Category: Viruses

  • Nyxem.E virus delete files payload

F-Secure has some details on a dangerous payload in the Nyxem.E virus. (Nyxem.E is very similar to the Email-Worm.Win32.VB.bi that was covered earlier in the week.) In fact, this virus seems to be spreading fairly well (not the blockbuster spread of older email viruses, but it is spreading). According to F-Secure, on the 3rd of the month it will delete all files on all accessible drives matching the following patterns: *.doc, *.xls, *.mdb, *.mde, *.ppt, *.pps, *.zip, *.rar, *.pdf, *.psd, *.dmp.

    (more…)
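Since the payload is date-triggered and the target set is known, the practical check is to inventory matching files before the 3rd (and back them up), then compare afterwards. The script below is an added example, not something from the post or from F-Secure; the extension list is the one quoted above, and the directories are whatever maps to the drives a Windows client can reach (local disks, file-server shares mounted on a Unix box, and so on).

```shell
#!/bin/sh
# Added example (not from the original post): inventory files whose names match
# the patterns Nyxem.E deletes on the 3rd, so they can be backed up beforehand
# and checked for afterwards.

# Extension list as reported in the post; matching is case-insensitive
NYXEM_EXTS="doc xls mdb mde ppt pps zip rar pdf psd dmp"

# nyxem_targets DIR... : print every file under DIR(s) matching one of the
# patterns, one path per line, sorted
nyxem_targets() {
    for dir in "$@"; do
        for ext in $NYXEM_EXTS; do
            find "$dir" -type f -iname "*.$ext" -print
        done
    done | sort
}

# nyxem_target_count DIR... : number of matching files (quick exposure figure)
nyxem_target_count() {
    nyxem_targets "$@" | wc -l | tr -d ' '
}

# nyxem_missing LISTING : paths from an earlier nyxem_targets listing that no
# longer exist; run after the 3rd to see exactly what the payload removed
nyxem_missing() {
    while IFS= read -r f; do
        [ -e "$f" ] || printf '%s\n' "$f"
    done < "$1"
}

# Usage: nyxem_targets /srv/shares > nyxem-before.txt   (before the 3rd)
#        nyxem_missing nyxem-before.txt                  (after the 3rd)
```

Save the listing somewhere the worm cannot reach (the listing file itself does not match any of the patterns, but the share it sits on might be wiped of everything else, so keep it off the scanned tree).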

  • New mass mailing virus

F-Secure has information on a fairly aggressive new email virus. Their name for it is VB.bi, although its aliases are W32.Blackmal.E@mm, WORM_GREW.A, W32/Nyxem-D, or Email-Worm.Win32.VB.bi, depending on which AV vendor you check with. It is a worm as well, in that it tries to spread through remote shares, and it attempts to disable antivirus software. Here are some details from their writeup:

    (more…)

  • Clamav 0.88 for Mandrake 10.0

I’ve got a couple of older Mandrake 10.0 servers that I’m still maintaining. They’re systems that it hasn’t been practical (yet) to upgrade to a more recent release of the base operating system. Two of those are currently using Clam antivirus for their mail scanning. So, with the recent security vulnerability, an update was needed. I basically took the clamav 0.88 source rpm from cooker and rebuilt it on a 10.0 system. For convenience I’m posting ALL of these for download. So…. I’ll post the original src rpm from Mandriva cooker (which you could make use of to rebuild for another release of Mandrake), and also the resulting built RPMs….

    (more…)
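The rebuild itself is two commands, but the part worth scripting is the check afterwards: confirm that the clamav actually installed is at or above the fixed release, rather than trusting that the freshen went through. The following is an added example, not the post's own procedure; it assumes rpmbuild and rpm are available, that 0.88 is the first release with the fix the post refers to, and that Mandrake's %_topdir (where built packages land) is what `rpm --eval` reports.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild a newer clamav source RPM
# on an older Mandrake release and confirm the installed version is at or above
# the fixed release.  Assumption: 0.88 is the first fixed release.
CLAMAV_MIN=0.88

# version_ge A B : true when dotted numeric version A >= B  (0.88.1 >= 0.88)
# Components are compared as integers, so this is for plain x.y.z strings only.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 0; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 1; fi
    done
    return 0
}

# clamav_needs_update VERSION : true when VERSION is older than CLAMAV_MIN
clamav_needs_update() {
    if version_ge "$1" "$CLAMAV_MIN"; then return 1; else return 0; fi
}

# installed_clamav_version : version string of the installed clamav package,
# empty if it is not installed (or rpm is not present)
installed_clamav_version() {
    rpm -q --qf '%{VERSION}' clamav 2>/dev/null || true
}

# rebuild_and_install SRPM : rebuild the source RPM for the running release and
# freshen every installed clamav-related package from the result.  Built RPMs
# land under %_topdir/RPMS (assumption: ~/rpm for non-root users on Mandrake).
rebuild_and_install() {
    rpmbuild --rebuild "$1"
    topdir=$(rpm --eval '%_topdir')
    rpm -Fvh "$topdir"/RPMS/*/*clamav*.rpm
}

# Usage:
#   rebuild_and_install clamav-0.88-1mdk.src.rpm
#   v=$(installed_clamav_version)
#   if clamav_needs_update "${v:-0}"; then echo "clamav $v still vulnerable"; fi
```

`rpm -F` (freshen) only touches packages that are already installed, which is what you want on a mail server: the rebuilt clamd, clamav-db and libclamav packages get replaced and nothing new is pulled in.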

  • Sober virus watch…

Well, antivirus vendors and IT security folks are now waiting for the expected activation of the Sober.y worm, which will go searching for new downloads and a new revision of the pest. Kaspersky’s log indicates the expected activation time is 00:00 GMT on January 6th, which here in the EST zone would be 7PM EST on the 5th… Of course many of the expected sites have already been shut down. It appears that the virus will look periodically for sites to “upgrade” from for some time.

    (more…)

  • Another Sober.y reminder

f-secure.com has another warning for us about the pending awakening of the Sober worm. From reports it’s expected to start looking for sites to download from on January 5th into January 6th. There is an extensive list of URLs to block. This is from f-secure.com; if you’re in charge of block lists on a network, it could be a good start to make sure you don’t have any clients pulling a new version from the following sites…

    (more…)
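Blocking the list is half the job; the other half is checking whether any client already tried to reach one of those hosts, which is what tells you who is infected. Here is an added example (not from the post or from F-Secure) that runs a domain block list against a Squid native-format access log and reports each client that hit a listed host. The block list it expects is the one F-Secure published, not reproduced here; the hosts and log lines used to exercise it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): find clients in a Squid
# native-format access log that reached a host on a domain block list.

# blocked_clients ACCESS_LOG BLOCKLIST
#   ACCESS_LOG : Squid native format; field 3 is the client IP, field 7 the URL
#   BLOCKLIST  : one host per line, '#' comments allowed.  A listed domain also
#                matches its subdomains (example.net matches update.example.net),
#                so a list of apex domains catches per-host variations.
# Output: "client host" pairs, unique and sorted.
blocked_clients() {
    awk -v blfile="$2" '
        BEGIN {
            while ((getline line < blfile) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                if (line != "") block[tolower(line)] = 1
            }
        }
        NF >= 7 {
            host = $7
            sub("^[A-Za-z]+://", "", host)   # drop scheme
            sub("[/:?].*$", "", host)        # drop path, port, query
            host = tolower(host)
            # walk up the domain: a.b.example.net, b.example.net, example.net, net
            for (h = host; h != ""; ) {
                if (h in block) { print $3, host; break }
                i = index(h, ".")
                if (i == 0) break
                h = substr(h, i + 1)
            }
        }' "$1" | sort -u
}

# Usage: blocked_clients /var/log/squid/access.log sober-blocklist.txt
```

Any client that shows up in the output was already trying to fetch the update, so it goes on the cleanup list regardless of whether the proxy served the request or the site was already down.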

  • Antivirus vs. WMF exploit

    There are a number of references out today to a December 31st article (on a study by av-test) about how well antivirus products were keeping up with the shifting signatures of the WMF exploits. There was a list of about 12 products that were at 100% detection. Unfortunately, the important point is that the original article was December 31st. I don’t know if there are new variations in the wild, but I DO know that the metasploit module has changed and currently seems to evade detection from Clamav. (Although clamav has caught up to the most recent batch of the exploit.)

    (more…)

  • Another trojan using WMF exploit in SPAM

    F-Secure is reporting on another SPAM attack that tries to get people to click on a link to a site with an exploit-crafted WMF file. The message is along the lines of a claimed Professor at Yale announcing the unfortunate vandalism over the New Year holiday, the link purports to be pictures of the act in the “hope that someone may recognize the culprits work”. I’m sure this won’t be the last of that sort….

    (more…)

  • Microsoft advisory on Sober “Awakening”

    Microsoft has posted a security advisory (912920) on the previously reported “awakening” of the Sober worm, expected January 6th.

    Systems that are infected with Win32/Sober.Z@mm may download and run malicious files from certain Web domains beginning on January 6, 2006

    Further, they give the following note:

    (more…)

  • More testing on the second WMF exploit

After my Windows 98 tests, which failed to exploit the system with either the first or the second vulnerability, I started wondering how well the antivirus companies were doing at detecting this second exploit variation. I had set up and updated metasploit so I could test my Windows 98 SE install against the latest version of the exploit, and with each connection to the locally hosted page I got a new random file. After I collected five of these I ran them through virustotal.com to see how well detection had come along in just 24 hours.

    (more…)

  • Version 2 of the WMF exploit vs Windows 98 SE

OK, I wasn’t quite satisfied with the results of the tests against the first version of the WMF (Windows Metafile) zero-day exploit, which is now up to 4 or 5 days old or so… Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for Windows 98 users. I was mostly curious to see if current exploits could wreck a Windows 98 system. The answer at this point is not that I can see.

    (more…)