* Patches from Debian, Gentoo, Mandriva, others
* Beware Santa Claus worm that strikes IM clients
* The NSA and domestic surveillance

This is our last newsletter of 2005. We’ll be back in your inbox on January 3, 2006. Hope all of you have a happy holiday and great New Year!

Today’s bug patches and security alerts:

Recent updates from Debian:

dropbear (buffer overflow, code execution): https://www.debian.org/security/2005/dsa-923

nbd (buffer overflow, code execution): https://www.debian.org/security/2005/dsa-924

**********

Recent updates from Gentoo:

Opera (arbitrary shell commands): https://security.gentoo.org/glsa/glsa-200512-10.xml

CenterICQ (Multiple vulnerabilities): https://security.gentoo.org/glsa/glsa-200512-11.xml

**********

Recent patches from Mandriva:

apache2 (denial-of-service): https://wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:233

sudo (code execution): https://wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:234

**********

Recent updates from Fedora:

util-linux and mount (elevated privileges): http://www.networkworld.com/go2/1219bug2a.html

openssl (multiple flaws): http://www.networkworld.com/go2/1219bug2b.html

gtk2 (multiple flaws): http://www.networkworld.com/go2/1219bug2c.html

enscript (arbitrary code execution): http://www.networkworld.com/go2/1219bug2d.html

a2ps (arbitrary code execution): http://www.networkworld.com/go2/1219bug2e.html

lynx (code execution): http://www.networkworld.com/go2/1219bug2f.html

redhat-config-nfs (incorrect permissions): http://www.networkworld.com/go2/1219bug2g.html

**********

Today’s roundup of virus alerts:

Before I get to the roundup of viruses, a quick story:

I nearly got hit with one of the IM bot viruses in circulation. A colleague sent me a message to look at photos on Photobucket (at least that’s what the link looked like). I clicked it because I thought it had to do with photos another colleague had sent around earlier in the day of their new baby, whose photos were really on Photobucket.
When the Internet Explorer window opened and was trying to access a PIF on a strange IP address, I quickly shut things down – well before I got infected. A close call!

Here’s more info on the virus:
http://www.pcworld.com/news/article/0,aid,123854,00.asp

Santa Claus worm strikes IM clients

The Santa Claus worm doesn’t care whether you’ve been naughty or nice, but it’s making a list of PCs to infect this holiday season, according to a threat alert released by security firm IMlogic on Tuesday. IDG News Service, 12/21/05.
http://www.networkworld.com/news/2005/122005-santa-claus-worm.html

Troj/Agent-GG — A Trojan that communicates with remote servers via HTTP. It is installed as “vld5750.dll” in the Windows System folder. (Sophos)

W32/Feebs-A — An e-mail worm that arrives from a “Protected E-mail Service”. The virus tries to harvest information from the infected host, sending the data back to the author. It drops “ms.exe” in the Windows System directory. (Sophos)

Troj/Banload-BS — Another Trojan that tries to connect with remote servers via an HTTP connection. (Sophos)

Troj/Banload-CL — A second variant of the Banload Trojan. It can be used to download additional malicious code, typically Internet banking Trojans. (Sophos)

W32/Traxg-G — This virus spreads through e-mails and network shares. The message “Warning / This Folder Has Been Damage!” appears on the machine when the virus strikes. It tries to create an “admin” account on the host. (Sophos)

Troj/BagleDl-AP — A new Trojan that spreads through network shares, dropping “anti_troj.exe” in the Windows System folder and communicating with remote sites via HTTP. (Sophos)

Troj/BagleDl-AR — This variant spreads through an e-mail message that looks like a confirmation of a system payment and comes with an attachment. A randomly named file is dropped on the infected machine. (Sophos)

Troj/BagleDl-V — A third BagleDl variant that is used to download additional code from remote sites on the Internet.
(Sophos)

Troj/Feutel-BC — A virus that inserts its code in the explorer.exe process to hide itself from detection. It also drops “G_Server.exe” in the Windows System directory. It can be used to allow backdoor access to the infected host. (Sophos)

Troj/Bancos-FV — An Internet banking Trojan (it targets username and password data) that installs itself as “kernels32.exe” in the Windows folder. (Sophos)

W32/Rbot-AFV — This latest Rbot variant installs an IRC-accessible backdoor after spreading through a network share. Typically weak passwords and known Windows flaws are exploited. It drops a randomly named file in the Windows System folder. (Sophos)

W32/Rbot-BCQ — Another Rbot that tries to exploit security weaknesses as it spreads through network shares. This variant drops “winupl.exe” in the Windows System folder. (Sophos)

W32/Rbot-BFL — A third similar Rbot variant that allows IRC access and can be used for a number of malicious purposes. This variant installs “BIOSserv.exe” in the Windows System folder. (Sophos)

W32/Bagle-AR — A Bagle variant that spreads through an e-mail message with a blank title and attached ZIP file. “re_file.exe” is dropped in the Windows System folder and certain system processes are killed. (Sophos)

W32/Bloat-A — A “prepending” virus that tries to add its code to existing executable files. It drops “svchost.com” in the Windows System folder as well. (Sophos)

Troj/Jupdrop-A — A Trojan “dropper” that tries to put additional malicious code on the already infected host. Jupdrop-A puts “mspostsp.exe” and “msupdate32.dll” in the Windows System or Application Data files. (Sophos)

W32/Sunk-A — A virus that tries to spread through network shares, IM and peer-to-peer applications. It drops “skunk.exe” in a number of folders and tries to copy it to the A drive as well. (Sophos)

Troj/Bancban-MV — Another Internet banking Trojan that tries to glean username and password information to send to a remote site. “system32.exe” is dropped in the Windows System folder.
(Sophos)

W32/Protorid-AG — A new worm that spreads through network shares and allows backdoor access through IRC. It drops “INTERNAT.EXE” in a number of shared application folders. (Sophos)

**********

From the interesting reading department:

The NSA and domestic surveillance

The New York Times’ revelatory articles on how President Bush authorized the National Security Agency to conduct domestic intelligence on U.S. soil to identify possible terrorists have ignited a firestorm of controversy. It’s certain to spread into hearings on Capitol Hill, a search for anyone who leaked the information and the type of tumult we endure as part of our political life. NetworkWorld.com, 12/21/05.
http://www.networkworld.com/weblogs/security/010677.html

Your thoughts on the issue?
http://www.networkworld.com/community/?q=node/3969#comment