CVE ID:
CVE-2007-3026
Affected Vendor:
Panda Software
Affected Products:
Panda AdminSecure 2006
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Panda AdminSecure. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the AdminSecure agent, which binds by default to TCP port 19226 or 19227. When processing traffic on the listening port, the agent trusts a user-supplied length value for a memory allocation. Specific size values can result in an integer overflow and subsequently an insufficient allocation size. This results in a heap-based buffer overflow that can be leveraged to execute arbitrary code.
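As an added illustration (not Panda's code, which this advisory does not show), the C model below demonstrates the bug class described above: a 32-bit length taken from the wire is added to a fixed header size before the allocation, and a length near 2^32 wraps the sum to a tiny allocation that the following copy then overruns. The frame layout, HEADER_BYTES and MAX_MESSAGE_BYTES are assumptions; the hardened reader refuses a length that would wrap, exceed policy, or exceed the bytes actually received before anything is allocated or copied.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the agent's framing: a 4-byte little-endian length
 * field followed by that many payload bytes. The receiver prepends a fixed
 * header when it buffers the message. Both sizes are assumed. */
#define HEADER_BYTES 16u
#define MAX_MESSAGE_BYTES (1u << 20)   /* policy limit for one message (assumed) */

/* The flawed shape: the allocation size is computed in 32-bit arithmetic
 * straight from the attacker-controlled length. For wire_len > 0xFFFFFFEF the
 * addition wraps, so the allocation is far smaller than the copy that follows. */
uint32_t alloc_size_unchecked(uint32_t wire_len) {
    return wire_len + HEADER_BYTES;        /* 0xFFFFFFF8 + 16 wraps to 8 */
}

/* Hardened shape: reject lengths that would wrap or exceed policy before any
 * arithmetic result reaches an allocator. */
bool alloc_size_checked(uint32_t wire_len, size_t *out_size) {
    if (wire_len > UINT32_MAX - HEADER_BYTES) return false;   /* would wrap */
    if (wire_len > MAX_MESSAGE_BYTES) return false;            /* oversized */
    *out_size = (size_t)wire_len + HEADER_BYTES;
    return true;
}

/* Helper for callers that only want the size: returns 0 when refused. */
size_t demo_checked_size_of(uint32_t wire_len) {
    size_t sz = 0;
    return alloc_size_checked(wire_len, &sz) ? sz : 0;
}

/* Reads one framed message from a received buffer. Returns the payload size
 * on success and -1 on any inconsistency; the caller frees *out_msg. */
long read_framed_message(const uint8_t *buf, size_t buf_len, uint8_t **out_msg) {
    if (buf_len < 4) return -1;
    uint32_t wire_len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                        ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    size_t need;
    if (!alloc_size_checked(wire_len, &need)) return -1;
    if (buf_len - 4 < wire_len) return -1;          /* claimed more than received */
    uint8_t *msg = malloc(need);
    if (msg == NULL) return -1;
    memset(msg, 0, HEADER_BYTES);                    /* header area */
    memcpy(msg + HEADER_BYTES, buf + 4, wire_len);  /* bounded by the checks above */
    *out_msg = msg;
    return (long)wire_len;
}

/* Demo on a constructed frame: length 5, payload "hello". */
long demo_valid_frame(void) {
    static const uint8_t frame[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    uint8_t *msg = NULL;
    long n = read_framed_message(frame, sizeof frame, &msg);
    free(msg);
    return n;
}

/* Demo on a constructed frame whose length field is 0xFFFFFFF8: the unchecked
 * computation would allocate 8 bytes; the checked path refuses the frame. */
long demo_wrapping_frame(void) {
    static const uint8_t frame[] = {0xF8, 0xFF, 0xFF, 0xFF, 'x'};
    uint8_t *msg = NULL;
    return read_framed_message(frame, sizeof frame, &msg);
}
```

The second check in read_framed_message (length against bytes received) matters even on a 64-bit build where the addition cannot wrap: a length that is merely larger than the data present still turns the copy into an over-read.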
Vendor Response:
Panda Software has issued an update to correct this vulnerability. More details can be found at:
http://www.pandasoftware.com/Download/tree/
Disclosure Timeline:
2006.11.15 - Vulnerability reported to vendor
2007.07.24 - Coordinated public release of advisory
Credit:
This vulnerability was discovered by Tenable Network Security.
Labels: Anti-Virus, Vulnerability
Secunia Advisory: SA24767
Release Date: 2007-04-06
Critical:
Moderately critical
Impact: System access
Where: From local network
Solution Status: Vendor Patch
Software: Symantec Enterprise Security Manager 5.x, Symantec Enterprise Security Manager 6.x
Description: A vulnerability has been reported in Symantec Enterprise Security Manager (ESM), which can be exploited by malicious people to compromise a vulnerable system.
The problem is that the ESM agent remote upgrade interface does not authenticate the source of remote upgrade requests. This can be exploited to e.g. deploy a malicious program to a vulnerable system via a specially crafted ESM remote upgrade request.
All versions of ESM are reportedly affected, except ESM agents running on the following platforms, since they do not support remote upgrade:
* NetWare 6.0
* NetWare 6.5
* OS/400 V5R2
* OS/400 V5R3
* OpenVMS AXP 7.2
* OpenVMS AXP 7.3
Solution: Apply patches.
http://securityresponse.symantec.com/avcenter/security/Content/2007.04.05b.html
Provided and/or discovered by:
Reported by the vendor.
Original Advisory:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2007.04.05d.html
Labels: Anti-Virus, Vulnerability
April 5, 2007
CVE ID:
CVE-2007-0445
Affected Vendor:
Kaspersky
Affected Products:
Anti-Virus 6.0
Internet Security 6.0
Anti-Virus for Workstation
File Server version 6.0
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Kaspersky Anti-Virus Engine. User interaction is not required to exploit this vulnerability.
The specific flaw exists in the engine's handling of the ARJ archive format. The Kaspersky engine copies data from scanned archives into an unchecked heap-based buffer. This results in heap corruption when a malformed ARJ archive is processed by an application that utilizes the engine. This corruption can be exploited to execute arbitrary code.
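The C parser below is an added example and is not Kaspersky's engine code. The ARJ framing it relies on (a 0x60 0xEA header id, a little-endian basic header size with a 2600-byte maximum, the basic header whose first byte is first_hdr_size, then a 4-byte header CRC) is taken from the public ARJ format description and is an assumption as far as this page is concerned. It shows the check the advisory says was missing: the size field read from the file is validated against the format maximum and against the bytes actually received before anything is copied into the fixed-size destination.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ARJ framing per the public ARJ technical note (assumed layout). */
#define ARJ_ID0 0x60
#define ARJ_ID1 0xEA
#define ARJ_BASIC_HEADER_MAX 2600   /* format maximum for basic_header_size */

typedef struct {
    uint16_t basic_size;
    uint8_t  first_hdr_size;
    uint8_t  basic[ARJ_BASIC_HEADER_MAX];   /* fixed-size destination buffer */
} arj_header;

/* The flawed shape the advisory describes is "copy basic_size bytes into a
 * fixed buffer" with basic_size taken straight from the file. Here the copy is
 * guarded by checking the field against both the format maximum and the bytes
 * present, so a malformed size can neither overrun `basic` nor over-read buf.
 * Returns the number of bytes consumed, or 0 when the header is rejected. */
size_t arj_read_header(const uint8_t *buf, size_t len, arj_header *out) {
    if (buf == NULL || out == NULL || len < 4) return 0;
    if (buf[0] != ARJ_ID0 || buf[1] != ARJ_ID1) return 0;
    uint16_t basic_size = (uint16_t)(buf[2] | (buf[3] << 8));
    if (basic_size == 0) return 0;                      /* end-of-archive marker, not a header */
    if (basic_size > ARJ_BASIC_HEADER_MAX) return 0;    /* exceeds the format maximum */
    if (len - 4 < (size_t)basic_size + 4) return 0;     /* header + CRC not fully present */
    uint8_t first_hdr_size = buf[4];
    if (first_hdr_size == 0 || first_hdr_size > basic_size) return 0;  /* inner size must fit */
    out->basic_size = basic_size;
    out->first_hdr_size = first_hdr_size;
    memcpy(out->basic, buf + 4, basic_size);            /* bounded: basic_size <= 2600 */
    return 4u + basic_size + 4u;                        /* id + size field + header + CRC */
}

/* Constructed well-formed sample: a 34-byte basic header followed by a CRC. */
size_t demo_well_formed(void) {
    uint8_t sample[4 + 34 + 4] = {ARJ_ID0, ARJ_ID1, 34, 0, 34};
    arj_header h;
    return arj_read_header(sample, sizeof sample, &h);  /* 42 */
}

/* Constructed malformed sample: the size field claims 0xFFFF bytes. */
size_t demo_oversized(void) {
    uint8_t sample[64] = {ARJ_ID0, ARJ_ID1, 0xFF, 0xFF, 34};
    arj_header h;
    return arj_read_header(sample, sizeof sample, &h);  /* 0 */
}

/* Constructed truncated sample: the size field says 100 but only 20 bytes follow. */
size_t demo_truncated(void) {
    uint8_t sample[24] = {ARJ_ID0, ARJ_ID1, 100, 0, 30};
    arj_header h;
    return arj_read_header(sample, sizeof sample, &h);  /* 0 */
}
```

The two size checks are independent: the maximum protects the destination buffer, the comparison with `len` protects the source. A scanner that only enforces one of them still has a memory-safety bug on the other side.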
Vendor Response:
Kaspersky has issued an update to correct this vulnerability. More details can be found at:
http://www.kaspersky.com/technews?id=203038693
http://www.kaspersky.com/technews?id=203038694
Disclosure Timeline:
2006.11.09 - Vulnerability reported to vendor
2006.12.12 - Digital Vaccine released to TippingPoint customers
2007.04.05 - Coordinated public release of advisory
Credit:
This vulnerability was discovered by an anonymous researcher.
About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
Labels: Anti-Virus, Vulnerability
I. BACKGROUND
Kaspersky AntiVirus offers comprehensive protection from computer viruses and malware threats. More information can be found on the vendor's site at the following URL.
http://usa.kaspersky-labs.com/products/anti-virus.php
II. DESCRIPTION
Remote exploitation of an information disclosure vulnerability in Kaspersky AntiVirus 6 could allow malicious websites to steal files off of a user's machine.
The vulnerability specifically lies within the following ActiveX Control:
ProgID: KL.SysInfo
Clsid: BA61606B-258C-4021-AD27-E07A3F3B91DB
File: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\AxKLSysInfo.dll
Version: 5.0.5.0
This control includes a method called "StartUploading" which allows malicious web scripts to perform an anonymous FTP transfer of any file they specify off of the victim's machine.
III. ANALYSIS
Exploitation of this vulnerability allows attackers to steal files from a victim's computer.
This vulnerability can be triggered by a malicious website. Users would be required to have a vulnerable version of the target software installed and be lured to a malicious site.
No dialog, warning or user action is required to perform the transfer.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in version 6.0 of Kaspersky AntiVirus.
V. WORKAROUND
Setting the kill-bit for the target ActiveX control will prevent exploitation via Internet Explorer.
VI. VENDOR RESPONSE
Kaspersky has addressed this vulnerability by removing the vulnerable libraries upon installation of Maintenance Pack 2. More information is available from the vendor's advisory at the following URL.
http://www.kaspersky.com/technews?id=203038694
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
12/12/2006 Initial vendor notification
12/12/2006 Initial vendor response
04/04/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Peter Vreugdenhil.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense.
Labels: Anti-Virus, Vulnerability
Mar 19 2007 10:41AM
dh layereddefense com
=================================================
Layered Defense Research Advisory 18 March 2007
=================================================
1) Affected Software
F-Secure Anti-Virus Client Security Version 6.02
=================================================
2) Severity Rating:
Low risk
Impact: Local read/write of arbitrary memory, denial of service.
=================================================
3) Description of Vulnerability
A format string vulnerability was discovered within F-Secure Anti-Virus Client Security Version 6.02. The vulnerability is due to improper processing of format strings when handling the Management Server name field. When specially crafted format strings are entered into the Management Server name field under Communication settings, an attacker can read/write arbitrary memory and at a minimum can cause a denial of service condition.
=================================================
4) Solution
Fix: http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-cs-hotfixes.shtml
=================================================
5) Time Table:
11/20/2006 Reported Vulnerability to Vendor.
11/29/2007 Vendor acknowledged the vulnerability
03/01/2007 Vendor published hot fix
=================================================
6) Credits
Discovered by Deral Heiland, www.LayeredDefense.com
=================================================
7) Reference
=================================================
8) About Layered Defense
Layered Defense is a group of security professionals that work together on ethical research, testing and training within the information security arena. http://www.layereddefense.com
=================================================
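As an added example, not F-Secure's code, the C functions below show the two defensive sides of a format-string bug in a settings field such as the Management Server name: the formatter keeps its format string a literal and passes the field as a %s argument, so "%n" in the data is inert text, and a validator refuses values that are not plausible host names before they are stored at all. The accepted character set is an assumed policy.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The field is a host name, so only letters, digits, '.', '-' and '_' are
 * accepted (assumed policy); '%' and control characters are refused outright. */
bool validate_server_name(const char *name) {
    if (name == NULL) return false;
    size_t len = strlen(name);
    if (len == 0 || len > 253) return false;          /* DNS name length limit */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
        if (!ok) return false;
    }
    return true;
}

/* The flawed shape the advisory describes passes the field where a format
 * string belongs, e.g. printf(server_name); a value such as "%n%x%s" then
 * drives reads and writes through the formatter. The fix keeps the format
 * string a literal and passes the field as a %s argument. Returns the number
 * of characters written, or -1 on an encoding error or truncation. */
int format_server_line(const char *server_name, char *out, size_t out_len) {
    int n = snprintf(out, out_len, "Management Server: %s", server_name);
    if (n < 0 || (size_t)n >= out_len) return -1;
    return n;
}

/* Demo: directives inside the data survive as literal text. Returns true when
 * the formatted line is exactly the expected string. */
bool demo_percent_is_literal(void) {
    char line[64];
    const char *hostile = "%n%n%x";                   /* constructed input */
    return format_server_line(hostile, line, sizeof line) == 25 &&
           strcmp(line, "Management Server: %n%n%x") == 0;
}

/* Demo: a destination that is too small is reported, not overrun. */
int demo_small_buffer(void) {
    char tiny[8];
    return format_server_line("host", tiny, sizeof tiny);   /* -1 */
}
```

The validator is the cheaper fix to deploy in a settings dialog, but it does not replace the literal format string: any other code path that later logs or displays the same field is safe only if it, too, passes the value as an argument.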
Labels: Anti-Virus, Microsoft, Vulnerability
Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability
I. BACKGROUND
Trend Micro AntiVirus is a virus-scanning engine included in a wide array of products by Trend Micro. Several examples of vulnerable products include PC-cillin and Internet Security Suite.
http://www.trendmicro.com/en/home/us/home.htm
II. DESCRIPTION
Remote exploitation of a divide by zero error in Trend Micro AntiVirus may allow attackers to cause a denial of service.
The vulnerability exists in the kernel driver, VsapiNT.sys. This driver is responsible for scanning various file formats for malicious content. The code that parses UPX files takes an integer value from an attacker supplied file and uses it as a divisor. This results in a divide by zero error in kernel mode. This causes a kernel fault resulting in a blue screen of death (BSOD).
III. ANALYSIS
Exploitation of this vulnerability results not only in a DoS of the Trend Micro process, but in an operating system crash.
There are several different attack vectors depending on which product is being targeted. Someone targeting a home user would need to convince a user to download a file from a website or an attachment from an email message. The user would then need to manually scan this file or save it and have the Trend Micro auto scan process scan it at some later time. If instead a mail gateway is being targeted this vulnerability can be exploited automatically by sending a malicious attachment through a gateway that uses Trend Micro to scan content.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Trend Micro AntiVirus version 14.10.1041, engine version 8.320.1003. Previous versions may also be affected.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
"To address this vulnerability, Trend Micro recommends customers to update to Virus Pattern File 4.335.00 or higher."
For more information, consult the Trend Micro Knowledge Base article at the link shown below.
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
02/27/2007 Initial vendor notification
02/27/2007 Initial vendor response
03/14/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Labels: Advisory, Anti-Virus, Microsoft, Vulnerability
Name Troj/Psychwa-S
Type Trojan
Affected operating systems Windows
Troj/Psychwa-S is a Trojan for the Windows platform.
Troj/Psychwa-S includes functionality to access the internet and communicate with a remote server via HTTP.
Labels: Anti-Virus, Microsoft, Trojan
Malware type: JavaScript
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003, Mac OS X
Encrypted: No
Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: Low
Size of malware: 5,609 Bytes
Initial samples received on: Mar 16, 2007
Related to: TROJ_DLOADER.JHV
Payload 1: Steals information
Details:
This malicious JavaScript may be dropped by another malware. It may also be downloaded from the Internet, particularly by the malware TROJ_DLOADER.JHV.
It is used to steal information, such as login credentials, used in MySpace accounts. MySpace (www.myspace.com) is a popular social networking Web site that hosts profiles of users from all around the world.
This JavaScript uploads the stolen information to the URL http://BLOCKED}ofileawareness.com/logs4/connect.php. As a result, remote users may view and use the uploaded information for malicious purposes.
It runs on Mac OS X, Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis By: Carlo Panganiban
Labels: Anti-Virus, http, Microsoft, Trojan
Name Troj/Singu-AQ
Type Spyware Trojan
Affected operating systems Windows
Side effects Steals information, Records keystrokes, Installs itself in the Registry, Installs a browser helper object
Troj/Singu-AQ is a password-stealing Trojan for the Windows platform.
When first run, Troj/Singu-AQ copies itself to \gdien32.exe and creates the following files:
\lmrtend.dll
\shlapi.dll
lmrtend.dll is also detected as Troj/Singu-AQ
shlapi.dll contains logged keypresses
The Trojan creates the following registry entries in order to be run automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
gdien32
\gdien32.exe
lmrtend.dll is installed as a BHO (browser helper object).
Labels: Anti-Virus, Microsoft, Virus
As with any new Microsoft product, OneCare Anti-virus has problems. However the competition should not take this to mean that they can rest easy. Microsoft has the staying power and determination to develop their products into world beaters. Once MS has come into a market they will keep spending money until they dominate it.
Best quotes from this article:
"Usually Microsoft doesn't develop products, we buy products. It's not a bad product, but bits and pieces are missing,"
"OneCare is a new product — they shouldn't have rolled it out when they did, but they're fixing the problems now,"
"Microsoft is not a security company. Security is important, but it's just a little part of Microsoft,"
Ouch.
===================================
Microsoft: OneCare should not have been rolled out
Tom Espiner, ZDNet UK
Published: 16 Mar 2007 13:03 GMT
Microsoft has said that its OneCare security suite has "a problem" with the underlying antivirus code, and admitted that security is just "a little part of Microsoft".
Speaking to ZDNet UK exclusively at the CeBIT show in Hanover, a senior manager for the software giant said that its consumer security product is far from perfect and that pieces are actually "missing".
OneCare has been dogged by controversy since its launch last May. Signs that the software was not up to scratch came earlier this month when OneCare failed to achieve certification in an independent test of security products. Shortly before that, it emerged that the product did not sufficiently protect users of Microsoft's Vista operating system against malware.
But the latest and most serious problems arose in March this year after the product mistakenly quarantined and even deleted Outlook and Outlook Express files for the second time.
Microsoft apologised for the problems and has issued an update that has now been automatically pushed out to OneCare customers, to halt the false positive identification as malware of Outlook .pst and Outlook Express .dbx files.
Asked about these problems, Arno Edelmann, Microsoft's European business security product manager, told ZDNet UK on Thursday that the code itself has pieces missing.
"Usually Microsoft doesn't develop products, we buy products. It's not a bad product, but bits and pieces are missing," said Edelmann.
The problem lies with a core technology of OneCare, the GeCAD antivirus code, and how it interacts with Microsoft mailservers. According to Edelmann, the Microsoft updates and mailserver infrastructure do not harmonise.
"It's a problem with the updates, and it's a problem with the implementation," said Edelmann.
If mail is received from a server running Exchange 2007, users are unlikely to encounter problems. However, if mail is received from servers running Exchange 2000 or 2003, the likelihood of quarantining is high, said Edelmann.
"OneCare is a new product — they shouldn't have rolled it out when they did, but they're fixing the problems now," said Edelmann.
According to the security manager, security is only a small part of what Microsoft does, suggesting it does not have as much security expertise as established security vendors.
"Microsoft is not a security company. Security is important, but it's just a little part of Microsoft," said Edelmann.
Security vendor Kaspersky said that it was not acceptable for two Microsoft products — such as OneCare and Exchange 2007 — to be incompatible, especially as Microsoft has market dominance.
"Microsoft, welcome to our business," said Eugene Kaspersky, the founder of the company. "All in all it's a bad thing. It's not acceptable for Microsoft products to do that. Microsoft dominates the market. If they do that it creates a big noise, many affected people, and happy lawyers."
This is not the first time Microsoft has had a problem with OneCare and Outlook. In January OneCare also erroneously quarantined Outlook files. However, Kaspersky said that although the problems then and now were the same, the cause of the problems in January was different.
"They fixed the first false positive, and now they have the next one," said Kaspersky.
Kaspersky said that false positives are not just a problem for Microsoft, but for the whole antivirus industry. He said that about 1 percent of Kaspersky records were false positives, but they were almost totally stopped by the company's test robots. He added, however, that sometimes false positives are released by Kaspersky.
Microsoft purchased the Romanian GeCAD company in 2003.
Labels: Anti-Virus, Microsoft, News Article
hi full-disclosure,
McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities
by cocoruder of FSRT(Fortinet Security Research Team)
hfli_at_fortinet.com
Summary:
Multiple remote buffer overflow vulnerabilities exist in the ActiveX Control named "SiteManager.Dll" of McAfee ePolicy Orchestrator. A remote attacker who successfully exploits these vulnerabilities can completely take control of the affected system.
Affected Software Versions:
McAfee ePolicy Orchestrator 3.6.1
McAfee ePolicy Orchestrator 3.5 patch 6
Details:
1. Function "ExportSiteList()" educed by "SiteManager.dll" stack overflow.
InprocServer32: SiteManager.dll
ClassID : 4124FDF6-B540-44C5-96B4-A380CEE9826A
ProgID : SiteManager.SiteMgr.1
Function Name : ExportSiteList
When we set the parameter of "ExportSiteList" to a long string, this will cause a stack-based overflow. The following is the related code:
(SiteManager.dll,version=3.6.1.166)
.text:5262B1DE ; func_ExportSiteList
.text:5262B1DE ; Attributes: bp-based frame
.text:5262B1DE
.text:5262B1DE ; int __stdcall sub_5262B1DE(int,wchar_t *,int)
.text:5262B1DE sub_5262B1DE proc near ; DATA XREF: .rdata:5265B504o
.text:5262B1DE ; .rdata:5265B614o
.text:5262B1DE
.text:5262B1DE var_414 = word ptr -414h
.text:5262B1DE var_20E = word ptr -20Eh
.text:5262B1DE var_20C = word ptr -20Ch
.text:5262B1DE var_4 = dword ptr -4
.text:5262B1DE arg_0 = dword ptr 8
.text:5262B1DE arg_4 = dword ptr 0Ch
.text:5262B1DE arg_8 = dword ptr 10h
.text:5262B1DE
.text:5262B1DE push ebp
.text:5262B1DF mov ebp, esp
.text:5262B1E1 sub esp, 414h
.text:5262B1E7 mov eax, dword_52670218 ; set stack cookie
.text:5262B1EC push esi
.text:5262B1ED push [ebp+arg_4] ; lpSrcBuff
.text:5262B1F0 mov [ebp+var_4], eax
.text:5262B1F3 lea eax, [ebp+var_20C]
.text:5262B1F9 push eax ; lpDestBuff
.text:5262B1FA call ds:wcscpy ; stack overflow
2. Moreover, we think that the following "swprintf" function also carries out the copy action without attestation, as follows:
.text:5262B257 push ebx
.text:5262B258 push edi
.text:5262B259 mov edi, offset aSitelist_xml ; "SiteList.xml"
.text:5262B25E push edi
.text:5262B25F lea eax, [ebp+var_20C]
.text:5262B265 push eax
.text:5262B266 lea eax, [ebp+var_414]
.text:5262B26C push offset aSS_0 ; "%s\\%s"
.text:5262B271 push eax ; lpSrcBuff
.text:5262B272 call ds:swprintf ; stack overflow
3. Function "VerifyPackageCatalog()" educed by "SiteManager.dll" stack overflow.
InprocServer32: SiteManager.dll
ClassID : 4124FDF6-B540-44C5-96B4-A380CEE9826A
ProgID : SiteManager.SiteMgr.1
Function Name : VerifyPackageCatalog
When we set the parameter of "VerifyPackageCatalog" to a long string, this will cause a stack-based overflow. The following is the related code:
(SiteManager.dll,version=3.6.1.166)
part1:
.text:5262CFAC func_VerifyPackageCatalog proc near
.text:5262CFAC
.text:5262CFAC mov eax, offset loc_52649F86
.text:5262CFB1 call __EH_prolog
...
.text:5262D00C lea eax, [ebp-28h]
.text:5262D00F push eax
.text:5262D010 push ebx
.text:5262D011 push esi
.text:5262D012 push offset loc_5263AD1A
.text:5262D017 push ebx
.text:5262D018 push ebx
.text:5262D019 call ds:_beginthreadex
part2:
.text:5263AD1A mov eax, offset loc_5264B221
.text:5263AD1F call __EH_prolog
.text:52637229 push ecx
.text:5263722A mov eax, 1774h
.text:5263722F call __alloca_probe ; int
.text:52637234 mov eax, dword_52670218
.text:52637239 mov [ebp-14h], eax ; set stack-cookie
...
.text:5263AD9A lea ecx, [ebp-23Ch]
.text:5263ADA0 push ecx
.text:5263ADA1 push eax
.text:5263ADA2 mov ecx, edi
.text:5263ADA4 call sub_5263721F
|
|_____ .text:5263721F mov eax, offset loc_5264AD1C
.text:52637224 call __EH_prolog
...
.text:5263731A push dword ptr [ebp+8] ; lpSrcBuff,"AAA..."
.text:5263731D lea eax, [ebp-62Ch]
.text:52637323 push eax ; lpDestBuff
.text:52637324 call ds:wcscpy ; stack overflow
Solution:
McAfee has released two patches and advisories which are available on:
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612495
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496
Disclosure Timeline:
2006.12.19 Submitted vul1 and vul2 via security-alerts at mcafee.com
2006.12.19 Vendor responded
2006.12.30 Submitted vul3 via security-alerts at mcafee.com
2006.12.30 Vendor responded
2007.03.12 Vendor noticed that patches had been completely developed
2007.03.13 Coordinated public disclosure
Disclaimer:
Although Fortinet has attempted to provide accurate information in
these materials, Fortinet assumes no legal responsibility for the
accuracy or completeness of the information. More specific information
is available on request from Fortinet. Please note that Fortinet's
product information does not constitute or contain any guarantee,
warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.
Fortinet Security Research
secresearch at fortinet.com
http://www.fortinet.com
Best Regards,
hfli
hfli at fortinet.com
2007-03-14
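Added example, not McAfee's SiteManager.dll code: the C function below is a bounded replacement for the wcscpy/swprintf pair in the listings above, building "<dir>\SiteList.xml" only when the result fits and refusing it otherwise. The 260-character buffer size is inferred from the frame layout in the first listing (0x208 bytes between var_414 and var_20C is consistent with two MAX_PATH-sized wide-character buffers); the format uses %ls so it compiles the same on MSVC and glibc.

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

/* 260 wide characters; inferred from the listing's frame layout, not documented. */
#define SITE_PATH_CHARS 260

/* Bounded length scan: a string with no terminator inside the limit is
 * reported as too long rather than read past the limit. */
static size_t bounded_wlen(const wchar_t *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != L'\0') n++;
    return n;
}

/* Hardened equivalent of the wcscpy + swprintf pair: wcscpy(dest, arg) and
 * swprintf(dest, "%s\\%s", arg, "SiteList.xml") have no notion of the
 * destination size, so a long method argument overruns the stack frame. This
 * version checks every length against its destination first. */
bool build_site_list_path(const wchar_t *dir, wchar_t *out, size_t out_chars) {
    static const wchar_t suffix[] = L"\\SiteList.xml";
    const size_t suffix_len = sizeof suffix / sizeof suffix[0] - 1;
    if (dir == NULL || out == NULL || out_chars == 0) return false;
    size_t dir_len = bounded_wlen(dir, SITE_PATH_CHARS);
    if (dir_len == SITE_PATH_CHARS) return false;        /* no terminator within the limit */
    if (dir_len + suffix_len + 1 > out_chars) return false;
    wchar_t local[SITE_PATH_CHARS];                       /* the listing's first buffer */
    wmemcpy(local, dir, dir_len);                         /* bounded copy, not wcscpy */
    local[dir_len] = L'\0';
    int n = swprintf(out, out_chars, L"%ls%ls", local, suffix);
    return n >= 0 && (size_t)n == dir_len + suffix_len;
}

/* Demo: a short directory produces the expected path. */
bool demo_short_dir(void) {
    wchar_t out[SITE_PATH_CHARS];
    return build_site_list_path(L"C:\\ePO\\Sites", out, SITE_PATH_CHARS) &&
           wcscmp(out, L"C:\\ePO\\Sites\\SiteList.xml") == 0;
}

/* Demo: a 300-character directory (constructed) is refused instead of overflowing. */
bool demo_long_dir_refused(void) {
    wchar_t dir[301];
    for (size_t i = 0; i < 300; i++) dir[i] = L'A';
    dir[300] = L'\0';
    wchar_t out[SITE_PATH_CHARS];
    return build_site_list_path(dir, out, SITE_PATH_CHARS) == false;
}
```

The stack cookie visible in the listing (dword_52670218 stored at var_4) only detects the overrun after the copy has happened; the length checks above are what keep the copy from happening in the first place.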
Labels: Anti-Virus, Exploit, Vulnerability
W32.Fujacks.BH W32/Catcher-A
Discovered: March 14, 2007
Also Known As: W32/Fujacks.z [McAfee], W32/Fujacks.dll [McAfee]
Type: Virus, Worm
Infection Length: 80,384 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Once executed, the worm copies itself as the following files:
%System%\[RANDOM].dll
%System%\[RANDOM].exe
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}\"StubPath" = "%System%\[RANDOM].exe"
The worm injects itself into the following processes:
Explorer.exe
Services.exe
Winlogon.exe
The worm attempts to download a file from the following URL:
[http://]www.lovesa.info/logo[REMOVED]
Note: At the time of writing, the file was unavailable.
The worm scans the compromised computer and prepends itself to .exe and .scr files. It avoids infecting files located in the following folders:
ComPlus Applications
Common Files
Delphi
Internet Explorer
Messenger
Microsoft Frontpage
Movie Maker
NetMeeting
Online Services
Outlook Express
RECYCLER
System Volume Information
System32
Temp
WINNT
WIndows Media Player
WIndows NT
WinRAR
Windows
Note: Executable files increase in size by 80,384 bytes.
The worm also appends a reference to the domain www.lovesa.info into all files it finds with the following extensions:
.asa
.asp
.aspx
.bat
.cdx
.cer
.css
.htm
.html
.inc
.jsp
.php
Uses the following list of passwords in an attempt to copy itself to available network shares:
000000
00000000
1
110
111
111111
11111111
12
120
121212
123
123123
123321
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
2000
2004
2005
2006
2007
2008
2k
321
4321
5021314
520
5201314
520520
54321
654321
88888
88888888
999999
Admin
Administrator
Password
Root
abc
abc123
abcd
abcd123
admin
admin123
administrator
adsl
asdf
asdf123
bye
byebye
cctv
china
computer
data
database
date
enable
foobar
fuck
fuckyou
ghost
god
godblessyou
goodbye
guest
guest123
guest321
hao123
happy
home
ihavenopass
iloveyou
internet
japan
kaonima
live
login
love
loveyou
mylove
mypass
mypass123
no
oracle
pass
passwd
password
pwd
qq
qwer
root
sa
server
sex
super
sybase
temp
temp123
test
test123
user
users
wangba
window
windows
windows2000
windows2003
windowsxp.
xp
xxx
yxcv
zxcv
The worm then attempts to copy itself as one of the following filenames:
FuckJacks.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe
c0nime.exe
iexpl0re.exe
nvscv32.exe
spoclsv.exe
svch0st.exe
Threat Assessment
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Moderate
Damage
Damage Level: Medium
Payload: Infects various files.
Distribution
Distribution Level: Medium
Shared Drives: Copies itself to network shares.
Writeup By: Jeong Mun
Labels: Anti-Virus, Microsoft, Worm
Win32/Nirbot Family
Threat Assessment
Overall Risk: Low
Wild: Low
Destructiveness: Medium
Pervasiveness: Medium
Characteristics
Type: Worm
Category: Win32
Also known as
W32/Delbot (Sophos),
W32.Rinbot (Symantec), Backdoor.Win32.VanBot (Kaspersky)
Description Win32/Nirbot is a family of IRC-controlled backdoors that can be used to gain unauthorized access to a victim's machine. They can also exhibit worm-like functionality by exploiting many different software vulnerabilities, including SYM06-010 and MS06-040.
Method of Infection When executed, Win32/Nirbot copies itself to the %System% directory using filenames such as:
arman.exe
atievx.exe
crcss.exe
lemsrv.exe
msync.exe
navscnr.exe
netadp.exe
prevx.exe
rinsv.exe
symmec.exe
It then makes the following registry modification to ensure this copy is executed at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[value name] = "[path to the worm copy]"
where [value name] differs depending on the variant, for example:
ATI Active Graphics Card Monitor
JW Manager
LEMSRV
Network Bridge
Random Interface Network Manager
Symmetrical Network
Syncronization
Nirbot continuously checks for and sets the above registry entry.
The worm also creates a mutex to avoid running multiple instances of itself.
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.
Method of Distribution
Via Exploit
Win32/Nirbot spreads by exploiting a number of vulnerabilities in Windows operating systems and third party applications. Nirbot's spreading routine starts with scanning for vulnerable target machines. The worm can generate random values for all or part of each IP address it targets.
Nirbot variants can spread by exploiting the following vulnerabilities:
Symantec Client Security and Symantec AntiVirus Elevation of Privilege (SYM06-010)
The worm opens a configurable port on the compromised machine and runs a TFTP server. The worm probes remote machines on port 2967 to determine if they are prone to the SYM06-010 vulnerability. If successful, the worm executes a small amount of code on the target machine that instructs it to connect back to the running TFTP server and retrieve a copy of the worm.
For more information on this vulnerability, please visit the following:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2630
Microsoft Windows Server service buffer overflow vulnerability (TCP port 139)
The worm creates an HTTP server on the system on a random port. The worm also checks if the IP address of the local machine partially matches a list of IPs contained in its code, for example:
192.168.*.*
10.*.*.*
111.*.*.*
15.*.*.*
16.*.*.*
101.*.*.*
110.*.*.*
112.*.*.*
170.65.*.*
If the IP does not match, the worm instructs the machine vulnerable to this exploit to connect back to the HTTP server running on the system and retrieve a copy of the worm. If the IPs do match, the worm executes a small amount of code on the targeted machine that instructs it to download a copy of the worm from a specific domain. The following is a list of domains and IPs that Nirbot variants have been observed to download from:
66.29.116.82
58.20.109.39
digiflex.info
t3arj3rk.com
sw1tchbck.net
pennysheet.com
jimmybuttons.com
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34486
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities (TCP port 135)
If the worm finds a machine vulnerable to this exploit, it executes a small amount of code on the targeted machine that instructs it to retrieve a copy of the worm. This is also done through a TFTP server the worm creates on the compromised system on a configurable port.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=25975
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Exploiting weak passwords on MS SQL servers, including the Microsoft SQL Server Desktop Engine blank 'sa' password vulnerability (TCP port 1433)
If Win32/Nirbot finds an exploitable machine, it attempts to log into SQL server accounts 'sa', 'root' and 'admin'. It attempts to authenticate these accounts using several passwords stored in its code. If the worm successfully logs into an account, it sends code to the remote machine instructing it to retrieve a copy of itself.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=5705
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321081
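Added detection example, not part of Microsoft's write-up: the C code below runs over a few constructed firewall log lines and flags a source that fans out to many distinct hosts on the ports the write-up lists (2967, 139, 135 and 1433), which is what the scan phase described above looks like from a network device. The log line format, the table sizes and the alert threshold are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Ports the write-up names for Nirbot's probes: 2967 (SYM06-010), 139 (Server
 * service, MS06-040), 135 (RPCSS/DCOM, MS03-039), 1433 (MS SQL). */
static const int PROBE_PORTS[] = {2967, 139, 135, 1433};

#define MAX_SOURCES 32
#define MAX_TARGETS 64
#define ADDR_LEN 16

typedef struct {
    char src[ADDR_LEN];
    char dst[MAX_TARGETS][ADDR_LEN];   /* distinct destinations seen on probe ports */
    int  ndst;
} source_stats;

static bool is_probe_port(int port) {
    for (size_t i = 0; i < sizeof PROBE_PORTS / sizeof PROBE_PORTS[0]; i++)
        if (PROBE_PORTS[i] == port) return true;
    return false;
}

/* Parses one constructed firewall line of the form
 * "src=10.0.0.5 dst=10.0.1.9 dport=2967 action=deny" (assumed format). */
static bool parse_line(const char *line, char *src, char *dst, int *dport) {
    return sscanf(line, "src=%15s dst=%15s dport=%d", src, dst, dport) == 3;
}

static source_stats *find_or_add(source_stats *table, int *count, const char *src) {
    for (int i = 0; i < *count; i++)
        if (strcmp(table[i].src, src) == 0) return &table[i];
    if (*count >= MAX_SOURCES) return NULL;
    source_stats *s = &table[(*count)++];
    memset(s, 0, sizeof *s);
    strncpy(s->src, src, ADDR_LEN - 1);
    return s;
}

static void add_target(source_stats *s, const char *dst) {
    for (int i = 0; i < s->ndst; i++)
        if (strcmp(s->dst[i], dst) == 0) return;     /* already counted */
    if (s->ndst < MAX_TARGETS) strncpy(s->dst[s->ndst++], dst, ADDR_LEN - 1);
}

/* Counts sources that reached at least `threshold` distinct destinations on
 * probe ports. A workstation normally talks to one or two such services; a
 * host fanning out across a subnet on these ports is sweeping for targets. */
int count_scanning_sources(const char *const *lines, size_t nlines, int threshold) {
    source_stats table[MAX_SOURCES];
    int nsrc = 0;
    for (size_t i = 0; i < nlines; i++) {
        char src[ADDR_LEN], dst[ADDR_LEN];
        int dport;
        if (!parse_line(lines[i], src, dst, &dport) || !is_probe_port(dport)) continue;
        source_stats *s = find_or_add(table, &nsrc, src);
        if (s != NULL) add_target(s, dst);
    }
    int alerts = 0;
    for (int i = 0; i < nsrc; i++)
        if (table[i].ndst >= threshold) alerts++;
    return alerts;
}

/* Constructed sample: 10.0.0.5 sweeps five hosts on 2967/1433/135/139,
 * 10.0.0.8 talks to one SQL server repeatedly, 10.0.0.9 only browses the web. */
static const char *const SAMPLE_LINES[] = {
    "src=10.0.0.5 dst=10.0.1.1 dport=2967 action=deny",
    "src=10.0.0.5 dst=10.0.1.2 dport=2967 action=deny",
    "src=10.0.0.5 dst=10.0.1.3 dport=1433 action=deny",
    "src=10.0.0.5 dst=10.0.1.4 dport=135 action=deny",
    "src=10.0.0.5 dst=10.0.1.5 dport=139 action=deny",
    "src=10.0.0.5 dst=10.0.1.1 dport=1433 action=deny",
    "src=10.0.0.8 dst=10.0.2.20 dport=1433 action=allow",
    "src=10.0.0.8 dst=10.0.2.20 dport=1433 action=allow",
    "src=10.0.0.9 dst=10.0.3.1 dport=80 action=allow",
    "src=10.0.0.9 dst=10.0.3.2 dport=443 action=allow",
};

int demo_alert_count(int threshold) {
    return count_scanning_sources(SAMPLE_LINES,
                                  sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0], threshold);
}
```

With threshold 4 only 10.0.0.5 is reported; lowering it to 1 also reports the legitimate SQL client 10.0.0.8, which is why the threshold should be tuned against a site's normal fan-out on these ports rather than set to catch any single connection.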
Payload: Backdoor Functionality
Nirbot is an IRC-controlled backdoor. Variants of the worm usually attempt to connect to between two and four IRC servers before joining a specific channel. The following is a list of some known IRC servers Nirbot variants have attempted to connect to (generally on port 8080, although this differs between variants):
When the worm connects to one of these servers and joins a channel, it then has control of the compromised machine. Once the victim's computer is under control, the overseer is able to instruct Nirbot to attempt to perform malicious operations such as spreading.
Via its backdoor, the trojan can also be instructed to:
- Retrieve system information such as operating system details
- Download and execute files from the Internet
- Run a SOCKS proxy on the affected host
- Perform a Denial of Service attack
- Execute commands on the affected host
- Update itself
- Remove itself
- Steal CD keys
Payload: Downloads and Executes Arbitrary Files
When first run, some Nirbot variants download and execute a file. The file is downloaded from a specific domain and is usually executed from the C:\ directory. Downloaded files are usually Win32/Amahkey trojan variants - for example, Win32/Amahkey.F.
Analysis by Amir Fouda
Labels: Anti-Virus, Microsoft, Virus, Worm
Troj/IMspam-B is a Trojan for the Windows platform.
Name Troj/IMspam-B
Type Trojan
Affected operating systems Windows
Side effects Forges the sender's email address. Uses its own emailing engine. Downloads code from the internet
Troj/IMspam-B is a mass spamming tool that targets MSN Messenger, Windows Live Messenger, AOL Instant Messenger and email addresses.
When run Troj/IMspam-B closes all other instances of itself and removes all EXEs in the root folder of the C drive.
Sample text appears as:
"Heeey i saw a pic of u online HAHAHA check "
At the time of writing, the EXE downloaded from the malicious link is detected as W32/Delbot-U.
Labels: Anti-Virus, Microsoft, Trojan, Virus
An interesting article from the BBC; however, the author misses the easiest way, which is to stop using Windows. If you must use Windows, then it is possible to make Windows more secure than it is by default. This stops many malware attacks.
========================================================================
Staying safe without anti-virus By Mark Ward
Technology Correspondent, BBC News website
For a long time anti-virus software has been in the front line when it comes to stopping malicious programs infecting PCs.
But as the creators of viruses and other malicious programs adapt their methods to exploit the weaknesses of anti-virus software, some are looking to other methods to help them stay safe.
One such is Brent Rickels, the one-man IT department for the First National Bank of Bosque County in Texas, who has thrown out his anti-virus software and has a much quieter life as a result.
"I just wanted to be able to sleep at night," he said explaining the decision to stop using anti-virus.
"There had to be something better by now," Mr Rickels told the BBC News website. "Anti-virus is such a reactive model."
"The bad guys out there have copies of Symantec and Trend Micro and all of the anti-virus software and are using it to develop their stuff on and get their stuff past it," he said.
Game over
As its front line of defence the bank uses a so-called whitelist system that only lets a few programs run on every PC that bank staff use. Everything else, including viruses or malicious programs that try to strike via websites, is shut down before it can get a hold.
The bank has also imposed a 20 minute per day limit on the time staff can spend looking at non-work related websites.
"It seemed kind of restrictive at first but almost no one bumps up against it," said Mr Rickels.
Using the whitelist system, which the bank got from security firm Secure Wave, has stopped people falling victim to all kinds of malicious programs.
"It's a lot less work to me than making sure everyone has updated versions of the anti-virus," said Mr Rickels.
One type of application remains firmly on the banned list however - instant messaging.
"It just was not worth it," said Mr Rickels, "nobody has had a good case or need for that in our organisation."
Copy cats
For many, the problem with anti-virus programs is the fact that they need a sample of a virus to analyse before they can update systems to look out for the new threat.
The virus writers have adapted to this by cranking out hundreds of copies of their malicious programs in an attempt to overwhelm the anti-virus companies.
It can mean that anti-virus companies take time to spot all variants of a particular program, said Carl Woodward of Sanctuary Software. "Anti-virus programs are often signature based in which case you always have some kind of window," he said. "A huge number of people could be infected before the protection is rolled out."
Drawing on work he did for the government Mr Woodward has developed software that can "armour" commonly used programs and files.
Once armoured the programs and files are permanently quarantined. Although programs run as normal and files can be opened and edited they cannot be used as a launch pad to infect the rest of a machine.
Malicious hackers have responded to the success of anti-virus programs by turning to techniques that involve the creation of polymorphic viruses.
These programs change their configuration on a regular basis in a bid to fool anti-virus signatures that they are no longer malicious.
"We're seeing a lot of malware designed to outwit the signatures," said Tim Eades of Sana Security.
He said that many malicious hackers were updating viruses developed to attack Windows XP so they could infect Windows Vista.
In some respects, he said, the virus writers were like any other software vendor and had to "port" their products over to the new operating system.
In a bid to stay current with viruses, Mr Eades said Sana's software used heuristics or behavioural modelling to spot when a malicious program is trying to infect a machine.
The security software builds up knowledge about how a PC works so it can spot when a program is doing something it should not.
The whole thrust of this protection, he said, was about not relying on users who tended to be the weakest link.
"You cannot rely on users to make smart decisions," he said, "you have to make the software make smart decisions for them."
Labels: Anti-Virus, Microsoft
Name : Backdoor:W32/PcClient.YW
Alias: DR/PcClient.Gen, Trojan.Dropper.CI
Size: varies
Type: Backdoor
Category: Malware
Platform: W32
Date of Discovery: March 08, 2007
Summary
Backdoor:W32/PcClient.YW attempts to hide processes, files, and registry data. It allows the attacker to perform arbitrary actions on the infected machine. Backdoor:W32/PcClient.YW has rootkit functionality and steals sensitive information from an infected computer.
Disinfection
If the rootkit is not detected or it is hidden and FSAV cannot detect its file, it is still possible to detect the malicious activity by scanning the system with a generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found here:
http://www.f-secure.com/blacklight/
Detailed Description
Once Backdoor:W32/PcClient.YW has been executed, it drops its components in the following path and filename:
%programfiles%\internet explorer\connection wizard\zhyrikwo.dll - backdoor
%programfiles%\internet explorer\connection wizard\zhyrikwo.drv - keylogger
Note: the file size of zhyrikwo.dll might vary due to garbage code appended at the end of the file.
It will also drop the following driver that will communicate with the .dll files in order to hide the malware processes, registry entries and files:
%programfiles%\internet explorer\connection wizard\zhyrikwo.sys - rootkit
It modifies the following known registry entry as its autostart technique:
Data before:
[HKLM\SYSTEM\CurrentControlSet\Services\sens\Parameters]
ServiceDll = %sysdir%\sens.dll
Data after:
[HKLM\SYSTEM\CurrentControlSet\Services\sens\Parameters]
ServiceDll = %programfiles%\internet explorer\connection wizard\zhyrikwo.dll
The file zhyrikwo.dll intercepts any access to the original file, sens.dll, as a stealth mechanism, and after executing its malicious routines, transfers the correct parameters to sens.dll.
It also adds the following autostart registry entry for the driver:
[HKLM\System\ControlSet001\Services\zhyrikwo]
ImagePath= %programfiles%\internet explorer\connection wizard\zhyrikwo.sys
Note: This rootkit can be detected by F-Secure's BlackLight.
Part of its payload is that it logs all the keystrokes made by the user and sends this file to a remote hacker.
Another part of the payload is that it has a backdoor component. The backdoor routine is injected into svchost.exe, which is capable of doing the following:
updating itself, remote execution
This malware connects to the following site:
http://dynsev5299.2mydns.com/i[BLOCKED]x.asp
Detection
F-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version] Version = 2007-03-07_10.
Labels: Anti-Virus, Backdoor, Microsoft, Worm
Kaspersky AntiVirus UPX File Decompression DoS Vulnerability
I. BACKGROUND
Kaspersky Antivirus is a popular client and gateway virus scanner for Unix and Windows. UPX, the ultimate packer for executables, is a method for compressing executable files to reduce their size on disk. For more information, visit the vendor's site at the following URL.
http://www.kaspersky.com/
II. DESCRIPTION
Remote exploitation of a denial of service (DoS) vulnerability in Kaspersky Lab's Antivirus could allow an attacker to conduct a DoS attack on a targeted host.
The antivirus engine is vulnerable to a DoS condition when processing an executable packed with UPX compression. Malformed compressed data causes the decompression routine to enter an infinite loop. Specifically, a negative data offset results in the same compressed data chunk being processed endlessly.
III. ANALYSIS
Exploitation allows an attacker to conduct a DoS attack.
If this attack is conducted against an e-mail gateway running Kaspersky, legitimate clients may be unable to send e-mail through the server.
The infinite loop being executed consists of a short sequence of instructions, which results in maximum CPU usage. On a client desktop, the infinite loop will render the machine nearly unusable. On a server, it severely degrades the quality of service of other applications running.
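As an added illustration of the bug class described above (constructed demo code, not Kaspersky's engine and not the real UPX layout): a toy chunk walker that trusts a signed offset and so re-processes the same chunk forever, beside a hardened walker that requires forward progress, bounds-checks every chunk, and caps the iteration count. The chunk format, function names and error codes are assumptions made for this demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy chunk format, an assumption for this demo and not the real
 * UPX layout: each chunk is
 *     int32 payload_len | int32 next_gap | payload_len bytes of data
 * and the next chunk starts at (end of this chunk) + next_gap. Well-formed
 * streams use next_gap >= 0. The advisory's bug class is a signed offset
 * trusted as-is: a gap of -(8 + payload_len) lands on the current chunk
 * again, so the decompressor re-processes the same chunk forever. */
#define HDR_SIZE 8

enum {
    DEC_ERR_TRUNCATED   = -1,   /* header or payload runs past the buffer   */
    DEC_ERR_NO_PROGRESS = -2,   /* next chunk does not start after this one */
    DEC_ERR_TOO_MANY    = -3    /* more chunks than the buffer could hold   */
};

static int32_t rd_i32le(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Naive walker (the "before"): trusts next_gap. Returns the chunk count on a
 * well-formed stream; on a self-pointing gap it never returns and pins a
 * core at 100%, which is the denial of service. Trusted input only. */
int walk_chunks_naive(const uint8_t *buf, size_t len) {
    int64_t pos = 0;
    int chunks = 0;
    while (pos >= 0 && (uint64_t)pos + HDR_SIZE <= len) {
        int32_t payload_len = rd_i32le(buf + pos);
        int32_t next_gap    = rd_i32le(buf + pos + 4);
        chunks++;
        pos += (int64_t)HDR_SIZE + payload_len + next_gap;   /* may move backwards */
    }
    return chunks;
}

/* Hardened walker: each chunk must fit in the buffer, the next chunk must
 * start strictly after the current one, and the iteration count is capped
 * by the number of headers the buffer could physically hold. Returns the
 * chunk count or a DEC_ERR_* code. */
int walk_chunks_checked(const uint8_t *buf, size_t len) {
    int64_t pos = 0;
    int64_t max_chunks = (int64_t)(len / HDR_SIZE);
    int chunks = 0;
    while ((uint64_t)pos + HDR_SIZE <= len) {
        int32_t payload_len = rd_i32le(buf + pos);
        int32_t next_gap    = rd_i32le(buf + pos + 4);
        if (payload_len < 0 || (uint64_t)pos + HDR_SIZE + (uint64_t)payload_len > len)
            return DEC_ERR_TRUNCATED;
        int64_t next = pos + HDR_SIZE + payload_len + next_gap;
        if (next <= pos)           return DEC_ERR_NO_PROGRESS; /* zero or negative step */
        if (next > (int64_t)len)   return DEC_ERR_TRUNCATED;
        if (++chunks > max_chunks) return DEC_ERR_TOO_MANY;    /* defence in depth */
        pos = next;
    }
    return chunks;
}

/* Constructed sample streams. */
const uint8_t GOOD_STREAM[] = {
    3,0,0,0,  0,0,0,0,  'a','b','c',     /* chunk 0: 3 bytes, gap 0 */
    2,0,0,0,  0,0,0,0,  'd','e'          /* chunk 1: 2 bytes, gap 0 */
};
const uint8_t LOOPING_STREAM[] = {      /* gap -11 = -(8 + 3): points at itself */
    3,0,0,0,  0xF5,0xFF,0xFF,0xFF,  'a','b','c'
};
const uint8_t TRUNC_STREAM[] = { 100,0,0,0,  0,0,0,0 };   /* claims 100 bytes, has 0 */

int main(void) {
    printf("good stream, naive walker:   %d chunks\n", walk_chunks_naive(GOOD_STREAM, sizeof GOOD_STREAM));
    printf("good stream, checked walker: %d chunks\n", walk_chunks_checked(GOOD_STREAM, sizeof GOOD_STREAM));
    printf("self-pointing gap, checked:  %d (DEC_ERR_NO_PROGRESS)\n",
           walk_chunks_checked(LOOPING_STREAM, sizeof LOOPING_STREAM));
    printf("truncated payload, checked:  %d (DEC_ERR_TRUNCATED)\n",
           walk_chunks_checked(TRUNC_STREAM, sizeof TRUNC_STREAM));
    return 0;
}
```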
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Kaspersky Labs Antivirus Engine version 6.0.1.411 for Windows and 5.5-10 for Linux. Previous versions may also be affected. Any products that use the scanning engine are also affected, which includes the Kaspersky e-mail gateway scanner.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
Kaspersky Lab reports that it has fixed this vulnerability as of February 7th, 2007. In addition, they stated the following.
"There is no need to download any special patches. All installed Kaspersky Lab products are updated automatically through the regular signature-update functionality. There is no need to contact Kaspersky Lab to obtain this fix."
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
01/24/2007 Initial vendor notification
03/01/2007 Initial vendor response
03/02/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Labels: Advisory, Anti-Virus, Microsoft, Virus, Vulnerability
Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities February 20, 2007
CVE ID: CVE-2007-1070
Affected Vendor: Trend Micro
Affected Products:
ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62
TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since January 16, 2007 by a pre-existing Digital Vaccine protection filter ID 5101. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
Vulnerability Details: These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Trend Micro ServerProtect. Authentication is not required to exploit these vulnerabilities.
The specific flaws exist within the StCommon.dll library and are reachable remotely through a DCE/RPC endpoint on TCP port 5168 bound to by the service SpntSvc.exe. The RPC endpoint is exposed from TmRpcSrv.dll with the following IDL stub information:
// opcode: 0x00, address: 0x65741030
// uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c
// version: 1.0
error_status_t rpc_opnum_0 (
[in] handle_t arg_1,
[in] long trend_req_num,
[in][size_is(arg_4)] byte overflow_str[],
[in] long arg_4,
[out][size_is(arg_6)] byte arg_5[],
[in] long arg_6
);
The upper half of the 'trend_req_num' DWORD RPC argument from above is used within TmRpcSrv.dll as an index into a call table. It must specifically be 0x0003 which results in a call to StRpcSrv.65671000(). The original arguments to the RPC endpoint are then passed to this called routine:
657416E6 mov eax, opnum0_call_table[eax*4]
657416ED test eax, eax
657416EF jnz short loc_65741707
...
65741707 loc_65741707:
65741707 mov [ebp+var_4], 0
6574170E mov edx, [ebp+sizeof_arg5]
65741711 push edx
65741712 mov edx, [ebp+arg5_array]
65741715 push edx
65741716 mov edx, [ebp+sizeof_overflow_str]
65741719 push edx
6574171A mov edx, [ebp+overflow_str]
6574171D push edx
6574171E push ecx ; trend_req_num
6574171F call eax ; call handler
The lower half of the 'trend_req_num' DWORD RPC argument is then used within StRpcSrv.dll as an index into a second call table. The value of this lower half controls the code flow to the following vulnerabilities and is hereafter referred to as the 'subcode'.
Vulnerability One
A subcode value of 0x0004 results in a call to ENG_SetRealTimeScanConfigInfo() which subsequently calls through Eng50.61181940() -> Eng50.611819E0() -> Eng50.61190F60() and can result in a stack overflow due to an unbounded widechar string copy into a ~600 byte stack-based buffer as shown in the following relevant excerpt:
61190FC7 lea edx, [esp+288h+szShortPath]
61190FCB push esi
61190FCC push edx
61190FCD call _wcscpy
Vulnerability Two
A subcode value of 0x0047 results in a call to ENG_SendEMail() which can result in a stack overflow due to an unbounded widechar string copy into a ~2k stack-based buffer as shown in the following relevant excerpt:
6118A161 mov esi, [esp+780h+arg_0]
6118A168 lea eax, [esp+780h+var_778]
6118A16C push esi
6118A16D push eax
6118A16E call _wcscpy
The resulting stack overflows can be leveraged to execute arbitrary code under the privileges of the SYSTEM user.
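An added example, not Trend Micro's code: the unbounded wide-string copy the two excerpts show, placed beside a handler that validates the input against the size_is(arg_4) byte count the RPC runtime actually delivered before anything reaches the stack buffer. The 300 code unit destination, the helper names and the sample inputs are assumptions for this demo; Windows wchar_t is 16 bits, so the copy is modelled with uint16_t to stay portable.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The destination models the ~600 byte stack buffer (szShortPath in the
 * 0x288 frame) from the advisory; 300 UTF-16 code units is an assumed size
 * for this demo. uint16_t stands in for the 16-bit Windows wchar_t. */
#define SHORT_PATH_CHARS 300

enum {
    CPY_ERR_NEGATIVE = -1,  /* size_is(arg_4) is a signed long; reject < 0     */
    CPY_ERR_ODD      = -2,  /* byte count is not a whole number of code units */
    CPY_ERR_NO_NUL   = -3,  /* no terminator inside the declared length       */
    CPY_ERR_TOO_LONG = -4   /* would not fit the destination including NUL    */
};

static uint16_t rd_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern (the "before"): an unbounded wide copy, as wcscpy does.
 * It stops only at the first NUL, wherever that lies, and ignores both arg_4
 * and the size of dst. Shown for contrast; used here on well-formed input only. */
void copy_short_path_unbounded(uint16_t *dst, const uint16_t *src) {
    while ((*dst++ = *src++) != 0) { }
}

/* Hardened handler: validates against the byte count the RPC runtime
 * delivered (size_is(arg_4)) before the stack buffer is touched. Returns the
 * number of code units copied (without the NUL) or a CPY_ERR_* value. */
int copy_short_path_checked(uint16_t dst[SHORT_PATH_CHARS],
                            const uint8_t *overflow_str, int32_t arg_4) {
    if (arg_4 < 0)      return CPY_ERR_NEGATIVE;
    if (arg_4 % 2 != 0) return CPY_ERR_ODD;
    size_t units = (size_t)arg_4 / 2, n = 0;
    while (n < units && rd_u16le(overflow_str + 2 * n) != 0)  /* look for the NUL   */
        n++;                                                   /* within arg_4 only  */
    if (n == units)            return CPY_ERR_NO_NUL;
    if (n >= SHORT_PATH_CHARS) return CPY_ERR_TOO_LONG;        /* keep room for NUL  */
    for (size_t i = 0; i < n; i++)
        dst[i] = rd_u16le(overflow_str + 2 * i);
    dst[n] = 0;
    return (int)n;
}

/* Constructed sample inputs, laid out as the RPC runtime would deliver them
 * (UTF-16LE byte arrays). */
const uint8_t SAMPLE_OK[]     = { 'C',0, ':',0, '\\',0, 's',0, 'c',0, 'a',0, 'n',0, 0,0 };
const uint8_t SAMPLE_NO_NUL[] = { 'A',0, 'B',0, 'C',0, 'D',0 };

uint16_t demo_dst[SHORT_PATH_CHARS];   /* scratch destination for the demo */

/* Demo helper: a string of `units` 'A' code units plus a NUL, delivered with
 * an exact byte count, so the too-long path can be exercised. */
int check_run_of_a(size_t units) {
    static uint8_t in[2 * 2048];
    if (units + 1 > 2048) return CPY_ERR_TOO_LONG;   /* cap of the demo buffer */
    for (size_t i = 0; i < units; i++) { in[2 * i] = 'A'; in[2 * i + 1] = 0; }
    in[2 * units] = 0; in[2 * units + 1] = 0;
    return copy_short_path_checked(demo_dst, in, (int32_t)(2 * (units + 1)));
}

int main(void) {
    uint16_t src[8] = { 'o', 'k', 0 };   /* well-formed and fits: the unbounded copy is safe here */
    copy_short_path_unbounded(demo_dst, src);
    printf("checked copy of \"C:\\scan\": %d code units\n",
           copy_short_path_checked(demo_dst, SAMPLE_OK, (int32_t)sizeof SAMPLE_OK));
    printf("no terminator within arg_4: %d\n",
           copy_short_path_checked(demo_dst, SAMPLE_NO_NUL, (int32_t)sizeof SAMPLE_NO_NUL));
    printf("1000 code units into a 300 unit buffer: %d\n", check_run_of_a(1000));
    return 0;
}
```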
Vendor Response:
Trend Micro has issued an update to correct this vulnerability. More details can be found at:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290
Disclosure Timeline:
2007.01.16 Digital Vaccine released to TippingPoint customers
2007.02.01 Vulnerability reported to vendor
2007.02.20 Coordinated public release of advisory
Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.
Labels: Anti-Virus, Microsoft, Virus, Vulnerability
W32.Spybot.ANDM
Discovered: January 3, 2007
Updated: February 13, 2007 1:03:06 PM
Type: Worm
Infection Length: 168,960 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Spybot.ANDM is executed, it performs the following actions:
Copies itself as any of the following files:
%System%\wnuserv.exe
%System%\ctfmom.exe
%System%\napi32.exe
%System%\soundman.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates a temporary batch file named c:\a.bat, which in turn creates a registry file in the temporary folder named 1.reg.
Adds the values:
"Windows System Service" = "wnuserv.exe"
"Windows Update Firewall System" = "ctfmom.exe"
"Windows Logon Service" = "napi32.exe"
"Microsoft Sounds" = "soundman.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that it runs every time Windows starts.
Adds the value:
"Windows System Service" = "wnuserv.exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\OLE\Windows
Modifies the value:
"TransportBindName" = ""
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Modifies the value:
"Start" = "4"
in the registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc
Modifies the values:
"EnableDCOM" = "N"
"EnableRemoteConnect" = "N"
in the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Modifies the value:
"restrictanonymous" = "1"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
to prevent NULL session enumeration of the host.
Modifies the value:
"Enabled" = "0"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
Modifies the values:
"AutoShareWks" = "0"
"AutoShareServer" = "0"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
Modifies the values:
"NameServer" = ""
"ForwardBroadcasts" = "0"
"IPEnableRouter" = "0"
"Domain" = ""
"SearchList" = ""
"UseDomainNameDevolution" = "1"
"EnableICMPRedirect" = "0"
"DeadGWDetectDefault" = "1"
"DontAddDefaultGatewayDefault" = "0"
"EnableSecurityFilters" = "1"
"AllowUnqualifiedQuery" = "0"
"PrioritizeRecordData" = "1"
"TCP1320Opts" = "3"
"KeepAliveTime" = "23280"
"BcastQueryTimeout" = "002ee"
"BcastNameQueryCount" = "1"
"CacheTimeout" = "0ea60"
"Size/Small/Medium/Large" = "3"
"LargeBufferSize" = "01000"
"SynAckProtect" = "2"
"PerformRouterDiscovery" = "0"
"EnablePMTUBHDetect" = "0"
"FastSendDatagramThreshold " = "400"
"StandardAddressLength " = "18"
"DefaultReceiveWindow " = "4000"
"DefaultSendWindow" = "4000"
"BufferMultiplier" = "200"
"PriorityBoost" = "2"
"IrpStackSize" = "4"
"IgnorePushBitOnReceives" = "0"
"DisableAddressSharing" = "0"
"AllowUserRawAccess" = "0"
"DisableRawSecurity" = "0"
"DynamicBacklogGrowthDelta" = "32"
"FastCopyReceiveThreshold" = "400"
"LargeBufferListDepth" = "a"
"MaxActiveTransmitFileCount" = "2"
"MaxFastTransmit" = "40"
"OverheadChargeGranularity" = "1"
"SmallBufferListDepth" = "20"
"SmallerBufferSize" = "80"
"TransmitWorker" = "20"
"DNSQueryTimeouts" = "31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,30,00,00,00,00,00"
"DefaultRegistrationTTL" = "14"
"DisableReplaceAddressesInConflicts" = "0"
"DisableReverseAddressRegistrations" = "1"
"UpdateSecurityLevel " = "0"
"DisjointNameSpace" = "1"
"QueryIpMatching" = "0"
"NoNameReleaseOnDemand" = "1"
"EnableDeadGWDetect" = "0"
"EnableFastRouteLookup" = "1"
"MaxFreeTcbs" = "7d0"
"MaxHashTableSize" = "800"
"SackOpts" = "1"
"Tcp1323Opts" = "3"
"TcpMaxDupAcks" = "1"
"TcpRecvSegmentSize" = "585"
"TcpSendSegmentSize" = "585"
"TcpWindowSize" = "7d200"
"DefaultTTL" = "30"
"TcpMaxHalfOpen" = "4b"
"TcpMaxHalfOpenRetried" = "50"
"TcpTimedWaitDelay" = "0"
"MaxNormLookupMemory" = "30d40"
"FFPControlFlags" = "1"
"FFPFastForwardingCacheSize" = "30d40"
"MaxForwardBufferMemory" = "19df7"
"MaxFreeTWTcbs" = "7d0"
"GlobalMaxTcpWindowSize" = "7d200"
"EnablePMTUDiscovery" = "1"
"ForwardBufferMemory" = "19df7"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Modifies the values:
"MaxConnectionsPer1_0Server" = "50"
"MaxConnectionsPerServer" = "50"
in the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Starts to log keystrokes whenever the user attempts to access sites that contain the following strings:
e-gold
PayPal
StormPay
Vodafone
Poste Italiane
eBay
Yahoo!
Banca Sella
Email
Bank of America
exploit
Benvenuto a gmail
Msn
pagamento paga
Opens a back door and connects to an IRC server at any of the following hosts:
The attacker may perform the following actions on the compromised computer:
Copy or delete files
Upload and download files
Steal CD keys from various games
Log keystrokes and capture webcam
Show status
Show IP address
Portscan the network for vulnerable computers
Scan vulnerabilities
Start ftp and tftp
Start Internet Explorer
End processes
Stop other worms
Stop security-related services
List processes
Use a network sniffer
Spreads by exploiting the following vulnerabilities:
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow vulnerabilities (as described in Microsoft Security Bulletin MS04-007).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
The RealVNC Remote Authentication Bypass Vulnerability (as described in CVE-2006-2369).
Symantec Client Security and Symantec AntiVirus Elevation of Privilege (as described in Symantec Advisory SYM06-010).
The Microsoft SQL Server 2000 or MSDE 2000 audit (as described in Microsoft Security Bulletin MS02-061) using UDP port 1433.
Attempts to spread through mIRC and to network shares protected by weak passwords.
This worm attempts to exploit a previously addressed vulnerability in Symantec Client Security and Symantec Antivirus, SYM06-010; patches for the particular Symantec product vulnerability have been available since Thursday, May 25th, 2006. As a result, customers who have applied the patch in their environment are unaffected by the worm's attempt to leverage the Symantec vulnerability for an attack. Customers running Symantec Client Security or Symantec intrusion prevention (IPS) capable products are protected against all known and unknown exploits of SYM06-010 via IPS signatures released on May 26th, 2006.
Labels: Anti-Virus, Microsoft, Worm
Name Troj/DollarR-CG
Type Trojan
Affected operating systems Windows
Side effects Installs itself in the Registry
Aliases Trojan-Downloader.Win32.Adload.ic
DollarRevenue trojan
Troj/DollarR-CG is a downloader Trojan for the Windows platform.
Troj/DollarR-CG includes functionality to access the internet and communicate with a remote server via HTTP.
When Troj/DollarR-CG is installed it creates the file \newname.dat.
The following registry entry is created to run Troj/DollarR-CG on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
newname
Labels: Anti-Virus, Microsoft, Trojan