• United States

A potpourri of updates to close out the year

Dec 22, 20056 mins

* Patches from Debian, Gentoo, Mandriva, others * Beware Santa Claus worm that strikes IM clients * The NSA and domestic surveillance

This is our last newsletter of 2005.  We’ll be back in your inbox on January 3, 2006. Hope all of you have a happy holiday and great New Year!

Today’s bug patches and security alerts:

Recent updates from Debian:

dropbear (buffer overflow, code execution):

nbd (buffer overflow, code execution):


Recent updates from Gentoo:

Opera (arbitrary shell commands):

CenterICQ (Multiple vulnerabilities):


Recent patches from Mandriva:

apache2 (denial-of-service):

sudo (code execution):


Recent updates from Fedora:

util-linux and mount (elevated privileges):

openssl (multiple flaws):

gtk2 (multiple flaws):

enscript (arbitrary code execution):

a2ps (arbitrary code execution):

lynx (code execution):

redhat-config-nfs (incorrect permissions):


Today’s roundup of virus alerts:

Before I get to the roundup of viruses, a quick story:

I nearly got hit with one of the IM bot viruses in circulation. A colleague sent me a message to look at photos on Photobucket (at least that’s what the link looked like). I clicked it because I thought it had to do with photos another colleague had sent around earlier in the day of their new baby, whose photos were really on Photobucket. When the Internet Explorer window opened and was trying to access a PIF on a strange IP address, I quickly shut things down – well before I got infected. A close call!

Here’s more info on the virus:,aid,123854,00.asp

Santa Claus worm strikes IM clients

The Santa Claus worm doesn’t care whether you’ve been naughty or nice, but it’s making a list of PCs to infect this holiday season, according to a threat alert released by security firm IMlogic on Tuesday. IDG News Service, 12/21/05.

Troj/Agent-GG — A Trojan that communicates with remote servers via HTTP. It is installed as “vld5750.dll” in the Windows System folder. (Sophos)

W32/Feebs-A — An e-mail worm that arrives from a “Protected E-mail Service”. The virus tries to harvest information from the infected host, sending the data back to the author. It drops “ms.exe” in the Windows System directory. (Sophos)

Troj/Banload-BS — Another Trojan that tries to connect with remote servers via an HTTP connection. (Sophos)

Troj/Banload-CL — A second variant of the Banload Trojan. It can be used to download additional malicious code, typically Internet banking Trojans. (Sophos)

W32/Traxg-G — This virus spreads through e-mails and network shares. The messasge “Warning / This Folder Has Been Damage!” appears on the machine when the virus strikes. It tries to create an “admin” account on the host. (Sophos)

Troj/BagleDl-AP — A new Trojan that spreads through network shares, dropping “anti_troj.exe” in the Windows System folder and communicating with remote sites via HTTP. (Sophos)

Troj/BagleDl-AR — This variant spreads through an e-mail message that looks like a confirmation of a system payment and comes with an attachment. A randomly named file is dropped on the infected machine. (Sophos)

Troj/BagleDl-V — A third BagleD1 variant that is used to download additional code from remote sites on the Internet. (Sophos)

Troj/Feutel-BC — A virus that inserts its code in the explorer.exe process to hide itself from detection. It also drops “G_Server.exe” in the Windows System directory.  It can be used to allow backdoor access to the infected host. (Sophos)

Troj/Bancos-FV — An Internet banking Trojan (it targets username and password data) that installs itself as “kernels32.exe” in the Windows folder. (Sophos)

W32/Rbot-AFV — This latest Rbot variant installs an IRC-accessible backdoor after spreading through a network share. Typically weak passwords and known Windows flaws are exploited. It drops a randomly named file in the Windows System folder. (Sophos)

W32/Rbot-BCQ — Another Rbot that tries to exploit security weakness as it spreads through network shares. This variant drops “winupl.exe” in the Windows System folder. (Sophos)

W32/Rbot-BFL — A third similar Rbot variant that allows IRC access and can be used for a number of malicious purposes. This variant installs “BIOSserv.exe” in the Windows System folder. (Sophos)

W32/Bagle-AR — A Bagle variant that spreads through an e-mail message with a blank title and attached ZIP file. “re_file.exe” is dropped in the Windows System folder and certain system processes are killed. (Sophos)

W32/Bloat-A — A “prepending” virus that tries to add its code to existing executable files. It drops “” in the Windows System folder as well. (Sophos)

Troj/Jupdrop-A — A Trojan “dropper” that tries to put additional malicious code on the already infected host. Jupdrop-A puts “mspostsp.exe” and “msupdate32.dll” in the Windows System or Application Data files. (Sophos)

W32/Sunk-A — A virus that tries to spread through network shares, IM and peer-to-peer applications. It drops “skunk.exe” in a number of folder and tries to copy it to the A drive as well. (Sophos)

Troj/Bancban-MV — Another Internet banking Trojan that tries to glean username and password information to send to a remote site. “system32.exe” is dropped in the Windows System folder. (Sophos)

W32/Protorid-AG — A new worm that spreads through network shares and allows backdoor access through IRC. It drops “INTERNAT.EXE” in a number of shared application folders. (Sophos)


From the interesting reading department:

The NSA and domestic surveillance

The New York Times’ revelatory articles on how President Bush authorized the National Security Agency to conduct domestic intelligence on U.S. soil to identity possible terrorists has ignited a firestorm of controversy. It’s certain to spread into hearings on Capitol Hill, a search for anyone who leaked the information and the type of tumult we endure as part of our political life., 12/21/05.

Your thoughts on the issue?