-----Original Message-----
From: information_technology-admin@private [mailto:information_technology-admin@private] On Behalf Of InfraGard
Sent: Thursday, January 08, 2004 7:10 AM
To: Information Technology
Subject: [Information_technology] Daily News 1/08/04

January 07, Register - Microsoft releases Blaster clean-up tool.

Microsoft this week released a tool to clean up systems infected by the infamous Blaster worm and its sundry variants. The software should eradicate the worm from infected Windows XP and Windows 2000 machines. However, users will still have to apply the original patch to prevent re-infection. Normally, such clean-up technology is left to antivirus firms. But this isn't a normal viral epidemic: ISPs say the worm is still generating malicious traffic, months after its first appearance. Microsoft's Windows Blaster Worm Removal Tool will disinfect machines infected with either the Blaster or Nachi worms. Nachi, released shortly after the first appearance of Blaster in August, was designed to patch vulnerable systems. Rather than help out, Nachi has instead become a serious nuisance. Its aggressive scanning behavior blighted the operation of many networks - hence the need to kill the "cure" along with the original Blaster worm.
The tool is available at http://www.microsoft.com/downloads/details.aspx?FamilyID=e70a0d8b-fe98-493f-ad76-bf673a38b4cf&displaylang=en
Source: http://www.theregister.co.uk/content/56/34751.html

January 06, esecurityplanet.com - Trojan sends spammed message with woman's picture.

BackDoor-AWQ.b is a remote access Trojan written in Borland Delphi, according to McAfee, which issued an alert on Tuesday, January 6. An email message constructed to download and execute the Trojan is known to have been spammed to users. The spammed message is in HTML format. It is likely to have a random subject line, and its body is likely to bear a head portrait of a lady (loaded from a remote server when the message is viewed). The body contains HTML tags that load a second file from a remote server. This file is MIME and contains the remote access Trojan (base64 encoded). Upon execution, the Trojan installs itself into the %SysDir% directory as GRAYPIGEON.EXE. A DLL file is extracted and also copied to this directory (where %SysDir% is the Windows System directory, for example C:\WINNT\SYSTEM32). The following registry value is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
"ScanRegedit" = "%SysDir%\GRAYPIGEON.EXE"

The DLL file (which contains the backdoor functionality) is injected into the EXPLORER.EXE process on the victim machine.
More information, including removal instructions, can be found at: http://us.mcafee.com/virusInfo/default.asp?id=description&viru_k=100938
Source: http://www.esecurityplanet.com/alerts/article.php/3295891

January 05, esecurityplanet.com - Multi-component worm searches for weak system passwords.

On Monday, January 5, Sophos issued a low-level alert for W32/Randon-AB, a multi-component network worm that attempts to spread by copying components of itself to remote ADMIN$ shares protected by weak passwords and executing them there. One component of the worm, B4AK.EXE, then attempts to download and execute a copy of the worm from a remote URL as a file called C:\SVCHOST.EXE. The main file is a self-extracting (SFX) EXE which creates a folder called AL within the Windows system folder and drops and executes several files, some of which are legitimate utilities or innocuous files. The worm adds an entry to the registry Run key so that H00D.EXE runs on system restart.
Removal instructions are at http://www.sophos.com/virusinfo/analyses/w32randonab.html
Source: http://www.esecurityplanet.com/alerts/article.php/3295121

January 05, eweek.com - Agencies beef up IT security.

The Department of Justice (DOJ), one of a handful of agencies that received a failing grade on last month's report card on IT security delivered by a congressional subcommittee, is at the forefront of the movement. The DOJ has made a number of changes, including the establishment of a department-wide IT security staff that answers directly to the CIO, according to DOJ officials. That group, in turn, has set about organizing a security council within the department, they said. The council comprises the top security officials from each of Justice's dozens of component organizations, and is now responsible for implementing and overseeing all the security programs in the department. So far, the results have been encouraging, department officials said. Another agency, the Environmental Protection Agency, has created an automated security evaluation and remediation application capable of testing the security posture of each machine and monitoring the remediation process for any problems found. The Department of Transportation recently implemented a comprehensive vulnerability assessment and remediation package that performs continuous scans, instead of the traditional monthly or quarterly assessments.
Source: http://www.eweek.com/article2/0,4149,1426312,00.asp

Internet Alert Dashboard

Current Alert Levels
AlertCon: 1 out of 4 - https://gtoc.iss.net
Security Focus ThreatCon: 1 out of 4 - http://analyzer.securityfocus.com/

Current Virus and Port Attacks
Virus: #1 Virus in the United States: WORM_LOVGATE.G
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend Micro World Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]

Top 10 Target Ports: 12901 (realsecure), 6129 (dameware), 135 (epmap), 1434 (ms-sql-m), 137 (netbios-ns), 139 (netbios-ssn), 23 (telnet), 21 (ftp), 445 (microsoft-ds), 27374 (SubSeven)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

_______________________________________________
Information_technology mailing list
Information_technology@listserv
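Both the BackDoor-AWQ.b and W32/Randon-AB alerts above describe persistence through the Run/RunOnce registry keys. The following script is an added example, not part of the digest or of the McAfee/Sophos write-ups: it audits a Windows .reg export of those keys for the entries the two alerts name (GRAYPIGEON.EXE, H00D.EXE, and a copy of SVCHOST.EXE outside the system directory). The SAMPLE_REG export is constructed for illustration.

```python
# Added example (not from the alerts' sources): audit a Windows .reg export of the
# Run/RunOnce keys for the persistence entries the BackDoor-AWQ.b and W32/Randon-AB
# alerts describe. SAMPLE_REG is constructed; a real export is read with encoding="utf-16".
import re

KNOWN_BAD_IMAGES = {"graypigeon.exe", "h00d.exe"}   # file names taken from the alerts
AUTORUN_KEY_RE = re.compile(
    r"^\[(HKEY_\w+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?)\]$",
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')       # only REG_SZ values matter here

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ScanRegedit"="C:\\WINNT\\SYSTEM32\\GRAYPIGEON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\\WINNT\\system32\\mobsync.exe /logon"
"svc"="C:\\SVCHOST.EXE"
"H00D"="C:\\WINNT\\system32\\AL\\H00D.EXE"
'''

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values under Run/RunOnce keys."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                    # a new key header
            m = AUTORUN_KEY_RE.match(line)
            key = m.group(1) if m else None
            continue
        m = VALUE_RE.match(line) if key else None
        if m:                                       # undo .reg escaping of \ and "
            yield key, m.group(1), m.group(2).replace('\\\\', '\\').replace('\\"', '"')

def image_name(command):
    """Executable file name from a command line, quoted or not."""
    cmd = command.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()

def find_suspicious_autoruns(reg_text):
    """Return (key, value_name, data, reason) for entries matching the alerts."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        image = image_name(data)
        if image in KNOWN_BAD_IMAGES:
            hits.append((key, name, data, "image named in a current alert"))
        elif image == "svchost.exe" and "\\system32\\" not in data.lower():
            # W32/Randon-AB drops its copy as C:\SVCHOST.EXE, outside the system dir
            hits.append((key, name, data, "svchost.exe outside the system directory"))
    return hits
```

Calling find_suspicious_autoruns(SAMPLE_REG) returns three entries (ScanRegedit, svc, H00D) and leaves the benign mobsync.exe entry alone; the real svchost.exe under system32 would likewise not be flagged.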
This archive was generated by hypermail 2b30 : Thu Jan 08 2004 - 09:31:23 PST