
June 10, 2003 - Current Activity

    This is an archived copy of current activity.

  • W32/BugBear.B
  • W32/Sobig variants
  • Buffer Overflow Vulnerability in Core Windows DLL
  • Increased Activity Targeting Windows Shares

    W32/BugBear.B
    added June 5

    The CERT/CC has received reports of a variant of the BugBear mass-emailing worm, referred to as "W32/BugBear.B", "W32/Kijmo" or "W32/Shamur". It arrives as an attachment with a .pif, .scr, or .exe extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in the current inbox and in files with a .dbx, .eml, .mbx, .mmf, .nch, .ocs, or .tbb file extension. Additionally, this worm has a built-in keylogger, a backdoor that listens on port 1080/tcp, and attempts to terminate numerous security product processes on the system.

    The worm also attempts to propagate by copying itself, under a random file name, to the following folders on the local machine as well as on other machines it has access to:

  • Windows\Start Menu\Programs\Startup\[random_name].exe when executed on a Windows 95/98/Me-based system
  • Documents and Settings\<current user name>\Start Menu\Programs\Startup\[random_name].exe when executed on a Windows NT/2000/XP-based system

    The CERT/CC strongly encourages users to install anti-virus software and keep its virus information files up-to-date.

    Users may also wish to consider filtering email attachments with the extensions listed above and to monitor traffic destined for port 1080/tcp.

    You may also wish to visit the CERT/CC's computer virus resources page.


    W32/Sobig variants
    added May 19 | updated June 4

    The CERT/CC continues to receive reports of three variants of a mass-emailing worm, referred to as "W32/Sobig", or sometimes "Win32/Mankx" or "Win32/Palyh". It arrives as an attachment with a .pif extension in an email message spoofed to appear as though it was from "support@microsoft.com" or "bill@microsoft.com", or possibly other addresses. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in files with a .wab, .dbx, .htm, .html, .eml, or .txt file extension.

    The worm also attempts to propagate by copying itself to the following folders on other machines that it has access to:

  • Windows\All Users\Start Menu\Programs\StartUp
  • Documents and Settings\All Users\Start Menu\Programs\Startup

    The CERT/CC strongly encourages users to install anti-virus software and keep its virus information files up-to-date.

    Users may also wish to consider filtering email attachments with the extensions listed above.

    You may also wish to visit the CERT/CC's computer virus resources page.


    Buffer Overflow Vulnerability in Core Windows DLL
    added March 19

    A buffer overflow vulnerability exists in ntdll.dll. This vulnerability may allow a remote attacker to execute arbitrary code on the victim machine.

    An exploit is publicly available for this vulnerability, which increases the urgency for system administrators to apply a patch. The CERT/CC strongly encourages sites running Windows to read CERT Advisory CA-2003-09, examine their systems for signs of compromise, and apply the appropriate patch as soon as possible.


    Increased Activity Targeting Windows Shares
    updated March 13 | portions added March 10, March 13

    The CERT/CC has received reports of propagation of a worm known as W32.Deloder, as well as other malicious code, that exploits network shares with null or weak Administrator passwords on Windows 2000/XP systems. This malicious code propagates via port 445/tcp and often installs backdoor applications on compromised systems. Additional details can be found in CERT Advisory CA-2003-08.