Virus Warnings from July 2001
______________________________________________________________
Amiga
Date: July 01, 2001
Platform: Amiga
Update About: Bobek2 Infected Archive Found
Report From: Virus Help Team Denmark (VHT-DK)
* Release Note: Virus Help Denmark reports another archive that is
infected with the 'Bobek2' linkvirus has been found. It was on Aminet
for a short time, but it has been removed now. But there just might be
a few more archives out there, so take care. Use VirusExecutor, VirusZ
& VirusChecker, with (and this is very important) the xvs.library
v33.26 to remove the virus from the Devoprefs file.
* Click here for VHT-DK Virus Warning vht-dk103 Read Me
* Subscribe online to the VHT-DK Virus Warnings Announcement list.
Windows
31 July 2001 - NAI/PGP OnLine Scan for Code Red Worm
PGP Security & McAfee are offering their CyberCop Worm-Scan for online
vulnerability assessment for the Code Red Worm. You will need javascript
enabled in your browser, plus you will need to provide some personal info
such as name, email address and a password. The password is required in
order to provide secure access to your CyberCop report that will be
mailed to your email address.
* Click here for NAI Press release of online scan service
31 July 2001 - Code Red Worm Still Present Threat to the Internet
Microsoft Corporate Summary: The Code Red Worm and mutations of the worm
pose a continued and serious threat to Internet users. Immediate action
is required to combat this threat. Users who have deployed software that
is vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must
install, if they have not done so already, a vital security patch.
Who Must Act?
Every organization or person who has Windows NT or Windows 2000 systems
AND the IIS web server software may be vulnerable. IIS is installed
automatically for many applications. If you are using Windows 95,
Windows 98, or Windows Me, there is no action that you need to take in
response to this alert.
What To Do If You Are Vulnerable?
a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection: Install the patch as
specified in the instructions.
The security bulletin that describes the patch and the vulnerability
it addresses is posted at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Because of the importance of this threat, this alert is being made
jointly by: Microsoft, The National Infrastructure Protection Center
(NIPC), Federal Computer Incident Response Center (FedCIRC), Information
Technology Association of America (ITAA), CERT Coordination Center, SANS
Institute, Internet Security Systems and Internet Security Alliance.
Virus Help Team Canada Suggests the Following Links for fast info
* Patch: Windows NT 4.0 computers running Index Server 2.0
* Patch: Windows 2000 computers running Internet Information Service 5.0
* MS TechNet Security Tools including security and config checklists
31 July 2001 - Frisk Software International Code Red Summary
Code Red is the first worm that doesn't reproduce itself by copying
itself into files or by infecting files but runs in memory only and
reproduces by streaming communications between systems. Antivirus
software will not be of use to prevent infections or damage done by
the worm. Users of the IIS web server are required to get an update of
the server from Microsoft's website:
http://www.microsoft.com/windows2000/downloads/critical/q300972/default.asp
26 July 2001 - F-Secure Warns of Sircam Worm
F-Secure Corporation is alerting computer users worldwide about a new,
rapidly spreading e-mail worm called Sircam. Sircam is a mass mailing
e-mail worm with the ability to spread through Windows Network shares.
F-Secure anti-virus detects and disinfects the worm. This is the first
e-mail worm that is not Windows Outlook-specific. Instead, this worm
makes use of any e-mail system. This makes it much more liable to spread.
* Click here for Symantec Report on W32.Sircam.Worm@mm
* Click here to obtain Symantec's W32.Sircam.Worm@mm removal tool
21 July 2001 - Advisory 01-015: "Ida Code Red Worm"
National Infrastructure Protection Center (NIPC) Advisory says Internet
backbone providers have notified the NIPC they are witnessing large-scale
victimized web servers scanning for Microsoft Internet Information Server
(IIS) vulnerabilities.
13 July 2001 - Viri Warnings and Alerts for Today
VBS.Blank.A (Symantec)
W32.HLLC.Abessive (Symantec)
W32.Malot.int (Symantec)
12 July 2001 - Viri Warnings and Alerts for Today
Backdoor-QZ (NAI)
Leave (Updated) (F-Secure)
Marijuana (F-Secure)
11 July 2001 - Viri Warnings and Alerts for Today
Bogus Patch "leaves" Backdoor Open (Kaspersky Lab)
An Internet Worm "Leave" Spreads in the Form of a Security Patch to Windows
Kaspersky Lab, an international data-security software development
company, warns users of the discovery of a new version of the Internet
worm...
(more on Leave) (F-Secure)
(more on W32.Leave.B.Worm) (Symantec)
HTML.Reality.B (Symantec)
10 July 2001 - Viri Warnings and Alerts for Today
Nymph (F-Secure)
Linong (F-Secure)
Backdoor-QV (NAI)
Evem (NAI)
VBS/PWStroy (NAI)
W32.Leave.B.Worm (Symantec)
W97M.Claud.Gen (Symantec)
Date: July 08, 2001
Platform: MS Windows 2000
Patch Available: Authentication Error in SMTP Service Could
Allow Mail Relaying
Report From: Microsoft TechNet Security
* Release Note: Customers who need SMTP services should apply the patch.
All others should disable the SMTP service.
* Click here for MS Security Bulletin MS01-037
Date: July 08, 2001
Platform: MS Windows
Report From: Norton / Symantec Security Updates
* Click here for Report on Backdoor.Bionet.40a
Release Note: Backdoor.Bionet.40a is a malicious backdoor Trojan. Its
actions are similar to SubSeven, Netbus, and BackOrifice in that it
allows unauthorized access to an infected computer.
* Click here for Report on W32.Lad.1916
Release Note: W32.Lad.1916 is a direct infector, and it infects MS
Portable Executable (PE) files. When executed, the virus does not go
memory resident. Instead, the virus attempts to infect files in the
Windows folders, and in the same folder as the virus. Its payload is
executed on the 19th of every month, and it displays a short message.
Date: July 08, 2001
Platform: MS Windows
Report From: Network Associates
* Click here for Report on Backdoor-QT
Aliases: Backdoor-QT.cfg, Backdoor-QT.cli, Backdoor-QT.svr,
BackDoor.Muska (AVP) and MuSka52
Release Note: This is a remote access trojan written in Visual Basic 5.
When run, it copies itself to the WINDOWS SYSTEM directory as UT3.EXE
and creates a WIN.INI entry to load a program at startup.
* Click here for Report on W32/Funso@M
Aliases: AOL.PWSteal.86016 (NAV) and I-Worm.Menace (AVP)
Release Note: This is an AOL password stealing trojan and email worm
virus written in Visual Basic 6. When run, the program will display a
message box plus various other things.
* Click here for Report on VBS/Jolin@MM
Aliases: VBS.Jolin@mm (NAV) and VBS/Niloj-A (Sophos)
Release Note: At the present time, this VBScript contains bugs which
prevent it from functioning properly.
Date: July 08, 2001
Platform: MS Windows
Warning About: Nymph Worm
Aliases: Roach, Roach.b, W32/Roach, I-Worm.Roach.b
Report From: F-Secure
* Release Note: Nymph is a mass-mailer with backdoor capabilities created
by the ASM/iKX group. It is one of the first worms that uses the search
engine of a web server to find victims' e-mail addresses.
* Click here for Report on Nymph
Date: July 08, 2001
Platform: Microsoft Windows 2000
Warning About: Microsoft Authentication Error in SMTP Service
Report From: CIAC Bulletins
* Release Note: The vulnerability could allow an unauthorized user to
successfully authenticate to the service using incorrect credentials.
The unauthorized user could gain user-level privileges on the SMTP
service. Solution: Apply the patch provided by Microsoft.
* Click here for Bulletin Number L-107
Date: July 08, 2001
Platform: Microsoft Windows (all versions)
Warning About: W32/Leaves: Exploitation of previously installed
SubSeven Trojan Horses
Report From: CERT
* Release Note: The CERT/CC has received an increasing number of reports
regarding the compromise of home user machines running MS Windows. Most
of these reports surround the intruder tool SubSeven. SubSeven is often
used as a Trojan horse, which allows an intruder to deliver and
execute any custom payload and run arbitrary commands on the affected
machine.
* Click here for CERT IN-2001-07
Macintosh
No warnings for July 2001
Linux
Date: July 08, 2001
Platform: Any Linux or BSD system running Samba
Warning About: Samba Security Vulnerability
Report From: CIAC Bulletins
* Release Note: A remote attacker can use a NetBIOS name containing
Unix path characters which will then be substituted into the %m macro
wherever it occurs in smb.conf. This can be used to cause Samba to
create a log file on top of an important system file, which in turn
can be used to compromise security on the server. Solution: Change the
smb.conf configuration file, or update to the most recent release of Samba.
* Click here for Bulletin Number L-105
Date: July 08, 2001
Platform: Linux-Mandrake
Updates To: fetchmail and xinetd
Report From: Linux Daily News
* Release Note: Linux-Mandrake has issued two new security advisories.
The first is for fetchmail to address the problem with long header
fields. The second is for xinetd to address default umask issues with
xinetd.
* Click here for LWN Security Update To fetchmail
* Click here for LWN Security Update To xinetd
Date: July 08, 2001
Platform: Immunix
Updates To: tetex
Report From: Linux Daily News
* Release Note: Immunix has posted a security update for tetex to address
temporary file handling problems that can lead to privilege elevation.
* Click here for LWN Security Update To tetex
Date: July 04, 2001
Platform: Caldera
Updates To: OpenSSH
Report From: Linux Daily News
* Release Note: Caldera International has released a security update to
OpenSSH fixing an interesting problem: an attacker can remove any file
on the system, as long as it's called "cookies"...
* Click here for LWN Security Update To OpenSSH
Miscellaneous
10 July 2001 - Viri Warnings and Alerts for Today
LOC HOAX (NAI)
If you receive this email, delete it and DO NOT pass it on.
Date: July 08, 2001
Platform: All releases of Cisco IOS(R) software starting with
release 11.3 and later.
Warning About: Cisco IOS HTTP Authorization Vulnerability
Report From: CIAC Bulletins
* Release Note: The user will be able to exercise complete control over
the device. All commands will be executed with the highest privilege
(level 15). Solution: Upgrade or apply the workaround given in the
Cisco advisory.
* Click here for Bulletin Number L-106
Date: July 08, 2001
Platform: Oracle 8i
Warning About: Oracle 8i contains buffer overflow in TNS listener
Report From: CERT
* Release Note: A vulnerability in Oracle 8i allows remote intruders to
assume control of database servers running on victim machines. If the
Oracle server is running on a Windows system, an intruder may also be
able to gain control of the underlying operating system.
* Click here for CERT CA-2001-016
Date: July 04, 2001
Platform: Misc
Hoax Alert: MusicPanel (MP3) Virus HOAX
Report From: Symantec Security HOAX Updates
* Release Note: The following message is a hoax. This "virus" does not
exist.
Sample of hoax message:
Music fans around the planet will receive a shocking surprise
on their computers on American Independence Day, July 4, but only
if they have downloaded unauthorised songs from Napster, Gnutella
or other file swapping applications on the Internet.
Please ignore any messages regarding this hoax and do not pass on
messages. Passing on messages about the hoax only serves to further
propagate it.
* Click here for Symantec HOAX Report on MusicPanel
* Click here for Vmyths HOAX Report on MusicPanel (MP3) virus
* Click here for ZDNet HOAX Report on MusicPanel
Date: July 04, 2001
Platform: i386 Intel Platform
Warning About: SuSE Linux, xinetd Buffer Overflow
Report From: CIAC Bulletins
* Release Note: The buffer overflow vulnerability allows a remote
attacker to execute arbitrary code at all privileges.
Solution: Apply patches supplied by SuSE.
* Click here for Bulletin Number L-104
Date: July 04, 2001
Platform: Various versions of SunOS
Warning About: Sun ypbind Buffer Overflow Vulnerability
Report From: CIAC Bulletins
* Release Note: This vulnerability may allow a local or remote user to
gain root access and, therefore, complete control of the system.
Solution: Apply the patches described below.
* Click here for Bulletin Number L-103
