US-CERT Current Activity
March 29, 2004 - Current Activity

    This is an archived copy of current activity for March 29, 2004.

    New:
      Exploit for Cisco vulnerabilities released
      Witty Worm
      Phatbot Trojan
    Updated:
      Many variants of W32/Beagle malicious code
      Many variants of W32/Netsky malicious code
      Many variants of W32/MyDoom malicious code

    Exploit for Cisco vulnerabilities released
    added March 27

    Exploit code has been publicly released that takes advantage of multiple, previously disclosed vulnerabilities in various Cisco products. According to the Cisco advisory, these vulnerabilities have already been addressed and patches or workarounds are available.

    US-CERT strongly encourages sites running the affected Cisco products to confirm that the patches or workarounds from the Cisco advisory have actually been applied, since public exploit code makes exploitation of any remaining unpatched devices considerably more likely.


    Witty Worm
    added March 20 | updated March 22

    US-CERT is aware of a worm known as "Witty". Witty exploits a vulnerability in the ICQ parser of ISS's Protocol Analysis Module. Systems running ISS BlackICE, RealSecure or Proventia products are affected by the ICQ parser vulnerability; however, the worm only targets systems running certain versions of the BlackICE and RealSecure products, and according to ISS, Proventia products are not affected by this worm. Systems with auto-update enabled may have already received the patch for this vulnerability. Witty infects machines by sending a single UDP packet with a source port of 4000/udp to a random destination port on a randomly chosen target system; because the exploit travels in one datagram, no connection setup is needed and a vulnerable host can be infected by one unsolicited packet. Exploitation results in the overwriting of random sectors on the hard disk, corrupting data on the infected system. For more information about the ISS ICQ parser vulnerability, please refer to the following Vulnerability Note:

    US-CERT strongly encourages users to install and maintain anti-virus software as well as patch their systems to prevent exploitation of vulnerabilities. Because the worm's packets always carry source port 4000/udp, sites can also filter inbound UDP traffic with that source port at the perimeter, keeping in mind that legitimate ICQ server replies use the same source port and would be blocked as well.

    You may also wish to visit the US-CERT's computer virus resources page.
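    Witty's packets always carry source port 4000/udp but go to random addresses and ports, so the useful network-level signal is fan-out from one source rather than the port alone. The following detector is an added example, not code from the US-CERT page or from ISS: it runs that check over constructed flow records. The record layout, the 5-second window and the 5-target threshold are assumptions for the example, and the two non-Witty sources in the sample (an ICQ server answering from 4000/udp, and a resolver fanning out on 53/udp) are there to show what the threshold is meant to separate.

```python
from collections import defaultdict

# Constructed flow records (not real captures), shaped like NetFlow summaries:
# (seconds, src_ip, dst_ip, proto, src_port, dst_port)
SAMPLE_FLOWS = [
    # Assumed infected BlackICE host: fixed source port 4000/udp, random targets
    (0.10, "10.1.1.5", "203.0.113.7", "udp", 4000, 51234),
    (0.15, "10.1.1.5", "198.51.100.88", "udp", 4000, 2201),
    (0.20, "10.1.1.5", "192.0.2.33", "udp", 4000, 60111),
    (0.25, "10.1.1.5", "203.0.113.200", "udp", 4000, 1337),
    (0.30, "10.1.1.5", "198.51.100.3", "udp", 4000, 44321),
    (0.35, "10.1.1.5", "192.0.2.250", "udp", 4000, 9),
    (0.40, "10.1.1.5", "203.0.113.7", "udp", 4000, 17),      # repeat target, new port
    # Assumed ICQ server answering its own two clients from 4000/udp
    (0.30, "198.51.100.20", "192.0.2.10", "udp", 4000, 1045),
    (1.10, "198.51.100.20", "192.0.2.11", "udp", 4000, 1062),
    (2.05, "198.51.100.20", "192.0.2.10", "udp", 4000, 1045),
    (3.40, "198.51.100.20", "192.0.2.11", "udp", 4000, 1062),
    # Noise: TCP with port 4000, and a resolver fanning out on 53/udp
    (0.50, "10.1.1.9", "198.51.100.20", "tcp", 4000, 80),
    (0.60, "10.1.1.53", "192.0.2.1", "udp", 53, 53),
    (0.61, "10.1.1.53", "192.0.2.2", "udp", 53, 53),
    (0.62, "10.1.1.53", "192.0.2.3", "udp", 53, 53),
    (0.63, "10.1.1.53", "192.0.2.4", "udp", 53, 53),
    (0.64, "10.1.1.53", "192.0.2.5", "udp", 53, 53),
    (0.65, "10.1.1.53", "192.0.2.6", "udp", 53, 53),
]

WITTY_SOURCE_PORT = 4000


def witty_suspects(flows, window=5.0, min_targets=5):
    """Return the sorted list of source addresses that, within any `window`
    seconds, sent UDP datagrams from source port 4000 to at least
    `min_targets` distinct destination hosts.

    Witty's signature is the fixed 4000/udp source port combined with random
    destination addresses and ports, so the discriminator is fan-out, not the
    port alone: an ICQ server also talks from 4000/udp, but to a small,
    repeating set of its own clients. The window and threshold are assumed
    values for this example; tune them to the site's traffic."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, sport, dport in flows:
        if proto == "udp" and sport == WITTY_SOURCE_PORT:
            by_src[src].append((ts, dst))

    suspects = []
    for src, events in by_src.items():
        events.sort()
        # slide a window forward from each event; distinct hosts, not packets
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                suspects.append(src)
                break
    return sorted(suspects)


if __name__ == "__main__":
    for src in witty_suspects(SAMPLE_FLOWS):
        print(f"possible Witty infection: {src} sprayed UDP from source port 4000")
```

    Lowering `min_targets` to 2 would also flag the ICQ server in the sample, which is the trade-off to keep in mind when tuning: the fan-out threshold, not the port match, is what keeps an ICQ server out of the alert.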


    Phatbot Trojan
    added March 17 | updated March 18

    US-CERT is aware of a Trojan known as "Phatbot". Phatbot is an IRC bot with characteristics and functionality similar to Agobot. Only systems running Microsoft Windows have been reported to be infected; however, this malicious code may affect other operating systems. Phatbot can propagate using several methods. It scans for NetBIOS shares and attempts to use common username and password combinations to gain access to the remote machine. Phatbot can also propagate by exploiting unpatched vulnerabilities in the Microsoft Windows operating system, including vulnerabilities in WebDAV, DCOM, and the Windows Workstation service. These vulnerabilities may be related to the following Vulnerability Notes:

    It also has the ability to infect a system by taking advantage of the backdoor installed when a system is infected with W32/MyDoom, and by exploiting a vulnerability in DameWare.

    Once a system is infected, Phatbot will attempt to join an existing IRC channel or P2P network. An attacker can control infected systems by issuing commands to this IRC channel or by sending messages to this P2P network. Phatbot contains an extensive list of commands that provide control over the victim's system. Affected systems allow the remote user full access to the file system and the ability to execute arbitrary code on the victim's system. Additionally, Phatbot will attempt to terminate a large number of security-related processes (e.g., firewall, anti-virus) and also attempts to terminate instances of other Trojans that have already infected the victim's system (e.g., MSBlast, Welchia, Sobig.F). Because it disables host security software, a system on which anti-virus or firewall processes have unexpectedly stopped should be treated as possibly compromised rather than simply restarted.

    US-CERT strongly encourages users to install and maintain anti-virus software as well as patch their systems to prevent exploitation of the listed vulnerabilities.

    You may also wish to visit the US-CERT's computer virus resources page.


    Many variants of W32/Beagle malicious code
    added January 20 | updated March 27

    US-CERT continues to receive reports of new variants of the W32/Beagle mass-mailing virus. The most recent variant is W32/Beagle.U (discovered on March 26th).

    W32/Beagle arrives as an attachment to an email message containing a From: address that is spoofed to hide the identity of the sender. The virus is included as an attachment to this email message; often as an executable file (.EXE, .SCR), or more recently, as a password protected archive file (.ZIP, .RAR) containing the executable file. The password for the archive file is included in the body of the message. To be infected by variants arriving in an archive file, a user must open the .ZIP or .RAR archive, enter the password from the body of the email, extract the .EXE file, and then open it.

    Some variants of W32/Beagle are known to open a backdoor on an infected system (2556/tcp, 2745/tcp, 6667/tcp or 8866/tcp).

    US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password protected archive files so users must use discretion when opening archive files and should scan files once extracted from an archive.
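    A mail gateway cannot decrypt a password-protected archive, but in a ZIP file the central directory, including every entry name and the per-entry encryption flag, is stored in cleartext, so the gateway can still tell that a locked archive contains an .EXE or .SCR without knowing the password. The following script is an added example, not code from US-CERT or from any anti-virus vendor: it builds constructed sample archives in memory (the "encrypted" one only has the header flag set, since the check never reads entry bodies) and classifies them from the headers alone. The extension list and the quarantine policy are assumptions for the example.

```python
import io
import struct
import zipfile

# Extensions the advisories name for Beagle (.EXE, .SCR) and Netsky (.PIF),
# plus two more Windows executable types; assumed policy list for this example.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")

LOCAL_SIG = b"PK\x03\x04"     # local file header signature
CENTRAL_SIG = b"PK\x01\x02"   # central directory entry signature
ENCRYPTED_FLAG = 0x0001       # bit 0 of the general-purpose flag word


def build_archive(names, encrypted=False):
    """Constructed test data: a small stored ZIP holding the given entry names.

    With encrypted=True the encryption bit is set in every local and central
    header, exactly where a password-protected ZIP from a real archiver has
    it. The entry bodies are left in clear because inspect_attachment() never
    reads them; only the headers matter for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"placeholder body for " + name.encode())
    data = bytearray(buf.getvalue())
    if encrypted:
        # the flag word sits at +6 in a local header and +8 in a central entry
        for sig, offset in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
            pos = data.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + offset)
                struct.pack_into("<H", data, pos + offset, flags | ENCRYPTED_FLAG)
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


def inspect_attachment(data):
    """Classify an attachment from its ZIP headers alone, without extracting.

    Returns {"is_zip", "encrypted", "executables"}. Entry names live in the
    central directory in cleartext even when the archive is password
    protected, so an .exe or .scr inside a locked ZIP is still visible here."""
    report = {"is_zip": False, "encrypted": False, "executables": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    report["is_zip"] = True
    with zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                report["encrypted"] = True
            if info.filename.lower().endswith(EXEC_EXTENSIONS):
                report["executables"].append(info.filename)
    return report


def verdict(report):
    """Assumed gateway policy for this example: quarantine what the AV engine
    cannot see into, and send extracted executables to the scanner."""
    if report["encrypted"] and report["executables"]:
        return "quarantine"        # the Beagle pattern: locked ZIP with an .exe inside
    if report["encrypted"]:
        return "hold-for-review"   # locked, contents unknown to the scanner
    if report["executables"]:
        return "scan-extracted"    # scan the executable itself, not just the container
    return "pass"


if __name__ == "__main__":
    for names, enc in ((["notes.txt"], False), (["photo.scr"], True)):
        rep = inspect_attachment(build_archive(names, enc))
        print(names, "encrypted" if rep["encrypted"] else "clear", verdict(rep))
```

    The same header-only approach does not cover RAR archives, which Beagle also uses; those need a RAR-aware parser, and a gateway that cannot inspect an archive type at all should treat it under the "hold-for-review" branch rather than passing it through.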

    You may also wish to visit the US-CERT's computer virus resources page.


    Many variants of W32/Netsky malicious code
    added February 18 | updated March 25

    US-CERT continues to receive reports of new variants of the W32/Netsky mass-mailing virus. The most recent variant is W32/Netsky.P (discovered on March 10th).

    W32/Netsky arrives as an attachment to an email message containing a From: address that is spoofed to hide the identity of the sender. The Subject and Body of the email message are randomly selected from a fixed list of strings. The attachment has a .PIF file extension with a file name selected from a fixed list of strings. Upon opening the attachment, the virus scans certain files on the user's system collecting email addresses and then attempts to mail itself to all email addresses it found. It has also been reported that certain variants of the virus will generate audible PC speaker beeps with varying pitches and rhythms. The newest variant has been reported to exploit a known vulnerability in Internet Explorer (VU#980499) to automatically execute the attachment in certain mail clients when the message is merely viewed, so on an unpatched system the user need not open the attachment at all.

    Please see US-CERT Incident Note IN-2004-02 for more information.

    US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

    You may also wish to visit the US-CERT's computer virus resources page.


    Many variants of W32/MyDoom malicious code
    added January 26 | updated March 18

    US-CERT continues to receive reports of new variants of the W32/MyDoom virus. The most recent variant is W32/MyDoom.H (discovered on March 3rd).

    Many of these variants open backdoors on an infected system (on ports 3127/tcp, 3176/tcp or 1080/tcp) which allow the virus to download and execute arbitrary code. Some of the newer variants scan for and use the backdoors on previously infected systems to re-infect them, and other malicious code (Phatbot, described above) uses the same backdoor as an entry point. These backdoors can also be used by an attacker to gain access to the system, so a host found listening on one of these ports should be investigated even after the original infection has been cleaned.
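    The backdoor ports listed for W32/Beagle above (2556, 2745, 6667, 8866/tcp) and for W32/MyDoom here (3127, 3176, 1080/tcp) give a network team something concrete to sweep for. The following script is an added example, not code from US-CERT: it checks a list of hosts for TCP listeners on those ports, and demonstrates itself offline against a constructed loopback listener. Note that 6667/tcp and 1080/tcp are also ordinary IRC and SOCKS ports, so a hit there is a lead to verify, not a verdict. The host list, timeout and port-to-family labels are assumptions for the example.

```python
import socket

# Backdoor ports named in the Beagle and MyDoom entries on this page. Two of
# them are shared with common services, which the labels call out.
BACKDOOR_PORTS = {
    2556: "W32/Beagle",
    2745: "W32/Beagle",
    6667: "W32/Beagle (also plain IRC)",
    8866: "W32/Beagle",
    1080: "W32/MyDoom (also the standard SOCKS port)",
    3127: "W32/MyDoom",
    3176: "W32/MyDoom",
}


def open_ports(host, ports, timeout=0.5):
    """Return the subset of `ports` that accept a TCP connection on `host`.

    A full connect() is used rather than a SYN probe so the sweep runs
    unprivileged; each socket is closed as soon as the handshake completes."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:          # refused, timed out, unreachable
                continue
            found.append(port)
    return found


def sweep(hosts, ports=BACKDOOR_PORTS, timeout=0.5):
    """Map each host to {port: label} for the backdoor ports found listening."""
    return {host: {p: ports[p] for p in open_ports(host, ports, timeout)}
            for host in hosts}


def demo_listener():
    """Constructed stand-in for an infected host: a listener on an ephemeral
    loopback port so the sweep can be exercised offline. Returns the socket;
    the port is srv.getsockname()[1]."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def closed_port():
    """Constructed negative case: a loopback port that was bound and released,
    so a connect() to it is refused immediately."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = demo_listener()
    demo_port = srv.getsockname()[1]
    # sweep loopback for the real backdoor ports plus the demo listener
    ports = {**BACKDOOR_PORTS, demo_port: "demo listener (constructed)"}
    for host, hits in sweep(["127.0.0.1"], ports).items():
        for port, label in hits.items():
            print(f"{host}:{port} listening - {label}")
    srv.close()
```

    Against a real subnet, pass the address list to `sweep()` and treat every hit as a host to pull off the network and examine; on 6667/tcp and 1080/tcp, check first whether an IRC server or SOCKS proxy is actually supposed to be there.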

    Some variants search for and may delete files with certain extensions (.mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp).

    During certain time periods, some variants may perform a Denial of Service (DoS) attack against certain websites.

    The many variants of W32/MyDoom typically arrive as an email message with an attachment. In addition to email propagation, the virus attempts to spread through peer-to-peer file sharing networks by copying itself into directories typically used by file sharing software.

    More information on early variants of W32/MyDoom is available in US-CERT Incident Note IN-2004-01 and US-CERT Advisory CA-2004-02.

    US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

    You may also wish to visit the US-CERT's computer virus resources page.