
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-03-03


Virus Alphabet, War!, Port 3389 Spike, WinZip Issues

Published: 2004-03-03
Last Updated: 2004-03-04 04:05:11 UTC
by Tom Liston (Version: 1)
Virus Alphabet

As of the time I write this, the most current versions of the recent virus crop are:

NetSky : Variant F

Bagel: Variant K

MyDoom: Variant G

The most insidious of these is the latest Bagel version, 'K', which sends a message "from" the administrator of the user's email system claiming that their email service is in jeopardy for any of a number of reasons. Although the message content varies, it essentially tells the user that they must run an attached program in order to "fix" whatever issue has caused problems with their email service. Perhaps the most creative aspect of this version, however, is that it uses password-protected zip files in order to bypass virus filtering: a scanner cannot inspect the encrypted contents. The password for the file is contained within the body of the message, alongside the instructions telling the user how to open the attachment.
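That combination (an encrypted archive plus its password in the same message) is itself a usable detection signal. The following is an added example of mine, not code from the ISC or any vendor: it walks a mail's ZIP attachments for the encrypted-entry flag in the local file headers and looks for a password in the text body. The lure message, archive bytes and addresses are all constructed placeholders.

```python
import email
import email.policy
import re
import struct
from email.message import EmailMessage

ZIP_LOCAL_SIG = b"PK\x03\x04"
# Matches "Password: 12345", "password is 12345", etc. in the message body.
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)?\s*(\S+)", re.I)

def encrypted_zip_entries(blob: bytes) -> int:
    """Count entries whose local file header has bit 0 (encrypted) set."""
    count, pos = 0, 0
    while True:
        pos = blob.find(ZIP_LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(blob):
            return count
        flags, = struct.unpack_from("<H", blob, pos + 6)  # general-purpose bit flag
        count += flags & 0x1
        pos += 4

def assess_message(raw: bytes) -> dict:
    """Flag a mail that pairs an encrypted ZIP attachment with a password in the body."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    hint = PASSWORD_HINT.search(body)
    encrypted = sum(encrypted_zip_entries(p.get_payload(decode=True) or b"")
                    for p in msg.iter_attachments())
    return {"encrypted_entries": encrypted,
            "password_in_body": hint.group(1) if hint else None,
            "suspicious": encrypted > 0 and hint is not None}

def _zip_with_one_entry(name: bytes, data: bytes, encrypted: bool) -> bytes:
    # Constructed: a lone local file header (no central directory), which is
    # all a header-walking gateway check needs to see.
    flags = 0x1 if encrypted else 0x0
    hdr = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_SIG, 20, flags, 0, 0, 0, 0,
                      len(data), len(data), len(name), 0)
    return hdr + name + data

def build_sample(encrypted: bool = True) -> bytes:
    """Constructed lure in the style the diary describes (not a real Bagle sample)."""
    msg = EmailMessage()
    msg["From"] = "administrator@example.com"  # placeholder sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "E-mail account disabling warning"
    msg.set_content("Your mailbox will be disabled due to unsafe activity.\n"
                    "Run the attached program to fix it.\nPassword: 12345\n")
    msg.add_attachment(_zip_with_one_entry(b"fix.exe", b"MZ-not-real", encrypted),
                       maintype="application", subtype="zip", filename="fix.zip")
    return msg.as_bytes()
```

A gateway that already strips executables inside plain archives can add this check to quarantine, rather than pass through, archives it cannot open.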



Strings found within the latest versions of NetSky and Bagel seem to indicate that the authors of the current "Top Two" pieces of malware aren't particularly happy with each other. A string found within Bagel.K proclaims "Hey, NetSky, f**k off you b***h!", while a similar message from the author of NetSky says "Skynet AntiVirus - Bagle - you are a looser!!!!"

Perhaps then, here is something they'll understand:

char msg[] = {0x47, 0x72, 0x6F, 0x77, 0x20, 0x75, 0x70, 0x21, 0};


Port 3389 Spike

We've noticed a recent spike in port 3389 (terminal services) activity.

Because the number of sources remains low and consistent while the numbers for targets and records spike, we are currently assuming that this is simply a reporting anomaly (caused when a scan hits a large, well-monitored netblock and is therefore "over-reported" when compared with other days). If, however, you see any indication to the contrary, please let us know.


WinZip Issues

Because of issues in the decoding of MIME parameters within certain archive types (files with .mim, .uue, .uu, .b64, .bhx, .hqx and .xxe extensions), WinZip versions prior to the current release, version 9.0, are vulnerable to a buffer overflow which can lead to the execution of arbitrary code simply by opening a specially crafted archive. If you use WinZip, the ISC recommends that you either upgrade to version 9.0 or disable WinZip's association with the .mim, .uue, .uu, .b64, .bhx, .hqx and .xxe file extensions.


Handler on duty: Tom Liston