Trojan on MS Word
A Trojan called Goga that exploits a vulnerability in MS Word can get into your system and give your login name and password to malicious users. The Trojan comes as an RTF (Rich Text Format) attachment to an e-mail. When you open this, it links to a Word template file on a Russian website, which has a macro that sends your private information to the guest book of another site.
Normally, Word scans documents and warns you of macros before you open a document. However, the vulnerability exploited here is that Word doesn’t scan the template for macros when opening an RTF document that’s linked to a Word template.
Fixing it: Go to www.microsoft.com/technet/security/bulletin/MS01-028.asp for more details and patches. Also update your anti-virus software, scan your machine, and repair infected files.
Mass-mailing worm on Macs
A worm called MacSimpsons is making its way into Macs running OS 9.0 or 9.1. It comes as an attachment called ‘Simpsons Episodes’, and the message prompts you to open the attachment to see secret episodes of ‘The Simpsons’ series. Opening the attachment executes the AppleScript worm, which opens a copy of your e-mail program (Outlook Express or Entourage) and sends a copy of the message with the attachment to everyone in your address book. The worm doesn’t have any other payload.
VBS/VBSWG.Z@MM
This is a VBScript mass-mailing worm that arrives as an attachment. The subject of the message is Mawanella, the body reads ‘Mawanella is one of the Sri Lanka’s Muslim village’ and the attachment is called ‘Mawanella.vbs’. When you run the attachment it displays a text box entitled ‘VBScript:Mawanella’ that tells you about a brutal incident in a Sri Lankan village called Mawanella and warns you that it can destroy your computer. However, the worm doesn’t have a dangerous payload–it only mass-mails itself to everyone in your Outlook address book. This happens whenever the attachment is executed.
Fixing it: Update your anti-virus software and scan your machine.
Worm on Solaris systems and IIS Web servers
A worm now doing the rounds exploits a buffer-overflow vulnerability in Solaris systems and then installs software to break into IIS Web servers, using a vulnerability in the latter to do so. The content of websites hosted on compromised IIS servers can be modified to read anything the malicious user wants. The worm also spreads itself automatically to other vulnerable Solaris systems. A malicious user can use this worm to execute code with root privileges on Solaris systems.
Fixing it: Sun’s patch for Solaris systems is available at http://sunsolve.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba. For Microsoft’s patch for your version of IIS, and for more details on this IIS vulnerability, go to www.microsoft.com/technet/security/bulletin/MS00-078.asp
Vulnerability in Windows Class IDs
A Windows Class ID (CLSID) is a 128-bit number that identifies a COM object and tells the OS how to execute it. Malicious users can use a CLSID as a file extension, appending it after an innocuous extension like TXT or DOC, to disguise a dangerous COM object as a harmless file. Such an object can be used to do anything: edit your registry, delete files, clean out your hard drive, etc.
A CLSID appended to an innocuous extension like TXT doesn’t show up in Windows Explorer at first glance. However, the icon of such a file will be different from that of a normal TXT file on your system. This is the biggest warning sign. Also, if you right-click on the file and go to Properties, or go to View > Details in Windows Explorer after selecting the file, the hidden CLSID extension will be revealed.
Fixing it: No patch for this is available yet. So, don’t open any file on your network blindly–first check to see that its icon matches the extension, and probe further in case of any doubt.
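Since no patch exists, one practical check is to scan a file listing for names that end in a braced CLSID component and report what Explorer would display versus the real name. The Python below is an added example, not part of this column; the sample file names and the CLSID values in them are constructed placeholders.

```python
import os
import re
from typing import List, NamedTuple, Optional

# A trailing ".{GUID}" component, e.g. "report.txt.{8-4-4-4-12 hex digits}".
# Explorer hides this component, so the file appears to be "report.txt".
CLSID_EXT = re.compile(
    r"\.\{([0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\}$"
)


class Finding(NamedTuple):
    path: str          # full name as stored on disk
    displayed_as: str  # what Explorer shows once the CLSID component is hidden
    clsid: str         # the hidden class ID (without braces)


def check_name(name: str) -> Optional[Finding]:
    """Return a Finding if the file name carries a hidden CLSID extension."""
    m = CLSID_EXT.search(name)
    if not m:
        return None
    return Finding(name, name[: m.start()], m.group(1))


def scan_names(names: List[str]) -> List[Finding]:
    """Check a list of file names (e.g. from a directory listing or an e-mail)."""
    return [f for n in names if (f := check_name(n)) is not None]


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and flag every file with a CLSID extension."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            f = check_name(fn)
            if f is not None:
                findings.append(Finding(os.path.join(dirpath, fn), f.displayed_as, f.clsid))
    return findings


# Constructed sample listing; the CLSID values are placeholders, not real objects.
SAMPLE = [
    "readme.txt",
    "invoice.doc.{00000000-0000-0000-0000-000000000000}",
    "notes.TXT.{12345678-1234-1234-1234-123456789ABC}",
    "braces{not-a-clsid}.txt",
]

if __name__ == "__main__":
    for f in scan_names(SAMPLE):
        print(f"{f.path!r} would display as {f.displayed_as!r} (CLSID {f.clsid})")
```

Run `scan_tree` over a shared folder to get the same report for real files; a match means the icon you see in Explorer belongs to the COM object, not to the extension the name appears to carry.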
Compiled by Pragya Madan