Current Activity Calendar
May 2003
Su M Tu W Th F Sa
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31
Please click on a date above to see current activity for that day.

  • Latest Current Activity
    •

    May 22, 2003 - Current Activity

    This is an archived copy of current activity, if you would like to see the most recent version, please click here.

    new Win32/Mankx Worm
      Win32/Fizzer Worm
      Buffer Overflow Vulnerability in Core Windows DLL
      Increased Activity Targeting Windows Shares


    Win32/Mankx Worm
    added May 19

    The CERT/CC has received reports of a mass-emailing worm known as "Win32/Mankx" or "Win32/Palyh". It arrives via an email message in an attachment with a .pif extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in files with a .wab, .dbx, .htm, .html, .eml, or .txt file extension.

    The worm also attempts to propogate by copying itself to the following folders on other machines that is has access to:

  • Windows\All Users\Start Menu\Programs\StartUp
  • Documents and Settings\All Users\Start Menu\Programs\Startup

    • The CERT/CC strongly encourages users to install anti-virus software, and keep its virus information files up-to-date.

    Users may also wish to consider filtering email attachments with the extensions listed above.

    You may also wish to visit the CERT/CC's computer virus resources page.


    Win32/Fizzer Worm
    added May 12

    The CERT/CC has received reports of a mass-emailing worm known as "Fizzer", "W32.Fizzer", or "Win32/Fizzer". It arrives via an email message in an attachment with a .exe, .pif, .com, or .scr extension. Upon opening the attachment, the worm uses various IRC networks to communicate with a remote attacker. This worm is also reported to contain a keystroke logger.

    The CERT/CC strongly encourages users to install anti-virus software, and keep its virus information files up-to-date.

    Users may also wish to consider:

  • Filtering email attachments with the extensions listed above.
  • Monitoring outgoing traffic for unexpected IRC connections

    • You may also wish to visit the CERT/CC's computer virus resources page.


    Buffer Overflow Vulnerability in Core Windows DLL
    added March 19

    A buffer overflow vulnerability exists in ntdll.dll. This vulnerability may allow a remote attacker to execute arbitrary code on the victim machine.

    An exploit is publicly available for this vulnerability which increases the urgency that system administrators apply a patch. The CERT/CC strongly encourages sites Windows to read CERT Advisory CA-2003-09, examine their systems for signs of compromise and apply the appropriate patch as soon as possible.


    Increased Activity Targeting Windows Shares
    updated March 13 | portions added March 10, March 13

    The CERT/CC has received reports of propagation of a worm known as W32.Deloder as well as other malicious code which exploit network shares with null or weak Administrator passwords on Windows 2000/XP systems. This malicious code propagates via port 445/tcp and often installs backdoor applications on compromised systems. Additional details can be found in CERT Advisory CA-2003-08.