* Patches from Trustix, FreeBSD, Mandriva, others
* Beware e-mail infected with the Breplibot worm using forged F-Secure e-mail addresses
* Security snafu at Boston Globe exposes subscriber data

If the predictions are right, tomorrow (Feb. 3) could be a nasty day for some users, as a new worm is scheduled to start deleting files on infected machines.

Microsoft warns of file-trashing worm, 01/31/06
Microsoft has published a security advisory warning Windows users of a file-trashing worm that has been circulating via e-mail for several weeks. The worm, which is programmed to destroy a wide variety of files on the third day of every month, has been circulating since mid-January and is estimated to have infected between 250,000 and 300,000 systems worldwide. IDG News Service, 01/31/06.
http://www.networkworld.com/news/2006/013106-microsoft-worm.html
Microsoft advisory:
https://www.microsoft.com/technet/security/advisory/904420.mspx

First reports of Nyxem damage
The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you’re infected and your clock is not set right, things could start to happen at any time – even though the official activation time is the 3rd of the month. We’ve already received first reports from users who’ve had files on their system overwritten by the worm. F-Secure, 01/31/06.
http://www.networkworld.com/go2/2006/0130bug2a.html
Nyxem (Blackworm) map:
http://www.networkworld.com/go2/2006/0130bug2b.html

Today’s bug patches and security alerts:

CERT warns of Winamp buffer overflow
A buffer overflow in the popular Winamp MP3 client could be exploited to run malicious code on an affected machine, according to an alert from CERT. AOL has released Winamp 5.13 to fix the problem.
For more, go to:
https://www.us-cert.gov/cas/techalerts/TA06-032A.html
Download the latest player from:
https://www.winamp.com/player/index.php
**********
First bug found for Internet Explorer Beta 2
An independent researcher needed just 15 minutes to find the first bug in the Beta 2 preview release of Microsoft’s Internet Explorer 7 browser. IDG News Service, 02/01/06.
http://www.networkworld.com/news/2006/020106-ie-bug.html
Read Tom Ferris’ post about the flaw:
https://www.security-protocols.com/advisory/sp-x23-advisory.txt
**********
Trustix releases new “multi” update
A new release from Trustix patches flaws in the kernel and the OpenSSH implementation.
For more, go to:
https://www.trustix.org/errata/2006/0004/
**********
FreeBSD patches SACK
A flaw in SACK, an extension to the TCP/IP stack, could be exploited to put the process in an infinite loop, resulting in a denial of service.
For more, go to:
http://www.networkworld.com/go2/2006/0130bug2c.html
**********
HP warns of BIND DNS flaw
According to an advisory from HP, “A potential vulnerability has been identified on the HP Tru64 UNIX operating system running DNS BIND. The vulnerability could be exploited remotely to gain unauthorized privileged access.”
For more, go to:
https://www.securityfocus.com/archive/1/423664/30/0/threaded
**********
New updates from Debian:
ImageMagick (poor input checking):
https://www.debian.org/security/2006/dsa-957
unalz (buffer overflow, code execution):
https://www.debian.org/security/2006/dsa-959
libmail-audit-perl (non-secure temp files):
https://www.debian.org/security/2006/dsa-960
pdfkit.framework (multiple buffer overflows):
https://www.debian.org/security/2006/dsa-961
pdftohtml (multiple buffer overflows):
https://www.debian.org/security/2006/dsa-962
mydns (denial of service):
https://www.debian.org/security/2006/dsa-963
**********
Recent advisories from Gentoo:
LibAST (privilege escalation):
https://security.gentoo.org/glsa/glsa-200601-14.xml
Paros (default admin password):
https://security.gentoo.org/glsa/glsa-200601-15.xml
MyDNS (denial of service):
https://security.gentoo.org/glsa/glsa-200601-16.xml
Xpdf, Poppler, GPdf, libextractor, pdftohtml (multiple heap overflows):
https://security.gentoo.org/glsa/glsa-200601-17.xml
**********
New patches from Mandriva:
bzip2 (file name processing, code execution):
https://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:026
gzip (local code execution):
https://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:027
php (cross-site scripting vulnerability):
https://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:028
**********
Today’s roundup of virus alerts:

F-Secure warns of forged e-mails
Someone trying to make F-Secure look bad has sent out thousands of e-mails infected with the Breplibot worm using forged F-Secure e-mail addresses.
For more, go to:
http://www.networkworld.com/go2/2006/0130bug2d.html

Troj/Stinx-Q — This version of Stinx spreads through an e-mail message titled “Photo and Article” with an attachment called “Photo+Article.zip”. It installs itself as “csrnvrt.exe” in the Windows System directory and allows access via IRC. (Sophos)

Troj/Stinx-R — A new version of the Stinx Trojan that allows backdoor access through IRC. It drops “csrnvrt.exe” and two randomly named BAT files on the infected host and can be used to bypass the Windows Firewall. (Sophos)

Troj/Stinx-S — This Stinx variant allows access to the infected host through TCP port 8080. It drops “lsadst.exe” in the Windows System folder and can be used to disable security-related applications running on the host. (Sophos)

Troj/Stinx-T — A third Stinx variant. This one drops “lsadst.exe” in the Windows System folder and uses IRC for backdoor access. (Sophos)

Troj/Stinx-U — A fourth Stinx variant today and the second to allow backdoor access through TCP port 8080. This variant uses “svcsvh32.exe” in the Windows System folder as its infection point. (Sophos)

W32/Rbot-BWT — This Rbot variant spreads through network shares by exploiting known Windows vulnerabilities. It drops “initsvc.exe” in the Windows System directory and allows backdoor access through IRC. (Sophos)

W32/Rbot-BYA — Another Rbot variant that exploits known Windows flaws as it spreads through network shares. This one installs “sp2fix32.exe” in the Windows System folder. (Sophos)

Troj/QQRob-DG — A password-stealing Trojan that communicates with remote sites via HTTP and can disable security-related applications running on the infected host. It installs “NTdhcp.exe” in the Windows System folder. (Sophos)

Troj/Prosti-A — Another password-stealing Trojan that e-mails its bounty to the virus’ author. (Sophos)

W32/Kookoo-A — This Trojan is installed as “oledsp32.dll” in the System folder and can turn the host into a proxy server. (Sophos)

Troj/Bckdr-QF — A backdoor program that allows access via an HTTP connection. The virus drops two files in the Windows System directory: “ctfmon.exe” and “userinit.exe”. (Sophos)

Troj/Bdoor-VK — Another backdoor Trojan that can send notifications and allow access through HTTP. It drops two files in the System folder: “FOTOSNuevas.BMP.exe” and “wrundll2.exe”. (Sophos)

Troj/Mircgirl-B — A virus that searches for mIRC scripts on the infected host and appends code to them that causes another script to load. (Sophos)

Troj/Haxdoor-AS — This virus targets username and password information, sending the captured data to a remote attacker. It is installed as “satdll.dll” in the System directory. (Sophos)

Troj/SmDldr-B — A virus that tries to download files from a remote Web site to “C:\boot.old” and “C:\ntdetect.exe”. (Sophos)

Troj/Bombka-D — This virus can watch a user’s Internet habits, make changes to the Internet Explorer settings, download additional code and harvest e-mail addresses from the infected host. Two files are installed: “game1.exe” and “kaboom.dll”. (Sophos)

Troj/Telemot-B — A virus that starts a shell on the infected host, allowing a remote attacker to modify registry settings, kill processes, take screen shots and reboot the host. It places “chkdsk64.exe” in the System folder. (Sophos)

W32/Sdbot-ALZ — A new Sdbot variant that allows an intruder to take control of the infected host via an IRC channel. It is installed as “svchosts.exe” in the System directory. (Sophos)

Troj/ByteVeri-Q — A virus that tries to exploit a known flaw in the Byte Code Verify component of the Microsoft VM. An attacker would have to place a malicious Java applet on a web server, and the victim would have to visit that site, loading the applet. (Sophos)
**********
From the interesting reading department:

Security snafu at Boston Globe exposes subscriber data
An apparent attempt to recycle discarded internal reports has ended up in the compromise of credit card and bank account number information belonging to more than 240,000 subscribers of The Boston Globe and Worcester Telegram & Gazette.
Computerworld, 02/01/06.
http://www.networkworld.com/go2/2006/0130bug2e.html