When Uncle Sam says you might want to change browsers, it gets people's attention. In recently updated United States Computer Emergency Readiness Team (US-CERT) vulnerability note #713878, one of the recommended workarounds for the rash of Internet Explorer flaws is to use a different browser. This recommendation may be preaching to the choir after months of Trojans and viruses that prey on IE flaws. Shortly after Microsoft issued a configuration change last week to patch a database module flaw, eWeek reported that a Dutch security hacker announced yet another flaw in IE, this time in the Shell.Application component. No attacks have been documented, but as we've seen before, it is only a matter of time. One way to thwart such attacks is to turn off scripting and ActiveX. However, as Larry Seltzer says in his eWeek column, "Scriptless IE is not worth it".
A new Bagle variant is making the rounds. Discovered July 5th, this week's top threat, W32/Bagle.AD-mm has earned a medium threat severity level from several antivirus vendors for its high distribution and damage potential. Bagle.AD, similar to Symantec's Beagle.Z, spreads through e-mail as either an executable or a password protected zip file. Like previous variants, this Bagle attempts to remove Netsky infections, as well as stopping security and antivirus applications. See our top threat for more on this potentially prolific worm.
Spyware wins a round. Merijn Bellekom, the prolific programmer and spyware crusader, is calling it quits for now. On June 28th he announced the last update of his popular program CWShredder, the de facto standard for removing the porn-site-borne CoolWebSearch Trojan (CWS). CoolWebSearch is actually the name for a family of browser hijackers, all of which redirect users to coolwebsearch.com and other sites affiliated with its operators.
Merijn, a graduate student at the University of Utrecht in the Netherlands, wrote and supported CWShredder in his spare time while attending school. Far from being a one-trick pony, CWShredder has been updated for each new variety of CWS. In a farewell note and FAQ, Merijn wrote that while he has enjoyed keeping pace with CWS, "I simply do not have the tools to remove the latest variants, they are too aggressive or complicated to allow automated removal by CWShredder." Current versions of CWS are known to inject their hijacking code in many places, including default pages, the registry and even hidden processes.
Even without updates, Merijn's web site, www.spywareinfo.com, is a treasure trove of information, from utilities for troubleshooting browser hijacks (HijackThis) to in-depth Windows process analysis. The active SpywareInfo help forum, staffed by volunteers, will also continue to operate. We spoke with Nicholas Podrasky, Marketing Coordinator for Webroot Software, publisher of the anti-spyware product Spy Sweeper. Podrasky contends that Spy Sweeper is one of the best solutions for many varieties of CWS, though some of the latest strains are beyond any known solution.
Tuesday July 13 is Patch Tuesday for Microsoft. While Microsoft won't allow sneak peeks at the latest Security Bulletins, check our Security Bulletins and Vulnerability section for links to get the latest. We'll take a closer look at the patches and how they affect you in next week's Security Watch Letter.
Voice over IP (VoIP) may offer unbelievably low rates, and caller ID can help you sort out whom you want to talk to. However, according to a story in eWeek and The Register, hackers are using VoIP as a playground for spoofing caller IDs, as well as for unmasking unlisted numbers. On the PSTN (Public Switched Telephone Network) and cellular networks, if you block your number the phone company still knows it but doesn't pass it on, because the carriers are heavily regulated; once the call crosses into VoIP, no such rule applies. As the story puts it, "At root, the issue is what happens to a nugget of authentication data when it leaves the tightly-regulated realm of traditional telephony, and passes into the unregulated domain of the Internet."
Top Threat W32/Bagle.AD-mm
Executive Summary
Name: W32/Bagle.AD-mm
Affects: Windows XP/2000/9x/Me/NT
What it does: Bagle.AD spreads through e-mail and p2p file sharing programs. When it infects, it installs a back door and alerts the virus author of a compromised system. Bagle.AD attempts to stop antivirus and security software from running by removing their startup entries from the registry. It harvests e-mail addresses from the victim's hard drives, and sends out infected e-mail using its own SMTP engine. Bagle.AD also uses multipurpose mutexes to block Netsky infections, and removes Netsky related files and registry entries.
How to prevent it: Use an updated antivirus product, with e-mail and on-access scanning set to all files and archives. Do not open attachments you are not expecting, even from people you know, since the worm spoofs its sender address. Use a personal firewall and block TCP port 1234. If you use peer-to-peer file sharing services such as Kazaa, scan every file you receive before opening it. Do not download the bait files listed below.
Infection removal: The easiest way to remove Bagle is with an online scanner or an installed antivirus product. If you don't have an antivirus product, you can use one of these free scanners: Trend Micro's free online scanner, HouseCall; McAfee's Stinger tool; Panda Software's ActiveScan; or Symantec's removal tool.
Fact file
Type of virus: Windows 32 executable
Aliases: W32/bagle.ad@mm [McAfee], Worm.bagle.AD [Trend Micro], I-worm.Bagle.aa [Kaspersky]
Main Executable file: Loader_name.exe
Executable size: varies, 62K to 67K
Date Discovered: July 4 2004
Systems affected: Windows XP/2000/9x/Me/NT
Systems not affected: DOS, Windows 3.x, Linux, Mac, OS/2, Unix
Subject: varies
Message: varies
Attachment: varies; can be an executable or a password-protected zip file.
Details
The most common way to catch Bagle.AD is through an infected e-mail message. The worm randomly selects a subject, message body and attachment name from the lists below. The "From" address is spoofed from a pool of harvested e-mail addresses. Bagle.AD scans the victim's hard drive for files with specific extensions and collects e-mail addresses, which are used as both sender and recipient on outgoing mail. Bagle uses its own SMTP engine to send copies of itself to the collected addresses. It avoids e-mail addresses containing certain strings, such as "Messagelab" or "Microsoft", presumably to stay clear of antivirus vendors and honeypots.
Trend Micro reports that Bagle.AD may use password-protected zip files, in which case the subject and message differ. The zip file contains a copy of the worm and a random second file with one of several extensions; the password is supplied elsewhere in the message, so a gateway scanner cannot open the archive. Trend also notes that the attachments may carry a "Notepad" icon.
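A mail gateway cannot open a password-protected archive, but it does not need to: the zip headers still say which entries are encrypted and what their file names are. The following script is an added example (not code from the newsletter or from any of the vendors cited) that triages an attachment on exactly those two signals, flagging the Bagle.AD pattern of an encrypted entry with an executable extension. Python's zipfile module cannot write encrypted archives, so the fixture builder sets the encryption flag bit in the headers after the fact; the sample archive contents, the extension list and the verdict names are constructed assumptions.

```python
"""Triage a zip attachment without extracting it: encrypted entry plus an
executable extension inside is the Bagle.AD mass-mailer pattern.

Added example for this write-up; the extension denylist, verdict strings and
the fixture data are assumptions of this example, not vendor data.
"""
import io
import os
import struct
import zipfile

# Extensions a gateway would refuse inside an archive (assumed denylist).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".cpl", ".hta"}

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in local and central headers


def triage_zip_attachment(data: bytes) -> dict:
    """Return {'verdict', 'encrypted', 'executables'} for the archive bytes.

    verdict is 'not_zip', 'quarantine' (encrypted AND executable inside),
    'suspicious' (one of the two) or 'clean'.  Nothing is ever extracted,
    so the password in the mail body is irrelevant to this check.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "not_zip", "encrypted": [], "executables": []}

    encrypted, executables = [], []
    for info in zf.infolist():
        name = info.filename
        if info.flag_bits & ENCRYPTED_FLAG:
            encrypted.append(name)
        # Only the final extension counts, case-insensitively, so that
        # "invoice.pdf.SCR" is still caught.
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            executables.append(name)

    if encrypted and executables:
        verdict = "quarantine"
    elif encrypted or executables:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "encrypted": encrypted, "executables": executables}


def build_fixture_zip(entries: dict, mark_encrypted: bool) -> bytes:
    """Build an in-memory zip for testing (constructed data).

    zipfile cannot produce encrypted archives, so when mark_encrypted is set
    the encryption flag bit is patched into every local (PK\\x03\\x04, flags at
    offset 6) and central (PK\\x01\\x02, flags at offset 8) header.  Any zip
    parser then reports the entries as encrypted, which is all the triage
    above looks at; the payload bytes are not real ciphertext.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + flag_off)
                struct.pack_into("<H", data, pos + flag_off, flags | ENCRYPTED_FLAG)
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    # Constructed stand-in for a Bagle-style attachment: a PE-looking file
    # plus a random text file, both marked encrypted.
    bagle_like = build_fixture_zip(
        {"loader_name.exe": b"MZ" + b"\x90" * 64, "readme.txt": b"random text"},
        mark_encrypted=True,
    )
    print(triage_zip_attachment(bagle_like))
```

Because the check never touches the compressed data, it also works on archives whose password is delivered as an image, the trick the Symantec notes below describe; a policy that quarantines on the `quarantine` verdict and holds `suspicious` for review blocks this family of attachments without any signature for the worm itself.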
When Bagle starts, it displays an error message as shown in Figure 1. Once it infects, it guards its territory jealously against its arch rival, Netsky, as well as against security and antivirus programs.
Bagle creates one of seven mutexes on the victim's system to prevent more than one copy of the worm from running. Since these are the same mutexes that some Netsky variants check for, they also block a Netsky infection. Bagle.AD also removes the startup values of security and antivirus products from the following Windows Registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
According to Trend Micro, Bagle.AD creates a series of files in the Windows System folder, including:
loader_name.exe
loader_name.exeopen
loader_name.exeopenopen
Symantec notes several more conditional files:
loader_name.exeopenopenopen (An image file, dropped if the e-mail attachment is a .zip file. This file contains an image of the password.)
loader_name.exeopenopenopenopen (A text file, dropped if the e-mail attachment is a .zip file. The file contains random text.)
Bagle.AD adds the following Registry key and value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"reg_key" = "%System%\loader_name.exe"
This allows Bagle to start automatically when the victim's PC boots. Depending on the report, the worm then opens a backdoor on TCP port 1234, turning the machine into an e-mail relay zombie, and reports system information back to the virus author. Trend Micro, however, says this feature is disabled and doesn't work.
In addition to spreading by e-mail, Bagle.AD seeds peer-to-peer file sharing folders with attractive but infected files. Bagle.AD scans the user's local drives for any folder whose name contains the string "Shar", such as "Kazaa Shared", and copies a number of bait files into it. Each is an executable copy of the worm. On some machines this can add up to a lot of files, which makes cleaning tedious.
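Since every bait file is a copy of the same executable, the seeded files can be enumerated by the two properties the write-up gives (an .exe sitting in a folder whose name contains "shar") and confirmed by the fact that they all hash identically. The script below is an added example, not code from the newsletter: it walks a drive for such files, applies an optional size window taken from the 62K to 67K figure in the fact file (an assumption, since later variants may differ), and groups the hits by SHA-256 so that one confirmed sample identifies every other copy. The directory layout it builds for the demonstration is constructed test data.

```python
"""Enumerate Bagle.AD-style P2P bait files: executables dropped into any
folder whose name contains "shar" (case-insensitive), then group them by
content hash so one confirmed sample vouches for all the other copies.

Added example for this write-up; the size window and the fixture tree are
assumptions of this example, not vendor data.
"""
import hashlib
import os
import tempfile

SHARE_MARKER = "shar"  # matches "Kazaa Shared", "My Shared Folder", ...


def find_bait_files(root, size_range=(60_000, 70_000)):
    """Return sorted paths (relative to root, '/' separated) of .exe files
    that sit directly in a share-like folder.  size_range narrows the hits
    to the worm's reported size; pass None to list every such executable."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if SHARE_MARKER not in os.path.basename(dirpath).lower():
            continue
        for fn in filenames:
            if not fn.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, fn)
            if size_range is not None:
                lo, hi = size_range
                if not lo <= os.path.getsize(full) <= hi:
                    continue
            hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def group_by_hash(root, rel_paths):
    """Map SHA-256 hex digest -> list of relative paths with that content.
    Bait copies of one worm collapse into a single group."""
    groups = {}
    for rel in rel_paths:
        with open(os.path.join(root, rel), "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        groups.setdefault(digest, []).append(rel)
    return groups


def make_fixture_tree():
    """Create a constructed directory layout in a temp dir and return its root:
    two share folders seeded with identical 63K stand-in executables, a share
    folder holding a small legitimate installer, and an unrelated folder."""
    root = tempfile.mkdtemp(prefix="bagle_demo_")
    worm_stub = b"MZ" + b"\x00" * 63_000          # stand-in bytes, not malware
    small_prog = b"MZ" + b"\x00" * 10_000         # outside the size window
    layout = {
        "Kazaa Shared/bait_a.exe": worm_stub,
        "Kazaa Shared/bait_b.exe": worm_stub,
        "Shared Downloads/bait_c.exe": worm_stub,
        "My Shared Folder/setup.exe": small_prog,
        "My Shared Folder/notes.txt": b"not an executable",
        "Documents/report.exe": worm_stub,        # not in a share folder
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = make_fixture_tree()
    bait = find_bait_files(demo_root)
    for digest, paths in group_by_hash(demo_root, bait).items():
        print(digest[:16], len(paths), "copies:", ", ".join(paths))
```

On a real machine the root would be each local drive; the hash groups are what make cleanup safe, because a copy under "Documents" that the folder-name rule misses can still be matched by digest against a confirmed bait file.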
Removing Bagle.AD manually