this backdoor from a system. It's
     better to do it from pure DOS.
   * Click here for Report on Bionet



   Macintosh

   Date: June 08, 2001
   Platform: Macintosh
   Warning About: MacSimpsons@mm AppleScript Virus
   Report From:   Norton / Symantec Security Updates
   * Release Note: SARC has become aware of a new AppleScript worm
     targeting the Macintosh platform called MacSimpsons@mm. It appears
     to open Outlook Express or Entourage and send a copy of itself with
     the original message to everyone in the user's address book. The
     title of the script is "Simpsons Episodes". This virus does not appear
     to be particularly malicious. Read the complete report for Removal
     Instructions.
   * Click here for Report on MacSimpsons@mm



   Linux

   Date: June 27, 2001
   Platform:  Red Hat
   Updates To:    samba
   Report From:   Linux Daily News
   * Release Note: Red Hat has posted their update for the samba security
     problems noted late last week.
   * Click here for LWN Security Update To samba

   Date: June 27, 2001
   Platform:  Caldera
   Updates To:    fetchmail and samba
   Report From:   Linux Daily News
   * Release Note: Caldera has posted advisories for fetchmail, to address
     the long header field problem, and samba, to address file overwrite
     issues that could allow remote compromises.
   * Click here for LWN Security Update To fetchmail
   * Click here for LWN Security Update To samba

   Date: June 26, 2001
   Platform: IRIX, Linux: PCP suite versions 2.1.11-5 and before
   Warning About: SGI PCP Pmpost Symlink Vulnerability
   Report From:   CIAC Bulletins
   * Release Note: The pmpost command of the Performance Co-Pilot (PCP)
     suite has a symlink handling vulnerability. If this runs in root
     context (i.e., setuid root), this could result in root compromise.
     Solution: Apply the described workaround.
   * Click here for Bulletin Number L-099

   Date: June 26, 2001
   Platform:  Red Hat
   Updates To:    XFree86
   Report From:   Linux Daily News
   * Release Note: Red Hat has posted an update for the XFree86 packages in
     their various distributions. This update addresses various security
     issues as well as provides new and updated drivers.
   * Click here for LWN Security Update To XFree86

   Date: June 26, 2001
   Platform:  Samba
   Updates To:    Samba Security Fix
   Report From:   Linux Daily News
   * Release Note: The Samba team has released patches for the macro
     exploit.
   * Click here for Samba Released Patches

   Date: June 26, 2001
   Platform:  Conectiva
   Updates To:    Security Announcement for Samba
   Report From:   Linux Daily News
   * Release Note: Conectiva has released a security update for samba.
   * Click here for Conectiva Security Update for Samba

   Date: June 26, 2001
   Platform:  Debian
   Updates To:    Security Advisory for Samba
   Report From:   Linux Daily News
   * Release Note: Debian addresses the problems with samba that were
     reported earlier this week.
   * Click here for Debian Security Advisory for Samba

   Date: June 26, 2001
   Platform:  Samba
   Updates To:    Urgent Security Advisory
   Report From:   Linux Daily News
   * Release Note: The Samba team has sent out an urgent security advisory
     regarding a remotely-exploitable hole in all versions of the code.
     There is no new Samba release yet (it's promised within 24 hours), but
     the advisory does contain a configuration file workaround which may be
     used to close the hole. Anybody running Samba really needs to have a
     look at this one.
   * Click here for Samba Urgent Security Advisory

   Date: June 26, 2001
   Platform:  Red Hat
   Updates To:    kernel 2.4
   Report From:   Linux Daily News
   * Release Note: A kernel 2.4 advisory from Red Hat addresses potential,
     though not default, configurations for FTP iptables.
   * Click here for LWN Security Update To kernel 2.4

   Date: June 26, 2001
   Platform:  Caldera
   Updates To:    fetchmail
   Report From:   Linux Daily News
   * Release Note: A fetchmail advisory from Caldera addresses buffer
     overflows in fetchmail that could be exploited remotely by sending
     exceptionally long header field data.
   * Click here for LWN Security Update To fetchmail

   Date: June 26, 2001
   Platform:  Turbolinux
   Updates To:    gnupg
   Report From:   Linux Daily News
   * Release Note: Turbolinux has issued an update for the gnupg package
     found in a number of versions of their Linux distributions.
   * Click here for LWN Security Update To gnupg

   Date: June 26, 2001
   Platform:  Immunix
   Updates To:    ispell
   Report From:   Linux Daily News
   * Release Note: Immunix has published an advisory to update the ispell
     package in their distributions.
   * Click here for LWN Security Update To ispell

   Date: June 26, 2001
   Platform:  EnGarde Secure Linux
   Updates To:    Apache and fetchmail-ssl packages
   Report From:   Linux Daily News
   * Release Note: EnGarde Secure Linux has posted an advisory for both
     the Apache and fetchmail-ssl packages found in their distribution.
   * Click here for LWN Security Update To Apache
   * Click here for LWN Security Update To fetchmail-ssl

   Date: June 26, 2001
   Platform:  Turbolinux
   Updates To:    esound
   Report From:   Linux Daily News
   * Release Note: Turbolinux has issued a security advisory for esound,
     addressing problems with world writable directories.
   * Click here for LWN Security Update To esound

   Date: June 26, 2001
   Platform: Linux
   Report From:   Security Focus
   Warning About: cfingerd Utilities Buffer Overflow Vulnerability
   Release Note:  A buffer overflow in cfingerd makes it possible for a
   local user to gain elevated privileges.
   * Click here for Advisory No. 2914

   Date: June 26, 2001
   Platform: Linux
   Report From:   Security Focus
   Warning About: CFingerD Utilities Format String Vulnerability
   Release Note:  cfingerd is a secure implementation of the finger daemon.
   Due to insufficient validation of input, it's possible to pass arbitrary
   format strings through the program, allowing an attacker to write to
   arbitrary sections of memory.
   * Click here for Advisory No. 2915

   Date: June 26, 2001
   Platform: Linux
   Warning About: eXtremail Remote Format String Vulnerability
   Report From:   Security Focus
   Release Note:  eXtremail is a freeware SMTP server available for Linux
   and AIX. eXtremail runs with root privileges. By exploiting this
   vulnerability, remote attackers can gain superuser access on the
   underlying host.
   * Click here for Advisory No. 2908

   Date: June 21, 2001
   Platform: Red Hat
   Report From:   CIAC Bulletins
   Warning About: Red Hat LPRng Vulnerability
   * Click here for Bulletin Number L-096

   Date: June 21, 2001
   Platform:  Linux Mandrake
   Updates To:    rxvt, webmin, ispell and proftpd
   Report From:   Linux Daily News
   * Click here for LWN Security Update To rxvt
   Release Note: buffer overflow can allow elevated privileges if rxvt is
   setgid.
   * Click here for LWN Security Update To webmin
   Release Note: administrative authorization is being carried by
   environment variables to system daemons.
   * Click here for LWN Security Update To ispell
   Release Note: use of mktemp() makes ispell vulnerable to symlink
   attacks.
   * Click here for LWN Security Update To proftpd
   Release Note: Linux proftpd is not affected by the recent CERT advisory
   because Linux uses a glob() function that is not vulnerable.

   Date: June 08, 2001
   Platform:  Red Hat
   Updates To:    gnupg
   Report From:   Linux Daily News
   * Release Note: Red Hat chimes in with their gnupg update. This one
     affects Red Hat Linux 6.2, 7.0 and 7.1 on various hardware platforms.
   * Click here for LWN Security Update To gnupg

   Date: June 08, 2001
   Platform:  Conectiva
   Updates To:    gnupg
   Report From:   Linux Daily News
   * Release Note: Conectiva has chimed in with their update to address
     the recent problems reported with gnupg.
   * Click here for LWN Security Update To gnupg

   Date: June 05, 2001
   Platform:  SuSE
   Updates To:    gnupg
   Report From:   Linux Daily News
   * Release Note: SuSE has also released a security update for the format
     string vulnerability in gnupg.
   * Click here for LWN Security Update To gnupg
   * May 31st Issue of LWN explains format string vulnerability

   Date: June 02, 2001
   Platform:  Caldera
   Updates To:    webmin
   Report From:   Linux Daily News
   * Release Note: Caldera has posted a security advisory for the webmin
     package to address a "root account leak".
   * Click here for LWN Security Update To webmin

   Date: June 02, 2001
   Platform:  Trustix
   Updates To:    gnupg
   Report From:   Linux Daily News
   * Release Note: Trustix has posted their update for gnupg to address the
     format string problem discovered last week.
   * Click here for LWN Security Update To gnupg



   Miscellaneous

   Date: June 29, 2001
   Platform: HP 9000 Servers running HP-UX releases 10.20 and 11.00
             (only), Solaris releases 2.X, Windows NT4.X/Windows 2000
             running NNM 6.1
   Warning About: Security Vulnerability in HP OpenView
                  Network Node Manager
   Report From:   CIAC Bulletins
   * Release Note: A vulnerability exists in HP OpenView Network Node Manager
     which allows a user to gain unauthorized privileges. Solution: Apply
     the appropriate HP patches for your system.
   * Click here for Bulletin Number L-102

   Date: June 28, 2001
   Platform: Cisco IOS systems
   Warning About: Cisco IOS HTTP Server Authentication Vulnerability
   Report From:   CERT
   * Release Note: A problem with the HTTP server component of Cisco IOS system
     software allows an intruder to execute privileged commands on Cisco
     routers if local authentication databases are used.
   * Click here for CERT CA-2001-14

   Date: June 28, 2001
   Platform: Oracle 8i Standard and Enterprise Editions Version 8.1.5,
             8.1.6, 8.1.7 and previous versions for Windows, Linux,
             Solaris, AIX, HP-UX and Tru64 Unix.
   Updates To:    Vulnerability in Oracle 8i TNS Listener
   Report From:   COVERT Labs at PGP Security
   * Release Note: The Listener is vulnerable to a buffer overflow condition
     that allows remote execution of arbitrary code that grants full control
     of the database services and, on some platforms, full control of the
     operating system. Oracle has produced a patch under bug number 1489683.
   * Click here for COVERT Advisories No. 050

   Date: June 28, 2001
   Platform: Oracle 8i Standard and Enterprise Editions Version
             8.1.5, 8.1.6, 8.1.7 and all previous versions for Windows,
             Linux, Solaris, AIX, HP-UX and Tru64 Unix.
   Updates To:    Oracle 8i SQLNet Header Vulnerability
   Report From:   COVERT Labs at PGP Security
   * Release Note: A vulnerability allows a remote user to mount a denial
     of service attack against any Oracle service that relies upon the
     protocol, including the TNS Listener, Oracle Name Service and Oracle
     Connections Manager. Oracle has produced a patch under bug number
     1656431.
   * Click here for COVERT Advisories No. 049

   Date: June 27, 2001
   Platform: Misc
   Warning About: Verification of Downloaded Software
   Report From:   CERT
   * Release Note: When downloading software from online repositories, it
     is important to consider the possibility that the site has been
     compromised. We strongly encourage users to verify cryptographic
     signatures (e.g. PGP) of all downloaded software. Cryptographic
     signatures provide reasonable assurance that the files have not
     been modified either on the server or in transit. They also allow
     for verification of the signer's identity.
   * Click here for CERT IN-2001-06

   Date: June 26, 2001
   Released: June , 2001
   Platform: Misc
   Hoax Report:   Anticristo HOAX
   Report From:   Network Associates
   * Release Note: Network Associates has released a report that says this
     email message is just a HOAX. Currently we know of no other message
     that the user will receive about the HOAs the initial email states.
     AVERT has not received any report of a user's hard drive being erased
     for opening the email.
   * Click here for NAI Report on Anticristo HOAX

   Date: June 26, 2001
   Platform: Misc
   Warning About: Juergen Schoenwaelder scotty ntping Buffer
                  Overflow Vulnerability
   Report From:   Security Focus
   Release Note:  A local attacker can supply a long string as a command
   line argument to ntping. If the input is carefully constructed, a local
   attacker can exploit this vulnerability to execute arbitrary code on the
   target host.
   * Click here for Advisory No. 2911

   Date: June 26, 2001
   Platform: Solaris
   Warning About: Solaris PTExec Buffer Overflow Vulnerability
   Report From:   Security Focus
   Release Note:  A buffer overflow exists. It is possible for a local user
   to overwrite stack memory, including the return address. This makes it
   possible for a local user to gain elevated privileges, and potentially
   full administrative access.
   * Click here for Advisory No. 2898

   Date: June 21, 2001
   Platform: Misc
   Report From:   CIAC Bulletins
   Warning About: HP-UX kmmodreg Vulnerability
   * Click here for Bulletin Number L-093
   Warning About: Cisco 6400 NRP2 telnet Vulnerability
   * Click here for Bulletin Number L-097

   Date: June 07, 2001
   Platform: CSS 11000 series switches
   Warning About: Cisco 11000 Series Switch, Web Management Vulnerability
   Report From:   CIAC Bulletins
   * Release Note: The Cisco Content Service Switch (CSS) 11000 series
     switches do not enforce the correct restrictions for accessing the web
     management URL. A user can gain access to the web management interface
     without being authenticated on the CSS 11000 series switch. Apply
     workarounds and patches as described in vendor bulletin.
   * Click here for Bulletin Number L-090

   Date: June 07, 2001
   Platform: Misc
   Hoax Report:   Gamma2 HOAX
   Report From:   F-Secure Hoax information
   * Release Note: This hoax was circulated in June 2001. The hoax message
     was made to look like a genuine F-Secure Corporation press release.
     This press release is a fake and the message is a hoax. "Gamma2.exe"
     virus does not exist. Please ignore this warning and do not pass it on.
   * Click here for F-Secure Report on Gamma2 HOAX


Virus Help Team Canada Site (c)2000-2012 by Charlene
VHT-CAN and our webhoster disclaim any responsibility for software
obtained through this site. Contact VHT-Canada