Current Activity Calendar
August 2003

August 18, 2003 - Current Activity

    This is an archived copy of current activity.

    • updated: W32/Welchia
    • updated: W32/Blaster
    • updated: Exploitation of Microsoft RPC Vulnerabilities
    • W32/Mimail Virus
    • Attempts To Exploit Cisco IOS Interface Blocked Vulnerabilities (VU#411332)



    W32/Welchia Worm
    added August 18 | updated August 18

    The CERT/CC has received reports of a new worm targeting systems vulnerable to the same vulnerability as W32/Blaster. This worm, known alternately as 'W32/Welchia', 'W32/Nachi', or 'WORM_MS_BLAST.D', has been reported to

    • kill and remove the msblast.exe artifact left behind by W32/Blaster
    • perform ICMP scanning to identify systems to target for exploitation
    • apply the patch from Microsoft described in MS03-026
    • reboot the system

    The greatest impact of this worm appears to be the potential for denial-of-service conditions within an organization due to high levels of ICMP traffic. Sites are encouraged to apply the patch from Microsoft described in MS03-026 and apply network filters as necessary to reduce the impact of this worm. Sites can find specific information on how to recover a system which has been compromised by W32/Welchia by consulting an anti-virus vendor. The CERT/CC maintains a partial list of anti-virus vendors.

    We are tracking this activity as incident CERT#33546, and are interested in receiving reports thereof. Relevant artifacts or activity can be sent to cert@cert.org with "CERT#33546" in the subject line.


    W32/Blaster Worm
    added August 11 | updated August 15

    The CERT/CC continues to receive reports of systems being compromised by a new worm referred to as "W32/Blaster" or "W32/Lovsan". This activity is related to a recently discovered vulnerability in the Microsoft Remote Procedure Call (RPC) service. Microsoft has produced a patch for this vulnerability which can be found at MS03-026. The CERT/CC has produced an advisory addressing this issue. Please refer to CERT Advisory CA-2003-20, "W32/Blaster worm".

    Sites are strongly encouraged to apply the patch and block access to systems with open Microsoft RPC ports (135, 139, 445). Additionally, the CERT/CC strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

    You may also wish to visit the CERT/CC's computer virus resources page.


    Exploitation of Microsoft RPC Vulnerabilities
    added July 31 | updated August 15

    The CERT/CC continues to receive reports of systems being compromised by two recently discovered vulnerabilities in the Microsoft Remote Procedure Call (RPC) service. Additionally, the CERT/CC has received reports of widespread scanning for systems with open Microsoft RPC ports (135, 139, 445). The W32/Blaster worm (mentioned above) is just one example of this scanning and exploitation.

    We are currently seeing reports involving two separate vulnerabilities. The first vulnerability is described in CA-2003-16 (VU#568148) and is resolved by applying patches found in MS03-026. The second denial-of-service vulnerability is described in CA-2003-19 (VU#326746). Microsoft is currently working on a patch to resolve this issue.

    The scanning and attempted exploitation of these two vulnerabilities will trigger a denial-of-service vulnerability present in multiple implementations of the Distributed Computing Environment (DCE); that vulnerability is described in VU#377804.

    Sites are encouraged to block access from outside their network perimeter, specifically by blocking access to TCP and UDP ports 135, 139, and 445. This will limit exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of the network to exploit the vulnerability.

    The CERT/CC is tracking activity related to exploitation of the first vulnerability (VU#568148) as CERT#27479 and the second vulnerability (VU#326746) as CERT#24523. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line.
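    The ICMP scanning performed by W32/Welchia (described above) and the widespread scanning for TCP and UDP ports 135, 139 and 445 described in this section both appear in connection logs as a single source touching many destinations within a short time. The detector below is an added example, not CERT/CC code: it reads constructed log lines in an assumed format (`<epoch> <proto> <src> <dst> <dport|->`), flags fan-out of either kind, and labels each flagged source as inside or outside the perimeter, because the perimeter filtering recommended above stops external probes of those ports but not an internal source. The function names, thresholds, the internal prefix and all sample addresses are assumptions made for the example.

```python
from collections import defaultdict

# TCP/UDP ports the advisory recommends filtering at the perimeter.
RPC_PORTS = {135, 139, 445}


def parse_line(line):
    """Parse one constructed log line: '<epoch> <proto> <src> <dst> <dport|->'.
    The format is an assumption for this example, not a real product's log."""
    ts, proto, src, dst, dport = line.split()
    return {"ts": int(ts), "proto": proto.lower(), "src": src, "dst": dst,
            "dport": None if dport == "-" else int(dport)}


def classify(ev):
    """Map an event to the scan class it may belong to, or None if uninteresting."""
    if ev["proto"] == "icmp":
        return "icmp-sweep"          # Welchia-style ICMP scanning
    if ev["proto"] in ("tcp", "udp") and ev["dport"] in RPC_PORTS:
        return "rpc-port-probe"      # scanning for Microsoft RPC ports
    return None


def detect_sweeps(lines, internal_prefix="10.0.", window=60, threshold=10):
    """Flag sources that reach at least `threshold` distinct destinations of one
    class inside a `window`-second bucket. Returns findings sorted by source."""
    buckets = defaultdict(set)       # (class, src, bucket) -> set of destinations
    for line in lines:
        ev = parse_line(line)
        kind = classify(ev)
        if kind is None:
            continue
        buckets[(kind, ev["src"], ev["ts"] // window)].add(ev["dst"])

    findings = []
    for (kind, src, bucket), dsts in buckets.items():
        if len(dsts) >= threshold:
            findings.append({
                "kind": kind,
                "src": src,
                "distinct_dsts": len(dsts),
                "window_start": bucket * window,
                # Perimeter filters on 135/139/445 only stop external probes;
                # an internal source still reaches those ports unfiltered.
                "origin": "internal" if src.startswith(internal_prefix) else "external",
            })
    return sorted(findings, key=lambda f: (f["src"], f["kind"]))


def build_sample_log():
    """Constructed sample traffic for the example (not captured data)."""
    base = 1061200000                # an arbitrary epoch value chosen for the example
    lines = []
    # Internal host pinging 15 neighbours within one window: ICMP sweep.
    for i in range(1, 16):
        lines.append(f"{base + i} icmp 10.0.0.5 10.0.1.{i} -")
    # External host probing TCP/135 on 12 internal hosts.
    for i in range(1, 13):
        lines.append(f"{base + i} tcp 192.0.2.7 10.0.0.{i} 135")
    # Internal host probing TCP/445 on 11 neighbours; perimeter filters would not see this.
    for i in range(20, 31):
        lines.append(f"{base + 2} tcp 10.0.0.9 10.0.2.{i} 445")
    # Benign web traffic from one client to three servers: below threshold.
    for i in range(1, 4):
        lines.append(f"{base + i} tcp 10.0.0.7 198.51.100.{i} 80")
    # A single ping: also below threshold, not reported.
    lines.append(f"{base + 5} icmp 10.0.0.8 10.0.0.1 -")
    return lines


if __name__ == "__main__":
    for finding in detect_sweeps(build_sample_log()):
        print(finding)
```

    Run against the sample log, the detector reports three sources: the ICMP sweep from 10.0.0.5, the external RPC probe from 192.0.2.7, and the internal RPC probe from 10.0.0.9. The last of these is the case the advisory's caveat is about: it never crosses the perimeter, so only host patching and internal monitoring address it. Real firewall or flow logs need their own parser in place of parse_line, and window and threshold should be tuned to the normal fan-out of the monitored network.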


    W32/Mimail Virus
    added August 1 | updated August 12

    The CERT/CC has received reports of a virus known as 'W32/Mimail'. The virus arrives in an email that claims to be from the 'admin' user of your domain. The subject of the message is 'Your Account', followed by a number of spaces and a string of 8 random characters. The text portion of the message warns the user that their email address is about to expire and to read the attached file for more details.

    The message attachment is 'message.zip'. If opened, the virus exploits a vulnerability in Microsoft Internet Explorer, which allows it to modify the system registry and install a mass-mailer masquerading as the process 'videodrv.exe'.

    The vulnerability which makes it possible for W32/Mimail to execute automatically once the .ZIP archive is opened is described in Vulnerability Note VU#208052 and Microsoft Security Bulletin MS03-014.
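    The lure described above has three observable traits a mail gateway can check before the attachment ever reaches a user: a sender claiming to be 'admin' at the local domain, the subject 'Your Account' followed by spaces and 8 characters, and an attachment named 'message.zip'. The filter below is an added example, not CERT/CC code; it parses constructed messages with the Python standard library email package and counts how many of those traits a message shows. The sender domain, the quarantine threshold of two traits, and the assumption that the 8 random characters are alphanumeric are choices made here for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject: 'Your Account', spaces, then 8 characters. The advisory says
# "random characters"; treating them as alphanumeric is an assumption here.
SUBJECT_RE = re.compile(r"^Your Account\s+[A-Za-z0-9]{8}$")
ATTACHMENT_NAME = "message.zip"


def mimail_indicators(raw_message, local_domain):
    """Return the list of W32/Mimail lure traits present in an RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []

    # Trait 1: sender pretends to be the 'admin' user of the recipient's domain.
    _, addr = parseaddr(msg.get("From", ""))
    local_part, _, domain = addr.rpartition("@")
    if local_part.lower() == "admin" and domain.lower() == local_domain.lower():
        hits.append("from-admin-at-local-domain")

    # Trait 2: subject 'Your Account' plus spaces and an 8-character string.
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject-your-account")

    # Trait 3: an attachment named message.zip anywhere in the MIME tree.
    for part in msg.walk():
        if (part.get_filename() or "").lower() == ATTACHMENT_NAME:
            hits.append("attachment-message-zip")
            break
    return hits


def should_quarantine(raw_message, local_domain, min_hits=2):
    """Quarantine when at least `min_hits` traits co-occur (threshold is an assumption)."""
    return len(mimail_indicators(raw_message, local_domain)) >= min_hits


# Constructed sample message shaped like the lure described in the advisory.
# The attachment body is a placeholder, not a real archive.
SAMPLE_MIMAIL = """\
From: admin@example.com
To: user@example.com
Subject: Your Account     aB3kZ9qW
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your email account is about to expire. See the attached file for details.
--b1
Content-Type: application/zip; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: alice@example.com
To: user@example.com
Subject: Lunch tomorrow?

Want to grab lunch at noon?
"""

if __name__ == "__main__":
    for name, raw in (("mimail", SAMPLE_MIMAIL), ("benign", SAMPLE_BENIGN)):
        print(name, mimail_indicators(raw, "example.com"),
              "quarantine" if should_quarantine(raw, "example.com") else "deliver")
```

    Requiring two co-occurring traits keeps a single legitimate mail from an 'admin' mailbox, or an unrelated 'Your Account' subject, from being quarantined on its own. The check is a gateway-side complement to the signature updates the advisory recommends, not a replacement for them, since the traits can change between variants.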

    The CERT/CC strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

    You may also wish to visit the CERT/CC's computer virus resources page.


    Attempts To Exploit Cisco IOS Interface Blocked Vulnerabilities (VU#411332)
    added July 18

    The CERT/CC has received reports of activity consistent with attempts to exploit the Cisco IOS Interface Blocked Vulnerabilities described in CERT Advisories CA-2003-15 and CA-2003-17. To date, we are unaware of any sites whose operations have been interrupted by these attempts. Sites are strongly encouraged to read these two advisories, and take any actions necessary to protect their networks.