Breaking News: Recent Malware News
In the past 30 days, Symantec has reported 143 detections in its “Detections Added” pages. This includes 108 items rated on the Category 1 to 4 Risk Assessment scale, plus an additional 39 items (27 spyware items, nine adware, one hacktool and two dialers) that aren’t listed as worms, viruses, Trojan horses or backdoors. (The numbers don’t add up exactly because some of these other threats are rated, others are not.) By category, the breakdown of the 108 rated items is as follows: 35 unrated, 74 at Category 1, 32 at Category 2 and one each at Categories 3 and 4. In the interests of brevity, Table 1 lists only items at Category 3 or higher. The daily average for detections in this period was 4.76 (but 3.6 if only rated items are counted).
Table 1: New Category 3 & 4 Items from 6/29-7/27/2004
Notes: Please prepend http://www.symantec.com/avcenter/venc/data/ to the preceding URLs to construct complete links.
Category 4 entries in bold.
Both Beagle and Mydoom are familiar worms. What makes this Beagle variant dangerous is its widespread distribution in the wild and its fast rate of propagation. It uses its own SMTP engine to generate mail and opens TCP port 1080. It also affects most modern Windows variants, from Windows 95 through Windows XP (Windows Server 2003 is not listed). This Mydoom variant executes a backdoor that is detected as Backdoor.Zincite.A (which listens on TCP port 1034), and uses a spoofed “from” address with varying subject lines and body text. It gets a rare Category 4 rating because it is widespread in the wild, propagates quickly and has a medium damage rating. Removal tools are available for both worms.
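The two listening ports named above (TCP 1080 for the Beagle variant, TCP 1034 for Backdoor.Zincite.A) are the kind of indicator an administrator can sweep a machine for while the vendor removal tools are being rolled out. The following is an added triage example, not code from Symantec or from the column: it parses Windows `netstat -an` style output (the sample below is constructed, not a real capture) and reports only sockets that are actually in the LISTENING state on a watched port, so an ordinary outbound connection that happens to use one of those numbers as its local port is not flagged.

```python
import re

# Ports the column associates with the two worms. A hit is a reason to
# run the removal tool and inspect the process, not proof of infection on its own.
WATCHED_PORTS = {
    1080: "Beagle variant (opens TCP 1080)",
    1034: "Backdoor.Zincite.A listener (dropped by the Mydoom variant)",
}

# Constructed sample of Windows `netstat -an` output, not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1034         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       10.0.0.7:25            ESTABLISHED
  TCP    192.168.1.5:3921       198.51.100.9:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One netstat row: protocol, local address:port, foreign address, optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+?):(?P<port>\d+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


def find_suspicious_listeners(netstat_text):
    """Return (port, local_address, description) for each TCP socket that is
    LISTENING on a watched port. Established connections are skipped: the
    indicator described above is the opened listening port, not traffic."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "TCP" or m.group("state") != "LISTENING":
            continue
        port = int(m.group("port"))
        if port in WATCHED_PORTS:
            hits.append((port, m.group("addr"), WATCHED_PORTS[port]))
    return hits


if __name__ == "__main__":
    for port, addr, why in find_suspicious_listeners(SAMPLE_NETSTAT):
        print(f"TCP {port} listening on {addr}: {why}")
```

On a live host, feed it the captured output of `netstat -an` (or `netstat -ano` to get the owning process id) instead of the sample text.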
On July 13, seven security updates were released or updated:
- MS04-024: Vulnerability in Windows Shell Could Allow Remote Code Execution (839645; Severity: Important). Affects Windows NT 4.0 SP6a; Windows 2000 SP2, SP3 and SP4; Windows XP (with or without SP1) and Windows Server 2003. An attacker who exploits the flaw against a user logged on with administrative privileges could gain system-level access to the machine.
- MS04-023: Vulnerability in HTML Help Could Allow Code Execution (840315; Severity: Critical). Affects Windows 2000, Windows XP and Windows Server 2003 (all versions), could impact Windows 98 SE or Windows Me as well. If a user is logged onto a system with administrator privileges, an attacker could assume those privileges remotely.
- MS04-022: Vulnerability in Task Scheduler Could Allow Code Execution (841873; Severity: Critical). Affects Windows 2000 SP2, SP3 and SP4, plus Windows XP with or without SP1 (and 64-bit Windows XP only with SP1). An unchecked buffer permits execution of arbitrary remote code through the Microsoft Task Scheduler.
- MS04-021: Security Update for IIS 4.0 (841373; Severity: Important). Affects Windows NT 4.0 SP6a only. A buffer overrun vulnerability allows arbitrary remote code execution.
- MS04-020: Vulnerability in POSIX Could Allow Code Execution (841872; Severity: Important). Affects Windows NT 4.0 SP6a and Windows 2000 with SP2, SP3 or SP4. A privilege-elevation vulnerability exists in the POSIX subsystem that allows attackers to assume system privileges.
- MS04-019: Vulnerability in Utility Manager Could Allow Code Execution (843526; Severity: Important). Affects Windows 2000 with SP2, SP3 or SP4. A logged on user could force Utility Manager to run an application with System-level privileges.
- MS04-018: Cumulative Security Update for Outlook Express (823353; Severity: Moderate). Affects all versions of Windows that include Outlook Express (all modern versions starting with Outlook Express 5.5, and all 6.0 releases). Lack of robust verification of malformed e-mail headers creates a denial-of-service vulnerability.
Updates for all seven vulnerabilities are available from Microsoft, and should be installed as soon as testing and deployment considerations will allow.