Ein neuer Wurm mit angeschlossenem Trojaner

#1 Wie Kaspersky Labs soeben berichtet, wurde ein neuer Internetwurm namens Tanatos kürzlich entdeckt. Dieser Wurm verteilt sich momentan sehr stark via eMail und gibt vertrauliche Daten der Opfer preis. Mindestens eine Infizierung wurde aus GB gemeldet.

Bei Tanatos handelt es sich um ein Windows-Attachment mit einer Größe von 50 kb. Es ist mit dem UPX-Kompressions-Tool gepackt und in MS Visual C++ geschrieben. Der Wurm verbreitet sich mit verschiedenen Betreffs, Inhalten und Attachmentbezeichnungen via eMail. Zur Verbreitung wird eine IFrame Lücke im Sicherheitssystem des Windows-Explorers genutzt. Durch das Öffnen der eMail wird das System infiziert. Dabei trägt sich der Schädling in der Registry ein und wird so bei jedem Start mit geöffnet.

Tanatos zeichnet alle Tastatureingaben in eine spezielle Datei auf.

Näher Informationen sollten bald unter http://www.viruslist.com/ zu finden sein!

Robert
__________
powered by http://different-thinking.de - Netze, Protokolle, Sicherheit, ...

#2 Bei Symantec und Heise lautet der Name: W32.Bugbear@mm

genauere Beschreibung hier:
http://www.heise.de/newsticker/data/pab-01.10.02-000/
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html

SChutz: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp


Weitere Infos:

Tanatos is a Windows attachment about 50 KB in size (it is packed by the
UPX compression utility) and written in Microsoft Visual C++. The worm
is spreading via email attachment files with differing headings, body
texts, file attachment names and even formats, all of which make it
harder to identify infected email messages from their external
properties. Infected messages consistently have plain text or HTML
format. With the plain text version users must actively open the
attached file, thereby letting the worm loose. With the HTML version,
after the worm arrives in the inbox of potential victims, Tanatos waits
for its email message to be read (for example, in the preview window),
once this occurs, by exploiting the "IFRAME" vulnerability in the
Windows Explorer's security system, it secretly launches itself and
infects the machine.

To spread over local area networks, the Tanatos worm goes through all
network access resources and searches for the Windows system auto-run
directory where it copies itself so that it will execute the next time
the infected computer is booted. This function can only work if there is
a general write permission enabled in the directory.

After activation, "Tanatos" registers itself in the system registry
auto-run key so that its malicious code will activate each time Windows
is booted. Tanatos also contains a Trojan horse function that makes it
an exceptionally dangerous program by creating a system breach and
exposing confidential data. In part, Tanatos sets a keyboard "bug" that
records all keyboard actions, including system passwords, to a specified
file (KEYLOGGER.DLL) in the Windows system directory. Another
interesting particularity of this worm is its attempts to close active
processes, especially anti-virus programs and personal firewalls.

Full control over infected computers: On infected machines those who
control the Tanatos worm can dictate file downloading, transferring,
copying, deleting, executing and can also force processes to abort etc.
To carry out these operations Tanatos secretly opens the HTTP server and
presents its "master(s)" a Web interface with which to control an
infected system.

Potential victims of Tanatos are computers hosting the Klez worm, as
both worms exploit the "IFRAME" vulnerability in the Windows Explorer
security system. "When taking into account the fact that Klez, to this
day, still maintains first place in the list of most widespread virus
programs, it is possible to expect Tanatos to do its share of damage as
well", commented Dennis Zenkin, Head of Corporate Communications for
Kaspersky Labs.

The defense against Tanatos has already been added to the Kaspersky
Anti-Virus databases. Please update your anti-virus software.

To download the patch for the Internet Explorer IFRAME Security System
vulnerability please visit this site:
http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp.

More details covering the Tanatos Internet worm are now available in the
Kaspersky Virus Encyclopedia at:
http://www.viruslist.com/eng/viruslist.html?id=52245.



Robert
__________
powered by http://different-thinking.de - Netze, Protokolle, Sicherheit, ...

#3 BSI meint dazu:

Name: W32.Bugbear@mm
Alias: W32/Bugbear-A [Sophos],WORM_BUGBEAR.A [Trend],
Win32.Bugbear [CA], W32/Bugbear@MM [McAfee], I-Worm.Tanatos [AVP],
W32/Bugbear [Panda], Tanatos [F-Secure]
Art: Massenmailer-Wurm
Betriebssystem:Microsoft Windows
Verbreitung: hoch (englisch sprachiger Raum)
Schadensfunktion: Massenmail,
Beenden von verschiedenen Viren-Schutz- und Firewall-Programmen,
Installation eines Trojanischen Pferdes
bekannt seit: 30. September 2002



W32.Bugbear@mm verbreitet sich über Massenmail und Netzwerkfreigaben. Der
Wurm besitzt Eigenschaften eines Trojanischen Pferdes, indem er den TCP Port
36794 öffnet.
Er versucht außerdem Antiviren- und Firewall-Software zu beenden.

Weitere Informationen unter: http://www.bsi.bund.de/av/vb/bugbear.htm
__________
powered by http://different-thinking.de - Netze, Protokolle, Sicherheit, ...

#4 Ich hab den Wurm heute per eMail erhalten, aber Norton AV mit aktueller Virendefinition hat ihn sofort erkannt und gelöscht.
Auch ein anschliessender manueller Virenscan fiel negativ aus.

Gruß
mrMR
__________
Es irrt der Mensch, solang' er strebt. (Goethe)

#5 Weitere Infos:

Bugbear Hybrid Threat Propagation

Synopsis:

ISS X-Force has been monitoring the spread of the "Bugbear" Internet worm.
Bugbear propagates through email and through open NetBIOS file shares.
Bugbear attempts to disable all security and antivirus software on each host
and installs a backdoor program. X-Force has detected a large increase in
NetBIOS scanning traffic from several thousand unique addresses.

Impact:

As with most mass-emailing worms, Bugbear's propagation can cause resource
starvation problems on email servers, and network congestion on heavily
loaded network segments. Information about the nature of the backdoor program
that Bugbear installs has been made public. Therefore, this backdoor can be
accessed not only by the author, but also by any third-party attacker.

Description:

The Bugbear worm reportedly originated in Malaysia on September 30, 2002.
Bugbear has the following capabilities:

-Mass emailing component
-NetBIOS file share scanning component
-Disables antivirus and personal firewall software
-Executes upon reboot of infected host
-Backdoor component

Mass Emailing Component

Bugbear scans each computer for a list of email addresses and sends a copy of
itself to each with a forged "From:" field. Bugbear creates a random subject
line based from information found on each infected host, or it selects one
of several hard-coded strings that resemble unsolicited email spam. The worm
takes advantage of well-known vulnerability in Internet Explorer that will
execute the incoming Bugbear attachment file when it is previewed in Outlook
and Outlook Express. This vulnerability was first exploited by the "Nimda"
worm. For more information about this vulnerability, please refer to
Microsoft Security Bulletin MS01-20, titled "Incorrect MIME Header Can Cause
IE to Execute E-mail Attachment vulnerability."

NetBIOS File Share Scanning Component

Once a target computer is infected, Bugbear will begin to scan for insecure
NetBIOS file shares on the open Internet. The scanning engine will scan each
IP address in a randomly selected Class-C network (x.x.x.1-255). Bugbear will
attempt to connect to \\ComputerName\c$ on any computer that responds to a
NetBIOS query request on UDP port 137. In most cases, these types of NetBIOS
requests will fail due to firewalls, intrusion protection systems, and the
lack of proper authentication to the file share. However, if successful, the
worm will attempt to copy itself to the following location:

\Documents and Settings\[username]\Start Menu\Programs\Startup\***.exe

The "***" characters represent a random three character filename.

Disables Antivirus and Personal Firewall Software

Bugbear is one of many new Internet worms and computer viruses that attempt to
disable security software upon infection. The following is a list of
processes that Bugbear attempts to "kill" upon execution:

ACKWIN32.exe
F-AGNT95.exe
ANTI-TROJAN.exe
APVXDWIN.exe
AUTODOWN.exe
AVCONSOL.exe
AVE32.exe
AVGCTRL.exe
AVKSERV.exe
AVNT.exe
AVP32.exe
AVP32.exe
AVPCC.exe
AVPCC.exe
AVPDOS32.exe
AVPM.exe
AVPM.exe
AVPTC32.exe
AVPUPD.exe
AVSCHED32.exe
AVWIN95.exe
AVWUPD32.exe
BLACKD.exe
BLACKICE.exe
CFIADMIN.exe
CFIAUDIT.exe
CFINET.exe
CFINET32.exe
CLAW95.exe
CLAW95CF.exe
CLEANER.exe
CLEANER3.exe
DVP95_0.exe
ECENGINE.exe
ESAFE.exe
ESPWATCH.exe
FINDVIRU.exe
FPROT.exe
IAMAPP.exe
IAMSERV.exe
IBMASN.exe
IBMAVSP.exe
ICLOAD95.exe
ICLOADNT.exe
ICMON.exe
ICSUPP95.exe
ICSUPPNT.exe
IFACE.exe
IOMON98.exe
JEDI.exe
LOCKDOWN2000.exe
LOOKOUT.exe
LUALL.exe
MOOLIVE.exe
MPFTRAY.exe
N32SCANW.exe
NAVAPW32.exe
NAVLU32.exe
NAVNT.exe
NAVW32.exe
NAVWNT.exe
NISUM.exe
NMAIN.exe
NORMIST.exe
NUPGRADE.exe
NVC95.exe
OUTPOST.exe
PADMIN.exe
PAVCL.exe
PAVSCHED.exe
PAVW.exe
PCCWIN98.exe
PCFWALLICON.exe
PERSFW.exe
F-PROT.exe
F-PROT95.exe
RAV7.exe
RAV7WIN.exe
RESCUE.exe
SAFEWEB.exe
SCAN32.exe
SCAN95.exe
SCANPM.exe
SCRSCAN.exe
SERV95.exe
SPHINX.exe
F-STOPW.exe
SWEEP95.exe
TBSCAN.exe
TDS2-98.exe
TDS2-NT.exe
VET95.exe
VETTRAY.exe
VSCAN40.exe
VSECOMR.exe
VSHWIN32.exe
VSSTAT.exe
WEBSCANX.exe
WFINDV32.exe
ZONEALARM.exe

The list contains the majority of all popular antivirus and personal firewall
software available. Bugbear will succeed in disabling any of the software
listed above that does not include specific protection from this type of
attack.

Executed Upon Reboot

Bugbear creates a registry key to execute itself again immediately upon
reboot. The following key is created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
RunOnce "%xxx%" = xxx.exe ("xxx" represents three random letters)

Backdoor Component

The Bugbear backdoor component allows the author or third-party attackers to
connect to infected hosts via TCP port 36794. The backdoor process can be used
to copy files, delete files, relay system information, execute commands, relay
keystrokes, kill processes, and enumerate file shares.

Recommendations:

ISS X-Force recommends that individuals whose computers are infected with the
Bugbear worm should download the McAfee AVERT "Stinger" tool to remove
Bugbear.

ISS Internet Scanner customers should enable the IeMimeExecuteCode check to
assess exposure to the Incorrect MIME Header execution vulnerability.
RealSecure Network Sensor 6.5 customers should monitor the Netbios_Session_Request,
and Nebios_Session_Granted events to detect NetBIOS scanning activity associated
with this worm. RealSecure Network Sensor 7.0 and BlackICE customers should monitor
the previously mentioned events as well as the SMB_Startup_File_Access and
SMB_Filename events, which were designed to detect access to Windows startup
directories over NetBIOS. ISS RealSecure Desktop Protector version 3.5 with
Application Protection enabled will block the execution of this worm automatically.

Extended assessment and protection support for the Bugbear worm will be made
available in future X-Press Updates for Internet Scanner and RealSecure
Network Sensor.

Additional Information:

X-Force Database
http://www.iss.net/security_center/static/10265

Microsoft Security Bulletin MS01-20
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

McAfee Virus Information Library W32/Bugbear@MM
http://vil.nai.com/vil/content/v_99728.htm

McAfee AVERT Stinger
http://vil.nai.com/vil/stinger/
__________
powered by http://different-thinking.de - Netze, Protokolle, Sicherheit, ...