Current Activity Calendar
October 06, 2003 - Current Activity

This is an archived copy of current activity; if you would like to see the most recent version, please click here.

QHosts Trojan Horse
added October 2

The CERT/CC has received reports of a new Trojan Horse program affecting Microsoft Windows systems. The QHosts or Qhosts-1 Trojan Horse has been reported to alter Domain Name System (DNS) settings on Windows systems and redirect users from legitimate web sites to those specified by the Trojan Horse program.

The CERT/CC is tracking this activity as CERT#27882 and is interested in receiving reports thereof. Relevant artifacts or activity can be sent to cert@cert.org with "CERT#27882" in the subject line.

The CERT/CC strongly encourages users to install anti-virus software and keep its virus signature files up to date. You may also wish to visit the CERT/CC's computer virus resources page.

W32/Swen.A Worm
added September 19

The CERT/CC has received reports of a new mass-mailing worm, referred to as "W32/Swen.A" or "W32/Gibe.F". This worm is similar to W32/Gibe.B in function. The worm has been reported to propagate through email, network shares, and file-sharing networks such as KaZaA and IRC. It arrives as an attachment. The subject, body, and From: address vary, but often claim to be a Microsoft Internet Explorer update or a delivery failure notice from qmail. Upon opening the attachment, the worm attempts to mail itself to all email addresses it finds on the system. Additionally, this worm attempts to terminate numerous security product processes on the system.

The CERT/CC strongly encourages users to install anti-virus software and keep its virus signature files up to date. You may also wish to visit the CERT/CC's computer virus resources page.

Increase in traffic to 554/tcp
added August 29

The CERT/CC has noticed an increase in traffic directed at port 554/tcp. This port is used by the Real Time Streaming Protocol (RTSP). This activity may be related to a recently discovered vulnerability in Real Networks' Media Server. We have published Vulnerability Note VU#934932, which provides further details on this vulnerability.

W32/Sobig.F Worm
added August 19 | updated August 25

The CERT/CC continues to receive reports of a new variant of the Sobig worm, "W32/Sobig.F". Like its predecessors, Sobig.F attempts to replicate itself by sending out infected email. In addition, it can download and execute arbitrary code on the target machine, which potentially permits the worm to compromise confidential information, or set up and run other services, such as open mail relays. Please refer to CERT Incident Note IN-2003-03, "W32/Sobig.F Worm", for more information.

The CERT/CC is not aware of any continued activity related to the "second phase" of the worm's operation as described in the Incident Note, but encourages users who are still compromised to take action to recover their systems.

The CERT/CC strongly encourages users to install anti-virus software and keep its virus signature files up to date. You may also wish to visit the CERT/CC's computer virus resources page.

W32/Welchia Worm
added August 18 | updated August 18

The CERT/CC has received reports of a new worm targeting systems vulnerable to the same vulnerability as W32/Blaster. This worm, known alternately as "W32/Welchia", "W32/Nachi", or "WORM_MS_BLAST.D", has been reported to

The greatest impact of this worm appears to be the potential for denial-of-service conditions within an organization due to high levels of ICMP traffic. Sites are encouraged to apply the patch from Microsoft described in MS03-026 and apply network filters as necessary to reduce the impact of this worm. Sites can find specific information on how to recover a system which has been compromised by W32/Welchia by consulting an anti-virus vendor. The CERT/CC maintains a partial list of anti-virus vendors.

We are tracking this activity as incident CERT#33546, and are interested in receiving reports thereof. Relevant artifacts or activity can be sent to cert@cert.org with "CERT#33546" in the subject line.

W32/Blaster Worm
added August 11 | updated August 15

The CERT/CC continues to receive reports of systems being compromised by a new worm referred to as "W32/Blaster" or "W32/Lovsan". This activity is related to a recently discovered vulnerability in the Microsoft Remote Procedure Call (RPC) service. Microsoft has produced a patch for this vulnerability, which can be found at MS03-026. The CERT/CC has produced an advisory addressing this issue; please refer to CERT Advisory CA-2003-20, "W32/Blaster worm".

Sites are strongly encouraged to apply the patch and block access to systems with open Microsoft RPC ports (135, 139, 445). Additionally, the CERT/CC strongly encourages users to install anti-virus software and keep its virus signature files up to date. You may also wish to visit the CERT/CC's computer virus resources page.

Exploitation of Microsoft RPC Vulnerabilities
added July 31 | updated August 15

The CERT/CC continues to receive reports of systems being compromised through two recently discovered vulnerabilities in the Microsoft Remote Procedure Call (RPC) service. Additionally, the CERT/CC has received reports of widespread scanning for systems with open Microsoft RPC ports (135, 139, 445). The W32/Blaster worm (mentioned above) is just one example of this scanning and exploitation.

We are currently seeing reports involving two separate vulnerabilities. The first vulnerability is described in CA-2003-16 (VU#568148) and is resolved by applying the patches found in MS03-026. The second, a denial-of-service vulnerability, is described in CA-2003-19 (VU#326746); Microsoft is currently working on a patch to resolve this issue.

Note: The W32/Blaster worm will trigger a denial-of-service vulnerability in multiple implementations of the Distributed Computing Environment (DCE). This vulnerability is described in VU#377804.

Sites are encouraged to block access from outside their network perimeter, specifically by blocking access to TCP and UDP ports 135, 139, and 445. This will limit exposure to attacks. However, blocking at the network perimeter alone still allows attackers already inside the perimeter (including infected hosts) to exploit the vulnerability, so the patch is required on every affected system.

The CERT/CC is tracking activity related to exploitation of the first vulnerability (VU#568148) as CERT#27479 and the second vulnerability (VU#326746) as CERT#24523. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line.

Attempts To Exploit Cisco IOS Interface Blocked Vulnerabilities (VU#411332)
added July 18

The CERT/CC has received reports of activity consistent with attempts to exploit the Cisco IOS Interface Blocked Vulnerabilities described in CERT Advisories CA-2003-15 and CA-2003-17. To date, we are unaware of any sites whose operations have been interrupted by these attempts. Sites are strongly encouraged to read these two advisories and take any actions necessary to protect their networks.
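The scanning for Microsoft RPC ports, the ICMP load attributed to W32/Welchia, and the rise in 554/tcp traffic noted above all show up in ordinary flow or firewall logs before anti-virus signatures do. The script below is an added example of that triage and is not CERT/CC code. It assumes a constructed one-line-per-flow log format ("epoch proto src dst dport", with the ICMP type in the port column for icmp), a constructed per-port baseline, and the hypothetical thresholds shown; the sample log is made up for the example.

```python
"""Flow-log triage for the activity in this bulletin: hosts sweeping the
Microsoft RPC ports (135/139/445 tcp), hosts sending ICMP echo requests
across a network (the W32/Welchia pattern), and a port whose traffic
suddenly exceeds its baseline (e.g. 554/tcp).

Added example, not CERT/CC code. The log format
"<epoch> <proto> <src> <dst> <dport-or-icmp-type>" is an assumption made
for this example; adapt parse_flow() to a real NetFlow or firewall export.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

RPC_PORTS = {135, 139, 445}   # ports named in the Blaster/RPC entries
ICMP_ECHO_REQUEST = 8         # ICMP type carried in the dport column


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int   # destination port; for icmp, the ICMP type


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; blank lines and '#' comments yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, proto, src, dst, dport = line.split()
    return Flow(int(ts), proto.lower(), src, dst, int(dport))


def parse_log(text: str) -> List[Flow]:
    return [f for f in map(parse_flow, text.splitlines()) if f is not None]


def find_rpc_scanners(flows: Iterable[Flow], min_targets: int = 20) -> Dict[str, int]:
    """Sources that contacted >= min_targets distinct hosts on 135/139/445 tcp.

    Distinct destinations are counted rather than flows, so a busy but
    legitimate client talking to one file server is not reported.
    """
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport in RPC_PORTS:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_icmp_sweepers(flows: Iterable[Flow], min_targets: int = 20) -> Dict[str, int]:
    """Sources sending ICMP echo requests to >= min_targets distinct hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "icmp" and f.dport == ICMP_ECHO_REQUEST:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def port_spikes(flows: Iterable[Flow], baseline: Dict[int, int],
                factor: int = 5, min_flows: int = 10) -> Dict[int, int]:
    """TCP/UDP ports whose flow count exceeds factor x baseline and min_flows.

    A port missing from the baseline has a baseline of 0, so min_flows is
    what keeps a single stray connection from being reported.
    """
    counts = Counter(f.dport for f in flows if f.proto in ("tcp", "udp"))
    return {port: n for port, n in counts.items()
            if n >= min_flows and n > factor * baseline.get(port, 0)}


def triage(text: str, baseline: Dict[int, int]) -> dict:
    flows = parse_log(text)
    return {
        "rpc_scanners": find_rpc_scanners(flows),
        "icmp_sweepers": find_icmp_sweepers(flows),
        "port_spikes": port_spikes(flows, baseline),
    }


# Constructed sample log (not real traffic): one host sweeping 135/tcp across
# a /24, one host pinging another /24, a normal SMB client, and a burst of
# RTSP clients hitting one media server.
SAMPLE_LOG = "\n".join(
    ["# ts proto src dst dport"]
    + [f"1060600000 tcp 10.0.0.5 10.0.1.{i} 135" for i in range(1, 31)]
    + [f"1060600010 icmp 10.0.0.9 10.0.2.{i} 8" for i in range(1, 41)]
    + ["1060600020 tcp 10.0.0.7 10.0.1.1 445",
       "1060600021 tcp 10.0.0.7 10.0.1.1 445"]
    + [f"1060600030 tcp 192.0.2.{i} 10.0.3.3 554" for i in range(1, 16)]
)

# Constructed baseline: typical flow counts per port for a comparable window.
BASELINE = {135: 40, 445: 50, 554: 2}

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG, BASELINE).items():
        print(f"{key}: {hits}")
```

On the constructed log the RPC sweep and the ICMP sweep are each attributed to a single source, while 554/tcp is reported as a spike and 135/tcp is not, because thirty flows to that port is within its baseline. The thresholds are starting points; the perimeter blocking recommended above does nothing for these internal sources, which is why the check is run on internal flow data.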