iDefense warns of flaws in Qualcomm Worldmail 3.0

Opinion
Nov 21, 2005

* Patches from Gentoo, Debian, Mandriva * Beware latest batch of Rbot and Mytob variants * Gartner: Buyouts highlight what's hot in net security, and other interesting reading

Editor’s note: With the Thanksgiving holiday upon us, this will be our only newsletter this week. Happy Thanksgiving!

This week’s bug patches and security alerts:

iDefense warns of flaws in Qualcomm Worldmail server 3.0

Security researchers at iDefense have found a directory traversal vulnerability in the Qualcomm Worldmail server 3.0 that could be exploited to read any message belonging to any user on the affected machine. Qualcomm has not released a patch for the problem. More information and a potential workaround can be found here:

http://www.networkworld.com/go2/1121bug1c.html

**********

Gentoo patches Smb4k

A flaw in smb4k, a share browser for KDE, could be exploited by an attacker to gain elevated privileges on the affected machine. For more, go to:

https://security.gentoo.org/glsa/glsa-200511-15.xml

**********

Debian patches phpsysinfo

According to Debian, several vulnerabilities have been discovered in phpsysinfo, a PHP-based host information application. The most serious could be exploited to run arbitrary files on the affected machine. For more, go to:

https://www.debian.org/security/2005/dsa-898

Debian issues fix for egroupware

Several flaws have been found in the egroupware open source groupware suite. The most serious of the vulnerabilities could be exploited to run malicious code on the affected machine. For more, go to:

https://www.debian.org/security/2005/dsa-899

Debian patches fetchmail

A flaw in the fetchmail configuration could lead to user passwords being leaked to an attacker. For more, go to:

https://www.debian.org/security/2005/dsa-900

Debian releases patch for gnump3d

A number of vulnerabilities, the most serious of which could be exploited in a symlink attack, have been found in gnump3d, a streaming media server. For more, go to:

https://www.debian.org/security/2005/dsa-901

**********

Mandriva releases PHP update

Several flaws have been found in previous versions of the popular PHP scripting engine. The most serious of the bugs could be exploited in DoS attacks and to run malicious code. For more, go to:

http://www.networkworld.com/go2/1121bug1b.html

Mandriva patches gdk-pixbuf

A number of vulnerabilities have been found in the gdk-pixbuf XPM image rendering library, the most serious of which could be exploited to run arbitrary code on the affected system. For more, go to:

http://www.networkworld.com/go2/1121bug1a.html

**********

This week’s roundup of virus alerts:

W32/Codbot-L — A network worm that spreads through shared drives and exploits the Windows RPC-DCOM vulnerability. It allows backdoor access via IRC and can be used to steal local information. “rpcclient.exe” is dropped into the Windows System folder. (Sophos)

Troj/Bancban-IA — Another password stealing Trojan that targets Brazilian banking sites. It drops “wscntfy.exe” in the Windows System folder. (Sophos)

Troj/Bancban-IL — A second password stealing Trojan targeting Brazilian banking sites. This one installs “csrs.scr” in the Windows System folder. (Sophos)

Troj/Bancban-KA — A third Trojan that targets the customers of Brazilian banks. This one installs itself as a randomly named executable in the Windows System folder. (Sophos)

W32/Rbot-AXG — An Rbot variant that exploits a number of well known Windows vulnerabilities as it spreads through network shares, dropping “shost.exe” in the Windows folder. It allows backdoor access through IRC and can be used for a number of malicious purposes. (Sophos)

W32/Rbot-AAC — A second Rbot variant that exploits Windows vulnerabilities to spread between machines. It drops “msnmsgs.exe” in the Windows System folder, allows backdoor access through IRC and disables access to security related Web sites by modifying the Windows HOSTS file. (Sophos)

W32/Rbot-AUF — Our third Rbot worm of the week drops “msconfig32.exe” in the Windows System folder. (Sophos)

W32/Spybot-EF — A Windows worm that spreads through network shares and peer-to-peer networks such as Kazaa. It drops “crack.exe” and “tsasi.exe” on the infected machine and allows IRC-based backdoor access. (Sophos)

W32/Brontok-G — An e-mail worm that drops a number of files on the target host, including “eksplorasi.exe” in the Windows directory. No word on what the infected message looks like or what kind of permanent damage Brontok-G might cause. (Sophos)

W32/Brontok-D — Another Brontok variant. This one spreads through a message with a blank subject line and an attachment called “Kangen.exe”. It acts in a similar fashion to Brontok-G above. (Sophos)

W32/Mario-C — A virus that seems to be used to display a message on the infected machine on the 12th of any given month. It installs “rund11.exe” in the System32 directory. (Sophos)

Troj/Delf-PE — A Windows worm that drops “divxenc.exe” and “msld1.dll” in the Windows System folder and can be used to steal information from the infected host. (Sophos)

Troj/Zlob-BC — This downloader Trojan attempts to grab additional malicious code from pre-configured Web sites. Initially, it drops a number of files on the infected machine including “mssearch.exe” in the Windows System directory. It also displays a number of fake error messages. (Sophos)

W32/Tilebot-BG — Another Windows worm that spreads through network shares by exploiting known Windows flaws. It drops “rdiv.sys” in the System folder and allows backdoor access through an HTTP connection. (Sophos)

W32/Tilebot-BJ — Our second Tilebot variant of the day acts much the same as the variant above, except that it drops “msinit.exe” in the Windows System directory. (Sophos)

OF97/Toraja-I — A rare macro virus that targets the Office 97 platform. No word on what damage it could cause. It does drop “start25.xls” in the Excel startup folder. (Sophos)

Troj/Cosiam-E — A backdoor Trojan that can act as a proxy server and carry out DoS attacks against third party sites. It is installed as “multiran.exe” in the Windows System folder. (Sophos)

W32/Mytob-FM — A new mass-mailing variant that allows backdoor access through IRC. It drops “wID32.exe” in the Windows System folder. No word on the attributes of the infected e-mail message. (Sophos)

W32/Mytob-FN — This Mytob variant spreads through a message that looks like an account or administrator warning and has a double-extension attachment. It drops “dd.exe” in the Windows System directory, allows backdoor access through IRC, disables security applications and modifies the Windows HOSTS file to prevent access to certain Web sites. (Sophos)

W32/Mytob-FO — A third Mytob e-mail worm. This one is very similar to Mytob-FN above, except it drops “Fdd.exe” in the Windows System folder. (Sophos)

W32/Mytob-FP — Mytob number four this week. Another copycat with some minor changes, such as dropping “wID32.exe” in the Windows System folder. (Sophos)

Troj/Banload-H — A Trojan that is used to download and execute code from remote Web sites. (Sophos)

Troj/Keylog-AR — A keylogging Trojan that installs “IMEvtMgr.exe” in the Windows System folder. No word on how its bounty is collected. (Sophos)

Troj/Lecna-F — A backdoor Trojan that allows access via HTTP. It installs itself as “winword.exe” in the Windows System directory. (Sophos)

Troj/PWSYahoo-A — This password stealing Trojan targets the Yahoo Messenger service. It is installed as “NDDENB.exe” in the Windows folder. (Sophos)

Troj/QQRob-Y — A password stealing, keylogging Trojan that also disables security related applications. It drops “NTdhcp.exe” in the Windows System folder, allows backdoor access through HTTP and tries to download additional code from remote sites. (Sophos)

Troj/Feutel-AI — Yet another backdoor worm that allows access via HTTP. It drops “G_Server.exe” in the Windows System folder and adds itself to the registry as “GrayPigeonServer”. (Sophos)

Troj/RemLoad-A — A new Trojan that drops many files in the Windows System folder, including “checkreg.exe”. It can be used to download additional code from remote sites. (Sophos)
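Two of the worms above (Rbot-AAC and Mytob-FN) block security-related Web sites by editing the Windows HOSTS file. The following checker is an added example written for this newsletter, not code from Network World or Sophos; it reads a HOSTS file and flags watch-listed vendor domains pinned to a loopback or null address. The vendor domain list and the sample HOSTS file are constructed for the example.

```python
# Added example (not the newsletter's or Sophos' code): flag HOSTS-file entries
# that pin security-vendor domains to a loopback or null address, the tampering
# the Rbot-AAC and Mytob-FN items describe. Watch list and sample are constructed.
import ipaddress
from typing import List, Tuple

# Constructed watch list (assumption): domains a defender expects to resolve normally.
SECURITY_DOMAINS = {
    "sophos.com", "symantec.com", "mcafee.com", "trendmicro.com",
    "kaspersky.com", "windowsupdate.com", "update.microsoft.com",
}

def _is_sinkhole(addr: str) -> bool:
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def _on_watchlist(host: str) -> bool:
    host = host.lower().rstrip(".")
    # Match the domain itself or any subdomain (www.sophos.com, liveupdate.symantec.com).
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)

def find_blocked_security_hosts(hosts_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, address, hostname) for each watch-listed host sent to a sinkhole."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comments; skip blank lines
        if len(fields) < 2 or not _is_sinkhole(fields[0]):
            continue
        findings.extend((lineno, fields[0], n) for n in fields[1:] if _on_watchlist(n))
    return findings

# Constructed sample HOSTS file resembling what such a worm leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       liveupdate.symantec.com   # added by malware
0.0.0.0         windowsupdate.com
192.168.1.10    intranet.example.test
"""

if __name__ == "__main__":
    for lineno, addr, name in find_blocked_security_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

On a real machine, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts; the localhost line is ignored because it is not on the watch list.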

**********

From the interesting reading department:

Gartner: Buyouts highlight what’s hot in net security

One analyst says the security acquisitions that went down last week – Juniper buying Funk Software, Citrix’s purchase of Teros and Force10’s MetaNetworks buy – highlight some of the most intriguing areas in network security technology. Network World, 11/21/05.

http://www.networkworld.com/news/2005/112105-security-side.html?nl

Today’s security officers wear many hats

Effective chief information security officers are trusted advisers to their companies, respected leaders of their technical teams and risk experts all at once – which is no small task, according to a panel of CISOs who spoke last week at the Computer Security Institute’s conference. Network World, 11/21/05.

http://www.networkworld.com/news/2005/112105-ciso.html?nl