August is Internet Worm Month

Aug 21, 2003 (6 mins)

* Patches from Microsoft, Macromedia, others
* Beware latest variant of the Blaster worm
* Navy Marine Corps Intranet hit by Welchia worm, and other interesting reading

What is going on this month? Did I miss the memo proclaiming August “Worm Month”? Last week it was Blaster and this week we’ve got the Nachi/Welchia virus (the anti-Blaster) and the return of Sobig, both causing headaches for network administrators and home users. Sobig is a pain because it’s not only infecting machines at a high rate, it’s also generating a lot of rejected e-mail messages from virus scanners. I’ve deleted a couple dozen this morning from virus scanners thinking I was sending infected messages, when really it’s just my address being spoofed. What a pain!

Here are some stories and information related to this week’s outbreaks:

MessageLabs: Sobig.F breaks speed records, IDG News Service, 08/21/03

New strain of Sobig virus circulating, IDG News Service, 08/19/03

Worm aims to eradicate Blaster, Network World Fusion, 08/18/03

Sophos Sobig information:

Sophos Nachi/Welchia information:

Disinfectant/protection tools:

Sophos Sobig-f disinfection tool:

Panda Software Sobig-f disinfection tools:

Free version of GFI MailSecurity for Exchange/SMTP 8:

Today’s bug patches and security alerts:

Microsoft warns of critical flaws in Internet Explorer; patches MDAC

Microsoft Wednesday released a patch for a number of flaws in its Internet Explorer Web browser, including two it rated critical for some versions of the browser, which could enable an attacker to take control of a user’s computer. The company also released a patch for a flaw, rated important, in the MDAC – Microsoft Data Access Components – element of its Windows operating systems. IDG News Service, 08/21/03.

Microsoft’s IE cumulative patch advisory:

Unchecked MDAC buffer advisory:


Macromedia patches Dreamweaver, UltraDev

A cross-site scripting vulnerability has been found and fixed in Macromedia’s Dreamweaver and UltraDev product lines. The flaw could be exploited by an attacker to access site-specific cookies and session information. An attacker cannot run arbitrary code on the affected machine when exploiting this vulnerability. For more, go to:


Red Hat releases kernel 2.4 update

A new update of the Red Hat Linux 2.4 kernel fixes a number of obscure bugs and vulnerabilities that were discovered in previous versions of the code. For more, go to:


Debian patches autorespond

A buffer overflow in autorespond, an automatic e-mail response tool for qmail, could be exploited by a malicious user to run arbitrary code with the privileges of the user that set up autorespond. For more, go to:

Debian issues fix for netris game package

A buffer overflow flaw in the netris game package could be exploited by an attacker to run arbitrary code on the affected machine with the privileges of the netris user. To exploit the flaw, a netris client would have to connect to a hostile server. For more, go to:


Updated unzip packages available from Red Hat, Mandrake Linux

A flaw in unzip that could allow arbitrary files to be overwritten has been patched by Red Hat and Mandrake Linux. For more, go to:

Red Hat:

Mandrake Linux:


Mandrake Linux patches eRoaster

A flaw in the way eRoaster, a CD burning application, uses temporary files could be exploited by a malicious user to run arbitrary code with the privileges of the eRoaster user. For more, go to:


Today’s roundup of virus alerts:

W32/Dumaru-A – This virus spreads via an e-mail purporting to be a patch from Microsoft for Internet Explorer. The virus will overwrite certain file types on the infected machine. (Sophos)

W32/Blaster-D – Another variant of last week’s Blaster worm. This version is packed a bit differently and uses the filename “mspatch.exe”. (Sophos)

Troj/Bdoor-RQ – A backdoor Trojan that uses a modified version of the netcat utility to listen to a specific port for instructions from an attacker. (Sophos)


From the interesting reading department:

Microsoft Weighs Automatic Security Updates as a Default

Microsoft executives, digging out from the aftermath of an unwelcome Internet worm that wriggled into 500,000 of its customers’ computers last week, say that it is time to consider making software updates automatic for home users of the Windows operating system. Washington Post, 08/19/03.

Navy Marine Corps Intranet hit by Welchia worm

About three-quarters of the Navy Marine Corps Intranet has lost network capacity due to an infestation by the Welchia worm (also called Nachi), according to Navy sources. First seen Monday, the Welchia worm attempts to eradicate the Blaster worm, which spread to millions of Windows-based machines last week. Network World Fusion, 08/19/03.

Microsoft users want company to beef up security

As the threat of a malicious electronic “worm” unleashed over the Internet appears to subside, technology experts are turning their attention to the responsibility of Microsoft Corp. in averting such crises in the future. Portsmouth Herald, 08/19/03.

Bluetooth users beware

The security dangers of Bluetooth have been discovered by a piece of sniffing software created by U.K. researcher Ollie Whitehouse, who works for security firm @Stake., 08/18/03.

Sygate beefs up its security software

Sygate has beefed up its security software, making it possible to secure all endpoints on a network – servers, desktops, via remote access or on the LAN – by making sure they are compliant with corporate security policies. Network World Fusion, 08/18/03.

Citibank warns of e-mail scam

Citibank, a division of New York Citigroup, is warning customers to immediately delete a scam e-mail asking them to provide their user names and the first four digits of their bank cards. IDG News Service, 08/19/03.