Message-ID: <28803563.1075856939487.JavaMail.evans@thyme>
Date: Thu, 16 Mar 2000 09:37:00 -0800 (PST)
From: vince.kaminski@enron.com
To: vincek@leland.stanford.edu
Subject: 'South Park' virus on the loose
Mime-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: quoted-printable
X-From: Vince J Kaminski
X-To: vincek@leland.Stanford.edu
X-cc:
X-bcc:
X-Folder: \Vincent_Kaminski_Jun2001_8\Notes Folders\Sent
X-Origin: Kaminski-V
X-FileName: vkamins.nsf

---------------------- Forwarded by Vince J Kaminski/HOU/ECT on 03/16/2000 05:38 PM ---------------------------

"NW Security and Bug Patch Alert" on 03/14/2000 02:50:13 AM

Please respond to "Security and Bug Patch Alert Help"

To:
cc:
Subject: 'South Park' virus on the loose

NETWORK WORLD FUSION FOCUS: JASON MESERVE on SECURITY AND BUG PATCH ALERT
TODAY'S FOCUS: 'South Park' virus on the loose
03/13/00

Dear Wincenty Kaminski,

Today's Focus: 'South Park' virus on the loose
---------------------------------------------------------------
By Jason Meserve

It's been a year since the infamous "Melissa" virus downed e-mail systems nationwide and caused some panic in the general Internet populace. In the year since, we have a number of copycats and variants of Melissa invading our e-mail systems, though not to the same extent.

Now, the e-mail virus du jour is the "South Park" virus, named after the animated series on Comedy Central. The South Park virus, known in security circles as W32/Pretty.worm.unp, attempts to send itself to all the addresses listed in an infected user's Outlook address book every thirty minutes. By doing so, the virus causes an "e-mail storm" that can bog down and crash network servers attempting to relay the flurry of mail.

South Park appears to come from a known user and contains an icon featuring Kenny, one of the characters from the show.
Security software maker Finjan Software has reported seven variants of the South Park virus, which itself is a variant of the PrettyPark virus that made the rounds a few weeks earlier.

For more information on South Park and its variants:
http://www.nwfusion.com/news/2000/0306southpark.html
http://www.finjan.com/attack_release_detail.cfm?attack_release_id=32

Before we get to the latest alerts, two other resources to check out:

1. The Shmoo Group, a security consultancy, has written a paper entitled "How to Write Secure Code." It can be found at:
http://www.shmoo.com/securecode/

2. Eric Knight of Security Paradigm has written an online book entitled "Computer Vulnerabilities." The book looks into how hackers exploit vulnerabilities and what methods they use. Knight's book is available in PDF format at:
http://www.securityparadigm.com/compvuln_draft.pdf

Now on with the latest alerts and patches:

W97M/Melissa.AO virus

Computer Associates is reporting a new version of the Melissa macrovirus that could be making the rounds. This one disables the Tools/Macro command bar, Virus Protection, SaveNormalPrompt and ConfirmConversions options in Microsoft Word. It also makes a couple of changes to the Windows registry. Like the original Melissa, this version replicates itself to the first 25 users in the Outlook address book.
http://www.ca.com/virusinfo/

***********

Microsoft had a busy week, releasing three patches covering a variety of problems:

1. Patch available for "Registry Permissions" vulnerability.
It seems as if the security on a couple of registry settings in Windows NT 4.0 is not as secure as the Redmonians first thought. This patch fixes the problem, which could let a malicious user gain additional privileges on a system they are logged into.
http://www.microsoft.com/technet/security/bulletin/fq00-008.asp

2. Patch available for "SQL Query Abuse" vulnerability.
This patch for Microsoft SQL Server 7.0 and Microsoft Data Engine 1.0 plugs a hole that could enable a remote user to author malicious SQL queries that allow the user to take unauthorized actions against the database or underlying operating system.
http://www.microsoft.com/technet/security/bulletin/fq00-014.asp

3. Patch available for "Clip Art Buffer Overrun" vulnerability.
A feature in Microsoft Office that lets users download and install clip art from the "Microsoft Clip Art Gallery" has a potential hole. Using a very long embedded field in the clip art files, a malicious user could crash or even execute code on the system where the clip art file is downloaded.
http://www.microsoft.com/technet/security/bulletin/fq00-015.asp

***********

Red Hat releases nmh packages

Following up a vulnerability that was reported here last week, Red Hat has released new nmh packages. A vulnerability in the previous nmh releases allowed specially formed MIME headers to execute code using nmh's 'mhshow' utility.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=9921

***********

Network file resource vulnerability

Eric Hacker of Lucent's NetworkCare division is reporting that applications running in Windows could provide remote access to user name and password information. Hacker warns that programs such as Internet Explorer, Eudora, Word and Outlook running on default configurations of Windows can be duped into sending a user name and password information to unsuspecting users. Though this information may be encrypted, it is easily crackable, Hacker reports.
For more information:
Windows 95: http://support.microsoft.com/support/kb/articles/Q165/4/03.ASP
NT 4.0: http://support.microsoft.com/support/kb/articles/Q147/7/06.asp
Win2000: http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP

***********

Password problem in SBC DSL routers

A Kewlhair Security advisory reports that routers being used in SBC Communications' digital subscriber line service are being installed without a password. Kewlhair reports that engineers are failing to set the passwords during installation at customer sites. SBC is using Cayman DSL routers.

For more information on how to set the password:
http://cayman.com/security.html#passwordprotect

***********

Astar application vulnerability

TESO, "crew of coders and freaks who care mostly about network and Unix security," are reporting a hole in the astar application that ships with the Halloween 4 Linux distribution. Malicious users could use the application along with obscure command-line code to gain root access.

Vendor Web site: http://www.halloween-linux.de/

***********

Vulnerability in StarScheduler

S.A.F.E.R. is reporting a vulnerability in StarScheduler, the groupware server that comes with Sun's StarOffice product. The underlying Web server used by StarScheduler is vulnerable to remote execution of code and root access, according to the S.A.F.E.R. advisory. Sun has yet to release a patch.
http://www.safermag.com/advisories/0007.html

***********

To contact Jason Meserve:
-------------------------
Jason Meserve is a staff writer with Network World, covering search engines, portals, videoconferencing, IP Multicast and document management. He also oversees the "Security Alerts" page on Fusion (http://www2.nwfusion.com/security/bulletins.html). Jason can be reached at mailto:jmeserve@nww.com.
*********************************************************

Network World Fusion is part of IDG.net, the IDG Online Network.

Copyright Network World, Inc., 2000