__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
__________________________________________________________

                             INFORMATION BULLETIN

                     New Worms and Helpful Computer Users

September 18, 2003 22:00 GMT                                    Number N-153
______________________________________________________________________________
PROBLEM:       A new worm named Swen appeared this morning masquerading as a
               patch for a Microsoft Windows vulnerability. The spread of the
               worm is being helped along by computer users who dutifully
               install the patch (worm) and pass it on.
PLATFORM:      Windows
DAMAGE:        Helpful users install and pass on the worm.
SOLUTION:      1. Keep your antivirus software up to date.
               2. Do not execute attachments that you are not expecting.
               3. Do not install patches received as e-mail attachments.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Current viruses and worms install backdoors
ASSESSMENT:    in systems that allow remote intruders to take over and use
               those systems. Usage includes spying, industrial espionage,
               e-mail spamming, creation of porno sites, proxy servers, etc.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-153.shtml
 BACKGROUND:    http://www.computerworld.com/securitytopics/security/story/0,10801,84214,00.html
                http://office.microsoft.com/assistance/Preview.aspx?AssetID=HA010550011033&CTT=6&Origin=EC010553071033
______________________________________________________________________________

A new worm named W32.Swen.A@mm appeared this morning masquerading as a patch
for a Microsoft vulnerability. The e-mail appears to come from security at
Microsoft and has an attached executable file that is supposed to be a patch
for the vulnerability.
In fact, the patch is the virus, and double clicking on the patch installs
the virus on your system. A few copies managed to get into at least one site
before e-mail virus scanners were updated.

While this in itself is not noteworthy (we see new worms appearing almost
daily), we would like to reiterate three security items to DOE computer
users.

1. Keep your antivirus scanners up to date.
2. Do not execute attachments you are not expecting, especially if those
   attachments are executables.
3. Do not install patches or updates sent as attachments to e-mail messages.

Keep Your Antivirus Scanners Up To Date
=======================================

Antivirus scanners must be kept up to date. You should update your scanners
on a weekly basis to ensure that you have the most up-to-date virus
definitions. If you hear of a new virus making the rounds, update your
antivirus definitions immediately, before reading mail or downloading any
files. Most scanners can be set to automatically update themselves on a
regular schedule. Don't depend on corporate antivirus scanners to protect
you, as new malicious code can sneak by them before new scan signatures are
available.

Do Not Execute Attachments You Don't Expect
===========================================

One of the most common methods for the current viruses and worms to spread is
as e-mail attachments. If you get an attachment from someone, even someone
you know, don't simply double click on it to see what it is. Virus scanners
can miss things or be out of date for a while, such as when a new worm hits,
so you must be on the alert for malicious code that gets past them. Before
opening an attachment, determine whether it is a document or picture, or
whether it is an executable file, batch file, or script file. On Windows
systems the file type is determined by the file extension.
The extensions for files that can execute code are:

  .ade, .adp, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .hta,
  .inf, .ins, .isp, .js, .jse, .lnk, .mdb, .mde, .msc, .msi, .msp, .mst,
  .pcd, .pif, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf,
  .wsh

(See the following article for more information on these types:
http://office.microsoft.com/assistance/preview.aspx?AssetID=HA010550011033&CTT=6&Origin=EC010553071033)

To see file extensions, you must turn off the Explorer option "Hide
extensions for known file types." To turn it off:

1. Open a file explorer window.
2. Choose Tools, Folder Options, View tab.
3. Uncheck "Hide file extensions for known file types."
4. Click OK.

Some malicious code tries to hide the file type by using a double extension.
For example, mypictures.jpg.exe appears to be a picture file (.jpg). This is
especially true if "Hide file extensions for known file types" is checked,
in which case you will only see the .jpg extension. Be sure you can see
extensions, and look at the right-most extension, as that is the one that is
the true file type. Look also at the icon, as it is determined by the file
type and the application used to open that file.

The .lnk file type is always hidden, even when you uncheck "Hide file
extensions for known file types." Look at the icon displayed for the file.
If it is a .lnk file, the icon has a square box containing a bent arrow
superimposed on the lower-left corner of the icon. For example, the
following icon is a link to a spreadsheet.

  [icon image: shortcut to a spreadsheet, not reproduced in this text copy]

You can also right click on the file and select Properties. On the General
tab the Type of File is Shortcut. Normally, .lnk files are links to other
files, but if they are executable code instead of a link, they run when
double clicked.
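The following is an added example, not part of the CIAC bulletin: a small screener that applies the bulletin's rule (judge an attachment by its right-most extension, and treat a double extension as suspicious) to a constructed list of attachment names, and also shows what Explorer would display with "Hide extensions for known file types" checked.

```python
# Added example (not from the bulletin): screen attachment names by their
# right-most extension, as the bulletin advises, and flag double extensions.

# Executable extensions exactly as listed in the bulletin.
EXECUTABLE_EXTENSIONS = {
    ".ade", ".adp", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl", ".crt",
    ".exe", ".hlp", ".hta", ".inf", ".ins", ".isp", ".js", ".jse", ".lnk",
    ".mdb", ".mde", ".msc", ".msi", ".msp", ".mst", ".pcd", ".pif", ".reg",
    ".scr", ".sct", ".shs", ".url", ".vb", ".vbe", ".vbs", ".wsc", ".wsf",
    ".wsh",
}


def classify_attachment(filename: str) -> dict:
    """Describe one attachment name.

    true_type  - the right-most extension, which decides how Windows runs it
    executable - True if that extension is in the bulletin's list
    double_ext - True for names like mypictures.jpg.exe
    shown_as   - what Explorer shows when the last extension is hidden
    """
    name = filename.strip().lower()
    base, *ext_parts = name.split(".")
    extensions = ["." + p for p in ext_parts if p]
    last = extensions[-1] if extensions else ""
    # Explorer drops only the final (known) extension; the rest stays visible.
    shown = name[: -len(last)] if last else name
    return {
        "filename": filename,
        "true_type": last,
        "executable": last in EXECUTABLE_EXTENSIONS,
        "double_ext": len(extensions) > 1,
        "shown_as": shown,
    }


def flag_attachments(filenames):
    """Return the names that should not be double-clicked."""
    return [f for f in filenames if classify_attachment(f)["executable"]]


# Constructed sample names for illustration; not taken from any real message.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.doc", "mypictures.jpg.exe", "patch.exe",
    "vacation.jpg", "budget.xls.lnk", "README",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(classify_attachment(name))
    print("do not open:", flag_attachments(SAMPLE_ATTACHMENTS))
```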
Do Not Install Patches and Updates Received Via E-mail Attachments
==================================================================

Software vendors, antivirus vendors, and incident response teams (such as
CIAC) do not send patches as attachments to e-mail messages. All will send
messages describing the problem and then provide an online link where you
can go to get and verify a patch or update. Be sure you check the link to be
sure it is really the company you want to get the patch from. Better yet,
type the URL for the company yourself instead of clicking on the link. We
have seen links in fraudulent messages that look like the following:

  http://www.paypal.com@az.ru

You might think that this is a link to www.paypal.com, but it is not. In
this case, www.paypal.com is the username at the az.ru site.

Conclusions
===========

As we stated in the beginning, a new worm has been seen that is entering
sites via an e-mail attachment. While this is not a unique event, it is a
good time to review what you should do when you receive a message with an
attachment. Remember:

1. Keep your antivirus up to date.
2. Don't run attachments you are not expecting.
3. Don't install patches and updates that are e-mail attachments.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
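The fraudulent-link pattern discussed above (http://www.paypal.com@az.ru), worked through as an added example that is not part of the bulletin: the standard library URL parser shows which host a client would really connect to, and a small check flags any link that carries user information before the host or does not point at the site the reader expects. The second and third sample links are constructed for illustration.

```python
# Added example (not from the bulletin): expose the real host behind a link
# of the form http://<fake-site>@<real-site> and flag such links.
from urllib.parse import urlsplit


def real_host(link: str) -> str:
    """Return the host a client would actually connect to for this link.

    Anything before an '@' in the authority part is user information, not
    the host, so for http://www.paypal.com@az.ru this returns 'az.ru'.
    """
    return urlsplit(link).hostname or ""


def is_deceptive_link(link: str, expected_host: str) -> bool:
    """True if the link carries user info (an '@' before the host) or does
    not resolve to expected_host or one of its subdomains."""
    parts = urlsplit(link)
    host = parts.hostname or ""
    expected = expected_host.lower()
    if parts.username is not None:
        # Legitimate vendor links do not embed a username; the only purpose
        # here is to make the displayed name look like the trusted site.
        return True
    return not (host == expected or host.endswith("." + expected))


# The bulletin's example plus two constructed links for comparison.
SAMPLE_LINKS = [
    ("http://www.paypal.com@az.ru", "www.paypal.com"),
    ("http://www.paypal.com/", "www.paypal.com"),
    ("http://www.example.com/patch", "www.paypal.com"),
]

if __name__ == "__main__":
    for link, expected in SAMPLE_LINKS:
        print(link, "->", real_host(link),
              "DECEPTIVE" if is_deceptive_link(link, expected) else "ok")
```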
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed herein
do not necessarily state or reflect those of the United States Government
or the University of California, and shall not be used for advertising or
product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-144: Microsoft Visual Basic Buffer Overrun Vulnerability
N-145: Microsoft Access Snapshot View Buffer Overrun Vulnerability
N-146: Apache 2.0.47 Release Fixes Security Vulnerabilities
N-147: Hewlett Packard Potential Security Vulnerability B.11.11 DCE
N-148: Sun Security Issue Involving the Solaris sadmind(1M) Daemon
N-149: Sendmail 8.12.9 Prescan Bug
N-150: Red Hat Updated KDE packages fix security issues
N-151: OpenSSH Buffer Management Error
N-152: Real Networks Streaming Server Vulnerability