
W32/Rbot-ARI - Rbot number six this week drops "up32.pif" in the Windows System folder. This one installs "mswi32.pif" in the Windows System folder.

W32/Rbot-ARH - The fifth Rbot variant works in similar fashion to the other four we've covered today. It drops "expl0rer.pif" in the Windows System folder.

W32/Rbot-ARE - The fourth Rbot variant uses IRC to provide backdoor access to the infected host. It spreads through network shares with weak passwords, to machines already infected with another virus, or through unpatched Windows flaws.

W32/Rbot-ARD - Another Rbot variant that provides backdoor access via IRC. (Sophos)

W32/Rbot-AQW - Yet another Rbot variant that exploits a number of known Windows flaws to infect a machine.

W32/Rbot-AQQ - A new Rbot variant that drops "lsasss.exe" in the Windows System folder.

Troj/Mirchack-A - This is a hacked version of the mIRC32 client that allows a backdoor to the IRC network.

W32/Erkez-G - An e-mail and peer-to-peer worm that seeks out directories that start with "musi", "shar", or "uploa" and drops files in there. The e-mail message takes a number of forms, but most of the potential subject lines are in a foreign language. The infected files are "AntiVirus Update.exe" and "antivirus_update.exe" in the Windows System folder.

W32/Kangaroo-B - A virus that monitors the Windows title bar, looking for drive letters. When it finds one, it copies "kangen.exe" there. The virus also puts a Word file on the machine that has an Indonesian pop song embedded.

W32/Agobot-TR - This Agobot variant allows control over a number of malicious applications via IRC. It drops "winlogoff.exe" in the Windows System folder. In addition, it modifies the Windows HOSTS file to limit access to security-related Web sites.

W32/Agobot-TP - An Agobot variant that moves through network shares and exploits a number of known Windows vulnerabilities to infect a host. It drops "svchost32.exe" in the Windows System folder and can be used as a SOCKS proxy, for port scanning and in denial-of-service attacks - all remotely controlled through IRC.

Two vulnerabilities have been found in the masqmail mailer application. One could lead to files being overwritten in a symlink attack, the other to malicious files being executed on the affected machine.
Ruby, a scripting language, does not properly enforce its "safe level" mechanism, allowing attackers to gain elevated privileges and potentially run arbitrary code on the affected machine. For more, go to:

A flaw in the way the Shorewall firewall generates iptables rules could allow greater permissions than originally specified. For more, go to:

A format string flaw in xine-lib, a multimedia code library that handles audio CD information, could be exploited to run malicious code on the affected machine. For more, go to:

A flaw in the way OpenSSL handles a newer version of the SSL protocol could result in a less secure version of SSL being used. An attacker could exploit this to tamper with the data being transmitted. For more, go to:

According to an alert from Mandriva, "in Webmin 1.220, when 'full PAM conversations' is enabled, allows remote attackers to bypass authentication by spoofing session IDs via certain metacharacters (line feed or carriage return)." For more, go to:

A format string vulnerability in weex, an FTP client for updating Web sites, could be exploited to run malicious code on the affected machine.

The Hylafax fax server package does not create temporary files in a secure manner. A local attacker could exploit this to overwrite files on the affected machine.

Mandriva releases fixes for Mozilla Firefox and Thunderbird. A new update for Firefox fixes a bug that could impact cursor movement and patches a potential symlink vulnerability that could be exploited to overwrite files. A similar vulnerability affects Thunderbird.

A flaw in the way GSSAPI credentials are handled could allow the information to be exposed to unauthorized users.

MS05-044: Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering

MS05-045: Vulnerability in Network Connection Manager Could Allow Denial of Service

MS05-046: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution

MS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege

MS05-048: Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution

MS05-049: Vulnerabilities in Windows Shell Could Allow Remote Code Execution

MS05-050: Vulnerability in DirectShow Could Allow Remote Code Execution

MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution
