NAC - regarding the virus fyi
edwulf
edwulf at msn.com
Tue Feb 13 21:24:59 EST 2001
----- Original Message -----
From: "CERT Advisory" <cert-advisory at cert.org>
To: <cert-advisory at cert.org>
Sent: Monday, February 12, 2001 9:05 PM
Subject: CERT Advisory CA-2001-03
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2001-03 VBS/OnTheFly (Anna Kournikova) Malicious Code
>
> Original release date: February 12, 2001
> Last revised: February 12, 2001
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> Users of Microsoft Outlook who have not applied previously available
> security updates.
>
> Overview
>
> The "VBS/OnTheFly" malicious code is a VBScript program that spreads
> via email. As of 7:00 pm EST(GMT-5) Feb 12, 2001, the CERT
> Coordination Center had received reports from more than 100 individual
> sites. Several of these sites have reported suffering network
> degradation as a result of mail traffic generated by the
> "VBS/OnTheFly" malicious code.
>
> This malicious code can infect a system if the enclosed email
> attachment is run. Once the malicious code has executed on a system,
> it will take the actions described in the Impact section.
>
> I. Description
>
> When the malicious code executes, it attempts to send copies of
> itself, using Microsoft Outlook, to all entries in each of the address
> books. The sent mail has the following characteristics:
>
> SUBJECT: "Here you have, ;o)"
>
> BODY:
>
> Hi:
> Check This!
>
> ATTACHMENT: "AnnaKournikova.jpg.vbs"
>
> Users who receive copies of the malicious code via electronic mail
> will probably recognize the sender. We encourage users to avoid
> executing code, including VBScripts, received through electronic mail,
> regardless of the sender's name, without prior knowledge of the origin
> of the code or a valid digital signature.
>
> It is possible for the recipients to be tricked into opening this
> malicious attachment since the file will appear without the .VBS extension
> if "Hide file extensions for known file types" is turned on in
> Windows.
>
> II. Impact
>
> When the attached VBS file is executed, the malicious code attempts to
> modify the registry by creating the following key:
>
> HKEY_CURRENT_USER\Software\OnTheFly="Worm made with Vbswg1.50b"
>
> Next, it will place a copy of itself into the Windows
> directory.
>
> C:\WINDOWS\AnnaKournikova.jpg.vbs
>
> Finally, the malicious code will attempt to send separate, infected
> email messages to all recipients in the Windows Address Book. Once the
> mail has been sent, the malicious code creates the following registry
> key to prevent future mailings of the malicious code.
>
> HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=1
>
> The code's propagation can lead to congestion in mail servers that may
> prevent them from functioning as expected.
>
> Beyond this effect, there does not appear to be a destructive payload
> associated with this malicious code. However, historical data has
> shown that the intruder community can quickly modify the code for more
> destructive behavior.
>
> III. Solution
>
> Update Your Anti-Virus Product
>
> It is important for users to update their anti-virus software. Some
> anti-virus software vendors have released updated information, tools,
> or virus databases to help combat this malicious code. A list of
> vendor-specific anti-virus information can be found in Appendix A.
>
> Apply the Microsoft Outlook E-mail Security Update
>
> To protect against this malicious code, and others like it, users of
> Outlook 98 and 2000 may want to install the Outlook E-mail Security
> update included in an Outlook SR-1. More information about this update
> is available at
>
> http://office.microsoft.com/2000/downloaddetails/Out2ksec.htm
>
> You may also find the following document on Outlook security useful
>
> http://www.microsoft.com/office/outlook/downloads/security.htm
>
> The Outlook E-mail security update provides features that can prevent
> attachments containing executable content from being displayed to
> users. Other types of attachments can be configured so that they must
> be saved to disk before they can be opened (or executed). These
> features may greatly reduce the chances that a user will incorrectly
> execute a malicious attachment.
>
> Filter the Virus in Email
>
> Sites can use email filtering techniques to delete messages containing
> subject lines known to contain the malicious code, or can filter
> attachments outright.
>
> Exercise Caution When Opening Attachments
>
> Exercise caution when receiving email with attachments. Users should
> disable auto-opening or previewing of email attachments in their mail
> programs. Users should never open attachments from an untrusted
> origin, or that appear suspicious in any way. Finally, cryptographic
> checksums should also be used to validate the integrity of the file.
>
> IV. General protection from email Trojan horses and viruses
>
> Some previous examples of malicious files known to have propagated
> through electronic mail include:
>
> Melissa macro virus - discussed in CA-99-04
> http://www.cert.org/advisories/CA-1999-04.html
>
> False upgrade to Internet Explorer - discussed in CA-99-02
> http://www.cert.org/advisories/CA-1999-02.html
>
> Happy99.exe Trojan Horse - discussed in IN-99-02
> http://www.cert.org/incident_notes/IN-99-02.html
>
> CIH/Chernobyl virus - discussed in IN-99-03
> http://www.cert.org/incident_notes/IN-99-03.htm
>
> In each of the above cases, the effects of the malicious file are
> activated only when the file in question is executed. Social
> engineering is typically employed to trick a recipient into executing
> the malicious file. Some of the social engineering techniques we have
> seen used include
>
> * Making false claims that a file attachment contains a software
> patch or update
> * Implying or using entertaining content to entice a user into
> executing a malicious file
> * Using email delivery techniques that cause the message to appear
> to have come from a familiar or trusted source
> * Packaging malicious files in deceptively familiar ways (e.g., use
> of familiar but deceptive program icons or file names)
>
> The best advice with regard to malicious files is to avoid executing
> them in the first place. CERT advisory CA-1999-02 and the
> following CERT tech tip discuss malicious code and offer suggestions
> for avoiding it.
>
> http://www.cert.org/advisories/CA-99-02.html
>
> http://www.cert.org/tech_tips/malicious_code_FAQ.html
>
> Appendix A. - Vendor Information
>
> Appendix A. Anti-Virus Vendor Information
>
> Aladdin Knowledge Systems
>
> http://www.aks.com/home/csrt/valerts.asp#AnnaK
>
> Command Software Systems, Inc.
>
> http://www.commandcom.com/virus/vbsvwg.html
>
> Computer Associates
>
> http://ca.com/virusinfo/virusalert.htm#vbs_sstworm
>
> F-Secure
>
> http://www.f-secure.com/v-descs/onthefly.shtml
>
> Finjan Software, Ltd.
>
> http://www.finjan.com/attack_release_detail.cfm?attack_release_id=47
>
> McAfee
>
> http://www.mcafee.com/anti-virus/viruses/vbssst/default.asp
>
> Dr. Solomon, NAI
>
> http://vil.nai.com/vil/virusSummary.asp?virus_k=99011
>
> Sophos
>
> http://www.sophos.com/virusinfo/analyses/vbsssta.htm
>
> Symantec
>
> http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html
>
> Trend Micro
>
> http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=VBS_KALAMAR.A
>
> You may wish to visit the CERT/CC's Computer Virus Resources Page
> located at:
>
> http://www.cert.org/other_sources/viruses.html
> ______________________________________________________________________
>
> This document was written by Cory Cohen, Roman Danyliw, Ian Finlay,
> John Shaffer, Shawn Hernan, Kevin Houle, Brian B. King, and Shawn Van
> Ittersum.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2001-03.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert at cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
>
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
>
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo at cert.org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _____________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2001 Carnegie Mellon University.
>
> Revision History
> February 12, 2001: Initial release
>
>
>
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP for Personal Privacy 5.0
> Charset: noconv
>
> iQCVAwUBOoiQEgYcfu8gsZJZAQE5ywQAiY1gtNtBfjO79N0O4NocSq9lzNJKsXlE
> fSxC3vcBKZcnew5BGFJD/kGOnKvJvl1aYltDiLoRvfDGxoG3QisD+kzp3L76zBI2
> JwK8xk8/EAqM7YvVqAKHGxwujkTAU5Y9K5ioeuZsIvqkXTUlTYxNV2aI9iM6teG2
> d8+/N4weQ1M=
> =cD9T
> -----END PGP SIGNATURE-----
>
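The advisory's "Filter the Virus in Email" section suggests dropping messages by known subject line or filtering attachments outright, and its Description section explains why the "AnnaKournikova.jpg.vbs" name works (the trailing .vbs is hidden when Windows hides known extensions). The following Python is an added example, written by the editor of this archive and not part of the forwarded CERT advisory or of edwulf's post. It parses an RFC 822 message, flags the subject line CERT reported, and flags attachments whose real extension is a Windows-executable type, with a stronger flag when a decoy extension such as .jpg precedes it. The extension lists and the two sample messages are constructed for the example, not taken from the advisory or from a real capture.

```python
import email
from email import policy

# Subject line reported in CERT CA-2001-03 for VBS/OnTheFly.
KNOWN_SUBJECTS = {"Here you have, ;o)"}

# Assumption: extensions the Windows shell or script host will execute
# directly. Illustrative, not an exhaustive or authoritative list.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "com",
                   "bat", "cmd", "pif", "scr", "hta"}

# Assumption: harmless-looking extensions commonly used as the visible
# part of a double extension (e.g. "photo.jpg.vbs").
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}


def classify_filename(name):
    """Return (is_executable, is_double_extension) for an attachment name."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, False
    ext = parts[-1]
    is_exec = ext in EXECUTABLE_EXTS
    # "AnnaKournikova.jpg.vbs" -> parts[-2] == "jpg", ext == "vbs"
    double = is_exec and len(parts) >= 3 and parts[-2] in DECOY_EXTS
    return is_exec, double


def attachment_names(msg):
    """Collect the filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def scan_message(raw):
    """Return a list of reasons to quarantine the message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known worm subject: {subject!r}")
    for name in attachment_names(msg):
        is_exec, double = classify_filename(name)
        if double:
            reasons.append(f"double-extension executable attachment: {name}")
        elif is_exec:
            reasons.append(f"executable attachment: {name}")
    return reasons


# Constructed sample shaped like the advisory's description; the attachment
# body is a harmless placeholder comment, not the worm.
WORM_SAMPLE = """\
From: alice@example.net
To: bob@example.net
Subject: Here you have, ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi:
Check This!
--b1
Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"
Content-Transfer-Encoding: 7bit

' constructed placeholder, not the worm body
--b1--
"""

# Constructed benign sample: ordinary subject, real image attachment.
BENIGN_SAMPLE = """\
From: carol@example.net
To: bob@example.net
Subject: Holiday photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Pictures attached.
--b2
Content-Type: image/jpeg; name="beach.jpg"
Content-Disposition: attachment; filename="beach.jpg"
Content-Transfer-Encoding: 7bit

notreallyjpegdata
--b2--
"""

if __name__ == "__main__":
    for label, sample in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = scan_message(sample)
        print(label, "->", "QUARANTINE" if verdict else "deliver", verdict)
```

The subject-line match is the weakest of the two rules: the advisory itself notes that the code is quickly modified, and a new subject defeats it. The double-extension rule keys on what the worm needs to survive (a script extension the shell will execute, hidden behind a decoy), so it keeps working across variants; in a production filter it is the rule to keep, and an outright block on script extensions is stronger still.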
More information about the quattro mailing list