Updates
A compilation of the latest information about viruses and worms, security issues and patches to rectify the same
UNIX_MARE.F
ELF_MARE.E
TROJ_BAGLE.DM
WORM_KELVIR.DO
TROJ_SMALL.TB
TROJ_SMALL.QX
JS_FEEBS.CZ
PERL_SHELLBOT.AI
UNIX_MARE.D
ELF_MARE.C
(Source: Trend Micro; period: Feb 18 to 25)
Trend Micro reports on JS_FEEBS.CZ
JS_FEEBS.CZ is malicious JavaScript code embedded in a Web site that runs on a
system when a user visits that site. It may also arrive attached to spam e-mail.
When run on the affected system, it shows a fake aol.com, gmail.com, hotmail.com,
msn.com or yahoo.com loading page carrying a text message that says no connection
is available. While the user is led to believe the Web page is inaccessible, the
script downloads the file USERINIT.EXE, which Trend Micro detects as WORM_FEEBS.LR,
and stores it in the C:\Recycled folder. It also downloads an encrypted file from
various URLs; the encrypted file contains a copy of WORM_FEEBS.LR, which is decrypted
and executed. If the script is unable to create the registry entries for the worm's
auto-startup, it instead stores the downloaded WORM_FEEBS.LR file in the Common
Startup folder.
It also deletes anti-virus and security-related registry keys, which makes detection
and removal of the malicious script more difficult and increases the risk of
acquiring other malware.
Sophos reports W32/Sdbot-AVZ
W32/Sdbot-AVZ is a Trojan for the Windows platform, also known by the aliases
Backdoor.Win32.Pakes and W32/Sdbot.OGP. It includes functionality to access the
Internet and communicate with a remote server via HTTP. When first run, W32/Sdbot-AVZ
copies itself to Windows\secure32.exe and registers that file as a new system driver
service with the display name Network Configuration Security Manager and a startup
type of automatic, so that it is started every time the PC boots.
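The FEEBS and Sdbot write-ups above share one persistence pattern: a Run entry or a new auto-start service whose executable sits somewhere a legitimate program would not (C:\Recycled, the Windows root). The following Python script is an added example, not code from the original page or from either vendor. It parses the plain-text output of `reg query ... /s` for the Run and Services keys and flags entries that match those indicators. The registry text is constructed (the Dhcp and SoundMAX entries are benign filler); the environment-variable expansion table and the list of suspicious directories are assumptions a practitioner would tune to the estate; the Type and Start decoding uses the documented service DWORD values (Type 0x1/0x2 = driver, Start 0x2 = automatic).

```python
"""Hunt for Run-key and service auto-start persistence in `reg query` text output.

Added illustration for the JS_FEEBS.CZ / W32/Sdbot-AVZ indicators; not vendor code.
Parses the output format of `reg query <key> /s` (key header lines flush left,
value lines indented as: name, REG_* type, data) and flags suspicious entries.
"""
import ntpath  # Windows path semantics regardless of host OS
import re

# Constructed sample shaped like `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
# followed by `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`.
# secure32 and userinit mirror the indicators in the advisories; the rest is benign filler.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    Type    REG_DWORD    0x20
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
    DisplayName    REG_SZ    DHCP Client

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secure32
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\secure32.exe
    DisplayName    REG_SZ    Network Configuration Security Manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
    userinit    REG_SZ    C:\Recycled\USERINIT.EXE
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")
# Assumed expansions; on a live host read them from the environment instead.
ENV = {"%systemroot%": r"C:\WINDOWS", "%windir%": r"C:\WINDOWS"}
# Assumed heuristic: directories where an auto-start executable is out of place.
SUSPICIOUS_DIRS = {r"c:\recycled", r"c:\recycler", r"c:\windows", r"c:\windows\temp"}


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):   # blank, or REG.EXE banner
            continue
        if not line[0].isspace():                      # key header
            current = keys.setdefault(line.strip(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, reg_type, data = m.groups()
            current[name] = (reg_type, data)
    return keys


def image_executable(cmdline):
    """Extract the executable path from an ImagePath or Run command line."""
    cmd = cmdline.strip()
    for var, val in ENV.items():
        cmd = re.sub(re.escape(var), lambda _: val, cmd, flags=re.IGNORECASE)
    if cmd.startswith('"'):                            # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]                        # unquoted: up to first space


def hunt(text):
    """Return [(key_name, value_name, executable, [reasons])] for suspicious entries."""
    findings = []
    for key, values in parse_reg_query(text).items():
        is_service = "\\services\\" in key.lower()
        if is_service:
            candidates = [("ImagePath", values["ImagePath"][1])] if "ImagePath" in values else []
        else:  # Run key: every string value is a command line
            candidates = [(n, d) for n, (t, d) in values.items() if t in ("REG_SZ", "REG_EXPAND_SZ")]
        for name, cmd in candidates:
            exe = image_executable(cmd)
            reasons = []
            directory = ntpath.dirname(exe).lower().rstrip("\\")
            if directory in SUSPICIOUS_DIRS:
                reasons.append(f"executable in {directory}")
            if is_service:
                svc_type = int(values.get("Type", ("", "0x0"))[1], 16)
                if svc_type in (0x1, 0x2) and exe.lower().endswith(".exe"):
                    reasons.append(f"driver-type service (Type 0x{svc_type:x}) whose image is an .exe")
                if reasons and int(values.get("Start", ("", "0x3"))[1], 16) == 0x2:
                    reasons.append("auto-start")
            if reasons:
                findings.append((key.rsplit("\\", 1)[-1], name, exe, reasons))
    return findings


if __name__ == "__main__":
    for key, value, exe, reasons in hunt(SAMPLE):
        print(f"{key}\\{value} -> {exe}: {'; '.join(reasons)}")
```

Feed it a real `reg query HKLM\SYSTEM\CurrentControlSet\Services /s > services.txt` capture and the same for the HKLM and HKCU Run keys. The Common Startup folder fallback FEEBS uses is a file-system artifact, so pair this with a directory listing of that folder; and a user-mode scan of this kind cannot see entries hidden by a kernel-mode rootkit, so an offline (boot-media or mounted-hive) capture is the stronger source.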
Symantec reports Backdoor.Hesive.B
Backdoor.Hesive.B is a Trojan that opens a back door on the compromised computer.
It may arrive as a malicious Microsoft Access file that exploits the Microsoft Jet
Database Engine Malformed Database File Buffer Overflow vulnerability. It also
installs a hidden device service, a kernel-mode rootkit that hides the files and
registry entries the Trojan creates.
Vulnerabilities in Lotus Notes
Secunia Research has discovered multiple vulnerabilities in Lotus Notes which
can be exploited to bypass certain security restrictions or compromise a user's
system.
- A boundary error in kvarcve.dll when constructing the
full pathname of a compressed file to check for its existence before extracting
it from a ZIP archive can be exploited to cause a stack-based buffer overflow.
Successful exploitation allows execution of arbitrary code when the user extracts
a compressed file from within the Notes attachment viewer. The vulnerability
has been confirmed in version 6.5.4.
- A boundary error in uudrdr.dll when handling UUE files
containing an encoded file with an overly long filename can be exploited to
cause a stack-based buffer overflow. Successful exploitation allows execution
of arbitrary code when a malicious UUE file is opened in the Notes attachment
viewer. The vulnerability has been confirmed in versions 6.5.4 and 7.0.
- Directory traversal errors in kvarcve.dll when generating
the preview of a compressed file from ZIP, UUE and TAR archives can be exploited
to delete arbitrary files that are accessible to the Notes user. The vulnerability
has been confirmed in versions 6.5.4 and 7.0. Prior versions may also be affected.
- A boundary error exists in the HTML speed reader (htmsr.dll), which is used
for viewing HTML attachments in e-mail. It can be exploited to cause a stack-based
buffer overflow via a malicious e-mail containing an overly long link beginning
with either http, ftp or //. Successful exploitation enables the execution of
arbitrary code with the privileges of the user running Lotus Notes, but requires
that the user follow the link in the HTML document. The vulnerability has been
confirmed in versions 6.5.4 and 7.0. Prior versions may also be affected.
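The first three Notes issues are two faces of the same input problem: an archive member name that is longer than the fixed buffer that will hold it, or that points outside the directory the viewer works in. The Python below is an added example, illustrative only; it is not IBM's or Secunia's code and not a reconstruction of kvarcve.dll or uudrdr.dll. It validates a member name before it is previewed, extracted or deleted, and applies the check to a UUE `begin` line and to a constructed ZIP containing a traversal entry and an over-long name. PREVIEW_ROOT and MAX_MEMBER_NAME are assumed values; a real caller would use its actual working directory and its actual buffer size.

```python
"""Validate archive member names before preview, extraction or cleanup.

Added illustration of the kvarcve.dll / uudrdr.dll bug classes; not Notes code.
"""
import io
import ntpath  # Windows path semantics regardless of host OS
import re
import zipfile

PREVIEW_ROOT = r"C:\Notes\Data\preview"   # assumed working directory of the viewer
MAX_MEMBER_NAME = 260                      # assumed: size of the caller's name buffer


class UnsafeMember(ValueError):
    """Raised for a member name that must not be previewed, extracted or deleted."""


def safe_member_path(root, member, max_len=MAX_MEMBER_NAME):
    """Map an archive member name to a path strictly inside `root`, or raise.

    Rejects over-long names (the fixed stack buffers), parent references and
    absolute paths (the preview-cleanup deletion), and embedded NULs.
    """
    if not member or len(member) > max_len:
        raise UnsafeMember(f"length {len(member)} outside 1..{max_len}")
    if "\x00" in member:
        raise UnsafeMember("embedded NUL")
    name = member.replace("\\", "/")            # ZIP, TAR and UUE may use either separator
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        raise UnsafeMember("absolute path")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeMember("parent-directory reference")
    full = ntpath.normpath(ntpath.join(root, *parts))
    # Belt and braces: the normalised result must still lie under root.
    if not ntpath.normcase(full).startswith(ntpath.normcase(root.rstrip("\\")) + "\\"):
        raise UnsafeMember("escapes root after normalisation")
    return full


def uue_header_filename(uue_text):
    """Return the validated target path announced by a UUE 'begin <mode> <name>' line."""
    for line in uue_text.splitlines():
        m = re.match(r"^begin\s+[0-7]{3,4}\s+(.+)$", line)
        if m:
            return safe_member_path(PREVIEW_ROOT, m.group(1).rstrip())
    raise UnsafeMember("no begin line")


def vet_zip(zip_bytes):
    """Classify every ZIP member: {name: full_path} or {name: 'REJECTED: reason'}."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                out[info.filename] = safe_member_path(PREVIEW_ROOT, info.filename)
            except UnsafeMember as e:
                out[info.filename] = f"REJECTED: {e}"
    return out


def build_sample_zip():
    """Constructed hostile ZIP: one benign member, one traversal, one over-long name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"quarterly figures")
        zf.writestr("../../notes.ini", b"Directory=C:\\evil")   # would land outside root
        zf.writestr("A" * 300 + ".txt", b"x")                  # overruns a 260-byte buffer
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in vet_zip(build_sample_zip()).items():
        print(f"{name[:40]:40} -> {verdict}")
    for hdr in ("begin 644 hello.txt", "begin 644 ../../../boot.ini"):
        try:
            print(hdr, "->", uue_header_filename(hdr))
        except UnsafeMember as e:
            print(hdr, "-> REJECTED:", e)
```

The length check comes first on purpose: the name must be bounded before anything builds a full path from it, since the Notes overflow sits in exactly that concatenation. Rejecting any `..` component, rather than normalising it away, is deliberately conservative; a name such as `dir/../x` would resolve inside the root but is not something a benign archive needs.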