Unidentified E-mail Worm


Update: AV Vendors are now getting signatures out that identify this as Bagel.AF (TL)

Handler Tom Liston captured what appears to be a new hybrid network/email worm that is not currently detected with any of 12 popular anti-virus tools. The worm included a Control Panel Applet (.cpl) attachment that, when executed, drops an EXE file and scans other systems on the local network for Windows networking service including TCP/1033, TCP/1034, UDP/1027, UDP/137 and UDP/138.


Early analysis indicates the malware may try to avoid detection by stopping popular anti-virus and personal firewall tools, and may try to spread over peer-to-peer networks by posing as key generation and crack software for Microsoft Office, Windows XP and other popular software. Strings in the executable code include the filenames "sysxp.exe" and "re_file.exe" in the C:\WINDOWS\System32 folder, as well as several website URL's that include the filename "o.php" in the root directory. One potentially telling string is "DesignedAsTheFollowerOfSkynet".


While this worm resembles a variant of the NetSky worm, the alleged author of NetStky Sven Jaschan was arrested 10 weeks ago today as reported by F-Secure. This may be the work of a copycat author. Yay.


Potential subject lines for this worm include:

Re: Msg reply

Re: Hello

Re: Yahoo!

Re: Thank you!

Re: Thanks

RE: Text message

Re: Document

Incoming message

Re: Incoming Message

RE: Incoming Msg

RE: Message Notify

Notification

Changes..

Update

Fax Message

Protected message

RE: Protected message

Forum notify

Site changes

Re: Hi

Encrypted document




More information will be posted as warranted.

http://www.f-secure.com/weblog/



PHP Server Vulnerabilities


Two vulnerabilities have been reported that affect PHP servers versions 4.3.7 and earlier, and 5.0.0RC3 and earlier. The first vulnerability allows a remote attacker to overwrite portions of memory by exceeding the memory_limit directive in the PHP configuration, allowing them to execute arbitrary code on vulnerable systems. The second vulnerability is a weakness in the PHP strip_tags() function, commonly used to sanitize input fields in a web form to eliminate HTML tags. A weakness in the filtering mechanisms allows an attacker to bypass this check by embedding a NULL byte in the HTML tags.


While an exploit for the first vulnerability has not been released to the public, the second vulnerability was announced with sufficient detail such that it can be abused by an attacker to exploit Opera and Internet Explorer browsers in cross-site scripting attacks in conjunction with sites that run PHP. Administrators with PHP websites (which is included by default in many Apache installations) are encouraged to upgrade their version of PHP to the 4.3.8 or the released 5.0.0 version.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595



Microsoft SMS Client DoS Vulnerability


A post on the BUGTRAQ mailing list indicates that the Microsoft Systems Management Server client software is vulnerable to a denial of service attack from an attacker who can reach the client software on TCP port 2702. Sufficient details have been posted to reproduce this attack - Microsoft was not notified of this flaw before the public release of this vulnerability.


We have not had the opportunity to confirm this vulnerability at this time. If anyone can confirm or deny this issue, please send the details of your analysis to http://isc.sans.org/contact.php.




--Joshua Wright/Handler du jour