News archive about antivirus software, virus threats, trojans |
 |
August 2003
Beware! Viruses Now Attack Cartographic Programs -- Posted by Igor_Donchenko on Thursday, August 28 2003
Kaspersky Labs, an information security expert, reports the detection of the very first virus to infect MapInfo (one of the most popular programs for cartographic and geographic analysis) tables.
The MBA.First virus is activated when infected MapInfo tables are opened. Once launched, the virus spreads to all other detected MapInfo tables. Depending on the infected computer's system date, the virus may, with varying probability, delete MapInfo table files.
The MapInfo program, developed by the MapInfo Corporation (www.mapinfo.com), enjoys worldwide popularity. A distinctive feature of the program is its own programming language, MapBasic, which makes it possible to create user applications.
The MBA.First virus, the first known virus targeting MapInfo cartographic programs, is a binary file written in the MapBasic language.
Source: http://www.avp.ru
 |
Sobig.F to access AOL Time Warner server for information -- Posted by Igor_Donchenko on Monday, August 25 2003
BitDefender specialists today revealed hidden, encrypted information in the Sobig.F virus body, reporting that the virus looks for information on a server in the USA. That information contains an Internet address from which the virus downloads a file and executes it on the infected system.
"Apart from the twenty servers from which the worm tries to download its Trojan executable, Sobig.F also includes encrypted information about 7 (seven) URLs, all of them belonging to a US-based ISP - Time Warner Telecom", says Mihai Chiriac, BitDefender Virus Researcher. "The code is quite straight-forward and accurately indicates that the virus asks for information at this address, waits for the answer and then runs the downloaded file on the infected host. As for the moment, there is no information at any of these addresses, we can't predict the code's effects", Mihai concluded.
The virus contains the following Internet addresses, currently in possession of Time Warner Telecom - an independently owned and operated company:
- mx1.mail.twtelecom.net
- mx2.mail.twtelecom.net
- ns1.orng.twtelecom.net
- ns1.snan.twtelecom.net
- ns1.iplt.twtelecom.net
- ns1.milw.twtelecom.net
- ns1.nycl.twtelecom.net
The addresses found on the ISP's servers could lead to the download and execution of a Trojan on the infected systems, the specialists affirm.
AOL Time Warner owns approximately 43.9 percent of Time Warner Telecom's outstanding stock.
 |
Good Viruses Simply Don't Exist -- Posted by Igor_Donchenko on Saturday, August 23 2003
The appearance of the "Welchia" network worm has provoked lively debate over the legitimacy of malware programs that battle other malware. Unfortunately many users have failed to properly weigh the relative benefits and disadvantages of "Welchia". Kaspersky Labs feels it is important to shed light on the situation.
There is no such thing as a good virus. The side effects caused by "Welchia" in deleting "Lovesan" and its attempts to update Windows are just the tip of the iceberg. Users need to be aware of the vital issues lying hidden just beneath the water line.
Firstly, "Welchia" is guilty of breaking into computers, an unambiguously criminal act. The worm makes every effort to hide itself and even attacks IIS servers, leaving them vulnerable. Moreover, the worm only installs the Windows patch, but does not reboot computers. Until a reboot is done a system is still vulnerable, and in the case of servers and machines which are rarely rebooted, the "beneficial" effect of the worm is nil.
Secondly, the network worm modifies infected systems and downloads potentially dangerous objects (an FTP server module and a carrier-file containing the malicious program). These objects can lead to operating system malfunctions and open breaches that can be exploited by evildoers. For example, using an FTP server makes it easy to steal sensitive information from infected systems.
Thirdly, "Welchia" creates malicious data streams that compromise the owners of infected machines and which require additional payments for network traffic. These data streams clog up Internet channels and can potentially provoke a global Internet catastrophe. If the number of infected systems passes a certain threshold, the volume of virus traffic could overload data transmission channels and lead to an Internet-wide slowdown.
Finally, the worm gives users a false sense of security and promotes passivity with regard to self-security. Such user apathy and inaction can lead to unpredictable consequences. The Internet could turn into a virus battlefield where network traffic is soaked up by a pack of malicious programs battling each other for supremacy.
Kaspersky Labs stresses that there is no such thing as a good virus. There are destructive viruses and seemingly harmless viruses. Nevertheless, all viruses commit cyber crimes in that they conduct unauthorized activities and have negative side effects. Additionally, rather than hope for an "anti-virus virus", it is far better for users to actively protect their own machines. This is the only way to significantly prevent malicious programs from penetrating computer security systems and to avert increasing Internet chaos.
Source: http://www.avp.ru
 |
Received wicked attachments? Beware! -- Posted by Igor_Donchenko on Tuesday, August 19 2003
Sobig.F (Win32.Sobig.F) is a worm that spreads very fast via email and network shares.
"We keep receiving HUNDREDS of infected e-mails at every send-receive", said Sorin Dudea, Head of Virus Research at BitDefender. "The virus seems to have been released somewhere in Asia, but now spreads on all continents at an amazing speed. It has to be related to its ability to use EVERY e-mail address in the computer - found in files like html, wab, mht, hlp, txt, eml, htm, dbx (all enclosing e-mail addresses). I have never seen such fast spreading in such short time: I have colleagues in the commercial team that have already received thousands of infected e-mails and they just keep receiving them", Sorin concluded.
The worm fakes the sender's e-mail address, often succeeding in deceiving inexperienced computer users and making it very hard to recognize the infected systems. The virus uses subject lines like:
- "Re: That movie"
- "Re: Wicked screensaver"
- "Re: Your application"
- "Re: Approved"
- "Re: Re: My details"
- "Re: Details"
- "Your details"
- "Thank you!"
In the message body, the author wrote nothing more than "Please see the attached file for details." or "See the attached file for details". The names of the attached files are chosen from a rather short list:
- movie0045.pif
- wicked_scr.scr
- application.pif
- document_9446.pif
- details.pif
- your_details.pif
- thank_you.pif
- document_all.pif
- your_document.pif
Sobig.F also attempts to spread by copying itself to network shares, and it stops spreading after September 10, 2003.
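A mail-gateway check built from the subject lines, body text and attachment names listed above, as an added example (not BitDefender's code and not part of the original report). The `.pif`/`.scr` extension rule is an assumption that goes beyond the published list so a renamed attachment is still caught; all sample messages are constructed.

```python
from email import message_from_string
from email.message import EmailMessage

# Indicators quoted in the report above (compared case-insensitively).
SUBJECTS = {
    "re: that movie", "re: wicked screensaver", "re: your application",
    "re: approved", "re: re: my details", "re: details",
    "your details", "thank you!",
}
BODIES = {
    "please see the attached file for details.",
    "see the attached file for details",
}
ATTACHMENTS = {
    "movie0045.pif", "wicked_scr.scr", "application.pif",
    "document_9446.pif", "details.pif", "your_details.pif",
    "thank_you.pif", "document_all.pif", "your_document.pif",
}
# Assumption (not from the report): any .pif/.scr attachment is risky.
RISKY_EXTENSIONS = (".pif", ".scr")


def _norm(text):
    """Collapse whitespace and lowercase, so 'Thank you! ' still matches."""
    return " ".join(text.split()).lower()


def sobig_f_indicators(raw_message):
    """Return the indicators found in one RFC 822 message, in document order."""
    msg = message_from_string(raw_message)
    hits = []
    if _norm(msg.get("Subject") or "") in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        name = _norm(part.get_filename() or "")
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.endswith(RISKY_EXTENSIONS):
            hits.append("risky-extension:" + name)
        elif not name and part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if _norm(body.decode("latin-1")) in BODIES:
                hits.append("body")
    return hits


def verdict(raw_message):
    """Quarantine on an attachment hit; subject or body text alone only flags."""
    hits = sobig_f_indicators(raw_message)
    if any(h.startswith(("attachment:", "risky-extension:")) for h in hits):
        return "quarantine"
    return "review" if hits else "pass"


def build_sample(subject, body, attachment=None):
    """Build a constructed message; From is ignored because the worm forges it."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ-constructed", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


# Constructed samples, not captured traffic.
SAMPLE_WORM = build_sample("Re: Details",
                           "Please see the attached file for details.",
                           "your_details.pif")
SAMPLE_RENAMED = build_sample("Holiday", "Look at this", "photos.SCR")
SAMPLE_BENIGN_REPLY = build_sample("Re: Details", "Sending the agenda on Monday.")
SAMPLE_CLEAN = build_sample("Minutes", "Notes attached.", "minutes.txt")

if __name__ == "__main__":
    for s in (SAMPLE_WORM, SAMPLE_RENAMED, SAMPLE_BENIGN_REPLY, SAMPLE_CLEAN):
        print(verdict(s), sobig_f_indicators(s))
```

A legitimate reply that merely reuses one of the generic subjects is only flagged for review, since subjects such as "Re: Details" are common in normal mail.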
 |
Welchia - The Anti-Virus Virus? -- Posted by Igor_Donchenko on Tuesday, August 19 2003
Kaspersky Labs warns users about a new Internet worm Welchia. Welchia seeks out computers infected by Lovesan (Blaster), disinfects them and installs the Windows patch. Experts at Kaspersky Labs have registered multiple instances of infections by this malware.
Welchia belongs to the family of viruses that attack other malware, fighting for control of the system. The most famous worm of this group appeared in September 2001: the CodeBlue worm, which scanned the Internet for machines infected by the CodeRed worm and disinfected them.
Welchia breaches computers using the same DCOM RPC vulnerability that Lovesan used. However, Welchia also uses the WebDAV vulnerability in IIS 5.0 (a Windows web-server component). The worm scans for active machines and attacks via ports 135 (DCOM vulnerability) and 80 (WebDAV vulnerability). Once victim machines have been identified, the worm proceeds to download the carrier-file and register itself as DLLHOST.EXE in the WINS subfolder in the Windows system folder (%System%\WINS\Dllhost.exe), creating an automatic service - WINS Client.
After installation, the worm sets out to remove Lovesan. Welchia scans for the MSBLAST.EXE process, ends the process and deletes the MSBLAST.EXE file. Welchia then scans the Windows system registry and looks for installed patches. If the patch for the DCOM RPC vulnerability has not been installed, Welchia will initiate the downloading process. Once the patch is successfully downloaded and executed, the worm re-boots the computer to complete installation.
Welchia has already spread around the world and should probably decrease Lovesan infections in about a week's time. Nevertheless, it is important to stress that there are no good viruses. "Even seemingly useful and harmless viruses will never replace anti-virus software", said Denis Zenkin, Head of Corporate Communications at Kaspersky Labs, "The passivity displayed by many users during the Lovesan epidemic caused the Internet to overload and seems to have inspired someone to create Welchia. It would be a shame if such user passivity turns the Internet into a battleground for competing viruses".
Source: http://www.avp.ru
 |
Important! Antidotes for Lovesan -- Posted by Igor_Donchenko on Thursday, August 14 2003
Free tools deleting Lovesan (Blaster): from Kaspersky Labs, from Symantec.
Don't forget to apply MS03-026 patch for Windows
Manual removal instructions from Trend Micro:
Terminating the Malware Program
This procedure terminates the running malware process from memory.
- Open Windows Task Manager, press CTRL+SHIFT+ESC, and click the Processes tab.
- In the list of running programs, locate the process: MSBLAST.EXE
- Select the malware process, then press the End Process button.
- To check if the malware process has been terminated, close Task Manager, and then open it again.
- Close Task Manager.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
- Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
- In the right panel, locate and delete the entry:
"windows auto update" = MSBLAST.EXE
- Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
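The two manual steps above, checked offline against data collected from a host, as an added example (not Trend Micro's code and not part of the original page). It assumes the decoded text of a `reg export` of the Run key and the output of `tasklist /FO CSV /NH`; the sample inputs and the value name `updater` are constructed, and TEEKIDS.EXE is the carrier file name this page reports for the later variant.

```python
import csv
import io
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
BAD_VALUE_NAMES = {"windows auto update"}    # autostart entry named above
BAD_IMAGES = {"msblast.exe", "teekids.exe"}  # carrier file names from this page

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", text)


def image_name(command):
    """Lowercase file name of the program a Run command line starts."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def scan_run_key(reg_export):
    """Return (value name, data) pairs in the Run key that match the worm."""
    findings, key = [], ""
    for line in reg_export.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = VALUE.match(line)
        if not value or key.lower() != RUN_KEY.lower():
            continue
        name, data = _unescape(value.group(1)), _unescape(value.group(2))
        # Match on the value name OR the program, so a renamed entry is found.
        if name.lower() in BAD_VALUE_NAMES or image_name(data) in BAD_IMAGES:
            findings.append((name, data))
    return findings


def running_worm_images(tasklist_csv):
    """Image names in `tasklist /FO CSV /NH` output that match the worm."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return sorted({r[0].lower() for r in rows if r and r[0].lower() in BAD_IMAGES})


def removal_plan(reg_export, tasklist_csv):
    """Commands in the order of the manual procedure: process, then registry."""
    plan = ["taskkill /F /IM " + img for img in running_worm_images(tasklist_csv)]
    for name, _data in scan_run_key(reg_export):
        plan.append('reg delete "HKLM\\Software\\Microsoft\\Windows'
                    '\\CurrentVersion\\Run" /v "%s" /f' % name)
    return plan


# Constructed inputs, not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundDriver"="\"C:\\Program Files\\Audio\\snd.exe\" /tray"
"windows auto update"="msblast.exe"
"updater"="C:\\WINDOWS\\system32\\teekids.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
'''
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","16 K"
"svchost.exe","812","Console","0","3,204 K"
"MSBLAST.EXE","1408","Console","0","1,432 K"
'''

if __name__ == "__main__":
    for command in removal_plan(SAMPLE_REG, SAMPLE_TASKLIST):
        print(command)
```

The plan lists a registry entry even when its program is not currently running, which is the case the NOTE above covers: the autostart entry must still be removed before the next restart.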
 |
VX Community vs. Microsoft - the first battle -- Posted by Igor_Donchenko on Thursday, August 14 2003
BitDefender Labs warns against a possible massive attack against the Microsoft Windows Update website, scheduled for tomorrow, August 15, 2003. This attack might be due to the recent virus Msblast (also known as Blaster or Lovesan), which has already infected hundreds of thousands of computers. Its three versions contain instructions to launch a Denial of Service (DoS) attack against windowsupdate.com, beginning tomorrow.
"Is that the response to Microsoft recent efforts to secure its software by all means, even by "shopping" small antivirus producers? Or maybe the first combat from a long war? Probably, it's not for us to say it... Anyway, this could be the beginning of a "campaign" - initiated by VX-ers (virus writers groups) and taken further by script-kiddies freaks", Bogdan Irina, Marketing and Sales Director at BitDefender noted. "The authors of the last two versions have just changed the enclosed strings (probably lacking the virus source and documentation), so they just agreed with the first idea and thought to add AV producers to the list (see the injurious line for the Antivirus Makers in the virus body). We believe that other versions of the same threat could outbreak, at least as long as the users don't promptly update their systems", Bogdan concluded.
While most users were affected by the last virus versions, requiring new antivirus updates, BitDefender users had no need to ask for new virus definitions. Unlike other antivirus products, BitDefender's new scanning engines scan the code (not the full data), avoiding the need for an update at every slight modification of the virus.
BitDefender warned that the RPC vulnerability could be exploited in its monthly "Evil Top Ten" (published on 30.07.2003), after the Chinese X Focus security group released source code designed to allow remote intrusions on Windows computers. "As security researchers warn, there is probably much to be heard from this new breach..."
 |
A New Version of The "Lovesan" Worm Is On The Loose -- Posted by Igor_Donchenko on Thursday, August 14 2003
Kaspersky Labs reports the detection of a new modification of the notorious "Lovesan" worm (also known as "Blaster").
Kaspersky Labs' experts anticipate that a repeat outbreak on a global scale may occur in the short run. This is because the two versions of "Lovesan" exploit the same vulnerability in Windows and may co-exist on the same computer. "In other words, all computers infected by the original "Lovesan" will soon be attacked by its revamped version," commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs, "Taking into consideration that the amount of infected systems is now reaching 300,000 the return of the worm will imply a doubling of this number and lead to unpredictable results." In the worst-case scenario the world community might face a global Internet slow-down and regional disruption of access to the World Wide Web, just as happened in January 2003 due to the "Slammer" worm.
Technologically, the new modification of "Lovesan" is a copycat of the original. Slight changes were made only to the appearance of the worm: a new name of the main worm-carrier file (TEEKIDS.EXE instead of MSBLAST.EXE), a different method of code compression (FSG instead of UPX), and new "copyright" strings in the body of the worm abusing Microsoft and anti-virus developers.
Source: http://www.avp.ru
 |
Virus outbreak! A worm using the DCOM RPC vulnerability is quickly spreading throughout the Internet -- Posted by Igor_Donchenko on Thursday, August 14 2003
Virus Alert Service of DialogueScience, Inc. reports a new Internet worm that is spreading very quickly. To propagate, the worm uses the so-called DCOM RPC vulnerability of MS Windows 2000/XP revealed last month (see our news on this vulnerability). Dr.Web anti-virus software detects the worm as Win32.HLLW.LoveSan.11296; other anti-virus companies know it as W32/Lovsan.worm, W32.Blaster.Worm, WORM_MSBLAST.A.
The worm hits unpatched computers running Windows 2000/XP. This malware exists in the form of a file named msblast.exe, 6,176 bytes in length, packed with the UPX compression utility. The presence of the worm can be detected by a substantial increase in network traffic on port 135 (DCOM RPC) and spontaneous shutdown of computers running Windows XP (under Windows 2000 there will be a message about an svchost.exe program error).
Having hit a computer, the worm scans random IP addresses via port 135 (starting in the local subnetwork and then moving outside) in search of new victims, i.e. computers vulnerable to the DCOM RPC flaw. If such a computer is found, the worm sends to its port 135 a specially crafted request intended to give the "attacking" computer complete access to the "attacked" one; if it succeeds, port 4444 is opened on the attacked computer to listen for remote commands. Simultaneously, the original attacker creates several threads listening on port 69, and when a TFTP request from its newly affected victim is received, it sends a command to download its own code (the file msblast.exe), place it in the Windows\System folder and run it. To be started automatically at every Windows session, the worm adds a reference to itself to the system registry. From that point the new victim starts acting as an independent source of infection.
To prevent users from downloading the MS03-026 patch from Microsoft's site, the worm may start DoS (Denial of Service) attacks against windowsupdate.com from August 16, 2003.
Source: http://www.antivir.ru
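The traffic pattern described above (a sweep of port 135, a connection to port 4444 on the victim, then a TFTP request from the victim back to port 69 on the attacker) turned into a log correlation, as an added example that is not part of the original report. The key=value log format, the addresses and the `min_targets` threshold are constructed assumptions, and the code assumes TCP for ports 135 and 4444 and UDP for TFTP on port 69.

```python
import re
from collections import defaultdict

# Hypothetical key=value firewall log format; adapt the regex to your own logs.
LINE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\d+)")


def analyse(lines, min_targets=5):
    """Map each TCP/135 scanner to the hosts it probed and likely infected."""
    probed = defaultdict(set)  # source -> hosts contacted on TCP/135
    shell = set()              # (source, host) connections to TCP/4444
    tftp = set()               # (host, source) requests to UDP/69
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # ignore lines in other formats
        src, dst = m.group(1), m.group(2)
        proto, dpt = m.group(3).upper(), int(m.group(4))
        if proto == "TCP" and dpt == 135:
            probed[src].add(dst)
        elif proto == "TCP" and dpt == 4444:
            shell.add((src, dst))
        elif proto == "UDP" and dpt == 69:
            tftp.add((src, dst))
    report = {}
    for src, targets in probed.items():
        if len(targets) < min_targets:
            continue  # a handful of RPC peers is normal in a Windows network
        # Infection is likely only when both follow-up steps are seen:
        # scanner -> host on 4444, and host -> scanner on 69.
        infected = sorted(h for h in targets
                          if (src, h) in shell and (h, src) in tftp)
        report[src] = {"probed": len(targets), "likely_infected": infected}
    return report


def build_sample_log():
    """Constructed log lines covering a scanner, one victim and benign RPC."""
    lines = []
    # 10.0.0.5 sweeps twenty neighbours on TCP/135.
    for i in range(10, 30):
        lines.append("t=%d SRC=10.0.0.5 DST=10.0.0.%d PROTO=TCP DPT=135" % (i, i))
    # 10.0.0.17 shows the full sequence: 4444 in, TFTP request back out.
    lines.append("t=31 SRC=10.0.0.5 DST=10.0.0.17 PROTO=TCP DPT=4444")
    lines.append("t=32 SRC=10.0.0.17 DST=10.0.0.5 PROTO=UDP DPT=69")
    # 10.0.0.21 saw a 4444 attempt but never fetched the file.
    lines.append("t=33 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP DPT=4444")
    # An admin workstation using RPC against two servers stays below threshold.
    lines.append("t=40 SRC=10.0.0.200 DST=10.0.0.2 PROTO=TCP DPT=135")
    lines.append("t=41 SRC=10.0.0.200 DST=10.0.0.3 PROTO=TCP DPT=135")
    lines.append("t=42 malformed line")
    return lines


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```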
 |
Windows Is Attacked Again -- Posted by Igor_Donchenko on Wednesday, August 13 2003
Kaspersky Labs warns users of a large-scale attack by a new Internet worm. Lovesan has become one of the top three malware programs worldwide in a matter of hours.
Lovesan exploits the DCOM RPC vulnerability in Windows which was identified about a month ago. In theory, Lovesan can infect computers without the users' knowledge and proceed to wreak havoc in their system. In practice, the worm focuses on infecting new machines.
Lovesan is the second malware program 'in the wild' that exploits this vulnerability. Autorooter, a worm identified only a week ago, was the first contender to utilize this breach. However, since Autorooter did not have a functioning self-replication module it did not cause any large-scale damage.
Last week Kaspersky Labs predicted that virus writers might perceive the potential capabilities of Autorooter and create a fully functional version. Unfortunately, it took only a week for Lovesan to surface.
"Virus writers have focused on the DCOM RPC vulnerability for two reasons: the intense interest evinced by the media in Autorooter and the easy to use instructions for building a complete version that are available on many second-rate websites today," comments Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs.
Lovesan scans the Internet searching for vulnerable computers. It checks TCP port 135 and, if the Microsoft patch has not been installed, the worm initiates its attack. The worm proceeds to download the main carrier, Msblast.exe, which is then registered in the Windows system autorun key.
Lovesan is potentially dangerous for individual users if their computers have already been breached. Today, however, the danger lies in the massive increase in excess Internet traffic caused by the worm's self-replication rate. Eugene Kaspersky warns "The Internet is still in danger. Even though the 1.8 second pause built into Lovesan has prevented a repeat of the Slammer scenario, when the Internet was significantly slowed and even fragmented, Lovesan continues to be a real threat."
As a matter of fact, we have not seen the last of Lovesan: the worm has a built-in DDoS attack on the Windowsupdate.com server scheduled for August 16, 2003. The server, which is the definitive source for all Microsoft patches, will be flooded with data from infected computers and may become dysfunctional or even crash.
Source: http://www.avp.ru
 |
Top Ten viruses most frequently detected by Panda ActiveScan in July -- Posted by Igor_Donchenko on Friday, August 8 2003
In July, the 'B' variant of Bugbear was once again recorded as the virus affecting most computers according to the data gathered by Panda ActiveScan. For the second month running, this malicious code heads the Top Ten ranking of viruses detected by Panda Software's free online virus scanner, which has also seen the increasing prevalence of Mapson, and two variants of the Fortnight virus in the top five.
The data compiled by Panda ActiveScan shows that Bugbear.B was responsible for a total of just under nine percent of total recorded incidents followed by Mapson (7.36%), Trj/PSW.Bugbear.B (5.08%), Fortnight.E (4.81%) and Fortnight.D (4.02%). The bottom half of the list includes: Klez.I, Parite.B, Bugbear.B.Dam, Bugbear and Enerkaz.
The most notable developments in this month's rankings include:
- The dominance of the Bugbear family: four of the ten most virulent malicious code belong to this family, including the leader in the ranking.
- The increasing prevalence of Mapson, which has moved from third to second spot.
- The presence of Fortnight.E and Fortnight.D in fourth and fifth place. The 'E' variant only appeared at the end of June, which is why it wasn't in last month's list, while the 'D' variant has risen from seventh place.
- The impact of Klez.I continues to decrease, dropping from fourth place last month to sixth place in the latest list.
| Ranking | Virus Name | Percentage, % |
|---|---|---|
| 1 | W32/Bugbear.B | 8.56 |
| 2 | W32/Mapson | 7.36 |
| 3 | Trj/PSW.Bugbear.B | 5.08 |
| 4 | JS/Fortnight.E | 4.81 |
| 5 | JS/Fortnight.D | 4.02 |
| 6 | W32/Klez.I | 3.86 |
| 7 | W32/Parite.B | 3.07 |
| 8 | W32/Bugbear.B.Dam | 2.31 |
| 9 | W32/Bugbear | 2.16 |
| 10 | W32/Enerkaz | 2.14 |
Source: http://www.pandasoftware
 |
Autorooter - One More Reason To Patch Your Computer -- Posted by Igor_Donchenko on Friday, August 8 2003
Kaspersky Labs has detected a new Internet worm - Autorooter. Autorooter has already been sent as spam to many email recipients. Fortunately, the self-replication segment of the worm is not activated so it has not spread widely yet.
However, Autorooter attacks a breach in Windows NT, 2000 and XP that was discovered only 2 weeks ago. Kaspersky Labs experts predict that the author of Autorooter may still activate the self-replication functions of the worm. Therefore, Kaspersky Labs urges all users to download the necessary patch from Microsoft.
The Autorooter is a hybrid - part Internet worm and part backdoor Trojan. The packet consists of three components - the worm carrier, a module for file exchange by FTP and the attack module (via the Microsoft breach).
The attack module first causes an OS buffer overrun and then loads the remaining components. This breach was identified a few weeks ago and Microsoft has released a patch.
Once the worm itself is loaded it initiates the spread and installation of further components. Since the self-replication function of Autorooter is currently not operational, the worm does not continue spreading via the Internet. However, the built-in FTP server module loads the trojan IRCbot. This, in turn, allows the hacker controlling the trojan to manipulate the infected computer.
"We believe that this version of Autorooter is only the experimental one. A more viable version is likely to appear and cause serious damage to the Internet", comments Eugene Kaspersky, Head of Anti-Virus Research and founder of Kaspersky Labs, "it is possible that the author of Autorooter wanted to create a network of infected computers before launching a major virus epidemic or hacker attack".
Source: http://www.avp.ru
 |
Mimail - A New Attack Via an Old Breach -- Posted by Igor_Donchenko on Friday, August 8 2003
Kaspersky Labs would like to inform you about Mimail, a new Internet worm. Our round-the-clock technical support has already heard of numerous computers infected with this new worm.
Mimail is a typical Internet worm that is spread via email. Infected mail contains a false sender address making it difficult to identify the sender and contains the following text:
Subject: your account 'number' (this is a random number)
Body: Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
Best regards, Administrator
Attached file: message.zip
Mimail is similar to other worms such as Klez and Lentin (Yaha) in that it enters using security breaches in Internet Explorer. The attachment, MESSAGE.ZIP contains another file - MESSAGE.HTML.
If the user opens MESSAGE.HTML, the built-in JavaScript enters via Exploit.SelfExecHTML and copies itself to disk. It then drops a carrier file named VIDEODRV.EXE and registers this file in the Windows registry autorun key. Thus, VIDEODRV.EXE is launched every time the computer is rebooted.
Mimail also creates several other files in the Windows directory: EXE.TMP - an HTML worm, ZIP.TMP - an archive worm and EML.TMP - the email part.
Microsoft discovered the Exploit.SelfExecHTML problem in March 2002 and has released a special patch for Internet Explorer. Kaspersky Labs strongly recommends downloading this patch in order to prevent further security issues via this breach.
The rapid spread of Mimail is a good reminder that dangerous programs are not only found in EXE files. "It is always a good idea to check all files for viruses before booting up", comments Eugene Kaspersky, founder of Kaspersky Labs and head of anti-virus research.
Mimail continues to spread by scanning separate directories on the local hard drive. It extracts email-like text strings and records them into EML.TEMP in the Windows directory. Mimail then uses a direct connection to the mail server to send copies of itself to these recipients.
Mimail is likely to be the work of Russian virus writers. The hackers used technology practically identical to the Trojan StartPage, which was also written in Russia.
"We were lucky this time", notes Eugene Kaspersky, "Mimail is a relatively harmless worm with no serious side effects. The danger is that Mimail takes advantage of a vulnerability in the Internet Explorer, which provides a dangerous precedent for other virus writers and hackers."
Source: http://www.avp.ru
 |
The July Virus Top Twenty from Kaspersky Labs -- Posted by Igor_Donchenko on Friday, August 8 2003
Kaspersky Labs presents the Virus Top 20 for the month of July 2003.
The percentage shown represents the percentage of registered incidences.
| Position | Virus | Percentage by Occurrence |
|---|---|---|
| 1 | I-Worm.Tanatos | 8,60% |
| 2 | I-Worm.Sobig | 6,56% |
| 3 | I-Worm.Lentin | 4,15% |
| 4 | I-Worm.Klez | 3,59% |
| 5 | Macro.Word97.Saver | 2,37% |
| 6 | TrojanDropper.JS.Mimail | 1,50% |
| 7 | Macro.Word97.Thus | 1,48% |
| 8 | VBS.Redlof | 0,97% |
| 9 | I-Worm.Ganda | 0,89% |
| 10 | Backdoor.SdBot | 0,58% |
| 11 | Macro.Word97.Flop | 0,48% |
| 12 | Win32.Parite | 0,46% |
| 13 | Backdoor.Optix.Pro | 0,43% |
| 14 | Backdoor.Beastdoor | 0,42% |
| 15 | I-Worm.Avron | 0,41% |
| 16 | Worm.P2P.SpyBot | 0,38% |
| 17 | I-Worm.Gibe | 0,37% |
| 18 | I-Worm.Hybris | 0,37% |
| 19 | Backdoor.Death | 0,32% |
| 20 | Macro.Word97.Marker | 0,26% |
| | Other Malicious Programs | 65,39% |
 |
July virus top 10 from Bitdefender -- Posted by Igor_Donchenko on Wednesday, August 6 2003
BitDefender, a provider of security related software and services today released its monthly listing of the top ten viruses reported for July 2003. The report, denominated the "Evil Top Ten", is based on the number of virus occurrences confirmed through BitDefender Response Team tracking.
July apparently did not rise to the level of expectations virus analysts had foreseen. No new entry, no uproar, no malware waves...
Virus positioning, as one can see below, has changed little since last month's ranking. BugBear.B has already overtaken Klez, but still many sceptics concur in some sort of brand faithfulness for the number one longevity virus so far:
| Ranking | Virus Name | Percentage, % |
|---|---|---|
| 1 | Win32.BugBear.B@mm | 26.12 |
| 2 | Win32.Klez.H@mm | 17.85 |
| 3 | Win32.Parite.B | 15.15 |
| 4 | Win32.HLLP.Hanta.A | 10.16 |
| 5 | Win32.P2P.Lorrin.A@mm | 7.64 |
| 6 | Trojan.KeyLogger.BugBear.B | 6.14 |
| 7 | Trojan.HideWindows.A | 5.70 |
| 8 | Win32.Sobig.A@mm | 5.62 |
| 9 | Win32.Worm.Opaserv.A | 4.89 |
| 10 | Win32.FunLove | 0.73 |
Source: http://www.bitdefender.com
 |
Panda Software warns of a Windows vulnerability that could lead to a virus epidemic -- Posted by Igor_Donchenko on Friday, August 1 2003
A recent Microsoft security bulletin has warned of a serious vulnerability affecting Windows NT 4.0, 2000, XP and Windows Server 2003. Generally speaking, the vulnerability could allow an attacker to gain remote control of a computer and take any action on it, including stealing confidential information or deleting all information stored on the system.
Microsoft has classified the situation as "critical". Given that the problem affects both servers and desktops, hundreds of thousands of computers could be affected.
The situation has been aggravated by the publication on the Internet, by groups of hackers, of the code needed to exploit the vulnerability. This makes it possible to create special tools for taking remote control of computers, or viruses that could cause serious epidemics.
According to Luis Corrons, head of Panda Software’s Virus Lab, "This is an extremely dangerous situation. Users should apply the patch as soon as possible, as we are beginning to see the appearance of the first tools for exploiting the vulnerability, which could lead to a wide-scale attack that would make CodeRed or SQLSlammer look like mere anecdotes. In addition to applying the patches, users should also restrict traffic in ports 135, 139, 445 and 593, by blocking them where they are not absolutely necessary".
Source: http://www.pandasoftware.com