Security Threat Watch 116
From: Security Threat Watch Newsletter (NetworkComputing@update.networkcomputing.com)
Date: Mon Jan 30 2006 - 13:26:29 CST
Security Threat Watch
Number 116
Monday, January 30, 2006
Created for you by Network Computing & Neohapsis
The mass-mailing Blackmal.E virus has been in the spotlight this week,
as the projected 9 million infected machines raised a few eyebrows.
The virus, also known as Blackworm or Nyxem.E, will usually attach
itself to e-mail messages as an executable file with suggestive
subject lines and may spread via shared folders. It will completely
compromise the systems of those users who open the attachment,
attempting to disable security software and making extensive changes
to the registry.
The worm uses a Web counter to track itself, and while the counter
currently stands at over 9 million hits, there are suspicions that the
data cannot be trusted. The counter may have started above zero, and it
may log any browser that visits the Web address, thereby counting
observers as well as infected machines. In addition, there is
speculation that someone was DoSing the counter to artificially
inflate the value. This raises the question of how many machines are
actually infected, and what about infected machines behind
proxies/firewalls that cannot reach the counter to increase the hit
count? Although no one knows for sure, analysis of the data retrieved
puts the number of infected machines at around 500,000.
Even though this number is far lower than the counter's figure, the
virus carries a destructive payload. On computers that remain infected
on February 3, 11 types of files will be deleted from the hard drive,
including any Word, Excel, PowerPoint or PDF documents.
Besides the usual antivirus signature updates, Snort signatures for
the worm can be found at:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/VIRUS/WORM_Nyxem?rev=1.5&only_with_tag=HEAD&view=markup
F-Secure has a free removal utility (F-Force) available on its Web
site at: http://www.f-secure.com/v-descs/nyxem_e.shtml
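The infection vector described above is an executable file attached to e-mail. The following is an added example (not code from the newsletter, F-Secure, or the Snort signature set) of the check a mail gateway can apply to that vector: it parses a raw message with Python's standard `email` library, flags any attachment whose name carries an executable extension or whose content starts with the `MZ` header of a Windows executable, and returns a quarantine/deliver verdict. The extension blocklist and the sample messages are assumptions constructed for the example; the newsletter names no specific filenames or extensions for this worm.

```python
"""Mail-gateway check for executable attachments (the Blackmal.E/Nyxem.E
infection vector). Added example; every message it handles is constructed
test data, not a captured worm sample."""
import email
import email.policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions Windows runs directly. Assumption: a typical gateway blocklist,
# not a list taken from the newsletter.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# First two bytes of a DOS/PE executable, checked so that a binary renamed
# to an innocent extension is still caught.
MZ_MAGIC = b"MZ"


def is_executable_attachment(part) -> bool:
    """True if a MIME part looks executable by name or by content."""
    filename = part.get_filename() or ""
    # suffixes handles double extensions such as "photo.jpg.scr"
    suffixes = {s.lower() for s in PurePosixPath(filename).suffixes}
    if suffixes & EXECUTABLE_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == MZ_MAGIC


def classify_message(raw: bytes):
    """Return (verdict, flagged attachment names) for one raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_attachment() and is_executable_attachment(part):
            flagged.append(part.get_filename() or "<unnamed>")
    verdict = "quarantine" if flagged else "deliver"
    return verdict, flagged


def build_sample(filename: str, content: bytes, subject: str) -> bytes:
    """Construct a one-attachment message for testing (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See attachment.")
    msg.add_attachment(content, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, body in (("photo.jpg.scr", b"MZ\x90\x00stub"),
                       ("notes.txt", b"MZ\x90\x00stub"),
                       ("report.pdf", b"%PDF-1.4 stub")):
        print(name, classify_message(build_sample(name, body, "Photos")))
```

The content check matters more than the extension check: an extension blocklist is bypassed by renaming, whereas a file that begins with `MZ` is an executable whatever it is called. A gateway that only trusts the declared Content-Type would miss both cases.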
Until next issue,
- The Neohapsis Security Threat Watch Team
--- Advertisement
-----------------------------------------------------
Network Computing invites you to a FREE webcast: The Role of
Remote Management in Assuring IT Infrastructure Uptime
Raritan and Enterprise Management Associates, teach you:
how to simplify and enhance uptime control; barriers to
reducing mean-time-to-repair and expanding MTBF; and more.
Wed., Feb. 15, 2006 - 11:00 AM PT / 2:00 PM ET
Register now:
--- InformationWeek's 9th Annual National IT Salary Survey
-----------------------------------------------
Do you deserve a raise? Is your career on track? The editors of
InformationWeek magazine invite you to participate in their 9th
annual National IT Salary Survey.
Here's why you should participate:
+ It's fast. It's convenient. It's confidential.
+ Win prizes if you respond by February 1. (Grand Prize: Sony 42"
ED-ready plasma TV valued at $2,500)
+ It compares your salary and job satisfaction responses to those
of your peers in a 30+ page report.
+ It compares salaries regionally and nationally (for free).
To participate in the survey:
http://cmp.inquisiteasp.com/cgi-bin/qwebcorporate.dll?idx=QRM3M9&campaign=24
--- New Vulnerabilities
-----------------------------------------------
Below is a list of new vulnerabilities announced this week.
Vulnerabilities considered to be 'critical' involve highly-deployed
software, or carry a high-risk of system compromise. Note that
vulnerabilities not highlighted may still be of critical severity
to your environment.
**** Highlighted critical vulnerabilities ****
Red Hat Directory/Certificate Server: admin console remote overflow
**** Newly announced vulnerabilities this week ****
____Windows____
Sami FTP 2.0.1: remote overflow
http://archives.neohapsis.com/archives/bugtraq/2006-01/0425.html
____Network Devices____
Cisco IOS: tclsh bypasses AAA command authorization checks
http://archives.neohapsis.com/archives/cisco/2006-q1/0007.html
Cisco VPN 3000 Concentrator: HTTP service remote DoS
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0036.html
____CGI____
ASPThai 8.0: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-01/0446.html
AndoNET: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-01/0429.html
BBCode: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-01/0431.html
BlogPHP: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-01/0381.html
CheesyBlog 1.0: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-01/0398.html
ExpressionEngine 1.4.1: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-01/0403.html
MyBB 1.0.2: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-01/0415.html
MyBB 1.0.2: information exposure
http://archives.neohapsis.com/archives/bugtraq/2006-01/0375.html
Newsphp: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-01/0411.html
Note-A-Day Weblog 2.1: user authentication credentials exposure
http://archives.neohapsis.com/archives/bugtraq/2006-01/0389.html
Phpclanwebsite 1.23.1: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-01/0422.html
Text Rider 2.4: information exposure
http://archives.neohapsis.com/archives/bugtraq/2006-01/0412.html
Trac 0.9.3: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-01/0419.html
e-CMS: vis.pl remote file reading
http://archives.neohapsis.com/archives/bugtraq/2006-01/0427.html
e-moBLOG 1.3: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-01/0388.html
miniBloggie 1.0: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-01/0408.html
phpBB 2.0.19: DoS
http://archives.neohapsis.com/archives/bugtraq/2006-01/0399.html
____Cross-Platform____
123flashchat: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-01/0428.html
CA multiple products: iGateway component remote overflow
http://archives.neohapsis.com/archives/bugtraq/2006-01/0451.html
Eterm-LibAST: local overflow
http://archives.neohapsis.com/archives/bugtraq/2006-01/0438.html
Oracle 10gR1: stored procedures local overflows
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0037.html
Oracle PLSQL Gateway: PLSQL exclusion list bypass
http://archives.neohapsis.com/archives/bugtraq/2006-01/0397.html
Red Hat Directory/Certificate Server: admin console remote overflow
http://archives.neohapsis.com/archives/bugtraq/2006-01/0386.html
Shareaza P2P: remote integer overflow
http://archives.neohapsis.com/archives/bugtraq/2006-01/0452.html
--- Patches and Updates
-----------------------------------------------
The following contains a list of vendor patches and updates released
this week.
____Linux____
Debian > DSA 947-2: clamav
http://archives.neohapsis.com/archives/bugtraq/2006-01/0400.html
Debian > DSA 949-1: crawl
http://archives.neohapsis.com/archives/bugtraq/2006-01/0382.html
Debian > DSA 950-1: CUPS
http://archives.neohapsis.com/archives/bugtraq/2006-01/0436.html
Debian > DSA 951-1: trac
http://archives.neohapsis.com/archives/vendor/2006-q1/0030.html
Debian > DSA 952-1: libapache-auth-ldap
http://archives.neohapsis.com/archives/bugtraq/2006-01/0444.html
Debian > DSA 953-1: flyspray
http://archives.neohapsis.com/archives/bugtraq/2006-01/0409.html
Debian > DSA 954-1: wine
http://archives.neohapsis.com/archives/vendor/2006-q1/0033.html
Debian > DSA 955-1: mailman
http://archives.neohapsis.com/archives/vendor/2006-q1/0035.html
Debian > DSA 956-1: lsh-utils
http://archives.neohapsis.com/archives/bugtraq/2006-01/0418.html
Debian > DSA 957-1: ImageMagick
http://archives.neohapsis.com/archives/bugtraq/2006-01/0432.html
Debian > DSA 958-1: drupal
http://archives.neohapsis.com/archives/bugtraq/2006-01/0449.html
Gentoo > GLSA200601-11: KDE
http://archives.neohapsis.com/archives/bugtraq/2006-01/0392.html
Mandriva > MDKSA-2006:019: kdelibs
http://archives.neohapsis.com/archives/bugtraq/2006-01/0378.html
Mandriva > MDKSA-2006:020: ipsec-tools
http://archives.neohapsis.com/archives/linux/mandrake/2006-q1/0033.html
Mandriva > MDKSA-2006:021: mozilla-thunderbird
http://archives.neohapsis.com/archives/linux/mandrake/2006-q1/0034.html
Mandriva > MDKSA-2006:022: perl-Convert-UUlib
http://archives.neohapsis.com/archives/linux/mandrake/2006-q1/0035.html
Mandriva > MDKSA-2006:023: perl-Net_SSLeay
http://archives.neohapsis.com/archives/linux/mandrake/2006-q1/0036.html
Mandriva > MDKSA-2006:024: ImageMagick
http://archives.neohapsis.com/archives/linux/mandrake/2006-q1/0037.html
Mandriva > MDKSA-2006:025: net-snmp
http://archives.neohapsis.com/archives/linux/mandrake/2006-q1/0042.html
SuSE > SUSE-SA:2006:004: phpMyAdmin
http://archives.neohapsis.com/archives/linux/suse/2006-q1/0070.html
SuSE > SUSE-SA:2006:005: nfs-server/rpc.mountd
http://archives.neohapsis.com/archives/linux/suse/2006-q1/0071.html
Ubuntu > USN-245-1: KDE library
http://archives.neohapsis.com/archives/bugtraq/2006-01/0385.html
____BSD____
FreeBSD > FreeBSD-SA-06:06: kernel
http://archives.neohapsis.com/archives/bugtraq/2006-01/0405.html
FreeBSD > FreeBSD-SA-06:07: kernel
http://archives.neohapsis.com/archives/bugtraq/2006-01/0401.html
____HP-UX____
SSRT061099: shlibs
http://archives.neohapsis.com/archives/bugtraq/2006-01/0407.html
____Cross-Platform____
SSRT061104: HP Oracle for OpenView
http://archives.neohapsis.com/archives/bugtraq/2006-01/0420.html
--- Sign Off
----------------------------------------------------------
If this e-mail was passed to you, and you would like to begin receiving
our free security e-mail newsletter on a weekly basis, we invite you to
subscribe today by forwarding this message to
[subscribe_stw@update.networkcomputing.com].
Or you can subscribe directly here:
http://www.networkcomputing.com/go/stw.jhtml
To manage all aspects of your subscription and newsletter account,
simply use the URL below. You'll need your e-mail address and
password to log in. If you don't have your password, you can generate
a new one using the same URL. Once logged in, you can change your
e-mail address and password as well as select specific platforms for
which you'd like to receive information on patches and vulnerabilities.
If you have any questions regarding this system, please don't hesitate
to e-mail us at stw@nwc.com.
http://stwpref.update.networkcomputing.com/CMP/NWC/prefctr.asp
Put Us On Your White List
Don't let an over-eager e-mail filter bounce the Network Computing
Security Threat Watch newsletter! Our address:
NetworkComputing@update.networkcomputing.com
needs to be in your address book or on your anti-spam white list. Ask your
admin or ISP how to do this, or check your anti-spam utility documentation.
Important subscription contacts:
CMP Media LLC
600 Community Drive
Manhasset, NY 11030
Unsubscribe to Network Computing's newsletters.
http://www.networkcomputing.com/newsletters/unsubscribe.html
Sign up for your own issue of this newsletter.
http://www.networkcomputing.com/newsletters/subscriptions.html
Subscribe to Network Computing's newsletters.
http://www.networkcomputing.com/newsletters/subscriptions.html
Still not receiving your own FREE subscription to Network Computing
magazine?
http://networkcomputingsubscriptions.com/customerservice/
ADDITIONAL SUBSCRIPTION CONTACT:
Please send an e-mail message to newsletters@cmp.com if you need
assistance changing your e-mail address, unsubscribing from this
newsletter, or require additional assistance with your subscription.
Please be sure to include the name of this newsletter in your message.
Missed an issue? You can find all back issues of Security Threat Watch
(as well as Security Alert Consensus and Security Express) online.
http://archives.neohapsis.com/
Note: To better serve you we use dynamic URLs within our advertisements,
which allow us to see how many readers click on a given ad. We do not
share this information, or your personal information, with any outside
party. Concerned about the privacy of your information relative to these
tracking URLs? Please refer to our privacy policy.
http://www.doubleclick.net/us/corporate/privacy
We'd like to know what you think about the newsletter and what
information you'd like to see in future editions. E-mail your comments
to (stw@nwc.com).
To unsubscribe from this newsletter, forward this message to
[unsubscribe_stw@update.networkcomputing.com].
Copyright (c) 2006 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com). Powered by Neohapsis Inc., a
Chicago-based security assessment and integration services consulting
group (info@neohapsis.com | http://www.neohapsis.com/).
This message powered by DARTmail
http://www.doubleclick.net/us/corporate/privacy