Message-ID: <10780914.1075856553608.JavaMail.evans@thyme>
Date: Mon, 21 Aug 2000 10:23:00 -0700 (PDT)
From: vince.kaminski@enron.com
To: vkaminski@aol.com
Subject: New Love Letter variant
Mime-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: quoted-printable
X-From: Vince J Kaminski
X-To: vkaminski@aol.com
X-cc:
X-bcc:
X-Folder: \Vincent_Kaminski_Jun2001_4\Notes Folders\'sent mail
X-Origin: Kaminski-V
X-FileName: vkamins.nsf

---------------------- Forwarded by Vince J Kaminski/HOU/ECT on 08/21/2000 05:28 PM ---------------------------

"NW Security and Bug Patch Alert" on 08/21/2000 05:12:07 PM

Please respond to "Security and Bug Patch Alert Help"

To:
cc:
Subject: New Love Letter variant

NETWORK WORLD FUSION FOCUS: JASON MESERVE on SECURITY AND BUG PATCH ALERT
TODAY'S FOCUS: New Love Letter variant
08/21/00

Dear Wincenty Kaminski,

Today's Focus: New Love Letter variant
---------------------------------------------------------------
By Jason Meserve

Here we go yet again. The antivirus vendors are all sending out alerts warning their customers of a new strain of the infamous Love Letter virus that struck last May.

This version comes with the subject line of "resume" and contains an attachment called "resume.txt.vbs". The file contains a fake resume, though reports vary on whether it is a German or a Swiss engineer that is profiled. Makes no difference - the file infects the host computer and then attempts to send itself to everyone in the local Outlook address book.

It seems as if the virus is targeted at customers of the United Bank of Switzerland. The new strain attempts to steal UBS account information off the infected computer. UBS claims that the virus threatens few people and that most customer data is secure.

For U.S. users, the problem could be more clogged e-mail pipes. But hopefully, the general user population is now trained to be wary of any attachment, especially those ending in .vbs.

Most of the antivirus vendors are updating their virus definition files, and protection should be available shortly, if not already. For more:
http://www.nwfusion.com/news/2000/0817swissbug.html

Before we get on to today's alerts and patches, I'd like to mention some upcoming coverage in Network World. A few weeks back I mentioned a company in London offering "hacker insurance." A couple of you wrote in looking for more information. Unfortunately, I do not have the space to cover such issues here. Not to fret.
Mich Kabay, author of Network World's Security newsletter, plans to take up the topic in an upcoming edition. Mich has some great tips for keeping your company network equipment secure, so check out his newsletter at:
http://www.nwfusion.com/newsletters/sec/

Also, the features department here at Network World is working on a feature on the subject of hacker insurance, and they are looking for help. If you've got something to share, check out our forum:
http://www.nwfusion.com/cgi-bin/WebX.cgi?230@@.ee6f1b5

If you're looking for more information, stay tuned to Network World and Mich's newsletter.

Now on with the latest patches and alerts:

Guninski finds another IE and Windows problem

Famed Microsoft bug hunter Georgi Guninski has found problems in Internet Explorer 5.5 and Windows 98 that could allow outside users to take control of the affected system. Both problems revolve around the Shell DefView ActiveX control. The issue has been confirmed by independent sources, according to news reports. For more information:
http://www.nat.bg/~joro/ieshelldefview.html

**********

SGI fixes problem with Linux kernel

SGI has released a patch for its ProPack for Linux, which ships with a modified Linux kernel. A problem in the kernel could allow a local user on an affected machine to gain root access. For fix information:
http://www.linux.org.uk/VERSION/relnotes.2216.html

**********

Microsoft releases patch for "Specialized Header" vulnerability

A problem in the Windows 2000 version of Microsoft's Internet Information Server could allow a remote user to view sensitive file information. The problem can be exploited using a specially formatted request header. For more information on the problem and to download the patch:
http://www.microsoft.com/technet/security/bulletin/fq00-058.asp

**********

OS/2 Warp 4.5 FTP vulnerability

For those still running the OS/2 Warp operating system, security consultancy Vigilante has discovered a vulnerability in the system's FTP server.
The vulnerability could be used to crash the server. IBM has released a patch for the problem:
ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/

**********

FreeBSD fixes range of problems:

Zope: The open-source Web application server contains a vulnerability that could allow DHTML files to be changed remotely. Patches are available from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/zope-2.2.0.tgz

Dhclient: The DHCP client for Linux can be tricked by a rogue DHCP server into executing arbitrary commands. For patches:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/isc-dhcp3-3.0.b1.17.tgz

Proftpd: The FTP server could allow both named and anonymous FTP users to execute arbitrary commands on the server as root. For patches:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/proftpd-1.2.0rc2.tgz

Ntop: This program is used for monitoring network usage. However, it can be susceptible to buffer overflow attacks, which can be used to execute arbitrary commands on the affected server. For patches:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/ntop-1.1.tgz

**********

Red Hat fixes gpm module problems

Red Hat Linux last week announced it has fixed two potential problems in the gpm module that ships with Version 5.2 and 6.x of the open-source operating system. The problems could let a local user launch a denial-of-service attack or execute arbitrary commands using elevated privilege. For more information:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11607

**********

Trustix urges users to upgrade Linux mail and perl packages

Two vulnerabilities in mail and perl packages that can be exploited together to give a user root access have been patched in Trustix's Secure Linux. The company is urging customers to upgrade as soon as possible. For source files:
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/SRPMS/mailx-8.1.1-16.src.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/SRPMS/perl-5.00503-10tr.src.rpm

**********

Today's list of virus alerts:

W32/Sysid - This e-mail worm comes with no subject and could have up to 99 different filenames. The virus infects a number of system files and attempts to e-mail itself to users listed in an Outlook address book.
(Sophos, Computer Associates)

WM97/Doeii-A - The Word macro virus displays a message, changes a document's content and adds a password to the document. (Sophos)

W32/Bugfix and VBS/Bugfix - This virus shows up in an inbox claiming to be a Windows bugfix with an attachment called "bugfix.exe." When the file is opened it infects all files in the Windows directory and attempts to send itself to all users listed in an Outlook address book. (Sophos, Computer Associates)

WM97/Vmpck1-DV - Word macro virus attempts to change the label of the infected computer's C: drive to "suca." It also tries to replace all references to "il" in a Word document to "il cazzo duro." (Sophos)

WM97/Marker-FF - Another Word macro virus that tries to change a document's author information to "Ethan Frome." (Sophos)

WM97/Marker-C - This Word macro virus takes the infected file's summary information and transmits it to the Codebreaker's Web site. (Sophos)

WM97/Tpro-A - A lame Word macro virus that comes without a payload. (Sophos)

**********

Miss an issue? Just point your browser at the following link and you'll be caught up on all your summer reading in no time:
http://www.nwfusion.com/newsletters/bug/

To contact Jason Meserve:
-------------------------
Jason Meserve is a staff writer with Network World, covering search engines, portals, videoconferencing, IP Multicast and document management. He also oversees the "Security Alerts" page on Fusion (http://www2.nwfusion.com/security/bulletins.html). Jason can be reached at mailto:jmeserve@nww.com.
-------------------------

Have editorial comments? Write Jeff Caruso, Newsletter Editor, at: mailto:jcaruso@nww.com

Network World Fusion is part of IDG.net, the IDG Online Network.

Copyright Network World, Inc., 2000
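
The Love Letter item above names an attachment, "resume.txt.vbs", whose script extension sits behind a harmless-looking one. As an added example (not part of the newsletter or of any vendor's product), this mail-filter check flags such attachment names; the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy lists for illustration, not taken from the newsletter.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "exe", "scr", "pif", "bat", "cmd"}
DECOY_EXTS = {"txt", "doc", "rtf", "jpg", "gif", "pdf", "htm", "html"}

def classify_attachment(filename):
    """Return 'double-extension', 'script', or None for one attachment name."""
    # Windows drops trailing dots and spaces when it resolves the extension,
    # so normalise them away before looking at the last component.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"  # e.g. resume.txt.vbs can display as "resume.txt"
    return "script"

def scan_message(raw):
    """Return [(filename, verdict)] for each risky attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        verdict = classify_attachment(filename) if filename else None
        if verdict:
            findings.append((filename, verdict))
    return findings

def build_sample():
    """Constructed sample message; the attachment bodies are inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "resume"
    msg.set_content("Resume attached.")
    for name in ("resume.txt.vbs", "notes.txt", "bugfix.exe"):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```

A gateway would normally quarantine on either verdict; the double-extension verdict is the stronger signal because the name is built to mislead the recipient.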