NAME: Lebreat
ALIAS: Breatle, W32/Lebreat@mm, W32/Reatle@MM
W32/Lebreat.A@mm is a mass-mailer and a network worm. It was found on July 15th, 2005. Shortly after the initial version, there appeared 2 more variants. The worm also has a backdoor, a trojan downloader and DoS (Denial of Service) attack capabilities.
VARIANT: W32/Lebreat.A@mm
Affected:
On Windows:
RealPlayer 10.5 (6.0.12.1040-1069)
RealPlayer 8/10
RealOne Player v2/v1
RealPlayer Enterprise
Rhapsody 3 (build 0.815-0.1006)
On Mac OS:
Mac RealPlayer 10 (10.0.0.305-331)
Mac RealOne Player
On Linux:
Linux RealPlayer 10 (10.0.0-4)
Helix Player (10.0.0-4)
Description: RealNetworks' various media players contain the following
vulnerabilities that can be exploited by a malicious webpage or an HTML email
to compromise a client system.
(a) A specially crafted AVI movie file triggers a heap-based overflow that
can be exploited to execute arbitrary code. The problem arises when the
"stream format chunk (strf)" size in an AVI file is greater than 1064 bytes.
(b) A specially crafted RealMedia file with RealText also triggers a heap-based
overflow that can be exploited to execute arbitrary code. The problem arises
when the size of the RealText data exceeds 256 bytes.
(c) A specially crafted MP3 file can overwrite a local file or lead to execution
of an ActiveX control on the client system. This can be exploited to install
malware on client systems. The technical details required to leverage this flaw
have not been posted yet.
Note that systems with RealPlayer configured as the default media player are
at a greater risk as the malicious media files may be opened without any user
prompting.
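As an added illustration (not code from the advisory or from RealNetworks), this Python walks the RIFF chunk tree of an AVI file and reports any "strf" chunk whose declared size exceeds the 1064-byte figure quoted above, the kind of content check a mail gateway or proxy can apply before a file reaches the player. The sample files it inspects are constructed inside the block; the 1064-byte limit is taken from the advisory text and the chunk layout follows the standard AVI RIFF structure.

```python
"""Walk the RIFF chunk tree of an AVI file and flag oversized 'strf' chunks."""
import struct
from typing import Iterator, List, Optional, Tuple

STRF_LIMIT = 1064  # the "stream format chunk" size threshold named in the advisory


def walk_chunks(buf: bytes, start: int = 0, end: Optional[int] = None,
                path: str = "") -> Iterator[Tuple[str, str, int]]:
    """Yield (parent_path, fourcc, declared_size) for every chunk in buf[start:end],
    descending into RIFF and LIST containers. Declared sizes are never trusted
    for reading: every range is clamped to the buffer actually in hand."""
    if end is None:
        end = len(buf)
    pos = start
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4].decode("ascii", errors="replace")
        (size,) = struct.unpack_from("<I", buf, pos + 4)
        data_start = pos + 8
        data_end = min(data_start + size, end)  # clamp: truncated or lying sizes stay in bounds
        yield (path, fourcc, size)
        if fourcc in ("RIFF", "LIST") and data_end - data_start >= 4:
            list_type = buf[data_start:data_start + 4].decode("ascii", errors="replace")
            yield from walk_chunks(buf, data_start + 4, data_end, f"{path}/{fourcc}:{list_type}")
        pos = data_end + (size & 1)  # chunk payloads are padded to an even length


def oversized_strf(buf: bytes, limit: int = STRF_LIMIT) -> List[int]:
    """Return the declared sizes of every 'strf' chunk larger than limit (empty list = clean)."""
    return [size for _, fourcc, size in walk_chunks(buf) if fourcc == "strf" and size > limit]


# --- constructed sample files (fixtures for this example, not real media) ---
def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\x00" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _list(list_type: bytes, *children: bytes) -> bytes:
    return _chunk(b"LIST", list_type + b"".join(children))


def build_avi(strf_size: int) -> bytes:
    """Minimal AVI skeleton: RIFF/AVI -> LIST/hdrl -> avih, LIST/strl -> strh, strf; then an empty LIST/movi."""
    strl = _list(b"strl", _chunk(b"strh", bytes(56)), _chunk(b"strf", bytes(strf_size)))
    hdrl = _list(b"hdrl", _chunk(b"avih", bytes(56)), strl)
    return _chunk(b"RIFF", b"AVI " + hdrl + _list(b"movi"))


BENIGN_AVI = build_avi(40)     # a 40-byte BITMAPINFOHEADER is the normal video strf payload
SUSPECT_AVI = build_avi(1100)  # strf payload above the 1064-byte threshold

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AVI), ("suspect", SUSPECT_AVI)):
        print(name, oversized_strf(sample) or "no oversized strf chunks")
```

Because the walker clamps every range to the bytes actually present, a file cut short in transit is still inspected and an oversized strf chunk is still reported from its header.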
Status: RealNetworks has released updates for all the vulnerabilities. Users
should be advised to upgrade their player by clicking "Tools" or "Help" menu
and then choosing "Check For Updates".
References:
RealNetworks Advisory
http://service.real.com/help/faq/security/050623_player/EN/
eEye Advisory
http://www.eeye.com/html/research/advisories/AD20050623.html
iDefense Advisory
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0077.html
AVI File Format
http://msdn.microsoft.com/library/en-us/wcemultimedia5/html/wce50conAVIMainHeader.asp
RealText Reference
http://service.real.com/help/library/guides/realtext/htmfiles/intro.htm
SecurityFocus BIDs
http://www.securityfocus.com/bid/13530
Affected:
Internet Explorer, Mozilla, Opera, Safari, Firefox
Description: This vulnerability in multiple browsers may allow an attacker
to steal sensitive information from users and conduct phishing attacks. The
problem arises because a dialogue box opened by using javascript code does not
display the original website it belongs to. As a result, an attacker can craft
a webpage that opens a trusted webpage and a dialogue box (posting content to
the attacker's site), and ask the user to enter his information in the dialogue
box. Secunia has posted proof of concept code.
Status: Users should be advised to enter information only in the forms supplied
by the original site and not any dialogue boxes.
Council Site Actions: All of the reporting council sites are waiting on
confirmation and patches from the vendors. They will most likely deploy the
patch during one of their regularly scheduled system update processes.
References:
Secunia Advisory
http://secunia.com/secunia_research/2005-9/advisory/
SecurityFocus BIDs
http://www.securityfocus.com/bid/14007
http://www.securityfocus.com/bid/14008
http://www.securityfocus.com/bid/14009
http://www.securityfocus.com/bid/14010
http://www.securityfocus.com/bid/14011
http://www.securityfocus.com/bid/14012
MODERATE: Apple Mac OS X Security Update 2005-006
Affected:
Mac OS X Client and Server version 10.4.1
Description: Apple has released a security update 2005-006 for Mac OS X
client and server systems that fixes a number of vulnerabilities. The
major flaws that can be remotely exploited to compromise Mac OS systems
and have been fixed in this update are: (a) Multiple vulnerabilities in
PHP prior to version 4.3.11 that can be exploited to cause a DoS or
execute arbitrary code on a webserver running PHP. (b) A buffer overflow
in the implementation of the Apple File Server (AFP) protocol that can be
exploited to execute arbitrary code.
Status: Apply the Apple Security Update 2005-006.
References:
Apple Security Advisory
http://docs.info.apple.com/article.html?artnum=301742
PHP Vulnerabilities
http://www.sans.org/newsletters/risk/display.php?v=4&i=14#widely3
http://www.sans.org/newsletters/risk/display.php?v=4&i=16#05.16.21
MODERATE: Mozilla Browsers Frame Injection Vulnerability
Affected:
Firefox version 1.0.4
Mozilla version 1.7.8
Description: An old vulnerability has been rediscovered in the Mozilla and
Firefox browsers. This vulnerability permits a malicious website to inject
a "frame" into the browser window of another website. For example, the
content from http://www.malicious.com can be loaded into another window
displaying the content from http://www.mybank.com. The flaw can be
exploited by a malicious webpage to spoof its identity as a trusted site.
This may lead to stealing sensitive user information such as passwords, or
further compromise of the user system. Proof-of-concept browser test tools
have been publicly posted.
Status: Mozilla has not confirmed, no patches available.
References:
Secunia Advisory
http://secunia.com/advisories/15601/
Even if you do not/can not take the time to read through this page it is very important that you keep your system updated.
Please make sure that you download and install any security updates for your operating system as well as any security software you may have.
Affected: Mozilla Firefox 1.0.3 and prior
Description: Mozilla Firefox browser contains two vulnerabilities that can
be exploited in tandem to completely compromise a user's system. The problems
arise because Mozilla allows execution of javascript URLs in the context
of another website stored in its history list, and Mozilla allows its
software install function to display icons with javascript URLs. A
proof-of-concept exploit has been publicly posted. Since the Mozilla
software install function can be invoked in the default browser configuration
only from sites within the mozilla.org domain, once Mozilla patched its
servers the impact of the exploit was reduced.
Status: Mozilla has released Firefox version 1.0.4 that patches the code
execution flaws.
Council Site Actions: Most of the council sites still have limited use
of this application. However, they plan to deploy the new version. Some
sites are using the automatic update feature to get the updates installed.
References:
Mozilla Advisory
http://www.mozilla.org/security/announce/mfsa2005-42.html
http://www.mozilla.org/security/announce/mfsa2005-43.html
http://www.mozilla.org/security/announce/mfsa2005-44.html
Posting by Paul
http://www.securityfocus.com/archive/1/397817/2005-05-07/2005-05-13/0
PoC Exploit
http://greyhatsecurity.org/vulntests/ffrc.htm
CERT Advisories
http://www.kb.cert.org/vuls/id/534710
http://www.kb.cert.org/vuls/id/648758
SecurityFocus BIDs
http://www.securityfocus.com/bid/13544
Affected:
Windows 2000 SP3/SP4
Description: Microsoft has confirmed the remote script injection vulnerability
discussed in the @RISK newsletter posted on April 21, 2005, and released
patch MS05-024 to address the issue. A proof-of-concept exploit for this flaw
has already been published; hence, this patch should be applied to the
vulnerable Windows 2000 systems. Blocking ports 139/tcp and 445/tcp at the
network perimeter will block the most likely attack vector - an attacker
enticing users to browse the attacker's malicious shared folder.
Council Site Actions: Most of the council sites plan to deploy the patch
during their next regularly scheduled system update process. A few council
sites have already installed the patch. Several sites commented that they
are blocking ports 139/TCP and 445/TCP at their external perimeter control
points.
References:
Microsoft Security Bulletin MS05-024
http://www.microsoft.com/technet/security/bulletin/MS05-024.mspx
Previous @RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=4&i=16#widely3
SecurityFocus BID
http://www.securityfocus.com/bid/13248
Affected:
Mac OS X version 10.3.9 and prior
Mac OS X Server version 10.3.9 and prior
Description: Apple released a cumulative security update on May 3, 2005.
This update fixes a number of remote and local vulnerabilities that may
be exploited to completely compromise a system running Mac OS. The critical
vulnerabilities that can be remotely exploited, and have been fixed are:
(a) The "x-man-page://" URL is designed for man page look-ups and is
handled by the Terminal program. Mac OS does not properly sanitize the URL;
hence, it is possible to inject certain characters into the URL and execute
arbitrary commands on a user's system. A proof-of-concept exploit has been
publicly posted. (b) Mac OS contains a heap-based overflow in handling TIFF images that can
be exploited to execute arbitrary code. The technical details for this flaw
have been posted since December 2004. (c) The "help://" URL associated with
the Help Viewer application can be used to execute arbitrary JavaScript code.
A proof-of-concept exploit has been publicly posted.
Status: Apply the patch referenced in the Apple Security Update 2005-005.
References:
Apple Security Advisory
http://docs.info.apple.com/article.html?artnum=301528
Posting by David Remahl
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0035.html
http://remahl.se/david/vuln/004 (Help URL Flaw)
http://remahl.se/david/vuln/004/demo.html (PoC Exploit)
http://remahl.se/david/vuln/011/ (x-man-page URL flaw)
http://remahl.se/david/vuln/011/demo.html (PoC Exploit)
Advisories Related to Local Privilege Escalation Vulnerabilities
http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0060.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0037.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0058.html
http://archives.neohapsis.com/archives/bugtraq/2005-05/0056.html
libtiff Flaws Disclosed in 2004
http://www.idefense.com/application/poi/display?id=174&type=vulnerabilities&flashstatus=true
Secunia Advisory
http://archives.neohapsis.com/archives/secunia/2005-q2/0436.html
Affected:
Netscape versions 6.x and 7.x
Description: Netscape browser has been found vulnerable to some of the
remote code execution flaws reported in the Firefox browser last week.
Proof-of-concept exploits are available for these vulnerabilities. Since
there are no patches available, Netscape users should migrate to
Mozilla/Firefox browsers.
Council Site Updates: Most of the council sites are no longer using
Netscape as a supported browser and thus are not taking any action.
One site is still actively trying to convince their support organization
to abandon Netscape as a supported browser and move to Firefox. A second
organization has a large number of Netscape users; however, they do not
plan any action at this time. They have been pushing Internet Explorer
as the preferred browser since late 2004.
References:
Secunia Advisories
http://archives.neohapsis.com/archives/secunia/2005-q2/0380.html
http://secunia.com/advisories/15103/
Previous @RISK Postings
http://www.sans.org/newsletters/risk/display.php?v=4&i=16#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=12#widely3
Affected: Firefox version 1.0.2 and prior
Description: Mozilla Firefox has been steadily gaining market share among
browsers. The Firefox browser contains multiple flaws that can be exploited
to execute arbitrary code with the privileges of the logged-on user. The
following are three of the more severe flaws:
(a) The "<link>" tag can be used to load a custom image as a site's icon
in Firefox. However, Firefox does not sufficiently validate the source of
the custom image. Hence, by using a "javascript:" URL as the image source,
it is possible to execute arbitrary commands on the client. A proof-of-concept
exploit has been posted. Note that visiting a malicious web page is sufficient
to leverage this flaw.
(b) The "<embed>" tag's "pluginspage" attribute is used to load the URL for
installing a plug-in. By using a "javascript:" URL, it is possible to execute
arbitrary commands on the client.
(c) A malicious webpage can open privileged pages such as about:config in
the sidebar, and then use javascript URLs to execute arbitrary code on a
user's system.
Status: Mozilla confirmed. Firefox version 1.0.3 has been released. This
version fixes many other security vulnerabilities.
Council Site Actions: Just a handful of sites officially support or use Firefox.
One site has already patched, as they received notification over the weekend.
The other sites have advised their users to patch.
References: Mozilla Advisories
http://www.mozilla.org/security/announce/mfsa2005-34.html
http://www.mozilla.org/security/announce/mfsa2005-35.html
http://www.mozilla.org/security/announce/mfsa2005-36.html
http://www.mozilla.org/security/announce/mfsa2005-37.html
http://www.mozilla.org/security/announce/mfsa2005-38.html
http://www.mozilla.org/security/announce/mfsa2005-39.html
http://www.mozilla.org/security/announce/mfsa2005-40.html
http://www.mozilla.org/security/announce/mfsa2005-41.html
Posting by mikx
CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities
Affected:
Windows 2000 SP3 and SP4
Windows XP SP1 and SP2
Windows XP 64-bit SP1 and 2003
Windows 2003
Windows 98/ME/SE
Internet Explorer 5.01, 5.5 and 6.0
Description: Microsoft has released a cumulative security update for
Internet Explorer that patches the following vulnerabilities-
(a) A specially crafted webpage using certain Dynamic HTML functions
can force Internet Explorer to execute arbitrary code. The problem
occurs due to a race condition between IE threads that can be exploited
to overwrite a thread's memory with the attacker-supplied data. The
technical details and exploit code have been publicly posted.
(b) Internet Explorer contains a heap corruption vulnerability that
can be triggered by a link of the format '. A malicious webpage or an HTML email may exploit
this flaw to execute arbitrary code on a client system.
(c) Internet Explorer Content Advisor (can be reached by clicking
Tools->Options->Content on IE menu) can restrict IE users from accessing
certain sites. For example, parents can use the Content Advisor to limit
access to adult sites for their children. IE contains a buffer overflow
that can be triggered by a specially crafted Content Advisor file
(PICS format). Note that an attacker would need to convince a user to
accept the malicious PICS file in order to exploit the flaw.
Status: Apply the patch referenced in the Microsoft Security Bulletin
MS05-020. Note that Internet Explorer exploits are popularly used by
malicious sites to install spyware and Trojans on client systems.
Hence, this patch should be applied on an expedited basis.
HIGH: Microsoft Word Multiple Buffer Overflows
Affected:
Microsoft Word 2000/2002/2003
Microsoft Works Suite 2001/2002/2003/2004
Description: Microsoft has released patches for two buffer overflow
vulnerabilities in Microsoft Word. One of the buffer overflows that
has been patched was publicly reported in October 2004 along with
complete technical details. The technical details about the other
overflow have not been publicly disclosed. A webpage or a network
share serving a malicious Word document, or an email with a malicious
Word attachment, may leverage these flaws to compromise a client.
Note that Internet Explorer automatically opens a Word document,
which makes it easy to exploit the vulnerabilities via HTTP.
Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-023.
Council Site Actions: Most of the reporting council sites plan to
respond to this item and install the patch during their next
regularly scheduled system update process. One site commented that
they don't distribute patches for applications such as MS Word,
but do inform their users about the need to download and install
MS Office updates.
References:
Microsoft Security Bulletin http://www.microsoft.com/technet/security/Bulletin/MS05-023.mspx
HIGH: Windows Shell Remote Code Execution
Affected:
Windows 2000 SP3 and SP4
Windows XP SP1 and SP2
Windows XP 64-bit SP1 and 2003
Windows 2003
Description: Microsoft Office (Word, Excel, PowerPoint) and some
WordPerfect and Adobe files are stored in "OLE2" format. This
format stores a program name (actually its CLSID) in the OLE2 document
that can open the OLE2 file even when the file is re-named with an
unknown extension. For instance, if a Word document is renamed with
a ".docy" extension, Windows will still open the file with the Word
program. A problem arises because Windows does not perform a proper
check on the program CLSID stored in an OLE2 document. An attacker
can craft a malicious OLE2 document with an unknown extension that
contains CLSID of an arbitrary executable. An attacker, for example,
can use the CLSID of Microsoft HTML Application Host (MSHTA) in an
OLE2 document, to execute arbitrary script code on a user's system.
Note that the user would need to double-click the attacker-supplied
OLE2 document with an unknown extension. The attacker may be able
to fool a user by using visually similar extensions such as ".d0c",
".pppt" etc. Exploit code to craft a malicious OLE2 document has
been posted.
Status: Apply the patch referenced in the Microsoft Security Bulletin
MS05-016. A workaround to block the email attack vector is to filter
file attachments with unknown extensions at the mail gateways. To
prevent the attack via HTTP, users should be advised not to open
documents with unknown extensions.
Council Site Actions: All of the reporting council sites plan to
respond to this item. They will patch during their next regularly
scheduled system update process.
References:
Microsoft Security Bulletin http://www.microsoft.com/technet/security/Bulletin/MS05-016.msp
MODERATE: MSN Messenger GIF Processing Overflow
Affected:
MSN Messenger version 6.2
Description: MSN messenger contains a buffer overflow that can be
triggered by malformed GIF image files. Specifically GIF files with
improper height and width cause this overflow that can be exploited
to execute arbitrary code with the privileges of the MSN messenger
user. A successful attack requires significant user interaction.
Prior to sending a specially crafted GIF file, the attacker has to
convince an MSN messenger user to add him to the user's contact list.
Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-022.
Council Site Actions: Most of the council sites plan to respond
to this item and install the patches during their next regularly
scheduled system update process. A few sites commented that they
are blocking the affected traffic at their network perimeter points;
thus reducing the risk associated with this item.
Installation and use of MSN Messenger is not supported by their
central IT department, but neither is it blocked.
References:
Microsoft Security Bulletin http://www.microsoft.com/technet/security/Bulletin/MS05-022.mspx
We will not post the entire article here, only a small part of it.
You really should follow the link to read the entire article; it is very helpful.
Long-Distance Fixes - Article by Fred Langa
The problem: My son managed to pick up some sort of virus that he's not able to get rid of.
He says that it connects to the internet by itself and he can't control what sites the system accesses.
He called home to ask me what to do. I'm not sure how to crash and reinstall XP, especially long distance.
I told him to try system restore.
He got the virus about 2 months ago and was shipped out and unable to fix it at that time.
Can you give me step by step instructions on what he needs to do?
Fred's answer:
The emergency, band-aid fix is to use a firewall such as Zone Alarm ( http://www.zonelabs.com/store/content/home.jsp );
you can "lock" the firewall to block all internet access when you're not using the PC.
This only takes a click on the system tray icon, but prevents all phone-home activity via the internet connection.
(Of course, you can do something similar by physically disconnecting the network cable or phone wire.)
When you want access, it only takes another click to turn the connection back on.
Malware disables Microsoft's application and tries to steal online banking passwords.
Affected:
Trend Micro Client/Server/Messaging Suite for SMB for Windows
Trend Micro InterScan eManager
Trend Micro InterScan Messaging Security Suite Linux/Windows/Solaris
Trend Micro InterScan VirusWall for Linux/Windows/HP-UX/AIX/Solaris
Trend Micro InterScan VirusWall for SMB
Trend Micro InterScan Web Security Suite for Linux/Windows/Solaris
Trend Micro InterScan WebManager
Trend Micro InterScan WebProtect for ISA
Trend Micro OfficeScan Corporate Edition
Trend Micro PC-cillin Internet Security
Trend Micro PortalProtect for SharePoint
Trend Micro ScanMail eManager
Trend Micro ScanMail for Lotus Domino on Windows/AS400/S390/AIX/Solaris
Trend Micro ScanMail for Microsoft Exchange
Trend Micro ServerProtect for Linux
Trend Micro ServerProtect for Windows/Novell Netware
Description: A large number of Trend Micro anti-virus products contain a
heap-based buffer overflow vulnerability. The overflow can be triggered
by a malicious ARJ (a compression format) archive. An unauthenticated
attacker can compromise any client or server running the vulnerable Trend
Micro product by delivering a malicious ARJ archive via email or web. The
technical details regarding how to craft a malicious archive file can be
found in the vendor's advisory.
Status: Vendor confirmed, upgrade to scan engine VSAPI 7.510 or higher.
As an interim measure prior to patching, ARJ scanning can be disabled.
Council Site Actions: Due to the late breaking nature of the problem, we
were unable to solicit any council site input.
References:
Trend Micro Advisory
http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+execution
ISS XForce Advisory
http://xforce.iss.net/xforce/alerts/id/189
SecurityFocus BID
http://www.securityfocus.com/bid/12643
Description: Yahoo! Messenger is a jabber tool.
It is vulnerable to a remote dialogue box spoofing issue due to a design error.
Yahoo! Messenger version 6.0.0.1750 is known to be vulnerable.
Ref:
http://secunia.com/secunia_research/2005-2/advisory/
Details:
(1) MODERATE: Multiple Browsers International Domain Name Spoofing
Affected:
Firefox version 1.0 and prior
Mozilla version 1.7.5 and prior
Safari version 1.2.5 and prior
Thunderbird version 1.0 and prior
Netscape version 7.x
Description: The Domain Name System (DNS) specification, as described in
RFC 1034, does not permit the use of any non-ASCII characters when
constructing a domain name. The International Domain Name (IDN) scheme was
specifically developed to support domain names in various languages.
Multiple browsers such as Mozilla, Firefox, and Safari have implemented
the IDN feature. This feature could be exploited by an attacker to conduct
phishing attacks. The problem occurs because a URL with a domain name
containing Unicode characters is displayed as an all-ASCII URL (by replacing
the Unicode characters with the closest resembling ASCII characters).
However, when such a URL is clicked, the content is rendered from the actual
international domain name, possibly under the attacker's control. For instance,
the URL "www.pаypal.com" (with the Cyrillic letter "а" in place of the first
"a") is displayed as "www.paypal.com" in the browser. Upon clicking this URL,
the content is rendered from the "www.xn--pypal-4ve.com" domain name. Note
that this trick can also be performed for sites that use secure HTTP (HTTPS).
The attacker can obtain a valid certificate for the international domain name,
so that when a victim visits a spoofed secure site, the victim's browser will
still display the secure "lock" icon. Thus, a specially crafted webpage or an
HTML email may exploit the IDN feature to conduct phishing attacks, i.e., to
gather sensitive personal information from users.
Status: Vendors have been contacted. Mozilla has provided the steps for
disabling IDN support. An unofficial Safari plug-in has also been posted
that will alert the Safari user when an IDN URL is clicked. A general
countermeasure is to train users not to enter any personal information on a
webpage reached by clicking a link in an email or on another webpage.
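As an added illustration (not part of the newsletter item), the following Python decodes the punycode host quoted above, www.xn--pypal-4ve.com, back to the Unicode name the address bar would display, flags the label as mixed-script, and reports the ASCII domain it resembles; this is the check a mail filter or proxy can apply to links before a user sees them. The confusables table is a constructed subset of the Unicode confusables data, not the full list.

```python
"""Decode punycode labels and flag mixed-script (homograph) host names."""
import unicodedata
from typing import Dict, Set

# Constructed subset of the Unicode confusables data: Cyrillic letters whose
# glyphs are indistinguishable from Latin ones in most fonts. Assumption: a
# production checker would load the complete confusables.txt instead.
CONFUSABLE_TO_LATIN: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def to_unicode_host(host: str) -> str:
    """Turn an ACE host name (xn-- labels, RFC 3490) back into the Unicode
    form the browser displays, decoding each label with punycode (RFC 3492)."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> Set[str]:
    """Collect the script names (LATIN, CYRILLIC, ...) of the letters in one label."""
    found = set()
    for ch in label:
        if ch.isalpha():
            # Unicode character names start with the script, e.g. "CYRILLIC SMALL LETTER A"
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(host: str) -> str:
    """Map confusable letters to their Latin look-alikes: the name a user thinks they read."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in host)


def assess(host: str) -> Dict[str, object]:
    """Report whether an ACE or Unicode host name mixes scripts inside a single
    label (the homograph pattern) and which ASCII domain it would pass for."""
    unicode_host = to_unicode_host(host)
    mixed = any(len(scripts_in(lbl)) > 1 for lbl in unicode_host.split("."))
    return {
        "unicode_host": unicode_host,
        "mixed_script": mixed,
        "looks_like": skeleton(unicode_host),
    }


if __name__ == "__main__":
    for link_host in ("www.xn--pypal-4ve.com", "www.paypal.com"):
        print(link_host, "->", assess(link_host))
```

A host that is entirely in one non-Latin script is legitimate IDN use and is not flagged; only a label that mixes scripts, as the spoofed name above does, trips the check.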
Council Site Actions: Only three of the reporting council sites are using the
affected software. One site has notified their system support group and will
allow them to decide the action. The second site does not plan any immediate
action. The third site only supports Mozilla on UNIX system and will update
the central version in late February.
References:
Homograph Attacks by Eric Johanson
http://www.shmoo.com/idn/homograph.txt
http://www.cs.technion.ac.il/~gabr/papers/homograph.html
http://www.shmoo.com/idn/ (Contains PoC exploit)
Disable IDN Support in Mozilla
http://forums.mozillazine.org/viewtopic.php?t=215178
Unofficial IDN Detection for Safari
http://bob.pythonmac.org/archives/2005/02/07/idn-spoofing-defense-for-safari/
IDNA RFC
http://www.faqs.org/rfcs/rfc3490.html
PunyCode Encoding for International Domain Names
http://www.faqs.org/rfcs/rfc3492.html
Secunia Advisory
http://secunia.com/advisories/14163/
Affected Software:
Firefox 1.0
Mozilla 1.7.5
Other versions may also be affected.
Severity:
Rating: Less critical
Impact: Spoofing
Where: From remote
Description of Vulnerability:
Secunia Research has discovered a vulnerability in Mozilla / Mozilla
Firefox, which can be exploited to spoof the source displayed in the
Download Dialog box.
The problem is that long sub-domains and paths aren't displayed
correctly, which therefore can be exploited to obfuscate what is
being displayed in the source field of the Download Dialog box.
The vulnerability has been confirmed in Mozilla 1.7.3 for Linux,
Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0.
Mozilla Bugzilla report:
https://bugzilla.mozilla.org/show_bug.cgi?id=275417
Solution:
Currently, no solution is available. However, the vendor reports
that this vulnerability will be fixed in upcoming versions of the
affected products.
To read the entire report please go to: http://secunia.com/secunia_research/2004-15/advisory/
01/25/05 We all receive images in our email from time to time and we have been told that image files are "ok" to open.
This is no longer the case!
We all must be careful opening those "harmless" image files, because they can now contain a virus.
We have added some information and links here so you can check out some of the various warnings on this topic.
PLEASE KEEP YOUR ANTI-VIRUS DEFINITIONS UPDATED AND SCAN FOR SPYWARE AND TROJANS ON A REGULAR BASIS
Virus hidden in Tsunami disaster donation plea images
Security researchers say JPEG virus imminent
Trojan horse exploits image flaw:
EasyNews, a provider of Usenet newsgroups, said it has identified two JPEG images that take advantage of a previously
identified flaw in the way Microsoft software handles graphics files.
Windows users could have their computers infected merely by opening one of those Trojan horse images.
01/24/05
We want to make sure that everyone is aware of the "PHISHING SCAMS" that are going around in e-mails now.
These scams are not new, but they are becoming more of a problem now.
Please do not open any email from banks, credit unions, mortgage companies and places like that unless you do business with that company.
More important:
DO NOT FOLLOW LINKS SENT TO YOU VIA EMAIL THAT ASK YOU TO LOG INTO A WEBSITE TO CHANGE YOUR PIN NUMBER OR PERSONAL INFORMATION!
If you think that a legitimate company you normally do business with is trying to contact you, play it safe and call them
or visit their website as you normally would but not through any link sent to you via email that asks for personal information updating!
Please report any of these you receive to us at:
support@connectto.net - we will need the full headers, so you may forward them to us if you need to.
To find up-to-date virus information you can go to: Trend Micro
12/21/04 Massive phishing hole discovered in Internet Explorer
Microsoft said Friday that it is looking into reports from security company Secunia and others that a vulnerability in Internet Explorer 6
enables scammers to launch a phishing attack against PCs loaded with the latest security updated version of Windows, Service Pack 2,
and older versions of the operating system, CNET reports.
The Web browser flaw allows fraudsters to create a hard-to-spot spoofed Web site, according to an advisory from Secunia,
even to the point of including a fake SSL signature padlock certificate.
Phishers can also hijack cookies from any Web site, the company said.
"The problem is that users can't trust what they see in their browsers," Thomas Kristensen, chief technology officer at Secunia, said.
"This can be used to trick users to perform actions on what they believe is a trusted Web site,
but actually these actions are recorded and controlled by a malicious site."
Secunia is advising users to disable ActiveX support, until a patch is available.
Webopedia-Definition Of Phishing
FTC Consumer Alert-How Not to Get Hooked by a Phishing Scam
Online Identity Theft-Spoof Email Phishing Scams and Fake Web Pages or Sites
As of December 14, 2004 8:13 AM PST, TrendLabs has declared a Medium Risk
Virus Alert to control the spread of WORM_ZAFI.D. TrendLabs has received
several infection reports indicating that this malware is spreading in
Germany, France and Spain.
The following is a brief overview of the worm process:
This worm spreads via email or peer-to-peer (P2P) file-sharing networks.
Here is a sample of the email:
Subject:
Re: Merry Chrsitmas!
Message body:
Happy Hollydays!
:) Pamela M.
Attachment:
postcard.index.php1111.pif
Note that the language of the email may change depending on the domain of
the recipients.
TrendLabs will be releasing the following EPS deliverables:
TMCM Outbreak Prevention Policy 137
Official Pattern Release 2.297.00
Damage Cleanup Template 467
For more information on WORM_ZAFI.D, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D
Norton has a scan/remove tool for W32.Sobig.F@mm worm at
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html
Sasser Worm Info
Systems Affected: Windows 2000, Windows Server 2003, Windows XP
Details: W32.Sasser.B.Worm is a variant of W32.Sasser.Worm.
It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin
MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems.
Notes:
The MD5 hash value for this worm is 0x1A2C0E6130850F8FD9B9B5309413CD00.
Symantec Security Response has developed a removal tool to clean the infections of W32.Sasser.B.Worm.
Block TCP ports 5554, 9996 and 445 at the perimeter firewall and install the appropriate
Microsoft patch (MS04-011) to prevent remote exploitation of the vulnerability.
Security Response is upgrading W32.Sasser.B.Worm to a Category 4 from a Category 3 based on increased rate of submissions.
Also Known As: WORM_SASSER.B [Trend], W32/Sasser.worm.b [McAfee]
Variants: W32.Sasser.Worm
Type: Worm
Infection Length: 15872 bytes
REMOVAL TOOLS:
SYMANTEC: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
MCAFEE: http://vil.nai.com/vil/stinger/
FROM MICROSOFT:
Windows XP Users: What to Do If Your Computer Has Been Infected by Sasser
Time to update your anti virus and get a firewall if you do not have one
Old Worm
We found this information on a message board and thought it might be helpful. (http://www.mcse.ms/message779106.html)
COMPLAINT -- Computer keeps on crashing after a few minutes on, with message: NT AUTHORITY\system "c:\windows\system32\lsass.exe" 1073741819, this computer will close down in 30 seconds.
Greetings --
You've apparently contracted the latest worm, W32.Sasser.Worm,
specifically designed to attack people who do not update their
computers promptly and who do not practice "safe hex." In other
words, like Blaster, this worm was developed and distributed _after_ a
patch for the vulnerability was announced and made publicly available.
Further, and also like Blaster, this worm could not affect any
computer whose user had taken the basic precaution of using a properly
configured firewall.
To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next Shutdown countdown begins. This will abort the shut down. Also,
make sure you've enabled a firewall before starting, to preclude any
more intrusions while getting the updates/patches/tools.
What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp
Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/se..n/MS04-011.mspx
W32.Sasser.Worm
http://www.symantec.com/avcenter/ve..asser.worm.html
A tool is available to remove the Sasser worm variants
http://support.microsoft.com/defaul..kb;EN-US;841720
W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.co..ol.html
McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/