A new worm with an attached Trojan
#0
30.09.2002, 20:05
Honorary member
Posts: 2283
01.10.2002, 13:20
Honorary member
Thread starter, Posts: 2283
#2
At Symantec and Heise the name is: W32.Bugbear@mm
More detailed description here:
http://www.heise.de/newsticker/data/pab-01.10.02-000/
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
Protection: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
Further information:

Tanatos is a Windows attachment about 50 KB in size (it is packed by the UPX compression utility) and written in Microsoft Visual C++. The worm is spreading via email attachment files with differing headings, body texts, file attachment names and even formats, all of which make it harder to identify infected email messages from their external properties. Infected messages consistently have plain text or HTML format. With the plain text version users must actively open the attached file, thereby letting the worm loose. With the HTML version, after the worm arrives in the inbox of potential victims, Tanatos waits for its email message to be read (for example, in the preview window); once this occurs, by exploiting the "IFRAME" vulnerability in the Windows Explorer security system, it secretly launches itself and infects the machine.

To spread over local area networks, the Tanatos worm goes through all network access resources and searches for the Windows system auto-run directory, where it copies itself so that it will execute the next time the infected computer is booted. This function can only work if there is a general write permission enabled in the directory. After activation, "Tanatos" registers itself in the system registry auto-run key so that its malicious code will activate each time Windows is booted.

Tanatos also contains a Trojan horse function that makes it an exceptionally dangerous program by creating a system breach and exposing confidential data. In part, Tanatos sets a keyboard "bug" that records all keyboard actions, including system passwords, to a specified file (KEYLOGGER.DLL) in the Windows system directory.

Another interesting particularity of this worm is its attempts to close active processes, especially anti-virus programs and personal firewalls.

Full control over infected computers: On infected machines those who control the Tanatos worm can dictate file downloading, transferring, copying, deleting, executing and can also force processes to abort etc. To carry out these operations Tanatos secretly opens an HTTP server and presents its "master(s)" a Web interface with which to control an infected system.

Potential victims of Tanatos are computers hosting the Klez worm, as both worms exploit the "IFRAME" vulnerability in the Windows Explorer security system. "When taking into account the fact that Klez, to this day, still maintains first place in the list of most widespread virus programs, it is possible to expect Tanatos to do its share of damage as well", commented Dennis Zenkin, Head of Corporate Communications for Kaspersky Labs.

The defense against Tanatos has already been added to the Kaspersky Anti-Virus databases. Please update your anti-virus software. To download the patch for the Internet Explorer IFRAME Security System vulnerability please visit this site: http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp. More details covering the Tanatos Internet worm are now available in the Kaspersky Virus Encyclopedia at: http://www.viruslist.com/eng/viruslist.html?id=52245.

Robert
__________
powered by http://different-thinking.de - Networks, Protocols, Security, ...
This post was edited by Robert on 01.10.2002 at 19:55.
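The host-side indicators named in the post above (an entry in the registry auto-run key, a copy of the worm dropped into a Startup folder, and the keystroke file KEYLOGGER.DLL in the Windows system directory) can be checked offline against exported artefacts. The following Python script is an added example written for this page; it is not Robert's code, Kaspersky's, or any vendor's tool. It assumes a `reg query`-style text export of the RunOnce key and plain file-name listings of the Startup and system directories, all constructed here as sample data. The three-random-letter `xxx.exe` naming it looks for is taken from the ISS advisory quoted later in the thread; the small allow-list of legitimate three-letter executables is an assumption added to reduce false positives.

```python
"""Offline triage of the host indicators named in the thread (run key, Startup folder, keylogger file)."""
import re

# Constructed sample artefacts (not taken from a real machine).
# RUNONCE_EXPORT mimics "reg query" text output for the key named in the thread.
RUNONCE_EXPORT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    xqz          REG_SZ    xqz.exe
    Installer    REG_SZ    C:\WINDOWS\Temp\setup_cleanup.exe
"""
STARTUP_DIR_LISTING = ["desktop.ini", "kjm.exe", "Office Startup.lnk"]
SYSTEM_DIR_LISTING = ["kernel32.dll", "KEYLOGGER.DLL", "notepad.exe"]

# The worm names its copies with three random letters (xxx.exe); a few legitimate
# three-letter tools are allow-listed so they are not reported (assumed list).
THREE_LETTER_EXE = re.compile(r"^[A-Za-z]{3}\.exe$", re.IGNORECASE)
ALLOWED_SHORT_NAMES = {"cmd.exe", "ftp.exe", "net.exe"}
KEYLOG_FILE = "keylogger.dll"  # file the thread names for captured keystrokes

# One "reg query" value line: <name> <REG_type> <data>
REG_VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("/", "\\").split("\\")[-1]


def is_suspicious_exe(name):
    """True for a three-letter .exe that is not on the allow-list."""
    return bool(THREE_LETTER_EXE.match(name)) and name.lower() not in ALLOWED_SHORT_NAMES


def suspicious_run_entries(export_text):
    """(value name, data) pairs in the run-key export whose target is a three-letter exe."""
    hits = []
    for line in export_text.splitlines():
        m = REG_VALUE_RE.match(line)
        if m and is_suspicious_exe(basename(m["data"])):
            hits.append((m["name"], m["data"]))
    return hits


def suspicious_startup_files(names):
    """Three-letter executables sitting in a Startup folder listing."""
    return [n for n in names if is_suspicious_exe(n)]


def keylogger_artifacts(names):
    """Occurrences of the keystroke file in a system-directory listing (case-insensitive)."""
    return [n for n in names if n.lower() == KEYLOG_FILE]


def triage(export_text, startup_names, system_names):
    """Collect findings per indicator and count how many indicator classes fired."""
    findings = {
        "runonce": suspicious_run_entries(export_text),
        "startup": suspicious_startup_files(startup_names),
        "keylogger": keylogger_artifacts(system_names),
    }
    hit = sum(1 for v in findings.values() if v)
    findings["indicators_hit"] = hit
    return findings


if __name__ == "__main__":
    result = triage(RUNONCE_EXPORT, STARTUP_DIR_LISTING, SYSTEM_DIR_LISTING)
    for key in ("runonce", "startup", "keylogger"):
        print(f"{key}: {result[key]}")
    print(f"indicator classes hit: {result['indicators_hit']} of 3")
```

A single three-letter executable is weak evidence on its own; the point of the `indicators_hit` count is that the run-key entry, the Startup copy and the keystroke file together are what the post describes, and all three should be exported from the suspect machine before comparing.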
02.10.2002, 09:12
Honorary member
Thread starter, Posts: 2283
#3
The BSI says about it:
Name: W32.Bugbear@mm
Alias: W32/Bugbear-A [Sophos], WORM_BUGBEAR.A [Trend], Win32.Bugbear [CA], W32/Bugbear@MM [McAfee], I-Worm.Tanatos [AVP], W32/Bugbear [Panda], Tanatos [F-Secure]
Type: mass-mailer worm
Operating system: Microsoft Windows
Spread: high (English-speaking region)
Payload: mass mailing, terminating various antivirus and firewall programs, installation of a Trojan horse
Known since: 30 September 2002
W32.Bugbear@mm spreads via mass mail and network shares. The worm has the properties of a Trojan horse in that it opens TCP port 36794. It also attempts to terminate antivirus and firewall software.
Further information at: http://www.bsi.bund.de/av/vb/bugbear.htm
__________
powered by http://different-thinking.de - Networks, Protocols, Security, ...
04.10.2002, 14:46
Member
Posts: 147
#4
I received the worm by e-mail today, but Norton AV with current virus definitions recognized and deleted it immediately.
A subsequent manual virus scan was also negative.
Regards, mrMR
__________
Man errs as long as he strives. (Goethe)
06.10.2002, 11:47
Honorary member
Thread starter, Posts: 2283
#5
Further info:

Bugbear Hybrid Threat Propagation

Synopsis: ISS X-Force has been monitoring the spread of the "Bugbear" Internet worm. Bugbear propagates through email and through open NetBIOS file shares. Bugbear attempts to disable all security and antivirus software on each host and installs a backdoor program. X-Force has detected a large increase in NetBIOS scanning traffic from several thousand unique addresses.

Impact: As with most mass-emailing worms, Bugbear's propagation can cause resource starvation problems on email servers, and network congestion on heavily loaded network segments. Information about the nature of the backdoor program that Bugbear installs has been made public. Therefore, this backdoor can be accessed not only by the author, but also by any third-party attacker.

Description: The Bugbear worm reportedly originated in Malaysia on September 30, 2002. Bugbear has the following capabilities:
- Mass emailing component
- NetBIOS file share scanning component
- Disables antivirus and personal firewall software
- Executes upon reboot of infected host
- Backdoor component

Mass Emailing Component
Bugbear scans each computer for a list of email addresses and sends a copy of itself to each with a forged "From:" field. Bugbear creates a random subject line based on information found on each infected host, or it selects one of several hard-coded strings that resemble unsolicited email spam. The worm takes advantage of a well-known vulnerability in Internet Explorer that will execute the incoming Bugbear attachment file when it is previewed in Outlook and Outlook Express. This vulnerability was first exploited by the "Nimda" worm. For more information about this vulnerability, please refer to Microsoft Security Bulletin MS01-20, titled "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability."

NetBIOS File Share Scanning Component
Once a target computer is infected, Bugbear will begin to scan for insecure NetBIOS file shares on the open Internet. The scanning engine will scan each IP address in a randomly selected Class-C network (x.x.x.1-255). Bugbear will attempt to connect to \\ComputerName\c$ on any computer that responds to a NetBIOS query request on UDP port 137. In most cases, these types of NetBIOS requests will fail due to firewalls, intrusion protection systems, and the lack of proper authentication to the file share. However, if successful, the worm will attempt to copy itself to the following location:
\Documents and Settings\[username]\Start Menu\Programs\Startup\***.exe
The "***" characters represent a random three character filename.

Disables Antivirus and Personal Firewall Software
Bugbear is one of many new Internet worms and computer viruses that attempt to disable security software upon infection. The following is a list of processes that Bugbear attempts to "kill" upon execution:
ACKWIN32.exe, F-AGNT95.exe, ANTI-TROJAN.exe, APVXDWIN.exe, AUTODOWN.exe, AVCONSOL.exe, AVE32.exe, AVGCTRL.exe, AVKSERV.exe, AVNT.exe, AVP32.exe, AVPCC.exe, AVPDOS32.exe, AVPM.exe, AVPTC32.exe, AVPUPD.exe, AVSCHED32.exe, AVWIN95.exe, AVWUPD32.exe, BLACKD.exe, BLACKICE.exe, CFIADMIN.exe, CFIAUDIT.exe, CFINET.exe, CFINET32.exe, CLAW95.exe, CLAW95CF.exe, CLEANER.exe, CLEANER3.exe, DVP95_0.exe, ECENGINE.exe, ESAFE.exe, ESPWATCH.exe, FINDVIRU.exe, FPROT.exe, IAMAPP.exe, IAMSERV.exe, IBMASN.exe, IBMAVSP.exe, ICLOAD95.exe, ICLOADNT.exe, ICMON.exe, ICSUPP95.exe, ICSUPPNT.exe, IFACE.exe, IOMON98.exe, JEDI.exe, LOCKDOWN2000.exe, LOOKOUT.exe, LUALL.exe, MOOLIVE.exe, MPFTRAY.exe, N32SCANW.exe, NAVAPW32.exe, NAVLU32.exe, NAVNT.exe, NAVW32.exe, NAVWNT.exe, NISUM.exe, NMAIN.exe, NORMIST.exe, NUPGRADE.exe, NVC95.exe, OUTPOST.exe, PADMIN.exe, PAVCL.exe, PAVSCHED.exe, PAVW.exe, PCCWIN98.exe, PCFWALLICON.exe, PERSFW.exe, F-PROT.exe, F-PROT95.exe, RAV7.exe, RAV7WIN.exe, RESCUE.exe, SAFEWEB.exe, SCAN32.exe, SCAN95.exe, SCANPM.exe, SCRSCAN.exe, SERV95.exe, SPHINX.exe, F-STOPW.exe, SWEEP95.exe, TBSCAN.exe, TDS2-98.exe, TDS2-NT.exe, VET95.exe, VETTRAY.exe, VSCAN40.exe, VSECOMR.exe, VSHWIN32.exe, VSSTAT.exe, WEBSCANX.exe, WFINDV32.exe, ZONEALARM.exe
The list contains the majority of all popular antivirus and personal firewall software available. Bugbear will succeed in disabling any of the software listed above that does not include specific protection from this type of attack.

Executed Upon Reboot
Bugbear creates a registry key to execute itself again immediately upon reboot. The following key is created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
"%xxx%" = xxx.exe ("xxx" represents three random letters)

Backdoor Component
The Bugbear backdoor component allows the author or third-party attackers to connect to infected hosts via TCP port 36794. The backdoor process can be used to copy files, delete files, relay system information, execute commands, relay keystrokes, kill processes, and enumerate file shares.

Recommendations: ISS X-Force recommends that individuals whose computers are infected with the Bugbear worm should download the McAfee AVERT "Stinger" tool to remove Bugbear. ISS Internet Scanner customers should enable the IeMimeExecuteCode check to assess exposure to the Incorrect MIME Header execution vulnerability. RealSecure Network Sensor 6.5 customers should monitor the Netbios_Session_Request and Netbios_Session_Granted events to detect NetBIOS scanning activity associated with this worm. RealSecure Network Sensor 7.0 and BlackICE customers should monitor the previously mentioned events as well as the SMB_Startup_File_Access and SMB_Filename events, which were designed to detect access to Windows startup directories over NetBIOS. ISS RealSecure Desktop Protector version 3.5 with Application Protection enabled will block the execution of this worm automatically. Extended assessment and protection support for the Bugbear worm will be made available in future X-Press Updates for Internet Scanner and RealSecure Network Sensor.

Additional Information:
X-Force Database: http://www.iss.net/security_center/static/10265
Microsoft Security Bulletin MS01-20: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
McAfee Virus Information Library W32/Bugbear@MM: http://vil.nai.com/vil/content/v_99728.htm
McAfee AVERT Stinger: http://vil.nai.com/vil/stinger/
__________
powered by http://different-thinking.de - Networks, Protocols, Security, ...
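The advisory above describes two network-visible behaviours: a sweep of a randomly chosen /24 with NetBIOS name queries on UDP/137 followed by share connections, and a backdoor listening on TCP port 36794. The following Python detector is an added example written for this page (it is not ISS X-Force's code and not a RealSecure signature). It assumes a simple firewall log format (`<date> <time> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>`), flags any source that probes at least `min_hosts` distinct addresses of one /24 on UDP/137 or the SMB ports 139/445, and separately reports every TCP connection to the backdoor port. The log lines are constructed sample data, not real traffic, and the threshold is an assumption to be tuned per network.

```python
"""Flag Bugbear-style NetBIOS /24 sweeps and backdoor-port connections in firewall logs."""
from collections import defaultdict
import ipaddress
import re

# Constructed sample log lines (not real traffic). Assumed format:
# "<date> <time> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = [
    # one internal host probing twelve consecutive addresses of a /24 on UDP/137
    f"2002-10-04 14:46:{i:02d} DENY UDP 10.1.2.3:1034 -> 192.168.5.{i}:137"
    for i in range(1, 13)
] + [
    "2002-10-04 14:47:00 ALLOW TCP 10.1.2.3:1035 -> 192.168.5.7:445",     # follow-up share access
    "2002-10-04 14:47:05 ALLOW TCP 10.1.2.9:2001 -> 192.168.5.10:80",     # ordinary web traffic
    "2002-10-04 14:47:09 ALLOW UDP 10.1.2.9:137 -> 10.1.2.255:137",       # single name-service broadcast
    "2002-10-04 14:48:30 ALLOW TCP 203.0.113.77:4444 -> 10.1.2.3:36794",  # inbound to backdoor port
    "this line is not in the expected format",                           # must be skipped, not crash
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# UDP/137 is the NetBIOS name query the worm uses to find hosts; 139/445 carry the
# SMB connection to the C$ share that follows a positive response.
NETBIOS_PROBES = {("UDP", 137), ("TCP", 139), ("TCP", 445)}
BACKDOOR_PORT = 36794  # TCP port opened by the Bugbear backdoor (from the advisory)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def analyze(lines, min_hosts=8):
    """Return (scanners, backdoor_hits).

    scanners: {(src, "/24 network"): distinct hosts probed} for every pair at or
              above min_hosts (the threshold is an assumption; tune it per network).
    backdoor_hits: [(src, dst)] for each TCP connection to the backdoor port.
    """
    probes = defaultdict(set)  # (src, /24) -> distinct destination hosts probed
    backdoor_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"], rec["dport"]) in NETBIOS_PROBES:
            net = ipaddress.ip_network(f"{rec['dst']}/24", strict=False)
            probes[(rec["src"], str(net))].add(rec["dst"])
        if rec["proto"] == "TCP" and rec["dport"] == BACKDOOR_PORT:
            backdoor_hits.append((rec["src"], rec["dst"]))
    scanners = {key: len(hosts) for key, hosts in probes.items() if len(hosts) >= min_hosts}
    return scanners, backdoor_hits


if __name__ == "__main__":
    scanners, hits = analyze(SAMPLE_LOG)
    for (src, net), n in scanners.items():
        print(f"possible NetBIOS sweep: {src} probed {n} hosts in {net}")
    for src, dst in hits:
        print(f"connection to backdoor port {BACKDOOR_PORT}: {src} -> {dst}")
```

Counting distinct destinations per (source, /24) rather than raw packet volume is what separates the worm's sweep from normal name-service chatter: a single NetBIOS broadcast stays well under the threshold, while the twelve-host probe in the sample is reported. Denied packets count as probes too, since the scan is visible at the firewall whether or not it succeeds.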
Tanatos is a Windows attachment about 50 KB in size. It is packed with the UPX compression tool and written in MS Visual C++. The worm spreads via e-mail with varying subjects, bodies and attachment names. For propagation it uses an IFrame hole in the security system of Windows Explorer. Opening the e-mail infects the system. In the process, the malware enters itself in the registry and is thus launched at every start.
Tanatos records all keyboard input to a special file.
More detailed information should soon be available at http://www.viruslist.com/!
Robert
__________
powered by http://different-thinking.de - Networks, Protocols, Security, ...