Virus Security Information Page

Symantec Security Check 

Symantec Security Check is a free service designed to help you understand your computer's exposure to online security intrusions and virus threats. To access the site, click here.

Use Windows Update on a regular basis, or schedule Automatic Updates in Windows XP, Windows 2000, or Windows Server 2003. Click here for more details.

NOTE: Close ALL programs before you run updates. If this is a host server, you need to turn off all the services you can before you attempt any patch. Exchange Server may not work after a patch if this is not done.

U.S. Department of Homeland Security US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password-protected archive files, so users must use discretion when opening archive files and should scan files once extracted from an archive.

Why should I run Windows update?
 

10/16/2003 Thursday - CERT® Advisory CA-2003-27 Multiple Vulnerabilities in Microsoft Windows and Exchange - There are a number of vulnerabilities in Microsoft Windows and Microsoft Exchange that could allow an attacker to gain administrative control of a vulnerable system. The most serious of these vulnerabilities allow an unauthenticated, remote attacker to execute arbitrary code with no action required on the part of the victim.   Click here for more details.

10/03/2003 Friday - Microsoft - Severity Level Critical - A number of security issues have been identified in Microsoft® Internet Explorer that could allow an attacker to compromise a Microsoft Windows®-based system and then take a variety of actions. For example, an attacker could run programs on your computer when you are viewing a Web page. This vulnerability affects all computers that have Internet Explorer installed. (You do not have to be using Internet Explorer as your Web browser to be affected by this issue.) You should help protect your computer by installing this update from Microsoft [ Windows Update ]. Products affected: "Internet Explorer 5.01 / 5.5 / 6.0". Note: Windows and Internet Explorer share components. You should apply this update if you have Internet Explorer 5.01 or later. Earlier versions are not supported and may or may not be affected. Users with earlier versions are strongly encouraged to upgrade. Click here for more details.

10/02/2003 Thursday - InfoWorld - Trojan uses MS hole to hijack Web browsers - Computer hackers have found another way to exploit an unpatched hole in Microsoft Corp.'s Internet Explorer Web browser, using a specially designed attack Web site to install a Trojan horse program on vulnerable Windows machines. The Trojan program changes the DNS (Domain Name System) configuration on the Windows machine so that requests for popular Web search engines like www.google.com and www.altavista.com bring the Web surfer to a Web site maintained by the hackers instead, according to warnings from leading security companies. Click here for more details.  Symantec - Trojan.Qhosts is a Trojan Horse that will modify the TCP/IP settings to point to a different DNS server. For a computer to become infected, you would have to open an HTML page that contains code, which allows it to open a viral HTML file on the target computer, so that the script can create and run the malicious executable. Click here for more details. Systems Affected: Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Windows Server 2003 

09/23/2003 Tuesday - MSNBC WASHINGTON D.C. — The State Department’s electronic system for checking every visa applicant for terrorist or criminal history failed worldwide for several hours late Tuesday because of a computer virus, leaving the U.S. government briefly unable to issue visas. Click here for more details.  Symantec - W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including: The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit. The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. As coded in this worm, this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems. Click here for more details.

09/18/2003 Thursday - MSNBC New virus preys on old IE flaw — A new e-mail worm has started to spread quickly, taking advantage of an Internet Explorer vulnerability that was first disclosed two years ago. The bug, which has been alternately dubbed Swen and Gibe.F, appears to exploit a flaw that Microsoft first disclosed in a March 2001 security bulletin.  Click here for more details.  Symantec - W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer. The worm can arrive as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail.  Click here for more details.

09/16/2003 Tuesday - [ see NOTE listed below before you patch your system ] MSNBC WASHINGTON D.C. Blaster copycat said set to attack - Security researchers on Tuesday detected hackers distributing software to break into computers using flaws announced last week in some versions of Microsoft Corp.’s Windows operating system. Click here for more details.

09/10/2003 Wednesday - MSNBC WASHINGTON D.C. Moments before a top Microsoft executive told Congress about efforts to improve security, the company warned on Wednesday of new flaws that leave its flagship Windows software vulnerable to Internet attacks similar to the Blaster virus that infected hundreds of thousands of computers last month. Click here for more details.

CERT® Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows. Click here for more details.

InfoWorld - Blaster II? Microsoft warns of new security holes. Only weeks after the appearance of the Blaster worm, Microsoft Corp. released a software patch for still more holes similar to those Blaster exploited. Click here for more details.

Microsoft Security Bulletin MS03-039 - Buffer Overrun In RPCSS Service Could Allow Code Execution (824146) - Who should read this bulletin: Users running Microsoft Windows - Maximum Severity Rating: Critical. Click here for more details.

NOTE: Use Windows Update to install this patch. If you do not, it will not show up as patched upon scan, and may not be patched correctly. If this is a host server, you need to turn off all the services you can before you attempt any patch. Exchange Server may not work after a patch if this is not done.

08/18/2003 Monday - Symantec W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions [ .dbx .eml .hlp .htm .html .mht .wab .txt ]. The worm uses its own SMTP engine to propagate and will attempt to create a copy of itself on accessible network shares, but fails due to bugs in the code. The email message has the following characteristic: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address admin@internet.com as the sender. You may receive bounced email, or a message from someone asking "Why are you sending me this junk" when you did not send it. This is all part of the worm. Click here for details.

InfoWorld - The latest version of the Sobig Internet virus, Sobig.F, is spreading faster than any virus seen before, according to U.K. e-mail security firm MessageLabs Ltd. Click here for the article.

Removal using the W32.Sobig.F@mm Removal Tool: click here.

MessageLabs - SOBIG.F VIRUS FASTEST SPREADING EVER - This makes Sobig.F the fastest growing virus ever, surpassing the infamous LoveBug, Klez and Kournikova viruses. All initial copies originated from the United States, where the virus is currently most prevalent. As Sobig.F continues its rapid spread today businesses are also advised to be on high-level alert. Sobig.F, first detected on 18th August, is the sixth variant issued in the Sobig virus series and appears to be the most sophisticated to date. Since the first Sobig virus was issued on January 9th 2003, MessageLabs has intercepted almost three million copies of Sobig variants. Click here for more details.

08/11/2003 Monday - [ see NOTE listed below before you patch your system ] eEye Digital Security - A worm began spreading on the Internet early Monday morning that exploits a recent vulnerability in Microsoft Operating Systems [ Windows NT / 2000 / XP / 2003 ]. The worm, dubbed Blaster, takes advantage of a known vulnerability in Microsoft RPC DCOM that affects all current versions of Windows NT, Windows 2000, Windows XP, and Windows Server 2003. Click here for more details. eEye Digital Security offers a tool to scan for the vulnerable. Click here for more details.

Symantec - W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download and run the Msblast.exe file. Click here for more details about the worm, and how to deal with it.

MSNBC - A new computer worm caused headaches for thousands of computer users around the globe Tuesday, mystifying many whose only hint of trouble was when their computers suddenly began restarting. The worm does not arrive via e-mail; it finds its own way onto vulnerable machines, without any user interaction. Click here for more details.

NOTE: If you have one of these versions of the Windows Operating Systems [ Windows NT / 2000 / XP / 2003 ], and you have not patched your computer, you will be infected with this worm. IT IS VERY IMPORTANT THAT YOU PATCH YOUR COMPUTER. Click here for more details about the patch. To obtain the 'W32.Blaster.Worm Removal Tool' program from Symantec, click here.

Network World 08/18/03 - Some IT staffs came to the belated discovery that the patch Microsoft issued July 16 doesn't work on all four Service Packs (SP) for upgrades to Windows 2000. Officially, Microsoft has indicated the patch applies only to SP3 and SP4 because the company doesn't develop patches for older, "unsupported" releases such as SP1 and SP2. Click here for details.

McAfee AVERT Stinger - Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Click here to download the scan removal tool. For more details about McAfee AVERT Stinger, click here.

NOTE: Use Windows Update to install this patch. If you do not, it will not show up as patched upon scan, and may not be patched correctly. If this is a host server, you need to turn off all the services you can before you attempt any patch. Exchange Server may not work after a patch if this is not done.

08/01/2003 Friday - CERT Incident Note IN-2003-02 - The CERT Coordination Center began to receive an increased number of reports of a new mass mailing virus, now referred to as W32/Mimail, spreading on the Internet. Click here for more details.

Symantec - W32.Mimail.A@mm: more information about this virus, and how to remove it. Click here for more details.

07/31/2003 Thursday - The CERT Coordination Center has received reports of widespread attacks using a recently disclosed security vulnerability and a previously unknown security hole in Microsoft Corp.'s Windows operating system, the center said Thursday in an advisory. Click here for more details.

07/17/2003 Thursday MSNBC - Microsoft Corporation acknowledged a critical vulnerability Wednesday in nearly all versions of its flagship Windows operating system software, the first such design flaw to affect its latest Windows Server 2003 software.  Click here for more details.  On July 16, 2003, Microsoft® released a critical security bulletin (MS03-026) and a software patch ( http://go.microsoft.com/?linkid=210348 ) to address a vulnerability in the Windows® operating system that could allow code execution. The incident has been widely reported in the press and the patch has been made available to Microsoft customers and partners.

06/05/2003 Thursday Symantec W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. W32.Bugbear.B@mm is a mass-mailing worm that also spreads through network shares. The worm is polymorphic and also infects a select list of executable files. The worm has keystroke-logging and backdoor capabilities and also attempts to terminate the processes of various antivirus and firewall programs.  Click here for more details.

05/08/2003 Thursday Symantec W32.HLLW.Fizzer@mm is a mass-mailing worm that sends itself to all contacts in the Windows Address Book. It contains a backdoor that uses mIRC to communicate with a remote attacker. It also contains a keylogger and attempts to spread through the KaZaA file-sharing network. The worm attempts to terminate the process of various antivirus programs if they are found to be active. Click here for more details.

04/23/2003 Wednesday MSNBC -  Microsoft once again has welcomed Wednesday with patches for security flaws discovered in its Windows applications. The software giant warned customers they should apply updates for both Internet Explorer (IE) and Outlook Express to fix critical security vulnerabilities that could let attackers run programs on a victim’s PC. Click here for more details.  Note: to update your computer run "Windows Update".

03/19/2003 Wednesday Microsoft warned about a serious flaw in almost every version of its popular Windows software that could allow hackers to seize control of a person’s computer when victims read e-mails or visit Web sites. Click here for more details from MSNBC.

03/17/2003 Monday Microsoft Summary-Affected Software: Microsoft Windows 2000. Impact of vulnerability: Run code of attacker's choice. Maximum Severity Rating: Critical. Recommendation: Systems administrators should apply the patch immediately. Click here for more details. MSNBC A computer intruder armed with a secret, particularly effective attack tool recently took control of an Army Web server, MSNBC.com has learned. Both Microsoft and the CERT Coordination Center released hastily-prepared warnings about the vulnerability that led to the attack on Monday.  Click here for more details.

02/24/2003 Monday Symantec W32.HLLW.Lovgate.C@mm is a variant of W32.HLLW.Lovgate@mm. This worm contains mass-mailing and backdoor functionality. There are no major functionality differences between this variant and W32.HLLW.Lovgate@mm. This variant appears to have been re-compiled with a different compiler, and then packed with the same runtime compression utility as W32.HLLW.Lovgate@mm Click here for more details.

eWeek A new variant on the Lovgate worm began spreading early Monday, posing as an authentic-looking business e-mail, according to security researchers. In addition to its mass-mailing functionality, Lovgate spreads through Windows shares and can steal users' passwords, according to security researchers at F-Secure, which posted an advisory on the worm and rated it Level 2, or a medium-grade threat. Click here for more details. 

01/25/2003 Saturday CERT® Advisory CA-2003-04 MS-SQL Server Worm  The CERT/CC has received reports of self-propagating malicious code that exploits multiple vulnerabilities in the Resolution Service of Microsoft SQL Server 2000. The propagation of this worm has caused varied levels of network degradation across the Internet, in addition to the compromise of vulnerable machines.  Click here for the article.

Microsoft Customer Update on the "Slammer" Virus Attack. Click here for the article.

SEATTLE (AP) -- Microsoft Corp. itself was exposed to the virus-like attack that crippled global Internet activity last weekend because it failed to install crucial fixes to its own software on many Microsoft computer servers, according to internal e-mails obtained by The Associated Press.  Click here for Article

Symantec W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port. Beginning at 5:31am GMT 1/24/2003, we started to see a significant increase in the unique number of source IPs scanning for UDP port 1434. Symantec Security Response highly recommends all users of either Microsoft SQL Server 2000 or MSDE 2000 audit their machines for the vulnerabilities referred to in the Microsoft advisory at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp , and install the patch referred to by http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp.

Symantec Security Response also recommends configuring perimeter devices to block UDP traffic to port 1434 from untrusted hosts. Click here for the article.

CNN - Computer worm grounds flights, blocks ATMs. Click here for the article. And on a related note: Gates pledges better software security. Click here for the article.

01/23/2003 Thursday Microsoft While there is much work still to do, Microsoft has made important progress under the four pillars of Trustworthy Computing: security, privacy, reliability and business integrity. Here is a snapshot of various resources that may be of interest to you in the area of security.  Click here for the article .

01/09/2003 Thursday Symantec - The W32.Sobig.A@mm worm sends itself to all the addresses it finds in the .txt, .eml, .html, .htm, .dbx, and .wab files. The email message has the following characteristics. Click here for more details.

MSNBC - Joe Stewart was poring over the complex computer code of a widespread new virus named “SoBig,” wondering what it was really designed to do. Then it hit him. This was not your typical attention-getting nuisance. The virus, he says, was actually designed to hack into home users’ computers and quietly use them to send out spam. Click here for the article.

McAfee AVERT Stinger - Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Click here to download the scan removal tool. For more details about McAfee AVERT Stinger, click here.

 

©2000-2006 Internet Partners, Inc.
1800 NW 167th Place Suite 160 - Beaverton, Oregon 97006-8132
+1 503 690 2700    FAX +1 503 690 9700