Red Hat Linux has announced a fix for a vulnerability found in the Kerberos network authentication system that could allow a malicious ftp server to execute commands as the user running the ftp client.

When retrieving a file with a filename beginning with a pipe character, the ftp client will pass the filename to the command shell in a system() call. This could allow a malicious ftp server to write to files outside of the current directory or execute commands as the user running the ftp client.

The Kerberos ftp client runs as the default ftp client when the Kerberos package krb5-workstation is installed on a Red Hat Linux distribution.

All users of Kerberos are advised to upgrade to these errata packages which contain a backported patch and are not vulnerable to this issue.

For more details, check this Linux Today article.

Week in Review

Last weekend's attack launched by SQLSlammer is considered to have had the biggest impact on the Internet over the past 18 months. This worm exploits a vulnerability in Microsoft SQL Server to launch denial of service attacks (DoS) against corporate servers, blocking networks and communication services.

Another worm that wreaked havoc was Netspree, which can infect computers with any Windows operating system installed, although it only spreads through shared network drives running under Windows XP/2000/NT. This malicious code connects to an IRC server through port 6667 and discloses confidential information from the machine in which it is installed. Doing this also leaves the computer vulnerable, as any remote user could access it. Another effect of this virus is that it can use the affected computer to launch DoS attacks.

Netspree creates a file called WIN32LOAD.EXE in the Windows system directory, which contains the worm's code. This file goes memory resident and waits for an Internet connection to be established. When this happens, it downloads a file called LCP_NETBIOS.DLL, which incorporates the utility PSEXEC.EXE and a file with a BAT extension. The BAT file contains instructions for connecting to a remote system and the commands it uses to carry out infection. Netspree also inserts several entries in the Windows Registry to ensure it is run every time the computer is started.

The Trojan Winpao also appeared this week. It is programmed to steal confidential information from the computer and send it to the virus author. The data it steals includes: the server name, the e-mail password, mail received, message subjects, the passwords file, the SMTP ID, the user name and password, etc. It also ends processes that belong to antivirus programs or system monitors.

Files with random names appearing in all drives for no apparent reason, is an indication that Winpao is present in a computer. This malicious code also creates a file called ESPLORER.EXE in the Windows system directory and multiple copies of itself in the available disk drives.

Also noteworthy is that this Trojan also modifies several entries in the Windows Registry in order to ensure that it is loaded in memory before any file with an EXE, CHM, INI, REG, SCR or TXT extension is run. If the files created by the Trojan are deleted but the Windows Registry is not restored, the files with the extensions mentioned above will not be run.

For further information about these and other viruses, visit Panda Software's Virus Encyclopedia.

Lirva is Back

Lirva, which has been traveling under many aliases, including W32/Lirva.B, W32.Arvil.A, W32.Naith.A, Avril and Avron, is back on the radar of F-Secure.

It is a mass-mailing worm that uses several methods besides e-mail to spread. The worm uses ICQ, Kazaa, mIRC and tries to spread through open shares and Windows network drives.

Lirva also has functionality to disable several antivirus and security applications if it notices their presence. If the worm is active in the system it tries to steal passwords and send them to an external email address.

F-Secure is giving the worm a Level 2 alert, meaning it is causing a large number of infections. For technical details, visit this F-Secure page.

Top 10 Viruses of January

To view the top 10 viruses and hoaxes for January, visit Sophos.

Compiled by Esther Shein and Chris Nerney.