Two worms that target flaws in Windows 2000 were reported Wednesday by antivirus vendors.

McAfee issued an alert for Exploit-MS03-007.Crpt, an attack tool that exploits a Windows 2000 NTDLL.DLL vulnerability via the WebDAV (Web Distributed Authoring and Versioning) extension of IIS 5. The source code for this exploit was published on the Internet. The exploit attempts to provide a shell to a remote attacker.

For information on this vulnerability and a patch, visit this McAfee page.

Rolark Also Exploits Some Win2k Systems

Rolark is a tool that is designed to access remote computers by exploiting a vulnerability in some computers running Windows 2000. Through this utility, an attacker could gain total control over the affected computer. This vulnerability is a buffer overflow that affects the NTDLL.DLL library used by several Windows components. It affects the WebDAV component associated with version 5 of Internet Information Server (IIS).

Rolark is difficult to recognize because it does not display any messages or warnings that indicate it has reached a computer. It is being given a very low risk rating by antivirus software vendor Panda Software. For technical details visit this Panda Software page.

Backdoor.Fluxay Uses Pipes For Unauthorized Access

Backdoor.Fluxay is a Backdoor Trojan horse that uses pipes to allow an unauthorized command shell on an infected computer. It adds itself to the Service list as "PipeCmdSrv."

For technical details, visit this Symantec page.

Ganda Worm Uses Swedish Email Addresses

The Ganda e-mail worm uses its own SMTP engine to send e-mails to addresses collected from the Windows Address Book. The e-mails include an attachment, a screen saver file around 45 KB in size (62 KB MIME-encoded). The filename is always short, such as RG.SCR or PW.SCR.

The worm originated in Sweden and some of the messages sent by the worm have a fake sender address, replacing the "From" field with addresses belonging to Swedish journalists or school officials. These people have nothing to do with the worm and they are not spreading it.

These fake addresses include: skolverket@skolverket.se, red@fna.se, debatt@svt.se and several personal addresses from tidningen.to and aftonbladet.se (Swedish magazines). The worm also sends large volumes of rant e-mails to these addresses. The messages sent by the worm are in Swedish or in English, depending on the language settings of the infected computer.
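The attachment profile above (a .SCR file with a very short name and a decoded size near 45 KB) is easy to screen for at a mail gateway. The following is an added example, not code from F-Secure or from this article: it builds two constructed messages and reports which indicators each one matches; the addresses and filenames used are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage


def build_message(sender, filename, payload):
    """Construct a sample MIME message with one binary attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: one mimics the reported Ganda pattern, one is benign.
SUSPECT = build_message("spoofed@example.test", "RG.SCR", b"M" * 45 * 1024)
BENIGN = build_message("colleague@example.test", "quarterly-report.pdf",
                       b"%PDF" + b"x" * 2000)


def ganda_indicators(raw_message):
    """Return the list of Ganda-style attachment indicators found in a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        if ext.lower() != "scr":
            continue  # only screen-saver attachments are of interest here
        reasons.append(f"screen-saver attachment {name!r}")
        if len(stem) <= 3:
            reasons.append("very short attachment name")
        decoded_size = len(part.get_payload(decode=True))
        if 40 * 1024 <= decoded_size <= 50 * 1024:
            reasons.append(f"decoded size {decoded_size} bytes is near the reported 45 KB")
    return reasons
```

An empty list means no indicator matched; a message matching all three is worth quarantining for analyst review.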

In addition to the email spreading, Ganda also parasitically appends a small piece of code to PE executable files. The purpose of this code is to patch the locations of API calls so the worm code will be executed.

For technical information, check this F-Secure page.

Compiled by Esther Shein.