
Security Alert

PCQ Bureau

W95.Hybris.gen



This worm spreads as an attachment to outgoing e-mail. The message may carry the text 'Snow White and the seven dwarves' and has an EXE or SCR attachment with a random name.


Once you run the attachment, the worm modifies wsock32.dll, the Windows sockets library through which network traffic passes, which lets it attach itself to outgoing e-mail. If that file is in use, the worm can't modify it directly. In that case it adds an entry under either HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, so that the replacement is completed at the next restart, when the library isn't loaded.

The worm then connects to the newsgroup alt.comp.virus and posts its own plug-ins there in encrypted form. It reads the subject headers of messages in the group to find attached plug-ins and their version numbers. If it finds a newer version of one of its plug-ins, it downloads it and changes its behaviour accordingly; for example, some plug-ins make the worm infect ZIP files.

Whenever you send e-mail to someone, the worm sends that person a second message with a copy of itself attached under a random filename.

Removal: Use your anti-virus software to repair the infected wsock32.dll, and delete all files detected as W95.Hybris.


W32.HLLW.Bymer



This is a high-level-language worm that spreads via shared network drives. It comes in two versions, wininit.exe and msinit.exe, which affect your system in almost the same way. When first executed, the worm modifies registry keys so that it runs every time you start the computer. It then tries to spread by probing IP addresses for shared drives. If it finds one, it checks whether the Windows folder on that drive is also shared; if so, it copies itself into the Windows\System folder there and modifies the Load= line in win.ini so that it starts with that machine. The wininit.exe version carries a Dnetc client with it, while msinit.exe doesn't. Dnetc is the client software of distributed.net, an organization that runs projects needing large amounts of computing power by combining the idle processor cycles of members' computers. Wininit.exe drops the Dnetc client it carries into the Windows folder, whereas msinit.exe copies an existing client into that folder. The Dnetc client itself is not viral in nature.

Removal: Scan your system and delete all files detected as W32.HLLW.Bymer. Remove the worm's entry from the Load= line in win.ini. You'll also need to remove the registry values the worm added under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices, depending on the version. To remove the Dnetc client, download the Wormfree utility from www.distributed.net/trojans.html.en. As a precaution, share folders only when you have to, and grant read-only access wherever possible. Avoid giving full-control access, especially to system folders.

W95.MTX



This is a worm-cum-virus that spreads by e-mail as an attachment with a PIF (an extension your e-mail client may not display), SCR, or EXE extension. The attachment can have one of several names, including I_wanna_see_you.txt.pif, Matrix_screen_saver.scr, Love_letter_for_you.txt.pif, New_playboy_screen_saver.scr, Bill_gates_piece.jpg.pif, and Anti_cih.exe. When you execute the attachment, the worm component makes a copy of wsock32.dll named wsock32.mtx and modifies the copy so that the virus component can mail a copy of the worm-cum-virus to everyone the user sends e-mail to. The worm component also creates a file called wininit.ini, which Windows processes at start-up; it instructs Windows to delete wsock32.dll and rename wsock32.mtx to wsock32.dll, so the modified copy replaces the original at boot, while the library isn't in use. After creating this file, the worm component runs the virus component.


The virus component checks whether any anti-virus program is running and doesn't run if it finds one. Otherwise it decompresses the worm component, drops a copy of it into the user's Windows directory as le_pack.exe, and runs it. After this file has executed, it's renamed to win32.dll. The virus also drops a downloader program called mtx_.exe and runs it. This program goes to a specific Website from which plug-ins for the virus are downloaded and executed, and adds a registry entry so that the downloader runs automatically every time the system starts. The downloader doesn't appear in the system's task list.

The virus also searches for Win32 executables in the current directory, the Windows directory, and the Temp directory. It infects a file if the file's size isn't divisible by 101, is greater than 8 kB, and the file has at least 20 import call instructions. If no such file is found, nothing is infected.

Removal: This virus modifies system files that may never get repaired on some systems, and is difficult to remove. Complete removal instructions are available at www.symantec.com/avcenter/venc/data/w95.mtx.html.
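The three alerts above share a handful of autostart locations: the Load=/Run= lines of win.ini (Bymer), the [rename] section of wininit.ini that swaps wsock32.mtx in for wsock32.dll (MTX), and the Run, RunOnce and RunServices keys under HKLM and HKCU (Hybris, Bymer, MTX). The following triage script is an added example, not code from the alerts or from any anti-virus vendor. The win.ini and wininit.ini contents and the registry entries in it are constructed for illustration; the suspect file-name list is an assumption drawn from the alerts rather than a complete signature; the registry walk needs Windows (winreg), while the INI parsing runs anywhere.

```python
"""Triage of the autostart locations named in the Hybris, Bymer and MTX
alerts.  Added example, not code from the alerts.  INI contents and
registry entries below are constructed; SUSPECT_NAMES is an assumption."""
import re

AUTOSTART_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
]
SUSPECT_NAMES = {"wininit.exe", "msinit.exe", "dnetc.exe", "mtx_.exe", "le_pack.exe"}
WSOCK_NAMES = {"wsock32.dll", "wsock32.mtx"}


def ini_entries(text, section):
    """Yield (key, value) from one INI section, keeping duplicate keys:
    configparser would collapse the several NUL= lines wininit.ini may hold."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section.lower() and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()


def exe_name(command):
    """Lower-cased file name of the program a command line launches."""
    command = command.strip()
    if command.startswith('"'):
        command = command[1:].split('"', 1)[0]
    else:
        command = command.split()[0] if command.split() else ""
    return re.split(r"[\\/]", command)[-1].lower()


def win_ini_autostarts(text):
    """Programs listed on the [windows] Load= and Run= lines (space-separated)."""
    progs = []
    for key, value in ini_entries(text, "windows"):
        if key.lower() in ("load", "run"):
            progs.extend(value.split())
    return progs


def wininit_actions(text):
    """(action, source, destination) per [rename] line.  Windows 9x applies
    this section at boot before system DLLs load: 'dest=src' renames src to
    dest, 'NUL=src' deletes src."""
    actions = []
    for dest, src in ini_entries(text, "rename"):
        actions.append(("delete", src, "") if dest.upper() == "NUL" else ("rename", src, dest))
    return actions


def registry_autostarts():
    """(key, value name, data) under the autostart keys of HKLM and HKCU.
    Windows only; returns [] elsewhere so the INI checks still run."""
    try:
        import winreg
    except ImportError:
        return []
    found = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        for sub in AUTOSTART_KEYS:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue
            with key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    found.append((hive_name + "\\" + sub, name, str(data)))
                    index += 1
    return found


def triage(win_ini_text, wininit_text, registry_entries):
    """Flag autostart entries that match the alerts' indicators."""
    findings = []
    for prog in win_ini_autostarts(win_ini_text):
        if exe_name(prog) in SUSPECT_NAMES:
            findings.append(("win.ini", "Load=/Run= starts " + prog))
    for action, src, dest in wininit_actions(wininit_text):
        if exe_name(src) in WSOCK_NAMES or exe_name(dest) in WSOCK_NAMES:
            findings.append(("wininit.ini", (action + " " + src + " " + dest).strip()))
    for key, name, data in registry_entries:
        # Hybris queues its wsock32.dll replacement via RunOnce; the alert names
        # the key but not the value, so matching on the DLL name is an assumption.
        if exe_name(data) in SUSPECT_NAMES or (key.endswith("RunOnce") and "wsock32" in data.lower()):
            findings.append((key, name + " = " + data))
    return findings


# Constructed samples: what an infected Windows 9x box might hold.
SAMPLE_WIN_INI = r"""
[windows]
load=C:\WINDOWS\SYSTEM\msinit.exe
run=
[Desktop]
Wallpaper=(None)
"""
SAMPLE_WININIT_INI = r"""
[rename]
NUL=C:\WINDOWS\SYSTEM\wsock32.dll
C:\WINDOWS\SYSTEM\wsock32.dll=C:\WINDOWS\SYSTEM\wsock32.mtx
"""
SAMPLE_REGISTRY = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "Wininit", r"C:\WINDOWS\SYSTEM\wininit.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SystemTray", "SysTray.Exe"),
]

if __name__ == "__main__":
    # Live registry on Windows, the constructed entries elsewhere.
    for source, detail in triage(SAMPLE_WIN_INI, SAMPLE_WININIT_INI, registry_autostarts() or SAMPLE_REGISTRY):
        print(source, "->", detail)
```

The SysTray.Exe entry is there to show that an ordinary Run value is left alone; on a real machine the name list would be replaced by a comparison against a known-good baseline of the same keys.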


Bug bash

Security holes in Windows Media Player



Windows Media Player 6.4 and 7 are vulnerable to two security holes. The first is a buffer overrun in the handling of ASX (Advanced Stream Redirector) files, the metafiles that let users play streaming media from Internet sites or intranet servers. The second is script execution in WMS files, the 'skins' that let you customize the look of the player.

The ASX vulnerability, which occurs only on Windows 2000 with Service Pack 1 installed, is an unchecked buffer that can let a malicious user run code of his choice on your machine. He could mail you a crafted media file, or host it on a Website so that it launches automatically when anyone visits the site. The code then runs with your privileges, so he can do anything on the machine that you can do.


The WMS vulnerability affects Windows Media Player 7 only, because skins were introduced in that version, but it exists on every Windows platform the player runs on, that is Windows 95, 98, ME, NT, and 2000. A WMS file can include script that executes when Windows Media Player runs and the skin is selected. Such a skin could be mailed to you or hosted on a Website. If it were mailed to you, the script would run when you open the message, provided Windows Media Player is installed and your mail client allows HTML scripting. The script can invoke any ActiveX control, including those not marked 'safe for scripting' in your Internet Options, so it can take any action that an ActiveX control can.

Patches: Microsoft has issued patches for both these vulnerabilities.

These are available at:

Windows Media Player 6.4: www.microsoft.com/Downloads/Release.asp?ReleaseID=26069


Windows Media Player 7: www.microsoft.com/Downloads/Release.asp?ReleaseID=26079

Vulnerabilities in Internet Information Server 4 and 5



Two vulnerabilities have been found in IIS 4 and IIS 5 that let malicious users gain access to your server and modify data on it. Patches were released for each separately, but on IIS 5 the patch for one re-opened the other hole. Microsoft has therefore released an updated patch that fixes both holes on IIS 5.

The first vulnerability lets a malicious person run programs directly on the Web server. To do this, he requests a CMD or BAT file that exists on the server (and on which he has execute permission) and appends certain operating system commands to the request.


The vulnerability arises because whenever IIS receives a request for an executable file, it passes the name of the requested file to the operating system for processing. Due to an implementation flaw, a specially malformed request that contains the name of an existing CMD or BAT file together with operating system commands is handed to the underlying OS as a whole, and the OS runs those commands. The ability to run operating system commands on the Web server lets the malicious user take any action on it that a logged-on user could take: add, delete, or change files, run code of his choice on the server, and so on.

The second vulnerability lets a malicious visitor to your Website take destructive actions on it. Using a specific kind of malformed URL, the visitor can reach any file or folder on the drive that holds your Web folders, and so potentially do anything a locally logged-on user could do on the machine. The request is processed in the security context of IUSR_machinename, the IIS anonymous-user account. Because that account belongs to the Everyone and Users groups, it gives the visitor limited access to the Web folders but also to data on the drive outside them, so he can execute operating system commands on your server, unless you've removed the Everyone and Users groups from the permissions on your server, or host the Web folders on a different drive from the operating system.
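A detection pass over IIS request logs for both flaws, as an added example that is not part of the original alert. The alert doesn't give the form of the malformed request or URL, so the example rests on two assumptions about what matters for detection: a traversal check must canonicalize percent-encoding (including double encoding and overlong UTF-8 forms of '/' and '\', which a strict decoder rejects but a lenient server resolves) before looking for '..' segments that climb above the web root; and a request for a .bat or .cmd file whose decoded path or query carries a shell separator such as & or | is the shape of the command-execution flaw. The log lines are constructed in W3C extended format, and the field order follows the #Fields header in the sample.

```python
"""Detection for the two IIS 4/5 request-handling flaws over constructed
W3C-format log lines.  Added example, not from the original alert.
Assumptions: percent-decoding applied twice and overlong UTF-8 accepted,
matching a lenient server; a .bat/.cmd request with a shell separator is
the shape of the command-execution flaw."""
import re
from urllib.parse import unquote_to_bytes

SHELL_SEPARATORS = ("&", "|")
SCRIPT_RE = re.compile(r"\.(bat|cmd)(?![a-z0-9])")


def lenient_utf8(data):
    """Decode UTF-8 without rejecting overlong forms, so '..%c0%af' becomes
    '../' as it did on the server; a strict decoder yields U+FFFD and a
    checker built on it misses the traversal.  Surrogates are replaced."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, step = b, 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and data[i + 1] & 0xC0 == 0x80:
            cp, step = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F), 2
        elif (0xE0 <= b < 0xF0 and i + 2 < len(data)
              and data[i + 1] & 0xC0 == 0x80 and data[i + 2] & 0xC0 == 0x80):
            cp, step = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F), 3
        else:
            cp, step = 0xFFFD, 1
        out.append("\ufffd" if 0xD800 <= cp <= 0xDFFF else chr(cp))
        i += step
    return "".join(out)


def canonical_path(raw):
    """Percent-decode twice (catches %255c double encoding), decode leniently,
    and unify '\\' with '/'.  Over-decoding a literal '%25' is accepted: for
    detection it is better to flag too much than too little."""
    once = lenient_utf8(unquote_to_bytes(raw))
    twice = lenient_utf8(unquote_to_bytes(once))
    return twice.replace("\\", "/")


def escapes_root(path):
    """True if '..' segments in a canonical path climb above the web root;
    '/docs/../index.htm' stays inside and is not flagged."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            if depth == 0:
                return True
            depth -= 1
        elif seg not in ("", "."):
            depth += 1
    return False


def command_injection(stem, query):
    """Request names a .bat/.cmd script and the decoded stem or query carries
    a shell separator.  Coarse by design: batch handlers on a web server are
    rare enough that any '&' or '|' sent to one deserves a look."""
    stem_c = canonical_path(stem).lower()
    if not SCRIPT_RE.search(stem_c):
        return False
    query_c = canonical_path(query) if query != "-" else ""
    return any(sep in stem_c + query_c for sep in SHELL_SEPARATORS)


def scan_iis_log(lines):
    """(client IP, uri-stem, reasons) for each suspicious request."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        ip, stem, query = parts[2], parts[4], parts[5]
        reasons = []
        if escapes_root(canonical_path(stem)):
            reasons.append("traversal outside web root")
        if command_injection(stem, query):
            reasons.append("shell separator after .bat/.cmd")
        if reasons:
            findings.append((ip, stem, reasons))
    return findings


# Constructed log lines: two traversal attempts (overlong UTF-8 and double
# encoding), one batch-file request with a trailing command, and three benign requests.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-11-22 10:15:01 10.0.0.7 GET /scripts/..%c0%af..%c0%afwinnt/win.ini - 200
2000-11-22 10:15:09 10.0.0.7 GET /scripts/maint.bat +&+dir 200
2000-11-22 10:16:00 10.0.0.8 GET /images/logo.gif - 200
2000-11-22 10:16:30 10.0.0.8 GET /docs/../index.htm - 200
2000-11-22 10:17:00 10.0.0.9 GET /scripts/..%255c..%255cwinnt/win.ini - 404
2000-11-22 10:17:30 10.0.0.8 GET /scripts/report.bat - 200
""".splitlines()

if __name__ == "__main__":
    for ip, stem, reasons in scan_iis_log(SAMPLE_LOG):
        print(ip, stem, "; ".join(reasons))
```

The status code is deliberately ignored: the 404 on the double-encoded attempt shows that a failed probe is as worth seeing as a successful one, and the unpatched server's own response tells you nothing about whether the decoded path was actually opened.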

For IIS 5, a common patch for both these vulnerabilities is available at:

www.microsoft.com/Downloads/Release.asp?ReleaseID=25547

For IIS 4 users, the two patches are available at:

www.microsoft.com/ntserver/nts/downloads/critical/q277873

www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp

Compiled by Pragya Madan
