NAC - regarding the virus fyi

edwulf edwulf at msn.com
Tue Feb 13 21:24:59 EST 2001


----- Original Message -----
From: "CERT Advisory" <cert-advisory at cert.org>
To: <cert-advisory at cert.org>
Sent: Monday, February 12, 2001 9:05 PM
Subject: CERT Advisory CA-2001-03


>
> CERT Advisory CA-2001-03 VBS/OnTheFly (Anna Kournikova) Malicious Code
>
>    Original release date: February 12, 2001
>    Last revised: February 12, 2001
>    Source: CERT/CC
>
>    A complete revision history can be found at the end of this file.
>
> Systems Affected
>
>    Users of Microsoft Outlook who have not applied previously available
>    security updates.
>
> Overview
>
>    The "VBS/OnTheFly" malicious code is a VBScript program that spreads
>    via email. As of 7:00 pm EST(GMT-5) Feb 12, 2001, the CERT
>    Coordination Center had received reports from more than 100 individual
>    sites. Several of these sites have reported suffering network
>    degradation as a result of mail traffic generated by the
>    "VBS/OnTheFly" malicious code.
>
>    This malicious code can infect a system if the enclosed email
>    attachment is run. Once the malicious code has executed on a system,
>    it will take the actions described in the Impact section.
>
> I. Description
>
>    When the malicious code executes, it attempts to send copies of
>    itself, using Microsoft Outlook, to all entries in each of the address
>    books. The sent mail has the following characteristics:
>
>      SUBJECT: "Here you have, ;o)"
>
>      BODY:
>
>           Hi:
>           Check This!
>
>      ATTACHMENT: "AnnaKournikova.jpg.vbs"
>
>    Users who receive copies of the malicious code via electronic mail
>    will probably recognize the sender. We encourage users to avoid
>    executing code, including VBScripts, received through electronic mail,
>    regardless of the sender's name, without prior knowledge of the origin
>    of the code or a valid digital signature.
>
>    It is possible for the recipients to be tricked into opening this
>    malicious attachment since the file will appear without the .VBS
>    extension if "Hide file extensions for known file types" is turned on
>    in Windows.
>
> II. Impact
>
>    When the attached VBS file is executed, the malicious code attempts to
>    modify the registry by creating the following key:
>
>           HKEY_CURRENT_USER\Software\OnTheFly="Worm made with Vbswg1.50b"
>
>    Next, it will place a copy of itself into the Windows directory.
>
>           C:\WINDOWS\AnnaKournikova.jpg.vbs
>
>    Finally, the malicious code will attempt to send separate, infected
>    email messages to all recipients in the Windows Address Book. Once the
>    mail has been sent, the malicious code creates the following registry
>    key to prevent future mailings of the malicious code.
>
>           HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=1
>
>    The code's propagation can lead to congestion in mail servers that may
>    prevent them from functioning as expected.
>
>    Beyond this effect, there does not appear to be a destructive payload
>    associated with this malicious code. However, historical data has
>    shown that the intruder community can quickly modify the code for more
>    destructive behavior.
>
> III. Solution
>
> Update Your Anti-Virus Product
>
>    It is important for users to update their anti-virus software. Some
>    anti-virus software vendors have released updated information, tools,
>    or virus databases to help combat this malicious code. A list of
>    vendor-specific anti-virus information can be found in Appendix A.
>
> Apply the Microsoft Outlook E-mail Security Update
>
>    To protect against this malicious code, and others like it, users of
>    Outlook 98 and 2000 may want to install the Outlook E-mail Security
>    update included in an Outlook SR-1. More information about this update
>    is available at
>
>      http://office.microsoft.com/2000/downloaddetails/Out2ksec.htm
>
>    You may also find the following document on Outlook security useful
>
>      http://www.microsoft.com/office/outlook/downloads/security.htm
>
>    The Outlook E-mail security update provides features that can prevent
>    attachments containing executable content from being displayed to
>    users. Other types of attachments can be configured so that they must
>    be saved to disk before they can be opened (or executed). These
>    features may greatly reduce the chances that a user will incorrectly
>    execute a malicious attachment.
>
> Filter the Virus in Email
>
>    Sites can use email filtering techniques to delete messages containing
>    subject lines known to contain the malicious code, or can filter
>    attachments outright.
>
> Exercise Caution When Opening Attachments
>
>    Exercise caution when receiving email with attachments. Users should
>    disable auto-opening or previewing of email attachments in their mail
>    programs. Users should never open attachments from an untrusted
>    origin, or that appear suspicious in any way. Finally, cryptographic
>    checksums should also be used to validate the integrity of the file.
>
> IV. General protection from email Trojan horses and viruses
>
>    Some previous examples of malicious files known to have propagated
>    through electronic mail include:
>
>      Melissa macro virus - discussed in CA-99-04
>      http://www.cert.org/advisories/CA-1999-04.html
>
>      False upgrade to Internet Explorer - discussed in CA-99-02
>      http://www.cert.org/advisories/CA-1999-02.html
>
>      Happy99.exe Trojan Horse - discussed in IN-99-02
>      http://www.cert.org/incident_notes/IN-99-02.html
>
>      CIH/Chernobyl virus - discussed in IN-99-03
>      http://www.cert.org/incident_notes/IN-99-03.htm
>
>    In each of the above cases, the effects of the malicious file are
>    activated only when the file in question is executed. Social
>    engineering is typically employed to trick a recipient into executing
>    the malicious file. Some of the social engineering techniques we have
>    seen used include
>
>      * Making false claims that a file attachment contains a software
>        patch or update
>      * Implying or using entertaining content to entice a user into
>        executing a malicious file
>      * Using email delivery techniques that cause the message to appear
>        to have come from a familiar or trusted source
>      * Packaging malicious files in deceptively familiar ways (e.g., use
>        of familiar but deceptive program icons or file names)
>
>    The best advice with regard to malicious files is to avoid executing
>    them in the first place. CERT advisory CA-1999-02.html and the
>    following CERT tech tip discuss malicious code and offer suggestions
>    to avoid them.
>
>      http://www.cert.org/advisories/CA-99-02.html
>
>      http://www.cert.org/tech_tips/malicious_code_FAQ.html
>
> Appendix A. Anti-Virus Vendor Information
>
> Aladdin Knowledge Systems
>
>      http://www.aks.com/home/csrt/valerts.asp#AnnaK
>
> Command Software Systems, Inc.
>
>      http://www.commandcom.com/virus/vbsvwg.html
>
> Computer Associates
>
>      http://ca.com/virusinfo/virusalert.htm#vbs_sstworm
>
> F-Secure
>
>      http://www.f-secure.com/v-descs/onthefly.shtml
>
> Finjan Software, Ltd.
>
>      http://www.finjan.com/attack_release_detail.cfm?attack_release_id=47
>
> McAfee
>
>      http://www.mcafee.com/anti-virus/viruses/vbssst/default.asp
>
> Dr. Solomon, NAI
>
>      http://vil.nai.com/vil/virusSummary.asp?virus_k=99011
>
> Sophos
>
>      http://www.sophos.com/virusinfo/analyses/vbsssta.htm
>
> Symantec
>
>      http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html
>
> Trend Micro
>
>      http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=VBS_KALAMAR.A
>
>    You may wish to visit the CERT/CC's Computer Virus Resources Page
>    located at:
>
>      http://www.cert.org/other_sources/viruses.html
>    ______________________________________________________________________
>
>    This document was written by Cory Cohen, Roman Danyliw, Ian Finlay,
>    John Shaffer, Shawn Hernan, Kevin Houle, Brian B. King, and Shawn Van
>    Ittersum.
>    ______________________________________________________________________
>
>    This document is available from:
>    http://www.cert.org/advisories/CA-2001-03.html
>    ______________________________________________________________________
>
> CERT/CC Contact Information
>
>    Email: cert at cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>
>    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
>    Monday through Friday; they are on call for emergencies during other
>    hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
>    We strongly urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>
>    http://www.cert.org/CERT_PGP.key
>
>    If you prefer to use DES, please call the CERT hotline for more
>    information.
>
> Getting security information
>
>    CERT publications and other security information are available from
>    our web site
>
>    http://www.cert.org/
>
>    To subscribe to the CERT mailing list for advisories and bulletins,
>    send email to majordomo at cert.org. Please include in the body of your
>    message
>
>    subscribe cert-advisory
>
>    * "CERT" and "CERT Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
>
>    NO WARRANTY
>    Any material furnished by Carnegie Mellon University and the Software
>    Engineering Institute is furnished on an "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied as to any matter including, but not limited to, warranty of
>    fitness for a particular purpose or merchantability, exclusivity or
>    results obtained from use of the material. Carnegie Mellon University
>    does not make any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>    _____________________________________________________________________
>
>    Conditions for use, disclaimers, and sponsorship information
>
>    Copyright 2001 Carnegie Mellon University.
>
>    Revision History
>      February 12, 2001: Initial release
>
>
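The advisory recommends filtering on the known subject line or on attachments outright, and notes that the ".jpg.vbs" double extension hides the script type when Windows suppresses known extensions. The following is an added example (not part of the advisory or the forwarded post) of a mail-side screen that applies both checks to a constructed sample message with the characteristics quoted above; the extension lists are assumptions, not taken from the advisory, and the attachment body is an inert placeholder.

```python
"""Screen inbound mail for VBS/OnTheFly-style indicators (added example)."""
import email
from email.message import EmailMessage
from email.policy import default

# Subject line quoted in CA-2001-03; compared case-insensitively.
KNOWN_SUBJECTS = {"here you have, ;o)"}
# Assumed lists: script types Windows Script Host runs, and "innocent" inner
# extensions commonly used to disguise them when the real extension is hidden.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
DISGUISE_EXTENSIONS = {".jpg", ".gif", ".txt", ".doc"}


def classify_attachment(filename):
    """Return a reason string for a script attachment, or None if benign."""
    parts = filename.lower().rsplit(".", 2)
    outer = "." + parts[-1] if len(parts) > 1 else ""
    if outer not in SCRIPT_EXTENSIONS:
        return None
    # 'AnnaKournikova.jpg.vbs' -> ['annakournikova', 'jpg', 'vbs']
    if len(parts) == 3 and "." + parts[1] in DISGUISE_EXTENSIONS:
        return "script disguised by double extension"
    return "script attachment"


def screen_message(raw):
    """Parse an RFC 822 message and list every indicator that matched."""
    msg = email.message_from_string(raw, policy=default)
    reasons = []
    if (msg["subject"] or "").strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches CA-2001-03 indicator")
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        verdict = classify_attachment(name)
        if verdict:
            reasons.append(f"{verdict}: {name}")
    return reasons


def build_sample():
    """Constructed message with the advisory's subject/body/attachment name."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # placeholder sender
    msg["To"] = "you@example.com"           # placeholder recipient
    msg["Subject"] = "Here you have, ;o)"
    msg.set_content("Hi:\nCheck This!\n")
    msg.add_attachment(b"' inert placeholder, not the worm\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="AnnaKournikova.jpg.vbs")
    return msg.as_string()
```

A message that returns a non-empty reason list would be quarantined or dropped at the gateway; an empty list means neither the subject nor any attachment matched.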