The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – Musings on the Internet Explorer 0-day vulnerability

Handler’s Diary November 30th 2005

Musings on the Internet Explorer 0-day vulnerability (NEW)

Published: 2005-11-30,
Last Updated: 2005-11-30 17:16:11 UTC by Scott Fendley (Version: 1)
So are any of you like me with regard to the Internet Explorer vulnerability mentioned last week http://isc.sans.org/diary.php?storyid=874? I know that I am watching and waiting to see if Microsoft is going to release an out of cycle patch, or wait for December 13th patch day. If I were a gambler, I might actually bet on Microsoft releasing it early.

Why do I think this way? Well…. Glad you asked.

Yesterday, Microsoft updated the advisory located at KB911302 with a couple of tidbits. First, they made mention of both Proof of Conecept and malicious software which appear to be targeting the reported vulnerability. Second, they also mention the Windows Live Safety Center where end users can scan and remove any malicious software and variants that may be running around now.

Throwing in that Microsoft has on occasion released out-of-cycle patches (June 2004 is a case in point in my mind), then I think it is a safe bet that Microsoft will take appropriate steps to fix the problem as quickly as possible. In the meantime there are 2 things I can continue to suggest.

1) Be vigilant. Know that a patch will be forthcoming hopefully within the next 2 weeks and be ready to deploy quickly.

2) If your organization can operate with one of the workarounds Microsoft has mentioned in KB911302, then I recommend mitigating your risk as much as possible. We all have at least one person who is a litle too…uhm…liberal with browsing the Internet on company time. Think about it, that very person is probably shopping for Christmas* presents right now on less-than-secure sites. SO….I would suggest doing those workarounds to that computer first. 🙂

* For those that celebrate other holidays in December than Christmas, this statement is not meant to be offensive in any shape or form, or otherwise slight your holiday of choice.

November 30, 2005 Posted by | Antivirus News, Security News | Leave a comment

Microsoft Security Advisory Notification – Security Advisory (911302) – Updated 11/29/05

**********************************

Title: Microsoft Security Advisory Notification

Issued: November 29, 2005

**********************************

Security Advisory Updated Today

==============================================

* Security Advisory (911302)

– Title: Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects Could Allow Remote Code Execution.

– Reason For Update: Added information regarding proof of concept code, malicious software, and reference to Windows Live Safety Center.

– Web site: http://go.microsoft.com/fwlink/?LinkId=56599

November 30, 2005 Posted by | Antivirus News, Security News | Leave a comment

CME-473: Beagle/Bagle worm variant (11/22/2004)

CME-473: Beagle\Bagle worm variant

Date added to list: 11/22/2004

Aliases:

Removal Tools:

Virus Characteristics(from sources above):

  1. Creates these files :
    • %System%\wingo.exe
    • %System%\wingo.exeopen
    • %System%\wingo.exeopenopen
  2. May also create these files:
    • %System%\wingo.exeopenopenopen
    • %System%\wingo.exeopenopenopenopen
  3. Creates the following Registry key
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
      Run “wingo” = C:\WINNT\SYSTEM32\WINGO.EXE
  4. Adds the value
    • “Timekey” = “[Random variables]” to HKEY_CURRENT_USER\Software\Microsoft\Params
  5. Termitates processes of security programs
  6. Tries to download and run that %System%\re_file.exe file from various websites coded into the virus.
  7. Searches the hard disk for folders containing the string “shar” and copies various files that are infected with the virus as to spread through peer-to-peer networks
  8. Tries to stop operating system services:
    • SharedAccess” – Internet Connection Sharing
    • “wscsvc” – MS security center
  9. Opens backdoors on TCP port 81
  10. Deletes values from the Run section of the Registry, pertaining to certain security programs, to prevent them from running at startup
  11. Searches for e-mail addresses contained in various files located on infected computer.
  12. Use its own built in SMTP server to send e-mails with spoofed addresses that it found on the infected computer, but skipping some with that contain certain strings. These e-mails have a .com, .cpl, .exe, or, . scr file extension and are infected by the virus.
  13. Also deletes registry entires related to the Netsky virus, and creates mutexes to keep that virus from running and to keep multiple copies of itself from running.

Trend Micro Behavior Diagram
Trend Micro Behavior Diagram

Please report in errors or broken links in the comments section.

November 29, 2005 Posted by | CME Listings | Leave a comment

SANS – Internet Storm Center – DoS Exploit for MS05-053 released

This has “virus outbreak” written all over it.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System

Handler’s Diary November 29th 2005

DoS Exploit for MS05-053 released (NEW)

Published: 2005-11-29,
Last Updated: 2005-11-29 13:46:54 UTC by Pedro Bueno (Version: 1)

Today we received some alerts about exploits for MS05-053 that have been released and can be found on specialized websites.
This exploit claims to cause a DoS condition when viewing a special file on IE.

from the code:
“The crafted metafile from this code when viewed in internet explorer raises the CPU utilization to 100%. The code was tested on Windows 2000 server SP4. The issue does not occur with the hotfix for GDI (MS05-053) installed”

Did I say PATCH yet?
Go on…

———————————————
Pedro Bueno ( pbueno //&&// isc. sans. org)

November 29, 2005 Posted by | Security News | Leave a comment

What this blog is all about.

Welcome to The Antivirus Guy Blog.

I have started the blog for a couple of reasons, but primarily it is to provide a place for “one stop shopping” for antivirus information.

I would also like to provide some of the infromation that is missing from the Common Malware Enumeration (CME) site, like the links to the actual virus descriptions in each of the CME identifiers and maybe some more detail on exactly what each virus does. A post on the Internet Storm Center, shows just what I am talking about.

I will also try to provide timely information on worldwide virus outbreaks. Who is seeing what virus where, and any information I can find on how to stop it until dat files from antivirus vendors can be released.

Hopefully you will find this blog in your fight against malware in the future. Feel free to post comments at any time.

Thanks,
The Antivirus Guy

November 28, 2005 Posted by | Uncategorized | Leave a comment