Security Bytes: New worm variants plague e-mail; flaws found in Linux, Solaris

Famus-B uses the Iraq war to spread, while Myfip claims to be from eBay. IBM announces a new security index.

Famus-B uses Iraq war message to spread
The Famus-B worm uses a message protesting the Iraq war to spread, according to Glendale, Calif.-based Panda Software. An e-mail with an English and Spanish message tries to trick users into believing the file contains photographs of the war. The subject line is "Iraq and the crime" and the message reads: "What is really happening in Iraq? The pictures of the soldiers and prisoners in Iraq --...

forward this message -- everybody should know the truth." The attached file, which contains the worm's code, is called Iraq.scr and includes the following message in Spanish: "Esta computadora ha sido infectada -- por el virus LIBERTAD. Como protesta por la violación del derecho a la libertad de expresión en Cuba. En estos momentos toda la información de su disco duro esta siendo borrada -- El Hobbit." If the user runs this file, Famus.B displays a false error message with the text "file corrupted" or "bad format," the Panda advisory said. "The worm also sends itself out to all the addresses it finds in the files with a .doc, .eml, .htm and .htt extension on the affected computer," according to the advisory. "To do this, it uses an SMTP engine that it creates on the affected computer in the form of an .ocx library file. Finally, Famus.B creates an entry in the Windows registry to ensure it is run whenever the affected computer is started up."

Mydoom-AB on the prowl
Russian-based Kaspersky Labs said it is seeing a "significant" number of samples for Mydoom-AB, prompting it to issue a "moderate risk" alert. The lab first detected the latest member of the prolific Mydoom family Oct. 24. It spreads as an attachment in an infected e-mail and sends copies of itself to all addresses in the local address book. "Mydoom-AB is a Windows PE .exe file and is about 32 KB -- packed by UPX," the lab said on its Web site. "Upon installation, Mydoom-AB creates a file named 'lsasrv.exe' in the Windows system registry and creates the following registry key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "lsass" = "%System%\lsasrv.exe". The worm also creates a file named 'version.ini' in the Windows system folder [and] attempts to block the work of a number of firewalls."
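The persistence entry Kaspersky describes is a Run value named after a core Windows process ("lsass") that points at a file called lsasrv.exe. As an added example, not code from Kaspersky or from the article, the check below flags Run entries on either count; the sample entries are constructed, the list of core process names is an assumption about what never legitimately appears under Run, and the input is an already-exported list of name/data pairs rather than a live registry read.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* One value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. */
struct run_value { const char *name; const char *data; };

/* Assumed list: names of core Windows processes. Nothing legitimate registers
 * them as Run entries, so a Run value with one of these names is worth a look. */
static const char *core_process_names[] = { "lsass", "csrss", "smss", "winlogon", "services", NULL };

/* Image file name the description above attributes to Mydoom-AB. */
static const char *known_bad_images[] = { "lsasrv.exe", NULL };

static const char *image_basename(const char *data) {
    const char *p = strrchr(data, '\\');
    return p ? p + 1 : data;
}

static int in_list(const char *needle, const char **list) {
    for (; *list; list++)
        if (strcasecmp(needle, *list) == 0) return 1;
    return 0;
}

/* Returns 1 if the entry uses the worm's image name or impersonates a core
 * process name, 0 otherwise. The image name is cut at the first space or quote
 * after the last backslash; command-line arguments are not parsed further. */
int flag_run_entry(const struct run_value *v) {
    char image[260];
    const char *base = image_basename(v->data);
    size_t n = strcspn(base, " \"");
    if (n >= sizeof image) n = sizeof image - 1;
    memcpy(image, base, n);
    image[n] = '\0';
    return in_list(image, known_bad_images) || in_list(v->name, core_process_names);
}

/* Constructed sample: one benign entry and the Mydoom-AB entry from the text. */
int count_flagged_sample(void) {
    static const struct run_value sample[] = {
        { "ctfmon", "C:\\Windows\\System32\\ctfmon.exe" },
        { "lsass",  "%System%\\lsasrv.exe" },
    };
    int flagged = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (flag_run_entry(&sample[i])) {
            flagged++;
            printf("suspicious Run value: %s = %s\n", sample[i].name, sample[i].data);
        }
    return flagged;
}
```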

Myfip virus claims it came from eBay
New York-based MessageLabs has detected a virus that claims it came from eBay.com. The company said W32.Myfip uses a packer previously unseen in e-mail virus distribution. "The use of the uncommon packer in the W32.Myfip virus could make it more difficult for antivirus software vendors to identify and protect against the malicious code within, signaling the start of a worrying trend," MessageLabs warned on its Web site. "The e-mail containing the virus purports to have been sent by the Webmaster at eBay.com, and suggests eBay is conducting market research among its customers. Computer users are told that they could win valuable prizes if they take part in the research." The e-mail subject line reads, "hi, [recipient], I'm webmaster of eBay.com, and we raise a research in our website." The body text, riddled with typographical errors, reads: "I'm the webmaster of www.ebay.com, our company raise a research in our customers - Multiple Item Auctions - and this one unlike a regular eBay auction, Multiple Item Auctions can have many winners. If you're the winner of Multiple Item Auctions, you can get the follow thing: 1. a notebook that's worth 18000$ 2. a cameras [sic] worth 1000$ Learn about Multiple Item Auctions, you can click the URL under: [url removed]." The virus arrives as a 51,712-byte attachment called "login.exe."

IBM launches monthly security index
IBM has launched a new monthly security report, saying it will help organizations assess security needs and vulnerabilities from a business perspective. The IBM Global Business Security Index collects threat information from 2,700 IBM security watchers and half a million monitored devices, and the data is analyzed by IBM security intelligence and consulting experts who rate the potential severity of the threats. IBM is selling the report to businesses starting at $10,000 to $15,000 a year and can customize it by industry, the company said. Part of the report will be available for free on the company's Web site each month. The company said the new service comes on the heels of a significant spike in network attacks in recent months. Attacks against critical infrastructure providers -- telecommunications companies, utilities and government agencies -- increased 55% from July to August, IBM said. Meanwhile, overall attacks against enterprises and businesses have increased 27% since July. The company said the rise in attacks has been led by worms like Sasser and Korgo and by attackers seeking to exploit vulnerabilities in Web server software.

SuSE fixes vulnerabilities
SuSE has issued updates for xpdf, gpdf, kdegraphics3-pdf, pdftohtml and cups, fixing security holes an attacker could use to crash systems or launch malicious code. Danish security firm Secunia said in an advisory that the problems are "highly critical" and affect SuSE Linux 8.x, 9.0 and 9.1; Linux Desktop 1.x; and Linux Enterprise Server 8 and 9. According to the SuSE advisory, researcher Chris Evans found several integer overflows and arithmetic errors, and researcher Sebastian Krahmer from the SuSE Security Team found similar bugs in xpdf 3. SuSE and Secunia recommend users apply the updates as soon as possible.

Gentoo fixes socat vulnerability
Gentoo recommends users upgrade to the latest version of socat to fix a format string vulnerability attackers could use to launch malicious code. The Linux vendor said socat -- a "multipurpose bidirectional relay" similar to netcat -- contains a syslog()-based format string vulnerability in the "_msg()" function of "error.c". Exploiting the bug is only possible when socat is run with the "-ly" option, which causes it to log messages to syslog, Gentoo said. "Remote exploitation is possible when socat is used as an http proxy client and connects to a malicious server," the advisory said. "Local privilege escalation can be achieved when socat listens on a Unix domain socket. Potential execution of arbitrary code with the privileges of the socat process is possible with both local and remote exploitations." As a workaround, the vendor recommends users disable logging to syslog by not using the "-ly" option when starting socat.
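The bug class Gentoo describes is a logger that passes peer-controlled text as the format argument of syslog(). As an added example, not socat's own _msg() code, the block below shows that pattern next to the hardened form (a literal "%s" format with the text as data); render_safe() is an assumed stand-in for the logger's formatting step so the result can be checked without a syslog daemon, and the message text is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* "Before" pattern of the bug class in the advisory: the text a peer controls
 * becomes the format string, so "%x", "%n" and similar directives in it are
 * interpreted by syslog(). Kept only for contrast; -Wformat-security flags this
 * call, which is a cheap way to find the pattern in a code base. */
static void log_unsafe(const char *untrusted) {
    syslog(LOG_INFO, untrusted);
}

/* Hardened form: the format is a literal and the untrusted text is an argument,
 * so directives inside it are logged verbatim rather than interpreted. */
static void log_safe(const char *untrusted) {
    syslog(LOG_INFO, "%s", untrusted);
}

/* Same hardened pattern rendered into a buffer (assumed stand-in for the logger's
 * formatting step). Returns the length the full message needs, as snprintf does. */
int render_safe(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, "socat: %s", untrusted);
}

int main(void) {
    char buf[128];
    /* Constructed reply text from a proxy server, containing format directives. */
    render_safe(buf, sizeof buf, "HTTP/1.0 %x%x%n bad proxy reply");
    printf("%s\n", buf);   /* the directives appear verbatim in the output */
    log_safe(buf);
    (void)log_unsafe;      /* referenced only so the "before" pattern stays visible */
    return 0;
}
```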

Sun recommends workaround for Solaris 9 glitch
Sun Microsystems of Santa Clara, Calif., recommends users configure their servers to use the "hash2" mangling method to get around a buffer overflow vulnerability in Samba for Solaris 9, which attackers could exploit to gain unauthorized root privileges and launch malicious code. No patches are currently available. Sun noted that Solaris 7 and 8 do not include the Samba software and are not affected. However, "Sun does include Samba on the Solaris Companion CD for Solaris 8 as an unsupported package which installs to '/opt/sfw' and is vulnerable to this issue. Sites using the freeware version of Samba from the Solaris Companion CD will need to upgrade to a later version from Samba.org."
