The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – What’s the threat? And who is noticing it? Nyxem_e versus CME 508

 What’s the threat? And who is noticing it? Nyxem_e versus CME 508

Published: 2006-01-22,
Last Updated: 2006-01-22 20:00:45 UTC by Patrick Nolan (Version: 4(click to highlight changes))

CME 508 does not threaten like Nyxem_e, on February 3rd and every third day of the month thereafter Nyxem.E will destroy users work (see F-Secure’s blog) when the worm activates and replaces “the content of user’s files with a text string “DATA Error [47 0F 94 93 F4 K5]”. Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP” “on all available drives”, and yes, available = shared drives.

fwiw, I look at published email malware statistics daily, both Nyxem_e and CME 508 are approximately the same in volume reports, and nowhere near sober was last year as far as raw numbers go. But Nyxem.E has legs, it’s more like a centipede than a worm, and it’s not likely to drop off the radar soon, certainly not before the 3rd of February.

The Handlers diary previously referenced Nyxem.E in More on Blackmal/Grew/Nyxem (file deletion payload.
Source info – see the F-Secure Virus Information Pages : Nyxem.E

The vendors below do not mention the destruction of user work, as of the checking I just did, ymmv.
Also Known As: 

WORM_GREW.{A, B} [Trend Micro],
“It gathers email addresses from files with the following extension names:

DMP
DOC
MDB
MDE
PDF
PPS
PPT
PSD
RAR
XLS
ZIP”.

W32.Blackmal.E@mm Symantec

W32/Nyxem-D [Sophos],

W32/MyWife.d@MM  [McAfee],

W32/Grew.A!wm (Fortinet),

W32/Small.KI@mm [Norman],

Win32/Blackmal.F [Computer Associates]

Tearec.A Panda

UPDATE
The CME reference is difficult but not impossible to follow. I’m reading CME links which show “Latest CME Identifiers CME-508“, however, that last 508 link has english that says the newest CME-ID is “CME-503  – Date Assigned 2006-01-20”. In any event I base my comment that “CME-508” is not a threat because I interpret vendor malware write-ups mentioning CME 503 as the “new” threat called CME-508 at cme.mitre.org. The vendors are listing 503, none are using 508 ……

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

January 23, 2006 Posted by | Administrative | Leave a comment

SANS – Internet Storm Center – Apple QuickTime and iTunes continued

Apple QuickTime and iTunes continued(NEW)

Published: 2006-01-14,
Last Updated: 2006-01-14 02:11:18 UTC by Swa Frantzen (Version: 1)
Apple seems to hit a rough spot in the road with their latest patches.

iTunes

Accusations of the software’s main new feature calling home with track and artist names of the files you play. Now of course that’s needed to show related albums for you to buy, but there are a number of questions remaining open. Till then, perhaps it’s better not to have the call home feature if you value privacy or just have too many mp3s …

QuickTime

I have the original upgrade myself and no problem so far, but aparantly Apple has recalled it. And they also seem to have published it again. Bottom line: I’m confused. Take care with not updating QuickTime to 7.0.4. as it did patch 8 vulnerabilities. Perhaps that silly joke movie can wait a little longer than getting exploited.

Of course if you produce movies quicktime’s functionality might be more important than the security of your browser on the Internet and your risks might be different.

  • For general users, I would urge not to downgrade as you’ll have the vulnerabilities back. Moreover the problems seem to be not that clear. I’m running the initial Quicktime 7.0.4 uprade and it works just fine.
  • Still the uninstaller is here should you not be able to continue without the old version.

Before some of our readers think I’m bashing Apple: I’m typing this on a Mac, a Mac I like a lot.
Before some think I love Apple for all they do: I don’t, but that’s another story.


Swa Frantzen

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

January 14, 2006 Posted by | Administrative | Leave a comment

SANS – Internet Storm Center – Windows WMF 0-day exploit in the wild

So far,Symantec, McAfee and F-Secure has heuristic detections for this 0–day exploit. Secunia has a write up on this exploit as well.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

Handler’s Diary December 28th 2005

Windows WMF 0-day exploit in the wild (NEW)

Published: 2005-12-28,
Last Updated: 2005-12-28 10:04:51 UTC by Daniel Wesemann (Version: 1)

Just when we thought that this will be another slow day, a link to a working unpatched exploit in, what looks like Windows Graphics Rendering Engine, has been posted to Bugtraq.

The posted URL is   [ uni on seek. com/   d/t    1/  wmf_exp.  htm ]
(DON’T GO HERE UNLESS YOU KNOW WHAT YOU’RE DOING. Added spaces to avoid accidental clicking. See Firefox note below!!)

The HTML file runs another WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound, a fake anti-spyware/virus program which asks user to purchase a registered version of software in order to remove the reported threats.

During the test Johannes ran, it was interesting that the DEP (Data Execution Prevention) on his system stopped this from working. However, as this was tested on a AMD64 machine, we still have to confirm whether (or not) the software DEP also stops this – let us know if you tested this.

Internet Explorer will automatically launch the “Windows Picture and Fax Viewer”.  Note that Firefox users are not totally imune either. In my install of Firefox, a dialog box will ask me if I would like to load the image in “Windows Picture and Fax Viewer”. If I allow this to happen (“pictures are safe after all” NOT!), the exploit will execute.

For more information, see also http://vil.mcafeesecurity.com/vil/content/v_137760.htm and http://www.securityfocus.com/bid/16074/info

 
F-Secure Blog entry:
 
New WMF 0-day exploit Posted by Mika @ 08:38 GMT


There’s a new zero-day vulnerability related to Windows’ image rendering – namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines machines are vulnerable, with no known patch.

spyware_traffic.png

The exploit is currently being used to distribute the following threats:
  Trojan-Downloader.Win32.Agent.abs
  Trojan-Dropper.Win32.Small.zp
  Trojan.Win32.Small.ga
  Trojan.Win32.Small.ev.

Some of these install hoax anti-malware programs the likes of Avgold.

spyware_warning.png

Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.

In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with “Windows Picture and Fax Viewer”, which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable…but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with “Windows Picture and Fax Viewer” too. However, all versions of Firefox and Opera prompt the user first.

As a precaution, we recommend administrators to block access to unionseek[DOT]com and to filter all WMF files at HTTP proxy and SMTP level.

F-Secure Anti-Virus detects the offending WMF file as W32/PFV-Exploit with the 2005-12-28_01 updates.

We expect Microsoft to issue a patch on this as soon as they can.

Update:

 Trend Micro now has a description for the Trojan that exploits this unpatched vulnerability
 

December 28, 2005 Posted by | Administrative | Leave a comment