Virus Warnings from June 2001

Amiga

Date: June 24, 2001
Platform: Amiga
Alert About: Linkvirus Found (no name yet)
Report From: Virus Help Team Denmark (VHT-DK)
* Release Note: Virus Help Denmark reports they received a new virus, and it is very tricky. Jan Erik Olausen, the programmer of VirusExecutor & xvs.library, has decoded the virus, and is working on it right now. There is "NO" cure for this virus right now.
* Click here for VHT-DK Virus Warning vht-dk102

Date: June 10, 2001
Platform: Amiga
Update About: Bobek-2 Linkvirus Found
Report From: Virus Help Team Denmark (VHT-DK)
* Release Note: Virus Help Denmark reports "What we think is the installer of the new linkvirus 'Bobek2' has been found. It was on Aminet but has been removed now. But there just might be a few more installers out there, so take care. Right now there is no cure for the 'Bobek2' virus."
* Click here for VHT-DK Virus Warning vht-dk101 Read Me

Windows

Date: June 27, 2001
Platform: Microsoft
Warning About: Microsoft LDAP over SSL Password Vulnerability
Report From: CIAC Bulletins
* Release Note: An LDAP function fails to check the permissions of a requestor when the directory principal=domain user and data attribute=domain password. Solution: Apply the patch prescribed by Microsoft.
* Click here for Bulletin Number L-101

Date: June 27, 2001
Platform: Microsoft Windows
Warning About: Perception LiteServe Script Source Code Disclosure Vulnerability
Report From: Security Focus
* Release Note: Perception LiteServe is a commercial e-mail, web, and FTP server for Microsoft Windows.
Perception LiteServe's webserver is subject to a vulnerability which will display the source code for arbitrary CGI scripts to remote attackers.
* Click here for Advisory No. 2926

Date: June 27, 2001
Platform: Microsoft Windows (but not on WinNT/2000)
Warning About: W95/Linong@MM Virus
Aliases: W32.Liong (NAV)
Report From: Network Associates
* Release Note: This is a 32-bit mass-mailing worm which, when run, sends itself to all recipients found in the Microsoft Outlook Address Book. Removal Instructions are in the report.
* Click here for Report on W95/Linong@MM

Date: June 27, 2001
Platform: PC
Warning About: VBS/LoveLetter.cq@MM Virus
Aliases: VBS.LoveLetter.CQ (NAV)
Report From: Network Associates
* Release Note: Executing this VBScript worm copies files to your system, and uses it to connect to other machines on the Internet to spread the virus. Removal Instructions are in the report.
* Click here for Report on VBS/LoveLetter.cq@MM

Date: June 26, 2001
Platform: Microsoft
Advisory: New Scanning Activity (with W32-Leaves.worm) Exploiting SubSeven Victims
Report From: NIPC Advisory
* Release Note: The NIPC and FedCIRC have recently received information on attempts to locate, obtain control of and plant new malicious code known as "W32-Leaves.worm" on computers previously infected with the SubSeven Trojan. This new activity, currently under investigation, further increases the importance that all users of Microsoft operating systems take precautions against infection by SubSeven Trojan variants, and, if infected, promptly implement the known procedures to remove the SubSeven infection.
* Click here for NIPC Advisory 01-014

Date: June 26, 2001
Platform: PC
Report From: F-Secure
* Click here for Virus Report on Leave
  Aliases: I-Worm.Leave, W32.Leave.Worm
  Release Note: Leave is a Win32 worm that reportedly has backdoor capabilities or utilizes them from SubSeven backdoor. The worm reportedly spreads through e-mail and IRC servers.
Report From: Network Associates
* Click here for NAI Report on W32/Leave.worm

Date: June 26, 2001
Platform: RAD installed on IIS 4.0 or IIS 5.0 web servers
Warning About: FrontPage Sub-Component Vulnerability
Report From: CIAC Bulletins
* Release Note: Microsoft's Visual Studio Remote Application Deployment (RAD) Support has a buffer overflow vulnerability. An attacker could use the vulnerability to load and execute arbitrary code on the server. Solution: Remove RAD from the server, or apply the patch as directed.
* Click here for Bulletin Number L-100

Date: June 26, 2001
Platform: Microsoft Windows 2000
Patch Available: Function Exposed via LDAP over SSL Could Enable Passwords to be Changed
Report From: MicroSoft TechNet Security
* Release Note: An attacker could change another user's password for either of two purposes. Recommendation: Customers who currently provide LDAP over SSL sessions should apply the patch immediately.
* Click here for MS Security Bulletin MS01-036

Date: June 26, 2001
Platform: Microsoft
Patch Available: FrontPage Server Extension Sub-Component Contains Unchecked Buffer
Report From: MicroSoft TechNet Security
* Release Note: An attacker could exploit this vulnerability against any server with this sub-component installed by establishing a web session with the server and passing a specially malformed packet to the server component. Recommendation: Customers who have installed Visual Studio RAD Support should install the patch.
* Click here for MS Security Bulletin MS01-035

Date: June 26, 2001
Platform: Microsoft
Patch Available: Malformed Word Document Could Enable Macro to Run Automatically
Report From: MicroSoft TechNet Security
* Release Note: A vulnerability results because it is possible to modify a Word document in such a way as to prevent the security scanner from recognizing an embedded macro while still allowing it to execute. Recommendation: Customers using affected versions of Word should apply the patch immediately.
* Click here for MS Security Bulletin MS01-034

Date: June 26, 2001
Platform: Windows
Warning About: Cerberus FTP Server Buffer Overflow DoS Vulnerability
Report From: Security Focus
Release Note: There is a buffer overflow in Cerberus FTP Server. This vulnerability does not require any user authentication to exploit. It may be possible for remote users to cause a denial of service or execute arbitrary code on target hosts.
* Click here for Advisory No. 2901

Date: June 26, 2001
Platform: Windows
Warning About: Arcadia Internet Store Arbitrary File Disclosure Vulnerability
Report From: Security Focus
Release Note: One of the components of this package, 'tradecli.dll', allows users to specify a template file. As a result, remote users can specify an arbitrary file on the same drive as the webserver by 'traversing' outside of the web root directory. This vulnerability may disclose sensitive information to attackers.
* Click here for Advisory No. 2902

Date: June 26, 2001
Platform: Windows
Warning About: Arcadia Internet Store Show Path Vulnerability
Report From: Security Focus
Release Note: One of the components of this package, 'tradecli.dll', allows users to specify a template file, the contents of which will be output. If the requested file does not exist, the error message will contain the absolute path of the application on the webserver. This information may assist in further attacks.
* Click here for Advisory No. 2904

Date: June 26, 2001
Platform: Windows
Warning About: Arcadia Internet Store Denial of Service Vulnerability
Report From: Security Focus
Release Note: 1C: Arcadia Internet Store is an online shopping utility for MS Windows NT/2000. Remote attackers can request DOS devices, such as 'con', 'com1', 'com2', etc. When 'tradecli.dll' attempts to open these files a denial of service may occur.
* Click here for Advisory No. 2905

Date: June 26, 2001
Platform: Windows
Warning About: MS Visual Studio RAD Support Buffer Overflow Vulnerability
Report From: Security Focus
Release Note: Due to an unchecked buffer in a subcomponent of FrontPage Server Extensions, a specially crafted request could allow a user to execute arbitrary commands on a host running IIS 5.0 and IIS 4.0.
* Click here for Advisory No. 2906

Date: June 26, 2001
Platform: Windows
Warning About: Trend Micro InterScan WebManager RegGo.dll Buffer Overflow Vulnerability
Report From: Security Focus
Release Note: A remotely exploitable buffer overflow exists in RegGo.dll. This may lead to compromise of hosts running vulnerable versions of WebManager.
* Click here for Advisory No. 2907

Date: June 26, 2001
Platform: Windows
Warning About: Microsoft IIS Unicode .asp Source Code Disclosure Vulnerability
Report From: Security Focus
Release Note: A flaw exists in the handling of .asp requests.
* Click here for Advisory No. 2909

Date: June 26, 2001
Platform: Microsoft
Report From: Norton / Symantec Security Updates
* Click here for Report on W32.Leave.Worm
  Release Note: This worm downloads components from Web sites and contains code to accept commands from IRC.
* Click here for Report on SennaSpy Generator
  Aliases: Constructor.SennaSpy.2001
  Release Note: This is the Senna Spy Trojan Generator. It allows a user to create variants of the Senna Spy Trojan horse.
* Click here for Report on W95.BlueCorners.2049
  Release Note: This virus is a fairly simple fast infector. It will infect only Windows 9x computers, and it will fail if run on a Windows NT computer. This virus carries a non-destructive payload that is activated on specific dates.
* Click here for Report on PWSteal.Trojan.D
  Release Note: PWSteal.Trojan.D is a Trojan that attempts to steal login names and passwords. These passwords are sent to an anonymous email address.
* Click here for Report on W97M.NSI.E
  Aliases: W97M.NSI, W97M/Nsi.e
  Release Note: This is a simple Microsoft Word macro virus that infects Normal.dot and other open documents when you open an infected document.

Date: June 21, 2001
Platform: PC
Warning About: Malicious Code in RTF Files
Report From: Kaspersky Lab
* Release Note: A Trojan program penetrates computers when reading RTF files, and warns users about the discovery of the Trojan "Goga" that steals and sends out from infected computers user details for Internet access...
* Click here for Virus Alert on RTF Files

Date: June 21, 2001
Platform: MS Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled, MS Windows 2000 and Beta versions of Microsoft Windows XP
Warning About: Buffer Overflow In IIS Indexing Service DLL
Report From: CERT
* Release Note: This vulnerability allows a remote intruder to run arbitrary code on the victim machine.
* Click here for CERT CA-2001-13

Date: June 21, 2001
Platform: PC
Report From: CIAC Bulletins
Warning About: Microsoft Exchange Server Outlook Web Access Flaw
* Click here for Bulletin Number L-091
Warning About: Microsoft Predictable Name Pipes In Telnet
* Click here for Bulletin Number L-092
Warning About: BIND Inadvertent Local Exposure of HMAC-MD5 (TSIG) Keys
* Click here for Bulletin Number L-094
Warning About: Microsoft SQL Query Method Vulnerability
* Click here for Bulletin Number L--095
Warning About: Microsoft Index Server ISAPI Extension Buffer Overflow
* Click here for Bulletin Number L-098

Date: June 21, 2001
Platform: PC
Report From: F-Secure
* Click here for Report on Choke
  Aliases: I-Worm.Choke, Win32.Choke, w32/Choke
  Release Note: Choke is a worm that utilises MSN Messenger for spreading. It sends itself using filenames like 'ShootPresidentBUSH.exe', 'choke.exe' and 'George.W.Bush@whitehouse.gov' as username.
* Click here for Report on NewsFlood
  Aliases: Win32/NewsFlood.7168.A, Trojan.Win32.NewsFlood
  Release Note: Newsflood is a trojan with the purpose of posting a vast amount of messages to certain usenet groups.
* Click here for Report on Lamerman
  Release Note: F-Secure Anti-Virus had a false alarm on this virus on June 15th, 2001. As a result, F-Secure Anti-Virus might have detected "Lamerman.512.c" in the master boot record or in the file SUHDLOG.DAT on some systems.
* Click here for Report on SHS
  Aliases: Scrap Object Files, SHB
  Release Note: There is no virus by this name. However, files with the .SHS or .SHB extension can be used as trojans within Windows. If you receive a file with the .SHS or .SHB extension via web or e-mail, do not execute (double-click) it.
* Click here for Report on Gogga
  Aliases: Trojan.PSW.Goga, Goga
  Release Note: Goga is a trojan that is executed from a malicious Rich Text Formatted (.rtf) document. Due to a security vulnerability, macros are able to execute from a template pointed to by an RTF file without notification to the user in Microsoft Word.
* Click here for Report on SUHDLOG.DAT
  Release Note: There is no virus by this name. However, we occasionally get queries about this file. SUHDLOG.DAT is created in the root directory of drive C: during the setup of Windows.
* Click here for Report on Hadra
  Aliases: I-Worm.Hydra
  Release Note: This is an Internet worm that spreads in e-mails as an attached EXE file.

Date: June 21, 2001
Platform: PC
Report From: MicroSoft TechNet Security
Patch Available: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
* Click here for MS Security Bulletin MS01-033

Date: June 21, 2001
Platform: PC
Report From: MicroSoft TechNet Security
Patch Available: SQL Query Method Enables Cached Administrator Connection to be Reused
* Click here for MS Security Bulletin MS01-032

Date: June 21, 2001
Platform: PC
Report From: Network Associates
* Click here for Report on Backdoor-QR
  This is a remote access and keylogger trojan. When run, TCP/IP ports 12973 and 12975 are opened to allow an attacker to connect to your system.
* Click here for Report on Backdoor-QO
  This is a remote access trojan program. It is a UPX packed Delphi executable. When run it acts as an FTP server, opening port 3332 on the local machine.
* Click here for Report on Backdoor-QN
  Aliases: Backdoor.Belio081 (AVX)
  This threat is currently detected heuristically as New Backdoor. This is a remote access trojan and IRC Bot.
* Click here for Report on DUNpws.ik
  Aliases: DUNpws.ik.dr, Gogga (F-Secure) and W97M/Goga
  This trojan has three parts: an .RTF document, a remote .DOT template, and an application.
* Click here for Report on W32/Storm.worm
  This worm arrives as a self-extracting ARJ archive 3342142 bytes long. The archive contains a copy of a Java environment, plus several .CLA files which perform the main worm functions.
* Click here for Report on W32/Hadra@M
  Aliases: Hadra (F-Secure), I-Worm.Hydra (AVP), W32.Hyd@mm (NAV), Win32.Hydra.12249 (CA)
  This mailing worm sends itself to mail recipients when ordinary mail is sent out via Microsoft Outlook.

Date: June 21, 2001
Platform: PC
Report From: Norton / Symantec Security Updates
Release Note: Read the complete report for Removal Instructions and how to Restore Files if applicable.
* Click here for Report on W97M.Gogaru.A
  This is a macro which is coded to drop a password stealer Trojan onto the victim's system, after first having been downloaded from an Internet web address via an .RTF document.
* Click here for Report on VBS.Kidarcade.F
  VBS.Kidarcade.F is a virus based on Visual Basic Script (VBS). It has been put into an HTML page, and is on at least one Web site. The virus installs a Backdoor Trojan that allows unauthorized access to the infected computer.
* Click here for Report on IRC.Whacked.Worm
  IRC.Whacked.Worm uses IRC to spread. Infected systems can be monitored and manipulated to launch any file without your permission.

Date: June 08, 2001
Platform: MS Windows
Warning About: W32/Themba Virus
Aliases: W32.HLLP.Thembe (NAV)
Report From: Network Associates
* Release Note: This is an appending virus written in Visual Basic. When run, it infects all files in the current directory that have the .EXE extension and other .EXE files that are run while an infected program is loaded into memory.
* Click here for Report on W32/Themba

Date: June 08, 2001
Platform: MS Windows 2000 Telnet service
Patch Available: Predictable Name Pipes Could Enable Privilege Elevation via Telnet
Report From: MicroSoft TechNet Security
* Release Note: Impact of vulnerability: Privilege elevation, denial of service, information disclosure. Recommendation: System owners using the Telnet service should consider applying the patch.
* Click here for MS Security Bulletin MS01-031

Date: June 07, 2001
Platform: Microsoft Exchange 2000 Server Outlook Web Access
Patch Available: Incorrect Attachment Handling in Exchange 2000 OWA Can Execute Script
Report From: MicroSoft TechNet Security
* Release Note: Impact of vulnerability: Run code of attacker's choice. Recommendation: Customers with OWA implementations should install the patch immediately.
* Click here for MS Security Bulletin MS01-030

Date: June 07, 2001
Platform: MS Windows
Warning About: W32/Choke.worm Virus
Aliases: I-Worm.Choke (AVP), Win32.Choke (CA)
Report From: Network Associates
* Release Note: This is the second known worm that spreads via MS's MSN Messenger program. If MSN Messenger is not installed on the local system, the worm will install itself, but fail to spread to others from that system.
* Click here for NAI Report on W32/Choke.worm

Date: June 07, 2001
Platform: MS Windows
Warning About: MsWorld Worm
Aliases: I-Worm.MsWorld, W32/MWrld-mm, W32/MissWorld-mm, W32/MsWorld@MM
Report From: Kaspersky Lab, F-Secure, Network Associates and Symantec
* Release Note: MsWorld is written in the Visual Basic programming language with embedded Macromedia Flash modules. The worm spreads in attached files via e-mail by using the widely-used MS Outlook e-mail program. It initiates a mass mailing routine, modifies a .BAT, and then formats all system disks. "MsWorld" also tries to delete the Windows system registry files.
* Click here for Kaspersky Lab Report on MsWorld
* Click here for F-Secure Report on MissWorld
* Click here for NAI Report on W32/MsWorld@MM
* Click here for Symantec Report on W32.MsWorld@mm

Date: June 07, 2001
Platform: MS Windows
Warning About: LoveLetter.BE
Aliases: VBS/LoveLetter.BE@mm
Report From: F-Secure
* Release Note: This variant spreads in a message with the following content:
  Subject: fwd: Joke
  Attachment: Joke.vbs
  VBS/LoveLetter.BE@mm is quite similar to the original VBS/LoveLetter.A. This variant saves itself to the Windows System directory as "Jokes.vbs" and "Jokes.htm".
* Click here for F-Secure Report on LoveLetter.BE
* Click here for info on original VBS/LoveLetter.A

Date: June 07, 2001
Platform: MS Windows
Warning About: DoS.Storm.Worm
Report From: Norton / Symantec Security Updates
* Release Note: DoS.Storm.Worm is a worm that seeks out MS Internet Information Services (IIS) systems that have not applied the proper security patches. Any such systems that it finds are then infected with the worm. The payload of this worm performs a denial of service attack on http://www.microsoft.com and an email bombing session is started that sends email messages containing an obscene message to gates@microsoft.com.
* Click here for Report on DoS.Storm.Worm

Date: June 05, 2001
Platform: MS Windows
Warning About: SPAM/Absolut
Report From: Network Associates
* Release Note: This is an email/chat SPAM tool used by someone to send a message or messages to a large number of email addresses or AOL chat rooms.
* Click here for Report on SPAM/Absolut

Date: June 02, 2001 * Updated
Platform: MS Windows
Hoax Alert: Updated: SULFNBK.EXE Warning HOAX
Report From: Symantec Security HOAX Updates
* Release Note: The file that is mentioned in the hoax, Sulfnbk.exe, is a Microsoft Windows utility. The virus/worm W32.Magistr.24876@mm can arrive as an attachment named Sulfnbk.exe. The Sulfnbk.exe file used by Windows is located in the C:\Windows\Command folder. If the file is located in any other folder, or arrives as an attachment to an email message, then it is possible that the file is infected.
* Updated HOAX Report: How to restore the Sulfnbk.exe file

Date: June 02, 2001 * Updated
Platform: MS Windows
Warning About: VBS.Loveletter.CN@mm Virus
Aliases: VBS.Loveletter.CM@mm (AVX), VBS.Lopez.A@mm, JENNIFERLOPEZ_NAKED.JPG.vbs
Report From: Norton / Symantec Security Updates
* Release Note: This is a minor variant of the LoveLetter virus family. This virus may arrive in the following format by email:
  Subject: Where are you?
  Body: This is my pic in the beach!
  Attachment: JENNIFERLOPEZ_NAKED.JPG.vbs
  This virus also drops the file Cih_14.exe, which is a dropper for the CIH virus, and attempts to run it. Read the complete report for Removal Instructions and Additional Information if you are using Norton AntiVirus 2001.
* Click here for Report on VBS.Loveletter.CN@mm

Date: June 02, 2001
Platform: MS Windows
Warning About: VBS.SystemColor.A Trojan Horse
Report From: Norton / Symantec Security Updates
* Release Note: VBS.SystemColor.A is a Trojan horse that is written in Visual Basic Script. Once it is executed, it copies itself to C:\Windows\Filemon.exe. It then starts to repeatedly copy Explorer.exe as C:\Windows\System\Systemcolor\Color.. As a result, the computer may run out of space on the hard disk and stop responding. You may not be able to run Windows. Read the complete report for Removal Instructions.
* Click here for Report on VBS.SystemColor.A

Date: June 02, 2001
Platform: MS Windows
Warning About: IRC.Cuty Trojan Horse, Worm
Aliases: Elspy.a.worm
Report From: Norton / Symantec Security Updates
* Release Note: This is an IRC worm that does not send itself to others. It only sends the CuteJany.doc file to IRC users. This worm is an encrypted DOS executable file. When it is executed it decrypts itself. It then creates the Cutyjant.bat file in the same folder as the worm, and executes it. Read the complete report for Removal Instructions.
* Click here for Report on IRC.Cuty

Date: June 02, 2001
Platform: MS Windows
Warning About: VBS.NoMercy.A Virus
Aliases: VBS/NoMercy.a, VBS.NMVT
Report From: Norton / Symantec Security Updates
* Release Note: VBS.NoMercy.A is a Visual Basic script in an HTML file. The virus infects .html, .htm, .shtml, .stm, and .asp files. Read the complete report for Removal Instructions.
* Click here for Report on VBS.NoMercy.A

Date: June 02, 2001
Platform: MS Windows
Warning About: VBS.Sargo.A@mm.int Virus
Aliases: VBS.Nasara.A@mm, VBS/NastySarah@m
Report From: Norton / Symantec Security Updates
* Release Note: VBS.Sargo.A@mm.int is an intended virus, coded to run as a mass-mailing worm that uses MAPI applications, Microsoft Outlook, or Internet Information Server (IIS) to spread. It also attempts to modify the Autoexec.bat file to delete the contents of drive C. Read the complete report for Removal Instructions.
* Click here for Report on VBS.Sargo.A@mm.int

Date: June 02, 2001
Platform: MS Windows
Warning About: W32.Update.Worm Worm
Aliases: I-Worm.Mustard, W32.Mustard
Report From: Norton / Symantec Security Updates
* Release Note: W32.Update.Worm is a simple mass-mailing worm that can spread using MS Outlook. The worm is written in a high-level language. However, for the email spreading, the worm creates and executes a VBS script. This worm can also spread using mIRC. This worm may also attempt to disable Norton AntiVirus. Read the complete report for Removal Instructions.
* Click here for Report on W32.Update.Worm

Date: June 02, 2001
Platform: MS Windows
Warning About: W97M.Quest.A Virus
Report From: Norton / Symantec Security Updates
* Release Note: W97M.Quest.A is a macro virus that infects active MS Word documents and the Normal.dot template. Read the complete report for Removal Instructions.
* Click here for Report on W97M.Quest.A

Date: June 02, 2001 * Updated
Platform: MS Windows
Warning About: Noped Worm
Variant: Noped.A
Report From: F-Secure
* Release Note: VBS/Noped is an encrypted and polymorphic worm written in Visual Basic Script. This worm arrives in a message saying they want to end illegal child porn. It comes with an attachment. The worm also changes the Internet Explorer title bar text to:
  |.,.-*^*-.,.\ FUAHACKEDU@888.NU /.,.-*^*-.,.|
  Next the worm sends itself to random recipients in the Outlook address book.
  It also collects a list of files with extension ".jpg" or ".jpeg" and sends this list to several fixed email addresses.
* Click here for Report on Noped

Date: June 02, 2001
Platform: MS Windows
Warning About: Bionet Backdoor
Aliases: Backdoor.Bionet
Report From: F-Secure
* Release Note: Bionet is a backdoor - hacker's remote access tool. It's not so advanced as Sub7 or BackOrifice or Netbus backdoors. It consists of server and client parts. To perform disinfection it is enough to delete the server part of this backdoor from a system. It's better to do it from pure DOS.
* Click here for Report on Bionet

Macintosh

Date: June 08, 2001
Platform: Macintosh
Warning About: MacSimpsons@mm AppleScript Virus
Report From: Norton / Symantec Security Updates
* Release Note: SARC has become aware of a new AppleScript worm targeting the Macintosh platform called MacSimpsons@mm. It appears to open Outlook Express or Entourage and send a copy of itself with the original message to everyone in the user's address book. The title of the script is "Simpsons Episodes". This virus does not appear to be particularly malicious. Read the complete report for Removal Instructions.
* Click here for Report on MacSimpsons@mm

Linux

Date: June 27, 2001
Platform: Red Hat
Updates To: samba
Report From: Linux Daily News
* Release Note: Red Hat has posted their update for the samba security problems noted late last week.
* Click here for LWN Security Update To samba

Date: June 27, 2001
Platform: Caldera
Updates To: fetchmail and samba
Report From: Linux Daily News
* Release Note: Caldera has posted advisories for fetchmail, to address the long header field problem, and samba, to address file overwrite issues that could allow remote compromises.
* Click here for LWN Security Update To fetchmail
* Click here for LWN Security Update To samba

Date: June 26, 2001
Platform: IRIX, Linux: PCP suite versions 2.1.11-5 and before
Warning About: SGI PCP Pmpost Symlink Vulnerability
Report From: CIAC Bulletins
* Release Note: The pmpost command of the Performance Co-Pilot (PCP) suite has a symlink handling vulnerability. If this runs in root context (i.e., setuid root), this could result in root compromise. Solution: Apply the described workaround.
* Click here for Bulletin Number L-099

Date: June 26, 2001
Platform: Red Hat
Updates To: XFree86
Report From: Linux Daily News
* Release Note: Red Hat has posted an update for the XFree86 packages in their various distributions. This update addresses various security issues as well as provides new and updated drivers.
* Click here for LWN Security Update To XFree86

Date: June 26, 2001
Platform: Samba
Updates To: Samba Security Fix
Report From: Linux Daily News
* Release Note: The Samba team has released patches for the macro exploit.
* Click here for Samba Released Patches

Date: June 26, 2001
Platform: Conectiva
Updates To: Security Announcement for Samba
Report From: Linux Daily News
* Release Note: Conectiva has released a security update for samba.
* Click here for Conectiva Security Update for Samba

Date: June 26, 2001
Platform: Debian
Updates To: Security Advisory for Samba
Report From: Linux Daily News
* Release Note: Debian addresses the problems with samba that were reported earlier this week.
* Click here for Debian Security Advisory for Samba

Date: June 26, 2001
Platform: Samba
Updates To: Urgent Security Advisory
Report From: Linux Daily News
* Release Note: The Samba team has sent out an urgent security advisory regarding a remotely-exploitable hole in all versions of the code. There is no new Samba release yet (it's promised within 24 hours), but the advisory does contain a configuration file workaround which may be used to close the hole.
Anybody running Samba really needs to have a look at this one.
* Click here for Samba Urgent Security Advisory

Date: June 26, 2001
Platform: Red Hat
Updates To: kernel 2.4
Report From: Linux Daily News
* Release Note: A kernel 2.4 advisory from Red Hat addresses potential, though not default, configurations for FTP iptables.
* Click here for LWN Security Update To kernel 2.4

Date: June 26, 2001
Platform: Caldera
Updates To: fetchmail
Report From: Linux Daily News
* Release Note: A fetchmail advisory from Caldera addresses buffer overflows in fetchmail that could be exploited remotely by sending exceptionally long header field data.
* Click here for LWN Security Update To fetchmail

Date: June 26, 2001
Platform: Turbolinux
Updates To: gnupg
Report From: Linux Daily News
* Release Note: Turbolinux has issued an update for the gnupg package found in a number of versions of their Linux distributions.
* Click here for LWN Security Update To gnupg

Date: June 26, 2001
Platform: Immunix
Updates To: ispell
Report From: Linux Daily News
* Release Note: Immunix has published an advisory to update the ispell package in their distributions.
* Click here for LWN Security Update To ispell

Date: June 26, 2001
Platform: EnGarde Secure Linux
Updates To: Apache and fetchmail-ssl packages
Report From: Linux Daily News
* Release Note: EnGarde Secure Linux has posted an advisory for both the Apache and fetchmail-ssl packages found in their distribution.
* Click here for LWN Security Update To Apache
* Click here for LWN Security Update To fetchmail-ssl

Date: June 26, 2001
Platform: Turbolinux
Updates To: esound
Report From: Linux Daily News
* Release Note: Turbolinux has issued a security advisory for esound, addressing problems with world writable directories.
* Click here for LWN Security Update To esound

Date: June 26, 2001
Platform: Linux
Report From: Security Focus
Warning About: cfingerd Utilities Buffer Overflow Vulnerability
Release Note: A buffer overflow in cfingerd makes it possible for a local user to gain elevated privileges.
* Click here for Advisory No. 2914

Date: June 26, 2001
Platform: Linux
Report From: Security Focus
Warning About: CFingerD Utilities Format String Vulnerability
Release Note: cfingerd is a secure implementation of the finger daemon. Due to insufficient validation of input, it's possible to pass arbitrary format strings through the program, allowing an attacker to write to arbitrary sections of memory.
* Click here for Advisory No. 2915

Date: June 26, 2001
Platform: Linux
Warning About: eXtremail Remote Format String Vulnerability
Report From: Security Focus
Release Note: eXtremail is a freeware SMTP server available for Linux and AIX. eXtremail runs with root privileges. By exploiting this vulnerability, remote attackers can gain superuser access on the underlying host.
* Click here for Advisory No. 2908

Date: June 21, 2001
Platform: Red Hat
Report From: CIAC Bulletins
Warning About: Red Hat LPRng Vulnerability
* Click here for Bulletin Number L-096

Date: June 21, 2001
Platform: Linux Mandrake
Updates To: rxvt, webmin, ispell and proftpd
Report From: Linux Daily News
* Click here for LWN Security Update To rxvt
  Release Note: buffer overflow can allow elevated privileges if rxvt is setgid.
* Click here for LWN Security Update To webmin
  Release Note: administrative authorization is being carried by environment variables to system daemons.
* Click here for LWN Security Update To ispell
  Release Note: use of mktemp() makes ispell vulnerable to symlink attacks.
* Click here for LWN Security Update To proftpd
  Release Note: Linux proftpd not affected by recent CERT advisory because Linux uses glob() function that is not vulnerable.

Date: June 08, 2001
Platform: Red Hat
Updates To: gnupg
Report From: Linux Daily News
* Release Note: Red Hat chimes in with their gnupg update. This one affects Red Hat Linux 6.2, 7.0 and 7.1 on various hardware platforms.
* Click here for LWN Security Update To gnupg

Date: June 08, 2001
Platform: Conectiva
Updates To: gnupg
Report From: Linux Daily News
* Release Note: Conectiva has chimed in with their update to address the recent problems reported with gnupg.
* Click here for LWN Security Update To gnupg

Date: June 05, 2001
Platform: SuSE
Updates To: gnupg
Report From: Linux Daily News
* Release Note: SuSE has also released a security update for the format string vulnerability in gnupg.
* Click here for LWN Security Update To gnupg
* May 31st Issue of LWN explains format string vulnerability

Date: June 02, 2001
Platform: Caldera
Updates To: webmin
Report From: Linux Daily News
* Release Note: Caldera has posted a security advisory for the webmin package to address a "root account leak".
* Click here for LWN Security Update To webmin

Date: June 02, 2001
Platform: Trustix
Updates To: gnupg
Report From: Linux Daily News
* Release Note: Trustix has posted their update for gnupg to address the format string problem discovered last week.
* Click here for LWN Security Update To gnupg

Miscellaneous

Date: June 29, 2001
Platform: HP 9000 Servers running HP-UX releases 10.20 and 11.00 (only), Solaris releases 2.X, Windows NT4.X/Windows 2000 running NNM 6.1
Warning About: Security Vulnerability in HP OpenView Network Node Manager
Report From: CIAC Bulletins
* Release Note: Vulnerability exists in HP Openview Network Node Manager which allows a user to gain unauthorized privileges. Solution: Apply the appropriate HP patches for your system.
* Click here for Bulletin Number L-102

Date: June 28, 2001
Platform: Cisco IOS systems
Warning About: Cisco IOS HTTP Server Authentication Vulnerability
Report From: CERT
* Release Note: A problem with the HTTP server component of Cisco IOS system software allows an intruder to execute privileged commands on Cisco routers if local authentication databases are used.
* Click here for CERT CA-2001-14

Date: June 28, 2001
Platform: Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6, 8.1.7 and previous versions for Windows, Linux, Solaris, AIX, HP-UX and Tru64 Unix.
Updates To: Vulnerability in Oracle 8i TNS Listener
Report From: COVERT Labs at PGP Security
* Release Note: The Listener is vulnerable to a buffer overflow condition that allows remote execution of arbitrary code that grants full control of the database services and, on some platforms, full control of the operating system. Oracle has produced a patch under bug number 1489683.
* Click here for COVERT Advisories No. 050

Date: June 28, 2001
Platform: Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6, 8.1.7 and all previous versions for Windows, Linux, Solaris, AIX, HP-UX and Tru64 Unix.
Updates To: Oracle 8i SQLNet Header Vulnerability
Report From: COVERT Labs at PGP Security
* Release Note: A vulnerability allows a remote user to mount a denial of service attack against any Oracle service that relies upon the protocol, including the TNS Listener, Oracle Name Service and Oracle Connections Manager. Oracle has produced a patch under bug number 1656431.
* Click here for COVERT Advisories No. 049

Date: June 27, 2001
Platform: Misc
Warning About: Verification of Downloaded Software
Report From: CERT
* Release Note: When downloading software from online repositories, it is important to consider the possibility that the site has been compromised. We strongly encourage users to verify cryptographic signatures (e.g. PGP) of all downloaded software.
Cryptographic signatures provide reasonable assurance that the files have not been modified either on the server or in transit. They also allow for verification of the signer's identity.
* Click here for CERT IN-2001-06

Date: June 26, 2001
Released: June , 2001
Platform: Misc
Hoax Report: Anticristo HOAX
Report From: Network Associates
* Release Note: Network Associates has released a report that says, this email message is just a HOAX, currently we know of no other message that the user will receive about the HOAs the initial email states. AVERT has not received any report of a user's hard drive being erased for opening the email.
* Click here for NAI Report on Anticristo HOAX

Date: June 26, 2001
Platform: Misc
Warning About: Juergen Schoenwaelder scotty ntping Buffer Overflow Vulnerability
Report From: Security Focus
Release Note: A local attacker can supply a long string as a command line argument to ntping. If the input is carefully constructed, a local attacker can exploit this vulnerability to execute arbitrary code on the target host.
* Click here for Advisory No. 2911

Date: June 26, 2001
Platform: Solaris
Warning About: Solaris PTExec Buffer Overflow Vulnerability
Report From: Security Focus
Release Note: A buffer overflow exists. It is possible for a local user to overwrite stack memory, including the return address. This makes it possible for a local user to gain elevated privileges, and potentially full administrative access.
* Click here for Advisory No. 2898

Date: June 21, 2001
Platform: Misc
Report From: CIAC Bulletins
Warning About: HP-UX kmmodreg Vulnerability
* Click here for Bulletin Number L-093
Warning About: Cisco 6400 NRP2 telnet Vulnerability
* Click here for Bulletin Number L-097

Date: June 07, 2001
Platform: CSS 11000 series switches
Warning About: Cisco 11000 Series Switch, Web Management Vulnerability
Report From: CIAC Bulletins
* Release Note: The Cisco Content Service Switch (CSS) 11000 series switches do not enforce the correct restrictions for accessing the web management URL. A user can gain access to the web management interface without being authenticated on the CSS 11000 series switch. Apply workarounds and patches as described in vendor bulletin.
* Click here for Bulletin Number L-090

Date: June 07, 2001
Platform: Misc
Hoax Report: Gamma2 HOAX
Report From: F-Secure Hoax information
* Release Note: This hoax was circulated in June 2001. The hoax message was made to look like a genuine F-Secure Corporation press release. This press release is a fake and the message is a hoax. "Gamma2.exe" virus does not exist. Please ignore this warning and do not pass it on.
* Click here for F-Secure Report on Gamma2 HOAX