Virus Warnings from August 2001


   Amiga


    19 August 2001 - VHT-DK Warning: Trojan in Aminet file Muahaha.lha
   Virus Help Denmark says a new trojan has been found today. The trojan
   will delete every file that has "key" in the name of the file. This
   trojan is just like the one that was found on the 15th of August, named
   MZ-Makey trojan. This one was found on Aminet, but it has been removed
   now. The xvs.library package will be released very soon.
   Follow the above link for the virus warning - file is named vht-dk109.lha.
   * Click here for VHT-DK Virus Warning vht-dk109 Readme
   * Subscribe online to the VHT-DK Virus Warnings Announcement list.

    18 August 2001 - VHT-DK Warning: Hitch-Hiker v5.00 For Third Time
   Virus Help Denmark says here we go again: the 3rd installer of
   Hitch-Hiker has been found this weekend. The archive was uploaded to
   Aminet, but it has been removed now. Again, there is "NO" cure for
   this virus right now.
   Follow the above link for the virus warning - file is named vht-dk108.lha.
   * Click here for VHT-DK Virus Warning vht-dk108 Readme

    17 August 2001 - VHT-DK Warning: Hitch-Hiker v5.00 UPDATE
   Virus Help Denmark says there might just be more installers of the
   'Hitch-Hiker 5.00' virus out there. The 'xvs.library' (external Virus
   Scanner library) will be updated as soon as possible. In the meantime,
   take care...
   Follow the above link for the virus warning - file is named vht-dk107.lha.
   * Click here for VHT-DK Virus Warning vht-dk107 Readme

    17 August 2001 - VHT-DK Warning: Hitch-Hiker v5.00 Virus Found
   Virus Help Denmark reports they have found the installer of the new
   'Hitch-Hiker 5.00' linkvirus. There is NO cure for this virus right now.
   Follow the above link for the virus warning - file is named vht-dk106.lha.
   * Click here for VHT-DK Virus Warning vht-dk106 Readme

    15 August 2001 - VHT-DK Warning: New Trojan Found
   Virus Help Denmark reports a new trojan has been found today. This trojan
   says that it will make a key-file that will work with over 250 programs.
   Well, I guess that there is someone who will fall for this kind of
   program. The trojan will delete every file that has "key" in the name
   of the file, in your S:, Libs:, Devs: and L:.
   Follow the above link for the virus warning - file is named vht-dk105.lha.
   * Click here for VHT-DK Virus Warning vht-dk105 Readme

    01 August 2001 - VHT-DK Warning: Installer of SMEG 2 Virus Found
   Virus Help Denmark reports the installer of the new linkvirus SMEG 2a &
   SMEG 2b has been found. Follow the above link for the virus warning -
   file is named vht-dk104.lha.
   * Click here for VHT-DK Virus Warning vht-dk104 Readme


   Windows

    09 August 2001 - New Virus Travels In PDF Files
   ZDNet says 'Peachy' shows that Adobe's PDF file format may not be as
   immune to viruses as previously thought. Adobe's popular PDF file format
   has generally been considered immune to viruses. But a new virus carried
   by programs embedded in PDF files raises concerns that the format itself
   could become susceptible. Fortunately, those who are simply viewing a PDF,
   or Portable Document Format, file aren't vulnerable. The virus spreads
   only by way of Adobe's Acrobat software -- the program used to create PDF
   documents -- not through Acrobat Reader, the free program that is used to
   view the files. Updated virus descriptions released by McAfee next week
   will be able to detect Peachy, said Gullotto, senior director of McAfee's
   Avert group.

    09 August 2001 - Hotmail Attacked By Code Red II
   ZDNet says attack on Microsoft's own server software causes problems for
   free email service. Microsoft released a patch to protect servers from
   the Code Red virus six weeks ago, but its free email service was caught
   out by the more virulent successor to the worm, usually referred to as
   Code Red II, earlier this week.
   Microsoft has now released a patch to block the vulnerability that Code
   Red II exploits, and network administrators must remove the back door
   from their systems and reformat and reinstall all software.

    06 August 2001 - NIPC Advisory 01-017: "Code Red II"
   Code Red II is a rewritten version of the original Code Red worm. It uses
   the same IIS hole to gain access on the web server and then continues to
   find new vulnerable systems. The NIPC considers Code Red II to be a
   serious threat because it spreads rapidly and installs a backdoor that
   can be accessed by anyone familiar with the exploit. Any intruder can use
   the backdoor compromise to make other system modifications at will.
   * NAI: Click here for Report on W32/CodeRed.c.worm
   To detect and remove the trojan, update to the 4152 DATs. If the trojan
   is detected it will be deleted, and the registry keys which allow a
   remote attacker to have access to the C: and D: drives, via a web
   browser, will be deleted as well.
   Virus Help Team Canada: There is a link to the updated 4152 DATs on
   the news page.
   * F-Secure: Click here for Report on Code Red / Code Red II
   * Symantec: Click here for Report on CodeRed.v3
   Symantec is offering a free tool, Symantec Security Check, that you can
   use to determine if your computer is at risk. The tool is available in
   two forms, both of which are free. The first is an online scan; the
   second is a version of the tool that you can download onto your computer.

    04 August 2001 - SirCam worm settles in for the long haul
   ZDNet reports that experts say the worm is likely to keep sending out
   recipes, confidential government documents and CVs for the foreseeable
   future.
   Updated news stories and links on SirCam
   * Report: Worm nabs secret Ukrainian files
   Web site receives secret documents from Ukrainian president
   * SirCam tops virus charts for July
   Code Red may have grabbed the media attention, but the SirCam email worm
   has continued to top the charts

    04 August 2001 - Trend Micro Sircam Virus Vulnerability
   Trend Micro InterScan VirusWall is unable to filter or clean the
   TROJ_SIRCAM.A virus from attachments in electronic mail format (.eml).
   This vulnerability is due to a problem with InterScan's ability to
   decode certain attachment types.

    04 August 2001 - FAQ: The Code Red threat
   ZDNet UK answers common questions about the Code Red worm.

    04 August 2001 - F-Secure warns: Code Red is not dead
   F-Secure Media Release reminds us the worm has been programmed to spread
   only during the first 20 days of every month. As the widespread July
   infections started on the 19th of the month, the worm stopped spreading
   by itself almost as soon as it had become widespread. This time it won't.
   It will continue to spread for almost three weeks and might spread much
   more widely than in July, when it infected around 300,000 servers.
   Updated stories and links on this Code Red Worm
   * Train crash could be to blame for Internet derailment
   A train crash in the US cut Internet cables serving seven major ISPs.
   Was it this, and not Code Red, that derailed the Internet on 18 July?
   * Code Red not by any means dead
   Its impact so far having been contained mostly to the US, Code Red could
   well be spreading to the rest of the world
   * FBI accused over Code Red virus confusion
   * Microsoft takes heat for Code Red
   * Code Red worm stays cool

    01 August 2001 - Possible Internet Slowdown Due to Code Red Worm
   CNN has been updating the news for the Code Red worm almost hourly. They
   have said the slowdown may not show up for a day or two, or there may not
   even be any noticeable difference. The fact remains that users of the
   affected Microsoft products still have the responsibility to download and
   install the appropriate patch on their systems. The security personnel who
   were highlighted on CNN on July 30th said that people who do not even run a
   server may still have had the server software installed on their systems
   when they installed their MS operating system software. As such, they are
   also possibly vulnerable and should take the necessary precautions.
   Who Must Act?
   Every organization or person who has Windows NT or Windows 2000 systems
   AND the IIS web server software may be vulnerable. IIS is installed
   automatically for many applications. If you are using Windows 95,
   Windows 98, or Windows Me, there is no action that you need to take in
   response to this alert.
   What To Do If You Are Vulnerable?
      a. To rid your machine of the current worm, reboot your computer.
      b. To protect your system from re-infection: Install the patch as
         specified in the instructions.
   The security bulletin that describes the patch and the vulnerability
   it addresses is posted at:
   http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
   Because of the importance of this threat, this alert is being made
   jointly by: Microsoft, The National Infrastructure Protection Center
   (NIPC), Federal Computer Incident Response Center (FedCIRC), Information
   Technology Association of America (ITAA), CERT Coordination Center, SANS
   Institute, Internet Security Systems and Internet Security Alliance.
   Virus Help Team Canada Fast Links for Info on Code Red Worm
   * NAI Press release of online scan service
   * NAI/PGP OnLine Scan for Code Red Worm
     !! Read the directions carefully before requesting the scan !!
   * Patch: Windows NT 4.0 computers running Index Server 2.0
   * Patch: Windows 2000 computers running Internet Information Service 5.0
   * MS TechNet Security Tools including security and config checklists



   Macintosh

   No warnings for August 2001



   Linux

   Date: July 08, 2001
   Platform: Any Linux or BSD system running Samba
   Warning About: Samba Security Vulnerability
   Report From:   CIAC Bulletins
   * Release Note: A remote attacker can use a NetBIOS name containing
     Unix path characters which will then be substituted into the %m macro
     wherever it occurs in smb.conf. This can be used to cause Samba to
     create a log file on top of an important system file, which in turn
     can be used to compromise security on the server. Solution: Change
     smb.conf configuration file, or update to most recent release of Samba.
   * Click here for Bulletin Number L-105

   Date: July 08, 2001
   Platform:  Linux-Mandrake
   Updates To:    fetchmail and xinetd
   Report From:   Linux Daily News
   * Release Note: Linux-Mandrake has issued two new security advisories.
     The first is for fetchmail to address the problem with long header
     fields. The second is for xinetd to address default umask issues with
     xinetd.
   * Click here for LWN Security Update To fetchmail
   * Click here for LWN Security Update To xinetd

   Date: July 08, 2001
   Platform:  Immunix
   Updates To:    tetex
   Report From:   Linux Daily News
   * Release Note: Immunix has posted a security update for tetex to address
     temporary file handling problems that can lead to privilege elevation.
   * Click here for LWN Security Update To tetex

   Date: July 04, 2001
   Platform:  Caldera
   Updates To:    OpenSSH
   Report From:   Linux Daily News
   * Release Note: Caldera International has released a security update to
     OpenSSH fixing an interesting problem: an attacker can remove any file
     on the system, as long as it's called "cookies"...
   * Click here for LWN Security Update To OpenSSH



   Miscellaneous

   10 July 2001 - Viri Warnings and Alerts for Today
   LOC HOAX (NAI)
     If you receive this email, delete it and DO NOT pass it on.

   Date: July 08, 2001
   Platform: All releases of Cisco IOS(R) software starting with
             release 11.3 and later.
   Warning About: Cisco IOS HTTP Authorization Vulnerability
   Report From:   CIAC Bulletins
   * Release Note: The user will be able to exercise complete control over
     the device. All commands will be executed with the highest privilege
     (level 15). Solution: Upgrade or apply the workaround given in the
     Cisco advisory.
   * Click here for Bulletin Number L-106

   Date: July 08, 2001
   Platform: Oracle 8i
   Warning About: Oracle 8i contains buffer overflow in TNS listener
   Report From:   CERT
   * Release Note: A vulnerability in Oracle 8i allows remote intruders to
     assume control of database servers running on victim machines. If the
     Oracle server is running on a Windows system, an intruder may also be
     able to gain control of the underlying operating system.
   * Click here for CERT CA-2001-016

   Date: July 04, 2001
   Platform: Misc
   Hoax Alert:    MusicPanel (MP3) Virus HOAX
   Report From:   Symantec Security HOAX Updates
   * Release Note: The following message is a hoax. This "virus" does not
     exist.
     Sample of hoax message:
        Music fans around the planet will receive a shocking surprise
        on their computers on American Independence Day, July 4, but only
        if they have downloaded unauthorised songs from Napster, Gnutella
        or other file swapping applications on the Internet.
     Please ignore any messages regarding this hoax and do not pass on
     messages. Passing on messages about the hoax only serves to further
     propagate it.
   * Click here for Symantec HOAX Report on MusicPanel
   * Click here for Vmyths HOAX Report on MusicPanel (MP3) virus
   * Click here for ZDNet HOAX Report on MusicPanel

   Date: July 04, 2001
   Platform: i386 Intel Platform
   Warning About: SuSE Linux, xinetd Buffer Overflow
   Report From:   CIAC Bulletins
   * Release Note: The buffer overflow vulnerability allows a remote
     attacker to execute arbitrary code at all privileges.
     Solution: Apply patches supplied by SuSE
   * Click here for Bulletin Number L-104

   Date: July 04, 2001
   Platform: Various versions of SunOS
   Warning About: Sun ypbind Buffer Overflow Vulnerability
   Report From:   CIAC Bulletins
   * Release Note: This vulnerability may allow a local or remote user to
     gain root access and, therefore, complete control of the system.
     Solution: Apply the patches described below.
   * Click here for Bulletin Number L-103


Virus Help Team Canada Site (c)2000-2012 by Charlene
VHT-CAN and our webhoster disclaim any responsibility for software
obtained through this site. Contact VHT-Canada