Current Activity Calendar
December 23, 2003 - Current Activity

This is an archived copy of the current activity page as of that date.
W32/Mimail Variants added November 19

The CERT/CC has received reports of several new variants of the 'Mimail' worm. The most recent variant of the worm (W32/Mimail.J) arrives as an email message alleging to be from the Paypal financial service, requesting that the recipient 'verify' their account information to prevent the suspension of their Paypal account. Attached to the email is an executable file which captures this information (if entered) and re-mails it to a number of email addresses.

The CERT/CC strongly encourages users to use caution and discretion when disclosing personal information. Verify the identity of the requestor and the validity of the request, and understand the potential risks if this information is compromised. The CERT/CC also encourages users to install anti-virus software and keep its virus signature files up-to-date. You may also wish to visit the CERT/CC's computer virus resources page.

W32/Swen.A Worm added September 19

The CERT/CC has received reports of a new mass-emailing worm, referred to as "W32/Swen.A" or "W32/Gibe.F". This worm is similar to W32/Gibe.B in function. The worm has been reported to propagate through email, network shares, and file-sharing networks such as KaZaA and IRC. It arrives as an attachment. The subject, body, and From: address vary, but often claim to be a Microsoft Internet Explorer Update or a delivery failure notice from qmail. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds on the system. Additionally, this worm attempts to terminate numerous security product processes on the system.

The CERT/CC strongly encourages users to install anti-virus software and keep its virus signature files up-to-date. You may also wish to visit the CERT/CC's computer virus resources page.
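Both worms described above reach the user as an executable email attachment behind a spoofed From: line and a plausible pretext (an account "verification", a vendor update, a bounce notice). A mail gateway that quarantines any message carrying an executable attachment removes the delivery vehicle regardless of the pretext. The following is an added example, not CERT/CC code: it parses a raw message with Python's standard email module and reports attachments whose filename ends in an executable extension. The extension list is an assumed local policy, and the sample messages are constructed placeholders, not worm samples.

```python
"""Gateway-style screening for executable email attachments (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Assumed local policy: attachment extensions the gateway should never pass through.
# Checked with endswith(), so double extensions such as "report.txt.scr" are also caught.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def executable_attachments(raw_message: bytes) -> list:
    """Return filenames of all attachments in raw_message with an executable extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() looks at Content-Disposition first, then Content-Type name=
        filename = part.get_filename()
        if not filename:
            continue  # multipart container or inline body text
        lowered = filename.lower()
        if any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            hits.append(filename)
    return hits


def should_quarantine(raw_message: bytes) -> bool:
    """Quarantine decision: any executable attachment is enough, whatever the sender claims."""
    return bool(executable_attachments(raw_message))


def build_sample(sender: str, subject: str, attachment_name: str = None) -> bytes:
    """Constructed test message (placeholder bytes, not a real sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    if attachment_name:
        msg.add_attachment(b"\x00\x01placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("service@paypal.example", "Verify your account", "verify.exe"),
        build_sample("update@example.net", "Internet Explorer Update", "q123456.txt.scr"),
        build_sample("colleague@example.com", "Meeting minutes", "minutes.txt"),
    ]
    for raw in samples:
        print(should_quarantine(raw), executable_attachments(raw))
```

The decision deliberately ignores the From: header and subject: both are attacker-controlled and vary between variants, while the attachment type is the one property the worm cannot change without losing its ability to run.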
Exploitation of Microsoft RPC Vulnerabilities added July 31 | updated August 15

The CERT/CC continues to receive reports of systems being compromised by two recently discovered vulnerabilities in the Microsoft Remote Procedure Call (RPC) service. Additionally, the CERT/CC has received reports of widespread scanning for systems with open Microsoft RPC ports (135, 139, 445). The W32/Blaster worm (mentioned above) is just one example of this scanning and exploitation.

We are currently seeing reports involving two separate vulnerabilities. The first vulnerability is described in CA-2003-16 (VU#568148) and is resolved by applying patches found in MS03-026. The second, a denial-of-service vulnerability, is described in CA-2003-19 (VU#326746). Microsoft is currently working on a patch to resolve this issue.

Note: The W32/Blaster worm will trigger a denial-of-service vulnerability in multiple implementations of the Distributed Computing Environment (DCE). This vulnerability is described in VU#377804.

Sites are encouraged to block access from outside their network perimeter, specifically by blocking access to TCP and UDP ports 135, 139, and 445. This will limit exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of the network to exploit the vulnerability.

The CERT/CC is tracking activity related to exploitation of the first vulnerability (VU#568148) as CERT#27479 and the second vulnerability (VU#326746) as CERT#24523. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line.
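Once ports 135, 139 and 445 are blocked at the perimeter, the firewall's deny log becomes a direct view of the scanning the advisory describes. The following is an added example, not CERT/CC code: it parses constructed deny-log lines in a simplified, vendor-neutral format (assumed for this example), groups hits on the RPC ports by source address, and flags sources that touched many distinct destinations, which is the signature of a scan rather than a misconfigured client. The threshold is an assumed local tuning value; the addresses and timestamps are constructed.

```python
"""Flag sources scanning for Microsoft RPC ports in perimeter deny logs (added example)."""
import re
from collections import defaultdict

RPC_PORTS = {135, 139, 445}
SCAN_THRESHOLD = 5  # assumed tuning: distinct destinations before a source is flagged

# Assumed, simplified log line shape (not any vendor's real format):
#   "<timestamp> DENY <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Parse one deny-log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "proto": m["proto"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def rpc_hits_by_source(lines):
    """Map source IP -> set of distinct destinations it probed on RPC ports."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in RPC_PORTS:
            continue  # unparseable line or traffic to a port we are not watching
        targets[rec["src"]].add(rec["dst"])
    return targets


def rpc_scanners(lines, threshold: int = SCAN_THRESHOLD) -> dict:
    """Return {source_ip: distinct_destination_count} for sources at or above threshold."""
    return {src: len(dsts)
            for src, dsts in rpc_hits_by_source(lines).items()
            if len(dsts) >= threshold}


# Constructed sample log: one host sweeping port 135 across a subnet, one host
# touching two machines, one unrelated HTTP deny, and one malformed line.
SAMPLE_LOG = [
    "2003-08-12T10:00:01 DENY TCP 198.51.100.7:3312 -> 192.0.2.10:135",
    "2003-08-12T10:00:01 DENY TCP 198.51.100.7:3313 -> 192.0.2.11:135",
    "2003-08-12T10:00:02 DENY TCP 198.51.100.7:3314 -> 192.0.2.12:135",
    "2003-08-12T10:00:02 DENY TCP 198.51.100.7:3315 -> 192.0.2.13:135",
    "2003-08-12T10:00:03 DENY TCP 198.51.100.7:3316 -> 192.0.2.14:135",
    "2003-08-12T10:00:03 DENY TCP 198.51.100.7:3317 -> 192.0.2.14:135",
    "2003-08-12T10:00:04 DENY TCP 198.51.100.7:3318 -> 192.0.2.15:445",
    "2003-08-12T10:01:00 DENY TCP 203.0.113.9:4001 -> 192.0.2.10:445",
    "2003-08-12T10:01:00 DENY UDP 203.0.113.9:4002 -> 192.0.2.11:445",
    "2003-08-12T10:02:00 DENY TCP 203.0.113.9:4003 -> 192.0.2.10:80",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for src, count in sorted(rpc_scanners(SAMPLE_LOG).items()):
        print(f"{src} probed {count} distinct hosts on RPC ports")
```

Counting distinct destinations rather than raw hits keeps a single chatty host that repeatedly retries one server below the threshold, while a sweep across the address space rises above it quickly. As the advisory notes, perimeter blocking does nothing for hosts already inside; running the same logic over internal segment logs is what catches an infected internal machine scanning its neighbours.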