Be on your guard against these, particularly the 3 (yes, count 'em, there are 3 now!) unpatched remote code execution vulnerabilities in Microsoft Word. Public exploits are available and are circulating in the wild which, even by Microsoft's definition (see note), makes these issues critical.
Note: Microsoft define a vulnerability as being critical only if it may result in remote code execution and is being actively exploited.
Careful with Christmas.exe
Posted by Mikko @ 14:10 GMT
We've just received a sample of something that's called CHRISTMAS.EXE.
When run, this IRCBot variant will try to download various malicious executables from web servers at waiguadown.008.net and user.free.77169.net.
As a decoy, it shows this Christmas-themed image:
Obviously, a gift that keeps on giving. To be avoided.
Published: 2006-12-27,
Last Updated: 2006-12-27 06:52:00 UTC by George Bakos (Version: 1)
A number of readers submitted reports of Internet slowness to/from Asia. We now know that this is a direct result of up to six submarine cables being severed during a series of temblors off the coast of Taiwan. From Bloomberg:
"Taiwan was jolted by three earthquakes yesterday, killing two people and injuring 42 others, the island's National Fire Agency said. The tremors damaged undersea cables, causing a disruption to Internet traffic and some telephone calls in the region for customers including Singapore Telecom, PCCW, Chunghwa Telecom Co., Taiwan's biggest telephone operator, and KDDI Corp., Japan's second-largest telephone carrier."
There is a potential issue with OpenOffice WMF buffer overflow allowing remote code execution. Details at this time are unavailable, although Red Hat released the following update notice relating to version 1.x currently shipping with their products:
Several integer overflow bugs were found in the OpenOffice.org WMF file processor. An attacker could create a carefully crafted WMF file that could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. (CVE-2006-5870)
The original CVE report provides no details at this time.
It is unclear whether other versions (and/or platforms) are affected at present - we'll post more info when we have it.
Yesterday, we tested a library taken from an Acer notebook. It's very common for vendors to sell machines with preloaded applications and system components of their own. The library, named LunchApp.ocx, is probably supposed to help with browsing the vendor's website, enable easy updates and such. It turns out it also makes all those machines vulnerable to a specially crafted HTML file that could instantly download malicious file(s) onto the user's machine and then execute them. It gets even better: Acer marked that ActiveX library "safe for scripting", so you wouldn't even see when it's used.
It would be nice if Acer (and other vendors) thought twice before providing a "feature" like this in the future.
Breaking news: We're currently investigating early reports that Nero may have inadvertently posted an infected download yesterday. Here are the details of the affected file as posted on Nero's website:
We are looking at reports that the download contained a virus (IM-Worm.Win32.Licat.f) and a piece of adware (MyWebSearch).
If you downloaded this file yesterday, please scan the file and your system. If you have yet to install it, please hold off until we can establish whether it is a real infection or a false positive.
Complete scanning result of "24A3D0FE.cab", received in VirusTotal at 01.19.2007, 09:46:36 (CET).
Antivirus           Version         Update      Result
AntiVir             7.3.0.26        01.18.2007  no virus found
Authentium          4.93.8          01.19.2007  no virus found
Avast               4.7.936.0       01.18.2007  no virus found
AVG                 386             01.18.2007  no virus found
BitDefender         7.2             01.19.2007  Win32.Worm.IM.Licat.J
CAT-QuickHeal       9.00            01.19.2007  no virus found
ClamAV              devel-20060426  01.19.2007  no virus found
DrWeb               4.33            01.19.2007  no virus found
eSafe               7.0.14.0        01.19.2007  Win32.Licat.f
eTrust-InoculateIT  23.73.117       01.19.2007  no virus found
eTrust-Vet          30.3.3336       01.19.2007  no virus found
Ewido               4.0             01.18.2007  no virus found
Fortinet            2.82.0.0        01.19.2007  no virus found
F-Prot              3.16f           01.19.2007  no virus found
F-Prot4             4.2.1.29        01.19.2007  no virus found
Ikarus              T3.1.0.27       01.09.2007  no virus found
Kaspersky           4.0.2.24        01.19.2007  no virus found
McAfee              4942            01.18.2007  no virus found
Microsoft           1.1904          01.19.2007  no virus found
NOD32v2             1990            01.19.2007  no virus found
Norman              5.80.02         01.18.2007  no virus found
Panda               9.0.0.4         01.19.2007  no virus found
Prevx1              V2              01.19.2007  no virus found
Sophos              4.13.0          01.19.2007  no virus found
Sunbelt             2.2.907.0       01.12.2007  no virus found
TheHacker           6.0.3.151       01.19.2007  no virus found
UNA                 1.83            01.18.2007  no virus found
VBA32               3.11.2          01.18.2007  no virus found
VirusBuster         4.3.19:9        01.19.2007  no virus found
It looks like a new incarnation of a spambot that's been around for a while... it turns your PC into a spam-spewing zombie.
The initial attachment installs a service (wincom32.sys) that acts as a P2P network and then downloads the spambot together with an email address harvester.
Filtering .EXE email attachments and blocking traffic to or from its control port (UDP/4000) should provide good defense against this particular nasty. Monitoring for traffic on port UDP/4000 will also allow identification of infected hosts until the AV companies get definitions out for all the different variants, although even then they won't necessarily find infected hosts, as the spambot is protected by a rootkit too.
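As an added illustration of the two defenses above (not code from the original post), here is a small Python script that walks firewall log lines, flags internal hosts seen talking on UDP/4000 in either direction, and applies the .EXE attachment filter. The iptables-style log format, the 10.0.0.0/8 internal range and the log lines themselves are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

CONTROL_PORT = 4000  # UDP control port named in the post
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

# Constructed sample log lines in an assumed iptables-style key=value format.
SAMPLE_LOG = """\
Jan 19 09:46:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.7 PROTO=UDP SPT=4000 DPT=4000 LEN=57
Jan 19 09:46:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=198.51.100.9 PROTO=TCP SPT=51233 DPT=4000 LEN=60
Jan 19 09:46:03 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.40 DST=10.0.0.15 PROTO=UDP SPT=4000 DPT=4000 LEN=61
Jan 19 09:46:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=192.0.2.88 PROTO=UDP SPT=4000 DPT=4000 LEN=57
Jan 19 09:46:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=198.51.100.9 PROTO=UDP SPT=4000 DPT=4000 LEN=57
Jan 19 09:46:06 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.31 DST=192.0.2.53 PROTO=UDP SPT=52111 DPT=53 LEN=70
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def is_internal(addr):
    """True when the address falls inside one of our internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def suspect_hosts(log_text):
    """Count UDP/4000 flows per internal host; TCP/4000 and other UDP ports are ignored.
    Both source and destination port are checked so replies from peers count too."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "UDP":
            continue
        if CONTROL_PORT not in (int(m["spt"]), int(m["dpt"])):
            continue
        for addr in (m["src"], m["dst"]):
            if is_internal(addr):
                hits[addr] += 1
    return hits


def is_blocked_attachment(filename):
    """Case-insensitive .EXE filter; catches double extensions like card.jpg.EXE."""
    return filename.strip().lower().endswith(".exe")


if __name__ == "__main__":
    for host, n in suspect_hosts(SAMPLE_LOG).most_common():
        print(f"{host}: {n} UDP/{CONTROL_PORT} flow(s) - check for infection")
```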