
File-trashing worm set to hit tomorrow

Feb 02, 2006 (7 mins)

* Patches from Trustix, FreeBSD, Mandriva, others
* Beware e-mail infected with the Breplibot worm using forged F-Secure e-mail addresses
* Security snafu at Boston Globe exposes subscriber data

If the predictions are right, tomorrow (Feb. 3) could be a nasty day for some users as a new worm is scheduled to start deleting files on infected machines.

Microsoft warns of file-trashing worm, 01/31/06

Microsoft has published a security advisory warning Windows users of a file-trashing worm that has been circulating via e-mail for several weeks. The worm, which is programmed to destroy a wide variety of files on the third day of every month, has been circulating since mid-January, and is estimated to have infected between 250,000 and 300,000 systems worldwide. IDG News Service, 01/31/06.

Microsoft advisory:

First reports of Nyxem damage

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you’re infected and your clock is not set right, things could start to happen at any time – even though the official activation time is the 3rd of the month. We’ve already received first reports from users who’ve had files on their system overwritten by the worm. F-Secure, 01/31/06.

Nyxem (Blackworm) map:

Today’s bug patches and security alerts:

CERT warns of Winamp buffer overflow

A buffer overflow in the popular Winamp MP3 client could be exploited to run malicious code on an affected machine, according to an alert from CERT. AOL has released Winamp 5.13 to fix the problem. For more, go to:

Download the latest player from:


First bug found for Internet Explorer Beta 2

An independent researcher needed just 15 minutes to find the first bug in the Beta 2 preview release of Microsoft’s Internet Explorer 7 browser. IDG News Service, 02/01/06.

Read Tom Ferris’ post about the flaw:


Trustix releases new “multi” update

A new release from Trustix patches flaws in the kernel and the OpenSSH implementation. For more, go to:


FreeBSD patches SACK

A flaw in SACK, an extension to the TCP/IP stack, could be exploited to put the process in an infinite loop, resulting in a denial of service. For more, go to:


HP warns of BIND DNS flaw

According to an advisory from HP, “A potential vulnerability has been identified on the HP Tru64 UNIX operating system running DNS BIND. The vulnerability could be exploited remotely to gain unauthorized privileged access.” For more, go to:


New updates from Debian:

ImageMagick (poor input checking):

unalz (buffer overflow, code execution):

libmail-audit-perl (non-secure temp files):

pdfkit.framework (multiple buffer overflows):

pdftohtml (multiple buffer overflows):

mydns (denial of service):


Recent advisories from Gentoo:

LibAST (privilege escalation):

Paros (default admin password):

MyDNS (denial of service):

Xpdf, Poppler, GPdf, libextractor, pdftohtml (multiple heap overflows):


New patches from Mandriva:

bzip2 (file name process, code execution):

gzip (local code execution):

php (cross-site scripting vulnerability):


Today’s roundup of virus alerts:

F-Secure warns of forged e-mails

Someone trying to make F-Secure look bad has sent out thousands of e-mails infected with the Breplibot worm using forged F-Secure e-mail addresses. For more, go to:

Troj/Stinx-Q — This version of Stinx spreads through an e-mail message titled “Photo and Article” and with an attachment called “”. It installs itself as “csrnvrt.exe” in the Windows System directory and allows access via IRC. (Sophos)

Troj/Stinx-R — A new version of the Stinx Trojan that allows backdoor access through IRC. It drops “csrnvrt.exe” and two randomly named BAT files on the infected host and can be used to bypass the Windows Firewall. (Sophos)

Troj/Stinx-S — This Stinx variant allows access to the infected host through TCP port 8080. It drops “lsadst.exe” in the Windows System folder and can be used to disable security-related applications running on the host. (Sophos)

Troj/Stinx-T — A third Stinx variant. This one drops “lsadst.exe” in the Windows System folder and uses IRC for backdoor access. (Sophos)

Troj/Stinx-U — A fourth Stinx variant today and the second to allow backdoor access through TCP port 8080. This variant uses “svcsvh32.exe” in the Windows System folder as its infection point. (Sophos)

W32/Rbot-BWT — This Rbot variant spreads through network shares by exploiting known Windows vulnerabilities. It drops “initsvc.exe” in the Windows System directory and allows backdoor access through IRC. (Sophos)

W32/Rbot-BYA — Another Rbot variant that exploits known Windows flaws as it spreads through network shares. This one installs “sp2fix32.exe” in the Windows System folder. (Sophos)

Troj/QQRob-DG — A password-stealing Trojan that communicates with remote sites via HTTP and can disable security-related applications running on the infected host. It installs “NTdhcp.exe” in the Windows System folder. (Sophos)

Troj/Prosti-A — Another password-stealing Trojan that e-mails its bounty to the virus’ author. (Sophos)

W32/Kookoo-A — This Trojan is installed as “oledsp32.dll” in the System folder and can turn the host into a proxy server. (Sophos)

Troj/Bckdr-QF — A backdoor program that allows access via an HTTP connection. The virus drops two files in the Windows System directory: “ctfmon.exe” and “userinit.exe”. (Sophos)

Troj/Bdoor-VK — Another backdoor Trojan that can send notifications and allow access through HTTP. It drops two files in the System folder: “FOTOSNuevas.BMP.exe” and “wrundll2.exe”. (Sophos)

Troj/Mircgirl-B — A virus that searches for mIRC scripts on the infected host and appends code to them that causes another script to load. (Sophos)

Troj/Haxdoor-AS — This virus targets username and password information, sending the captured data to a remote attacker. It is installed as “satdll.dll” in the System directory. (Sophos)

Troj/SmDldr-B — A virus that tries to download files from a remote Web site to “C:\boot.old” and “C:\ntdetect.exe”. (Sophos)

Troj/Bombka-D — This virus can watch a user’s Internet habits, make changes to the Internet Explorer settings, download additional code and harvest e-mail addresses from the infected host. Two files are installed: “game1.exe” and “kaboom.dll”. (Sophos)

Troj/Telemot-B — A virus that starts a shell on the infected host, allowing a remote attacker to modify registry settings, kill processes, take screen shots and reboot the host. It places “chkdsk64.exe” in the System folder. (Sophos)

W32/Sdbot-ALZ — A new Sdbot variant that allows an intruder to take control of the infected host via an IRC channel. It is installed as “svchosts.exe” in the System directory. (Sophos)

Troj/ByteVeri-Q — A virus that tries to exploit a known flaw in the Byte Code Verify component of the Microsoft VM. An attacker would have to place a malicious Java applet on a web server and the victim would have to visit that site, loading the applet. (Sophos)


From the interesting reading department:

Security snafu at Boston Globe exposes subscriber data

An apparent attempt to recycle discarded internal reports has ended up in the compromise of credit card and bank number information belonging to more than 240,000 subscribers of The Boston Globe and Worcester Telegram & Gazette. Computerworld, 02/01/06.