IP vulnerability in Windows patched
Microsoft ActiveX control vulnerability exploited by worms
Vulnerabilities in two ActiveX controls (scriptlet.typelib and Eyedog) shipped with IE 4 and 5 can be used by malicious Website operators to take unauthorized actions on your machine; that is, they can do anything on your machine that you can do. The scriptlet.typelib vulnerability is also used by worms like WScript.KakWorm to create and modify local files on your system. Microsoft has already issued a patch for these.

The ActiveX control vulnerabilities affect IE 4 and 5, and arise because both controls have incorrectly been marked as "safe for scripting", a tag which means that the control doesn't take any harmful action on your computer, and therefore can be executed without asking for your approval. This is clearly not the case with these two controls.

Scriptlet.typelib is used by developers to generate Type Libraries for Windows Script Components. It shouldn't be marked as "safe for scripting" because it allows local files to be created or modified. So, a Web page could change or delete any files on your computer, including system files. WScript.KakWorm also uses this hole to modify and create files on your system.

Eyedog is used by diagnostic software on Windows to collect hardware information about the machine. It allows registry information to be queried and machine characteristics to be gathered, and so can allow a Web page to gather information like registry settings, username, etc.

You can download the patch from any of the following sites:
Microsoft has issued a patch for a vulnerability in Win 9x/NT 4/2000 which would make an affected machine vulnerable to DoS (denial of service) attacks.

The vulnerability arises in the way Windows reassembles fragmented IP packets. IP datagrams are usually subdivided into smaller packets when they're being transferred. These fragments then travel separately to their destination, and are reassembled there. The IP protocol provides guidelines about how packets should be fragmented and reassembled, but in the case of Windows, a bug prevents this from working properly. So, if a continuous stream of fragmented IP datagrams with a particular malformation is sent to an affected machine, even at moderate data transfer rates, the machine's CPU utilization in reassembling these packets could shoot up to 100 percent, which amounts to a denial of service, because the machine wouldn't do any other useful work. Machines most at risk are those on the edge of a network, such as proxy servers or Web servers.
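The article's remedy is the patch, but an edge machine such as a proxy or Web server also benefits from noticing the kind of traffic described above. The following is an added example, not code from the article or from Microsoft: it parses the flags and fragment-offset field of an IPv4 header and counts fragments per source address over a sliding window, raising an alert when one source sends an unusual number of fragments. Because the article does not say what the "particular malformation" is, the monitor keys on fragment rate alone; the threshold, window, and the addresses in the constructed test traffic are assumptions.

```python
import struct
from collections import defaultdict, deque

# Fixed 20-byte IPv4 header: ver/IHL, TOS, total length, ID, flags+fragment offset,
# TTL, protocol, checksum, source, destination.
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
FLAG_MF = 0x2000      # "more fragments" bit
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def parse_ipv4(pkt: bytes) -> dict:
    """Return the fragmentation-relevant fields of an IPv4 header."""
    if len(pkt) < IPV4_HDR.size:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(pkt)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    more_fragments = bool(flags_off & FLAG_MF)
    offset = (flags_off & OFFSET_MASK) * 8
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident,
        "proto": proto,
        "total_len": total_len,
        "more_fragments": more_fragments,
        "offset": offset,
        # A datagram that was never fragmented has MF clear and offset 0.
        "is_fragment": more_fragments or offset > 0,
    }


def make_ipv4_header(src: str, dst: str, ident: int, more_fragments: bool,
                     offset: int, payload_len: int = 0) -> bytes:
    """Build a minimal IPv4 header for the constructed test traffic below (checksum left zero)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_off = (FLAG_MF if more_fragments else 0) | ((offset // 8) & OFFSET_MASK)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + payload_len, ident, flags_off, 64, 17, 0, src_b, dst_b)


class FragmentFloodMonitor:
    """Count IP fragments per source over a sliding window and raise one alert
    when a source crosses the threshold. Unfragmented datagrams are ignored."""

    def __init__(self, window_seconds: float = 1.0, threshold: int = 200):
        self.window = window_seconds
        self.threshold = threshold
        self.seen = defaultdict(deque)  # src -> arrival timestamps inside the window

    def observe(self, pkt: bytes, now: float):
        hdr = parse_ipv4(pkt)
        if not hdr["is_fragment"]:
            return None
        q = self.seen[hdr["src"]]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) == self.threshold:  # alert once, on the crossing
            return f"fragment flood from {hdr['src']}: {len(q)} fragments in {self.window:g}s"
        return None


def run_demo():
    """Constructed traffic: one host sends 250 fragments in half a second, another sends 3."""
    mon = FragmentFloodMonitor(window_seconds=1.0, threshold=200)
    alerts = []
    t = 0.0
    for i in range(250):
        pkt = make_ipv4_header("10.0.0.5", "192.0.2.10", 0x1234, True, i * 8, 8)
        alert = mon.observe(pkt, t)
        if alert:
            alerts.append(alert)
        t += 0.002
    for i in range(3):  # a normal three-fragment datagram from a second host
        pkt = make_ipv4_header("10.0.0.6", "192.0.2.10", 0x0042, i < 2, i * 8, 8)
        alert = mon.observe(pkt, t)
        if alert:
            alerts.append(alert)
        t += 0.1
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

In a real deployment the monitor would be fed from a packet capture rather than from `make_ipv4_header`, and the threshold would be tuned against the site's normal fragment rate; the point is that a sustained fragment stream from one source is visible at the network edge well before the patched host's CPU would have saturated.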
The patch for this vulnerability is available at:

- Win 95: http://download.microsoft.com/download/win95/update/8070/w95/EN-US/259728USA5.EXE
- Win 98: http://download.microsoft.com/download/win98/update/8070/w98/EN-US/259728USA8.EXE
- Win NT 4 Workstation, Server and Server Enterprise Edition: www.microsoft.com/Downloads/Release.asp?ReleaseID=20829
- Win NT 4 Server, Terminal Server Edition: www.microsoft.com/Downloads/Release.asp?ReleaseID=20830
- Win 2000 Professional, Server, and Advanced Server: www.microsoft.com/Downloads/Release.asp?ReleaseID=20827
VBS.Stages.A Worm
Also known as IRC/Stages.Worm and Life_Stages Worm, this worm spreads as an attachment named Life_Stages.txt.shs to an e-mail which would contain "Life stages", "Funny" or "Jokes" in its subject.

The worm spreads through Outlook, ICQ, mIRC, and PIRCH. When you run the attachment, a text file will open. As you're reading the text, a script runs in the background, executing the tasks described below.

The worm sends an e-mail to the addresses in your Outlook address book, with the above attachment.
It then creates the following files in your Windows\System folder: scanreg.vbs, vbaset.olb, and msinfo16.tlb. The scanreg.vbs value is added to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices, so that the file runs the next time you start your machine. It adds the Life_Stages.txt.shs file in the Windows folder, and a randomly named file to each of the following locations: the root directory of all mapped drives, the My Documents folder, and the Windows\Start Menu\Programs folder. The name of the file would contain the word Important, Info, Report, Secret, or Unknown; a hyphen or an underscore; and a random number between 1 and 1,000. For example, it could be Important-235.txt.shs.

Your registry editor (regedit.exe) is moved to the Recycle Bin as a hidden system file called Recycled.vxd. Three more files are added to the Recycle Bin as hidden, system files: msrcycld.dat, which is a copy of the original SHS file; rcycldbn.dat, which is a copy of the scanreg.vbs file; and dbindex.vbs, which is set to be run when ICQ is run. The mIRC script is modified to call the sound32b.dll file, which helps the worm to spread through mIRC and PIRCH.

Most anti-virus packages have been updated to catch the worm. A tool to repair the damage caused by the worm is available at www.symantec.com/avcenter/venc/data/fix.vbs.stages.html. This Website also contains manual instructions to fix the damage, though this is a slightly longer process.
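The attachment names the article gives (Life_Stages.txt.shs and the Important/Info/Report/Secret/Unknown pattern with a number from 1 to 1,000) are regular enough for a mail gateway to match before the message reaches a user. The block below is an added example, not code from the article or from any vendor: it classifies a single attachment filename, and gives a message verdict that also uses the lure subjects the article lists. The list of decoy extensions in the double-extension rule and the three verdict labels are assumptions of this example.

```python
import re

# Attachment-name pattern from the article: Important, Info, Report, Secret or Unknown,
# then a hyphen or underscore, then a number from 1 to 1,000, then the .txt.shs double extension.
STAGES_NAME = re.compile(
    r"^(?:Important|Info|Report|Secret|Unknown)[-_](\d{1,4})\.txt\.shs$", re.IGNORECASE
)

# A document-looking extension followed by a scriptable one is suspicious on its own.
# The decoy and script extension lists here are an assumption, not from the article.
DOUBLE_EXTENSION = re.compile(
    r"\.(?:txt|doc|jpg|gif|htm|html)\.(?:shs|vbs|vbe|js|jse|hta|wsh)$", re.IGNORECASE
)

# Subject words the article associates with the worm's e-mail.
SUBJECT_WORDS = ("life stages", "funny", "jokes")


def classify_attachment(name: str) -> str:
    """Return 'vbs.stages', 'double-extension' or 'ok' for one attachment filename."""
    name = name.strip()
    if name.lower() == "life_stages.txt.shs":
        return "vbs.stages"
    m = STAGES_NAME.match(name)
    if m and 1 <= int(m.group(1)) <= 1000:
        return "vbs.stages"
    if DOUBLE_EXTENSION.search(name):
        return "double-extension"
    return "ok"


def message_verdict(subject: str, attachments) -> str:
    """Quarantine on a known worm name, or on a double extension combined with a lure
    subject; send a bare double extension for review; otherwise deliver."""
    labels = [classify_attachment(a) for a in attachments]
    lure = any(w in subject.lower() for w in SUBJECT_WORDS)
    if "vbs.stages" in labels:
        return "quarantine"
    if "double-extension" in labels:
        return "quarantine" if lure else "review"
    return "deliver"


if __name__ == "__main__":
    # Constructed sample messages
    for subj, atts in [("Fw: Jokes", ["Important-235.txt.shs"]),
                       ("Q3 numbers", ["photo.jpg.vbs"]),
                       ("Hi", ["minutes.txt"])]:
        print(subj, atts, "->", message_verdict(subj, atts))
```

The number-range check matters: `Report-1001.txt.shs` falls outside the article's 1 to 1,000 range and is not labelled as the worm, but it is still held for review by the generic double-extension rule, which is the one worth keeping after this particular worm is forgotten.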
Wscript.KakWorm
This worm's been around for a long time, but its incidence seems to have increased in recent times. It spreads using Outlook Express, exploiting a known hole which allows a viral file to be created on your system even though you haven't run any attachment. Just reading the received e-mail message will place the virus on your system.

This is because Outlook Express 5 and Outlook 2000 use IE to render HTML-format e-mail messages. So, the worm comes as a malicious VBScript in an HTML-format message, which, when rendered by IE, exploits an ActiveX control vulnerability to create and modify local files on your system (see box for details). Microsoft has already issued a patch for this hole.

When you receive the message, the worm automatically adds itself as a signature to outgoing messages. It also inserts a copy of itself, called kak.hta, into the StartUp directory of your Windows OS, for both English and French versions.
Once you reboot the system, the file is executed, and the worm modifies a registry key under HKEY_CURRENT_USER\Identities, which helps to add its own signature file to outgoing messages. This is the infected file kak.hta. It also adds the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu, due to which the worm is executed every time you reboot your machine.

If it's the first of the month and the time is 5 pm, the worm displays the message:

Kagou-Anti-Kro$oft says not today!

After this, Windows is sent the message to shut down.

To remove the worm, if you've been infected, delete the file kak.hta from your machine, and delete the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu.
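Both worms on this page persist through the same two places: the Run and RunServices keys under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, and a handful of fixed filenames. The block below is an added example, serving the VBS.Stages.A and Wscript.KakWorm sections together; it is not code from the article, Symantec or Microsoft. It parses the text of a regedit export and a list of file paths and reports which of the article's indicators are present. The sample export and path list are constructed for the demo: the legitimate `SystemTray` and `ScanRegistry` values are included to show that a lookalike name does not trigger a finding, and the path stored under `cAgOu` is a placeholder, since the article does not state it.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

# Filenames the article attributes to each worm, matched on the lower-cased basename.
FILE_IOCS = {
    "kak.hta": "Wscript.KakWorm",
    "scanreg.vbs": "VBS.Stages.A",
    "vbaset.olb": "VBS.Stages.A",
    "msinfo16.tlb": "VBS.Stages.A",
    "life_stages.txt.shs": "VBS.Stages.A",
    "recycled.vxd": "VBS.Stages.A",
    "msrcycld.dat": "VBS.Stages.A",
    "rcycldbn.dat": "VBS.Stages.A",
    "dbindex.vbs": "VBS.Stages.A",
    "sound32b.dll": "VBS.Stages.A",
}

# One "name"="data" line of a regedit export (string values only).
VALUE_LINE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(.*))$')


def parse_reg_export(text: str) -> dict:
    """Parse [key] headers and "name"="data" lines into {key_lower: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return keys


def scan_registry(keys: dict) -> list:
    """Report the Run value cAgOu (Kak) and any RunServices value naming scanreg.vbs (Stages)."""
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "cagou":
            findings.append(("Wscript.KakWorm", f"Run\\{name} = {data}"))
    for name, data in keys.get(RUNSERVICES_KEY.lower(), {}).items():
        if "scanreg.vbs" in f"{name} {data}".lower():
            findings.append(("VBS.Stages.A", f"RunServices\\{name} = {data}"))
    return findings


def scan_files(paths) -> list:
    """Report any path whose basename is one of the article's indicator filenames."""
    findings = []
    for p in paths:
        base = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in FILE_IOCS:
            findings.append((FILE_IOCS[base], p))
    return findings


# Constructed sample data; the cAgOu path is a placeholder, not from the article.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="C:\\PLACEHOLDER\\kak.hta"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"scanreg.vbs"="C:\\WINDOWS\\SYSTEM\\scanreg.vbs"
"""

SAMPLE_PATHS = [
    r"C:\WINDOWS\Start Menu\Programs\StartUp\kak.hta",
    r"C:\WINDOWS\SYSTEM\scanreg.vbs",
    r"C:\Recycled\Recycled.vxd",
    r"C:\WINDOWS\NOTEPAD.EXE",
    r"C:\WINDOWS\SCANREGW.EXE",
]


def run_demo() -> list:
    """Run both scans over the constructed sample and return (worm, evidence) pairs."""
    return scan_registry(parse_reg_export(SAMPLE_REG_EXPORT)) + scan_files(SAMPLE_PATHS)


if __name__ == "__main__":
    for worm, evidence in run_demo():
        print(f"{worm}: {evidence}")
```

On a live machine the export would come from `regedit /e` and the path list from a directory walk of the Windows, System, StartUp and Recycled folders; the scan is read-only, so the removal steps the article gives (deleting kak.hta and the cAgOu value, or running the Symantec fix tool for Stages) remain a separate, deliberate action.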