Updates
A compilation of the latest information about viruses and worms, security issues, and the patches that rectify them.
Symantec reports critical vulnerability in Windows Workstation service
WORM_SOHANAD.AF
TROJ_STRAT.GN
TROJ_YABE.AK
TROJ_BANLOAD.BHP
WORM_STRAT.GG
TROJ_STRAT.GG
PE_LOOKED.LF-O
VBS_PSYME.FP
WORM_SOHANAD.AH
TROJ_ZLOB.BLQ
(Source: Trend Micro, November 18 to 24, 2006)
A remote code execution vulnerability exists in the Workstation service of
Windows 2000 SP4 and Windows XP SP2 that could allow an attacker to take complete
control of an affected system. Symantec Security Response rates this vulnerability
in Microsoft's Workstation service as the most critical of the security bulletins
Microsoft issued this month.
The vulnerability is caused by an unchecked buffer in the Workstation service:
the service copies data out of a network message without first verifying that the
data fits in the buffer that receives it. An attacker can try to exploit the
vulnerability by creating a specially-crafted message and sending it to an affected
system. Processing the message then causes the affected system to execute code of
the attacker's choosing.
Systems running Windows 2000 Service Pack 4, Windows XP Service Pack 2 and (possibly)
Windows Server 2003 are at risk. On a Windows 2000 SP4 system, a specially-crafted
message sent by any anonymous user can exploit this vulnerability. On PCs running
Windows XP Service Pack 2, the attack will only succeed if performed by a user with
administrator privileges.
The issue affects a wide range of component technologies and services that depend
on the Workstation service. An attacker who successfully exploits this vulnerability
can install programs; view, change, or delete data; or create new accounts with full
user rights. An attacker could also try to exploit this vulnerability over the
Internet, not just from the local network, so the patch should be applied promptly.
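The defect class behind this bulletin, an unchecked buffer fed from a network message, is easiest to see in code. The following is an added example written for this page, not the Workstation service's own code, and it uses a made-up wire format (a two-byte big-endian length followed by that many payload bytes, copied into a fixed 64-byte buffer) that stands in for the real RPC encoding. It places the vulnerable copy routine beside the hardened one so the missing check is explicit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size destination, standing in for a stack or heap buffer inside a
   service that receives messages from the network. */
#define NAME_CAP 64

/* Hypothetical wire format used only for this example: a two-byte big-endian
   length followed by that many bytes of payload. This is NOT the real
   Workstation service RPC encoding. */
enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Vulnerable pattern: trusts the length field supplied by the peer. If the
   declared length exceeds NAME_CAP, memcpy writes past the end of dst and
   corrupts whatever follows it, which is exactly the "unchecked buffer" the
   advisory describes. It is shown here only to contrast with the fix; never
   call it on attacker-controlled input. */
int copy_name_unchecked(const uint8_t *msg, size_t msg_len, char dst[NAME_CAP])
{
    if (msg_len < 2) return PARSE_TRUNCATED;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    memcpy(dst, msg + 2, declared);  /* no comparison with NAME_CAP or msg_len */
    dst[declared] = '\0';            /* also off by one when declared == NAME_CAP */
    return PARSE_OK;
}

/* Hardened version: the length field is checked against the bytes that
   actually arrived AND against the destination capacity before any copy. */
int copy_name_checked(const uint8_t *msg, size_t msg_len, char dst[NAME_CAP])
{
    if (msg_len < 2) return PARSE_TRUNCATED;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared > msg_len - 2) return PARSE_TRUNCATED; /* claims more than arrived */
    if (declared >= NAME_CAP) return PARSE_TOO_LONG;    /* leave room for the NUL */
    memcpy(dst, msg + 2, declared);
    dst[declared] = '\0';
    return PARSE_OK;
}

/* Build a message in the hypothetical format; returns the total length, or 0
   if the payload does not fit in buf. */
size_t build_msg(uint8_t *buf, size_t buf_cap, const char *payload, size_t payload_len)
{
    if (payload_len > 0xFFFF || payload_len + 2 > buf_cap) return 0;
    buf[0] = (uint8_t)(payload_len >> 8);
    buf[1] = (uint8_t)(payload_len & 0xFF);
    memcpy(buf + 2, payload, payload_len);
    return payload_len + 2;
}

int main(void)
{
    uint8_t wire[512];
    char name[NAME_CAP];

    /* Constructed benign message: fits comfortably. */
    size_t n = build_msg(wire, sizeof wire, "WORKSTATION01", 13);
    printf("benign  -> %d (%s)\n", copy_name_checked(wire, n, name), name);

    /* Constructed hostile message: declares 300 bytes for a 64-byte buffer. */
    char big[300];
    memset(big, 'A', sizeof big);
    n = build_msg(wire, sizeof wire, big, sizeof big);
    printf("hostile -> %d\n", copy_name_checked(wire, n, name));

    /* Lying header: says 100 bytes follow, but only 5 actually do. */
    n = build_msg(wire, sizeof wire, "short", 5);
    wire[0] = 0; wire[1] = 100;
    printf("lying   -> %d\n", copy_name_checked(wire, n, name));
    return 0;
}
```

Two checks are needed, not one: the declared length must be bounded by the bytes received (otherwise the parser reads past the message) and by the destination capacity (otherwise it writes past the buffer). The hostile message in `main` is the shape of input the advisory warns about; the unchecked routine is deliberately never given it, because on a real service that write is the code-execution primitive.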
Trend Micro reports WORM_SOHANAD.AF
This memory-resident worm arrives on an affected system via instant messaging
applications such as Yahoo Messenger, Windows Live Messenger, and Windows Messenger.
It propagates by sending an instant message to all of the active user's contacts.
The message contains a link to a remote copy of the worm; when a recipient clicks
the link, the copy is downloaded and executed on that system. Upon execution, the
worm modifies the registry to disable Registry Editor and Task Manager, and
terminates processes, most of which belong to security applications. It also
changes the Internet Explorer home page and prevents any further change to that
setting, and hides the Run option on the Start menu, making the worm harder to
detect and remove. It is capable of downloading and executing files from certain
URLs, so any malicious routines in those downloaded files also run on the affected
system.
Sophos reports W32/Rbot-FWW
W32/Rbot-FWW is a worm with IRC backdoor functionality that targets Windows.
It spreads to other computers on a network by exploiting common buffer overflow
vulnerabilities, namely WKS (MS03-049, CAN-2003-0812) and ASN.1 (MS04-007), and
through AOL Instant Messenger. It allows others to access the computer, downloads
code from the Internet, installs itself in the Registry, and exploits system
or software vulnerabilities.
Panda Antivirus reports Foamer.A
The worm attempts to connect to the Web to download malware. It disables Task
Manager and Registry Editor. It also sends an e-mail message to its author
containing data from the infected computer, including user names, the computer
name, and so on. If a user runs CMD (the command shell), the worm clears the screen,
displays the message THE WORLD-WIDE DONT ACCEPT COMMAND PROMPT!!!! and automatically
closes the shell. Foamer.A spreads across networks. Apart from that message, it is
difficult to recognise, as it displays no other warnings indicating that it has
infected a computer.