
    August 05, 2003 - Current Activity

    This is an archived copy of the current activity page for this date; the most recent version is maintained on the CERT/CC site.

    • Exploitation of Microsoft RPC Vulnerabilities (new)
    • W32/Mimail Virus (new)
    • Attempts To Exploit Cisco IOS Interface Blocked Vulnerabilities (VU#411332)



    Exploitation of Microsoft RPC Vulnerabilities
    added July 31

    The CERT/CC has received reports of systems being compromised through two recently discovered vulnerabilities in the Microsoft Remote Procedure Call (RPC) service. Additionally, the CERT/CC has received reports of widespread scanning for systems that expose the ports over which Microsoft RPC can be reached (135, and 139 and 445 via SMB).

    We are currently seeing reports involving two separate vulnerabilities. The first, a buffer overflow that allows remote code execution, is described in CA-2003-16 (VU#568148) and is resolved by applying the patch in MS03-026. The second, a denial-of-service vulnerability, is described in CA-2003-19 (VU#326746); Microsoft is currently working on a patch for it.

    Sites are encouraged to block access to these ports from outside their network perimeter, specifically TCP and UDP ports 135, 139, and 445 (MS03-026 additionally lists TCP port 593, RPC over HTTP). This limits exposure to attacks from the Internet, but perimeter filtering does nothing against attackers or already-compromised hosts inside the perimeter, including laptops and VPN clients that move in and out of it. Applying MS03-026 is the only complete remediation for the first vulnerability.

    The CERT/CC is tracking activity related to exploitation of the first vulnerability (VU#568148) as CERT#27479 and the second vulnerability (VU#326746) as CERT#24523. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line.
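    The scanning described above shows up in perimeter firewall deny logs as one source probing port 135, 139 or 445 on many destination hosts. The following is an added example of that detection logic, not code from the CERT/CC page: the log lines are constructed (RFC 5737 test addresses) in a simplified iptables-style format, and the regex would need adjusting for your own firewall's format.

```python
"""Flag sources scanning for Microsoft RPC / SMB ports in firewall deny logs.

Added example for the scanning activity described above; it is not code from
the CERT/CC page. The log lines below are constructed (RFC 5737 test
addresses) in a simplified iptables-style format; adjust LINE_RE to match
the format your own perimeter firewall writes.
"""
import re
from collections import defaultdict

# Ports named in the advisory text: 135 (RPC endpoint mapper), 139 and 445
# (SMB, over which RPC can also be reached via named pipes).
RPC_PORTS = {135, 139, 445}

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one source sweeping five hosts, two sources that do not.
SAMPLE_LOG = """\
Aug  5 10:01:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4321 DPT=135
Aug  5 10:01:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4322 DPT=135
Aug  5 10:01:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4323 DPT=445
Aug  5 10:01:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=4324 DPT=139
Aug  5 10:01:04 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.14 PROTO=TCP SPT=4325 DPT=135
Aug  5 10:01:05 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Aug  5 10:01:06 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=135
Aug  5 10:01:07 fw kernel: DROP IN=eth0 SRC=203.0.113.22 DST=192.0.2.10 PROTO=UDP SPT=1026 DPT=135
Aug  5 10:01:07 fw kernel: DROP IN=eth0 SRC=203.0.113.22 DST=192.0.2.10 PROTO=UDP SPT=1026 DPT=135
"""


def parse_line(line):
    """Return (src, dst, proto, dport) for a deny line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def rpc_scanners(log_text, min_targets=3):
    """Sources that probed an RPC/SMB port on at least min_targets distinct hosts.

    Returns {src: {"targets": [...], "ports": [...]}}. Distinct destination
    hosts, not raw packet counts, are used so that a single host retrying one
    connection (like 203.0.113.22 above) is not mistaken for a sweep.
    """
    targets = defaultdict(set)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, _proto, dport = rec
        if dport in RPC_PORTS:
            targets[src].add(dst)
            ports[src].add(dport)
    return {
        src: {"targets": sorted(hosts), "ports": sorted(ports[src])}
        for src, hosts in targets.items()
        if len(hosts) >= min_targets
    }


if __name__ == "__main__":
    for src, info in rpc_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(info['targets'])} hosts on ports {info['ports']}")
```

    In production the count should be taken per time window (for example, per hour) rather than over the whole log, and sources that hit a large number of internal hosts on these ports are candidates for the artifacts the CERT/CC asks for under CERT#27479.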


    W32/Mimail Virus
    added August 1

    The CERT/CC has received reports of a virus known as 'W32/Mimail'. It arrives in an email whose sender address claims to be the 'admin' user of the recipient's own domain. The subject of the message is 'Your Account', followed by a number of spaces and a string of 8 random characters. The body warns the recipient that their email address is about to expire and directs them to the attached file for more details.

    The message attachment is 'message.zip'. If it is opened, the virus exploits a vulnerability in Microsoft Internet Explorer to modify the system registry and install a mass-mailer that runs as a process named 'videodrv.exe'.

    At this time, it is unclear which specific vulnerability is being exploited by this malicious code. The CERT/CC is currently investigating this issue, and will update this page as more information becomes available.

    The CERT/CC strongly encourages users to install anti-virus software and keep its virus signature files up to date. Sites that operate a mail gateway may also wish to quarantine messages matching the sender, subject and attachment characteristics above until signatures are available.

    You may also wish to visit the CERT/CC's computer virus resources page.
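    The three characteristics described above (the 'admin' sender at the recipient's domain, the 'Your Account' subject with trailing random characters, and the 'message.zip' attachment) can be checked together at a mail gateway. The following is an added example of such a check, not code from the CERT/CC page. The sample message is constructed and its base64 body is an empty placeholder, not the virus; two details are assumptions of the example, namely that the 8 random subject characters are alphanumeric and that the sender matches only when its domain equals the recipient's.

```python
"""Score an e-mail message against the W32/Mimail characteristics above.

Added example for mail-gateway triage; not code from the CERT/CC page. The
message below is constructed (the base64 body is a placeholder, not the
virus). Two details are assumptions: the 8 random subject characters are
taken to be alphanumeric, and the sender is taken to match only when its
domain equals the recipient's.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INDICATORS = ("admin_sender", "subject_pattern", "message_zip")

# 'Your Account', a run of spaces, then 8 characters (alphanumeric assumed).
SUBJECT_RE = re.compile(r"^Your Account +[A-Za-z0-9]{8}$")

# Constructed sample message in the described form.
SAMPLE_MSG = """\
From: admin@example.com
To: alice@example.com
Subject: Your Account     k3j9dq2p
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/plain

Your e-mail account is about to expire. Please read the attached file for details.

--boundary42
Content-Type: application/zip; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--boundary42--
"""

# Constructed benign message that shares only the words 'Your Account'.
BENIGN_MSG = """\
From: bob@example.com
To: alice@example.com
Subject: Your Account statement

Attached is your statement.
"""


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def mimail_indicators(raw_message):
    """Return the subset of INDICATORS present in the message."""
    msg = message_from_string(raw_message)
    found = set()

    sender = parseaddr(msg.get("From", ""))[1]
    recipient = parseaddr(msg.get("To", ""))[1]
    # 'admin' user of the recipient's own domain (domain equality assumed).
    if sender.lower().startswith("admin@") and _domain(sender) == _domain(recipient):
        found.add("admin_sender")

    if SUBJECT_RE.match(msg.get("Subject", "")):
        found.add("subject_pattern")

    # Walk every MIME part; the attachment name is what the page describes.
    for part in msg.walk():
        if (part.get_filename() or "").lower() == "message.zip":
            found.add("message_zip")

    return found


def looks_like_mimail(raw_message):
    """True only when all three described characteristics are present together."""
    return mimail_indicators(raw_message) == set(INDICATORS)


if __name__ == "__main__":
    print(mimail_indicators(SAMPLE_MSG), looks_like_mimail(SAMPLE_MSG))
    print(mimail_indicators(BENIGN_MSG), looks_like_mimail(BENIGN_MSG))
```

    Requiring all three indicators keeps false positives low; a gateway that wants to be more aggressive while the exploited vulnerability is still unknown could quarantine on the 'message.zip' attachment alone and review the rest by hand.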


    Attempts To Exploit Cisco IOS Interface Blocked Vulnerabilities (VU#411332)
    added July 18

    The CERT/CC has received reports of activity consistent with attempts to exploit the Cisco IOS Interface Blocked Vulnerabilities described in CERT Advisories CA-2003-15 and CA-2003-17. To date, we are unaware of any sites whose operations have been interrupted by these attempts. Sites are strongly encouraged to read these two advisories, and take any actions necessary to protect their networks.