July 07, 2003 - Current Activity

The CERT/CC has received reports of a variant of the Sobig mass-emailing worm, referred to as "W32/Sobig.E." It arrives as an attachment with a .zip extension. Within that .zip file is a file with either a .scr or .pif extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in files with a .wab, .dbx, .htm, .html, .eml, or .txt file extension. Additionally, this worm spoofs the "From" address, therefore it is likely that the sender address is not that of the infected user.

Upon execution, the worm places the following files in the "%Windir%" directory:

The following registry keys are created:

The worm also attempts to propogate by copying itself to the following folders:

The CERT/CC strongly encourages users to install anti-virus software, and keep its virus information files up-to-date.

Users may also wish to consider filtering email attachments with the extensions listed above.

You may also wish to visit the CERT/CC's computer virus resources page.

In recent weeks, there have been numerous accounts of activity surrounding TCP packets with a window size of 55808. Initial reports of this activity received by the CERT/CC indicate that the Selective Acknowledgement bit is set and the window scale option is set to 2. Selective Acknowledgments are described in more detail in RFC2018 "TCP Selective Acknowledgment Options"; the window scale field is described in RFC1323 "TCP Extensions for High Performance". The window scale value designates the number of bits that the window size value should be shifted in order to compute the actual window size. Thus, with a window size of 55808 and a scale of 2, the actual window size being requested is 223,232 bytes.

To date, there are several pieces of malicious code that have been identified capable of generating traffic with a window size of 55808. This includes the "Stumbler" malicious code reported by Internet Security Systems (ISS) and "55808 Trojan - Variant A" described by Intrusec on June 19, 2003. We have also received reports that a variant of a common IRC bot (sdbot) is capable of generating TCP packets with a window size of 55808. A previous variant of the sdbot malicious code was mentioned briefly in CA-2003-08.

Analysis indicates that while these various pieces of malicious code will generate TCP packets with a window size of 55808, not all of them set the window scale option. This is an important detail because it indicates that there may be multiple artifacts responsible for generating the reported traffic.

We are tracking this activity as incident CERT#26124, and are interested in receiving reports thereof. Relevant artifacts or activity can be sent to cert@cert.org with "CERT#26124" in the subject line.

The CERT/CC has received reports of a variant of the BugBear mass-emailing worm, referred to as "W32/BugBear.B", "W32/Kijmo" or "W32/Shamur". It arrives as an attachment with a .pif, .scr, or .exe extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in the current inbox and in files with a .dbx, .eml, .mbx, .mmf, .nch, .ocs, or .tbb file extension. Additionally, this worm has a built-in keylogger, a backdoor that listens on port 1080/tcp, and attempts to terminate numerous security product processes on the system.

The worm also attempts to propogate by copying itself to the following folders on the local machine as well as other machines that it has access to using a random file name:

The CERT/CC strongly encourages users to install anti-virus software, and keep its virus information files up-to-date.

Users may also wish to consider filtering email attachments with the extensions listed above and to monitor traffic destined for port 1080/tcp.

You may also wish to visit the CERT/CC's computer virus resources page.

The CERT/CC continues to receive reports of three variants of a mass-emailing worm, referred to as "W32/Sobig", or sometimes "Win32/Mankx" or "Win32/Palyh". It arrives as an attachment with a .pif extension in an email message spoofed to appear as though it was from "support@microsoft.com" or "bill@microsoft.com", or possibly other addresses. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in files with a .wab, .dbx, .htm, .html, .eml, or .txt file extension.

The worm also attempts to propogate by copying itself to the following folders on other machines that it has access to:

The CERT/CC strongly encourages users to install anti-virus software, and keep its virus information files up-to-date.

Users may also wish to consider filtering email attachments with the extensions listed above.

You may also wish to visit the CERT/CC's computer virus resources page.

Buffer Overflow Vulnerability in Core Windows DLL
added March 19

A buffer overflow vulnerability exists in ntdll.dll. This vulnerability may allow a remote attacker to execute arbitrary code on the victim machine.

An exploit is publicly available for this vulnerability which increases the urgency that system administrators apply a patch. The CERT/CC strongly encourages sites Windows to read CERT Advisory CA-2003-09, examine their systems for signs of compromise and apply the appropriate patch as soon as possible.

The CERT/CC has received reports of propagation of a worm known as W32.Deloder as well as other malicious code which exploit network shares with null or weak Administrator passwords on Windows 2000/XP systems. This malicious code propagates via port 445/tcp and often installs backdoor applications on compromised systems. Additional details can be found in CERT Advisory CA-2003-08.