Symantec Security Check is a free service designed to help you understand your computer's exposure to online security intrusions and virus threats. To access the site, click here.
Use Windows Update on a regular basis, or Schedule Automatic Updates in Windows XP, Windows 2000, or Windows Server 2003.
Click here for more details. NOTE: close ALL programs before you run
updates. If this is a host server, you need to turn off all the services
you can before you attempt any patch. Exchange Server may not work after a patch
if this is not done.
U.S. Department of Homeland Security US-CERT
strongly encourages users to install and maintain anti-virus software and
exercise caution when handling attachments. Anti-virus software may not be able
to scan password protected archive files so users must use discretion when
opening archive files and should scan files once extracted from an archive.
Why should I run Windows update?
12/28/2005 Thursday
US Department of Homeland Security - US-CERT is
aware of a vulnerability reported within Microsoft Windows handling of corrupted
Windows Metafiles (".wmf"). This vulnerability may be exploited through the
viewing of a corrupted ".wmf" file or by viewing a malicious web site hosting a
corrupted ".wmf" file. US-CERT is also aware that exploit code is publicly
available and that there are active attempts to exploit this vulnerability. Once
exploited, a remote attacker may be able to perform any of the following
malicious activities:
• Execute arbitrary code
• Cause a denial-of-service condition
• Take complete control of a vulnerable system
More information about this vulnerability can be found in the following US-CERT Vulnerability Note:
Solution
RUN WINDOWS UPDATE NOW ! ! !
Disable or reset the file association for Windows Metafiles
Disabling or remapping Windows Metafile files to open a program other than the default Windows Picture and Fax Viewer may prevent exploitation via some attack vectors. Microsoft has suggested taking the following steps to disable shimgvw.dll in Microsoft Security Advisory (912840):
Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with: "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
On Tuesday, December 27, 2005, Microsoft became aware of public reports of
malicious attacks on some customers involving a previously unknown security
vulnerability in the Windows Meta File (WMF) code area in the Windows
platform.
Upon learning of the attacks, Microsoft mobilized under its Software Security
Incident Response Process (SSIRP) to analyze the attack, assess its scope,
define an engineering plan, and determine the appropriate guidance for
customers, as well as to engage with anti-virus partners and law enforcement.
Microsoft confirmed the technical details of the attack on December 28, 2005
and immediately began developing a security update for the WMF vulnerability
on an expedited track.
Microsoft has completed development of the security update for the
vulnerability. The security update is now being localized and tested to
ensure quality and application compatibility. Microsoft’s goal is to
release the update on Tuesday, January 10, 2006, as part of its monthly
release of security bulletins. This release is predicated on successful
completion of quality testing.
12/14/2005 Wednesday - IDG News Service By Robert McMillan - Infoworld - Microsoft has now fixed a widely reported flaw in its Internet Explorer (IE) browser that had been used by attackers over the past few weeks to take over the PCs of unsuspecting users. The flaw was one of four IE bugs fixed Tuesday in Microsoft's regularly scheduled software update, which also addressed some of the problems caused by Sony BMG Music Entertainment's XCP copy protection software. Click here for details. Run Windows Update
12/08/2005 Thursday - MSNBC/Reuters - SAN FRANCISCO - A new "Sober" worm is set to hit in January in an attack tied to the founding of the Nazi party that could slow the Internet with tens of millions of politically-motivated spam e-mails, security experts said Wednesday. . . . The company said the variant set to hit in January has already infected millions of systems as a prelude to the attack, scanning computers' address books to send hundreds of millions of messages claiming to be from various government entities. Click here for details.
11/10/2005 Thursday - eWeek - An anti-virus vendor spots the first signs of a Trojan
attack against a critical flaw just patched by Microsoft. It causes a disruptive
denial-of-service attack against unpatched Windows systems.
Anti-virus vendor Trend Micro Inc. has spotted a Trojan in the wild attacking
Windows users via the image rendering flaws patched by Microsoft Corp. two days
ago.
The Trojan, identified as TROJ_EMFSPLOIT.A, causes the "explorer.exe" file to
crash, causing the taskbar on unpatched Windows machines to disappear.
The "explorer.exe" process is a required file used to manage the Windows
Graphical Shell including the Start menu, taskbar, desktop and File Manager. A
malicious attack that disrupts those essential services is considered very
disruptive.
Trend Micro described the exploit as a "proof-of-concept Trojan" that exploits
the Graphics Rendering Engine vulnerability patched by Microsoft earlier this
week.
Microsoft rated the flaw as "critical" and warned that a successful exploit
could let an attacker take "complete control" of unpatched Windows 2000, Windows
XP (including SP2) and Windows Server 2003, but the Trojan identified by Trend
Micro simply causes a denial-of-service condition.
Prior to Microsoft's Patch Day release, company spokesman Stephen Toulouse
confirmed to Ziff Davis Internet News that exploit code that could cause a
denial-of-service attack was publicly available.
Click here for details.
11/09/2005 Wednesday - MSNBC/Reuters - SEATTLE - Microsoft Corp. warned users Tuesday of a new "critical"-rated flaw in recent versions of Windows that could allow attackers to take control of a system by embedding malicious software code into digital images. Click here for details.
10/11/2005 Tuesday - MSNBC/Reuters - SAN FRANCISCO - Microsoft Corp. warned users of its Windows operating system Tuesday of three newly found "critical" security flaws in its software that could allow attackers to take complete control of a computer. Click here for details.
08/24/2005 Wednesday InfoWorld - IDG News Service - By James Niccolai -
Zotob worm also targets Windows XP. PCs running Windows XP Service Pack 1 are
also at risk of attack.
PCs running a certain configuration of Microsoft's
Windows XP operating system are vulnerable to attack from the Zotob worm that
ran riot on Windows 2000 systems last week, Microsoft said.
Click here for details.
08/17/2005 Wednesday InfoWorld - IDG News Service - By Robert McMillan and James Niccolai - Malicious software that takes advantage of a recently disclosed vulnerability in Microsoft's Windows operating system has spread rapidly and has now infected more than 250,000 systems, primarily Windows 2000 systems being run in corporate environments, according to security vendor Computer Associates International Inc. (CA).
Click here for details.
08/16/2005 Tuesday Symantec Corporation - W32.Zotob.E (Also Known As: WORM_RBOT.CBQ [Trend Micro]) is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445.
W32.Zotob.E can run on, but not infect, computers running Windows 95/98/Me/NT4/XP. Although computers running these operating systems cannot be infected, they can still be used to infect vulnerable computers that they can connect to.
Click here for details.
08/14/2005 Saturday U.S. Department of Homeland Security - US-CERT
has seen reports of a new worm, known as Zotob, that takes advantage of the
vulnerability described in Microsoft Bulletin MS05-039. The worm scans for
vulnerable systems on port 445/tcp. Once compromised, the worm will download
and execute itself from another infected host via FTP on a random high TCP
port. The FTP server is used by the worm to host the malicious code for
download when other systems are compromised.
Based on reports, this malicious code has been incorporated into several Trojan
horses which are actively exploiting this vulnerability.
More information on the vulnerability is available in the following US-CERT
Vulnerability Note:
VU#998653 - Microsoft Plug and Play contains a buffer overflow vulnerability
US-CERT urges users to apply the update described in Microsoft Security Bulletin
MS05-039. If users are unable to apply the update, Microsoft provides
several workarounds that may help to mitigate against known attacks on this
vulnerability.
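The two behaviours US-CERT describes above (scanning on port 445/tcp, then a download from the infecting host on a high TCP port) can be looked for in connection logs. The Python below is an added example, not part of the US-CERT note: the flow records are constructed, and the three-host scan threshold, the 60-second window and the 1024 port floor are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445        # port the worm scans, per the US-CERT text
HIGH_PORT_MIN = 1024  # assumption: a "high TCP port" is 1024 or above

# Constructed flow records: (time, source, destination, destination TCP port)
FLOWS = [
    ("2005-08-14 10:00:01", "10.0.0.5", "10.0.0.20", 445),
    ("2005-08-14 10:00:02", "10.0.0.5", "10.0.0.21", 445),
    ("2005-08-14 10:00:03", "10.0.0.5", "10.0.0.22", 445),
    ("2005-08-14 10:00:09", "10.0.0.21", "10.0.0.5", 33333),  # connects back
    ("2005-08-14 10:05:00", "10.0.0.30", "10.0.0.40", 445),   # single share access
    ("2005-08-14 10:05:30", "10.0.0.40", "10.0.0.50", 8080),  # unrelated peer
    ("2005-08-14 10:30:00", "10.0.0.22", "10.0.0.5", 40000),  # too late to correlate
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def find_scanners(flows, min_targets=3):
    """Sources that contacted at least min_targets distinct hosts on 445/tcp."""
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        if port == SMB_PORT:
            targets[src].add(dst)
    return sorted(s for s, seen in targets.items() if len(seen) >= min_targets)

def find_callbacks(flows, window=timedelta(seconds=60)):
    """Hosts contacted on 445/tcp that then connect back to the same peer
    on a high TCP port within the window (the download step)."""
    last_probe = {}  # (prober, probed host) -> time of latest 445/tcp contact
    hits = []
    for when, src, dst, port in sorted(flows, key=lambda f: _ts(f[0])):
        t = _ts(when)
        if port == SMB_PORT:
            last_probe[(src, dst)] = t
        elif port >= HIGH_PORT_MIN:
            probed_at = last_probe.get((dst, src))
            if probed_at is not None and t - probed_at <= window:
                hits.append((src, dst, port))
    return hits

if __name__ == "__main__":
    print("possible scanners:", find_scanners(FLOWS))
    print("possible callbacks:", find_callbacks(FLOWS))
```

A host that appears in the callback list is the one to isolate and patch first; the scanner list points at the machine it was infected from.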
MSNBC - Reuters Singapore - A new
Internet virus has been detected that can infect Microsoft's Windows platforms
faster than previous computer worms, said an anti-virus computer software maker.
The ZOTOB virus appeared shortly after the world's largest software maker warned
of three newly found "critical" security flaws in its software, including one
that could allow attackers to take complete control of a computer.
The latest worm exploits security holes in Microsoft's Windows 95, 98, ME, NE,
2000 and XP platforms and can give computer attackers remote access to affected
systems, said Trend Micro Inc.
Click here for details.
06/14/2005 Tuesday InfoWorld - Microsoft released 10 security patches, including three deemed "critical," for bugs in a variety of the company's products. Released Tuesday as part of the company's monthly updates, the critical patches repair flaws in Windows and Internet Explorer that could allow attackers to take complete control of a computer, Microsoft said. Click here for details.
MSNBC/Reuters - Microsoft releases 3 ‘critical’ patches - Security flaws affect Windows, Internet Explorer users - SEATTLE - Microsoft Corp., the world's largest software maker, warned users of three new security flaws affecting Windows and Internet Explorer and urged them to download patches to fix the software. "For all consumers we recommend that they have Automatic Updates enabled," Toulouse said, referring to a feature in Windows that downloads the software patches automatically. See note above about "Windows Update" to set Automatic Updates. Click here for details.
05/02/2005 Monday Symantec - W32.Sober.O@mm is a mass-mailing worm that sends itself as an email attachment to addresses gathered from the compromised computer. It uses its own SMTP engine to spread. The email may be in either English or German. Click here for details.
04/08/2005 Friday InfoWorld Microsoft on Tuesday 04/12/2005 plans to issue eight security alerts with patches, some critical, for Windows, Office, MSN Messenger, and Exchange. Click here for details.
03/07/2005 Monday MSNBC Instant message worm attacks increasing - A spate of instant message worms released over the last few days has some antivirus researchers concerned: With e-mail viruses less effective than before, virus writers, they say, are now turning their attention to the popular — and not very secure — chat tools used by millions. Click Here for details.
02/09/2005 Wednesday InfoWorld/Techworld.com Symantec has issued patches to fix a "high impact" security hole that affects almost every product it currently sells. Click here for details. Note: You will need to run a manual 'Live Update' to update the product(s). Run 'Live Update' after each reboot until the program states that there are no more updates. Symantec UPX Parsing Engine Heap Overflow - Affected Products. Click here for details.
02/09/2005 Wednesday InfoWorld/IDG News Service - Malicious code that can take advantage of a newly disclosed hole in Microsoft's MSN Messenger instant messenger (IM) program has been published on the Internet. The publication of the code could set the stage for a possibly virulent IM worm or virus, according to security experts. Click here for details.
02/08/2005 Tuesday MSNBC - Microsoft Corporation released eight security fixes Tuesday that carry its highest threat rating and urged computer users to install them quickly because all the vulnerabilities they address could let attackers take complete control of systems. Click here for details. Microsoft - Windows Security Updates Summary for February 2005. Click here for details.
01/11/2004 Tuesday Reuters - Seattle Washington - Microsoft Corp. warned
Windows users on Tuesday of two new "critical"-rated
security flaws in its software that could allow attackers to take control of a
computer and delete or copy information.
Click here for details. Microsoft Security Bulletin Summary for January, 2005.
Click here for details.
01/06/2005 Thursday Microsoft Corporation - What is Spyware? - Spyware is a general
term used for software that performs certain behaviors such as advertising,
collecting personal information, or changing the configuration of your computer,
generally without appropriately obtaining your consent. You might have Spyware
or other unwanted software on your computer if:
• You see pop-up advertisements even when you're not on the Web.
• The page your Web browser first opens to (your home page) or your browser
search settings have changed without your knowledge.
• You notice a new toolbar in your browser that you didn't want, and find it
difficult to get rid of.
• Your computer takes longer than usual to complete certain tasks.
• You experience a sudden rise in computer crashes.
If you use Microsoft Windows 2000 or Microsoft Windows XP, use
this link to review and download Microsoft Windows AntiSpyware (beta)
software.
©2000-2006 Internet Partners, Inc.