August 20, 2003 - Current Activity

    This is an archived copy of current activity.

    • new: W32/Sobig.F Worm
    • updated: W32/Welchia
    • updated: W32/Blaster
    • updated: Exploitation of Microsoft RPC Vulnerabilities
    • Attempts To Exploit Cisco IOS Interface Blocked Vulnerabilities (VU#411332)



    W32/Sobig.F Worm
    added August 19

    The CERT/CC has received reports of a new variant of the Sobig worm, 'W32/Sobig.F'. Like its predecessors, Sobig.F attempts to replicate itself by sending out infected email. In addition, it can download and execute arbitrary code on the target machine, which potentially permits the worm to compromise confidential information, or to set up and run other services, such as open mail relays.

    The CERT/CC strongly encourages users to install anti-virus software and keep its virus signature files up to date.

    You may also wish to visit the CERT/CC's computer virus resources page.


    W32/Welchia Worm
    added August 18 | updated August 18

    The CERT/CC has received reports of a new worm targeting systems affected by the same vulnerability exploited by W32/Blaster. This worm, known alternately as 'W32/Welchia', 'W32/Nachi', or 'WORM_MS_BLAST.D', has been reported to

    • kill and remove the msblast.exe artifact left behind by W32/Blaster
    • perform ICMP scanning to identify systems to target for exploitation
    • apply the patch from Microsoft described in MS03-026
    • reboot the system

    The greatest impact of this worm appears to be the potential for denial-of-service conditions within an organization due to high levels of ICMP traffic. Sites are encouraged to apply the patch from Microsoft described in MS03-026 and apply network filters as necessary to reduce the impact of this worm. Sites can find specific information on how to recover a system which has been compromised by W32/Welchia by consulting an anti-virus vendor. The CERT/CC maintains a partial list of anti-virus vendors.

    We are tracking this activity as incident CERT#33546, and are interested in receiving reports thereof. Relevant artifacts or activity can be sent to cert@cert.org with "CERT#33546" in the subject line.


    W32/Blaster Worm
    added August 11 | updated August 15

    The CERT/CC continues to receive reports of systems being compromised by a new worm referred to as "W32/Blaster" or "W32/Lovsan". This activity is related to a recently discovered vulnerability in the Microsoft Remote Procedure Call (RPC) service. Microsoft has produced a patch for this vulnerability which can be found at MS03-026. The CERT/CC has produced an advisory addressing this issue. Please refer to CERT Advisory CA-2003-20, "W32/Blaster worm".

    Sites are strongly encouraged to apply the patch and block access to systems with open Microsoft RPC ports (135, 139, 445). Additionally, the CERT/CC strongly encourages users to install anti-virus software and keep its virus signature files up to date.

    You may also wish to visit the CERT/CC's computer virus resources page.


    Exploitation of Microsoft RPC Vulnerabilities
    added July 31 | updated August 15

    The CERT/CC continues to receive reports of systems being compromised by two recently discovered vulnerabilities in the Microsoft Remote Procedure Call (RPC) service. Additionally, the CERT/CC has received reports of widespread scanning for systems with open Microsoft RPC ports (135, 139, 445). The W32/Blaster worm (mentioned above) is just one example of this scanning and exploitation.

    We are currently seeing reports involving two separate vulnerabilities. The first vulnerability is described in CA-2003-16 (VU#568148) and is resolved by applying patches found in MS03-026. The second denial-of-service vulnerability is described in CA-2003-19 (VU#326746). Microsoft is currently working on a patch to resolve this issue.

    Note: The W32/Blaster worm will trigger a denial-of-service vulnerability in multiple implementations of the Distributed Computing Environment (DCE). This vulnerability is described in VU#377804.

    Sites are encouraged to block access from outside their network perimeter, specifically by blocking access to TCP and UDP ports 135, 139, and 445. This will limit exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of the network to exploit the vulnerability.

    The CERT/CC is tracking activity related to exploitation of the first vulnerability (VU#568148) as CERT#27479 and the second vulnerability (VU#326746) as CERT#24523. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line.
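    The two activity patterns described above, Welchia's ICMP scanning for targets and the widespread probing of the RPC ports 135, 139 and 445, both show up in perimeter logs as one source touching many destinations. The detector below is an added example, not code from the CERT/CC; it assumes a hypothetical one-flow-per-line log format ("proto src dst [dport-or-icmp-type]") and flags sources whose fan-out on ICMP echo requests or on the RPC ports reaches a threshold.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the CERT/CC page). Each line is a
# hypothetical "proto src dst [dport]" flow record; for ICMP the last
# field is the ICMP type (8 = echo request, 0 = echo reply).
SAMPLE_LOG = """\
icmp 10.0.1.7 10.0.2.1 8
icmp 10.0.1.7 10.0.2.2 8
icmp 10.0.1.7 10.0.2.3 8
icmp 10.0.1.7 10.0.2.4 8
icmp 10.0.1.7 10.0.2.5 8
icmp 10.0.1.9 10.0.2.1 8
icmp 10.0.2.1 10.0.1.9 0
tcp 10.0.1.12 10.0.3.1 135
tcp 10.0.1.12 10.0.3.2 135
tcp 10.0.1.12 10.0.3.3 445
tcp 10.0.1.12 10.0.3.4 135
tcp 10.0.1.12 10.0.3.5 139
tcp 10.0.1.20 10.0.3.1 80
"""

RPC_PORTS = {135, 139, 445}   # the Microsoft RPC ports named in the advisory text
ICMP_ECHO_REQUEST = 8          # ICMP type used for scanning probes

LINE_RE = re.compile(r"^(icmp|tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")

def parse(log):
    """Yield (proto, src, dst, last_field) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, src, dst, num = m.groups()
            yield proto, src, dst, int(num) if num else None

def find_scanners(log, threshold=4):
    """Return {src: {"icmp": n, "rpc": n}} for every source whose number of
    distinct destinations on ICMP echo requests or on RPC ports >= threshold."""
    icmp_targets = defaultdict(set)
    rpc_targets = defaultdict(set)
    for proto, src, dst, num in parse(log):
        if proto == "icmp" and num == ICMP_ECHO_REQUEST:
            icmp_targets[src].add(dst)          # Welchia-style target discovery
        elif proto in ("tcp", "udp") and num in RPC_PORTS:
            rpc_targets[src].add(dst)           # Blaster-style RPC probing
    flagged = {}
    for src in set(icmp_targets) | set(rpc_targets):
        n_icmp, n_rpc = len(icmp_targets[src]), len(rpc_targets[src])
        if n_icmp >= threshold or n_rpc >= threshold:
            flagged[src] = {"icmp": n_icmp, "rpc": n_rpc}
    return flagged
```

Tune the threshold to the size of the monitored network; a single echo reply or a lone port-80 connection, as in the sample, does not trip the detector.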


    Attempts To Exploit Cisco IOS Interface Blocked Vulnerabilities (VU#411332)
    added July 18

    The CERT/CC has received reports of activity consistent with attempts to exploit the Cisco IOS Interface Blocked Vulnerabilities described in CERT Advisories CA-2003-15 and CA-2003-17. To date, we are unaware of any sites whose operations have been interrupted by these attempts. Sites are strongly encouraged to read these two advisories, and take any actions necessary to protect their networks.