| Sunday, September 05, 2010
Welcome to the Viruswarning forums. All your original content has been ported to the new forums as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum . You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....
But at least it's all here.
Enjoy!
Viruswarn Forums
David Gray (Posts: 22)
02/02/2006 5:23 PM
What Is It?
Today, we have two items to bring to your attention.
- The most important matter is that AOL has updated the Winamp MP3 player to fix a buffer overflow in the code that displays playlist files that could allow remote code execution. This means that an attacker can use a specially formatted playlist file to take over your computer. Several of the sources that I consulted, most of which are cited below, noted that this vulnerability is being actively exploited.
- If you follow our recommendations for virus scanner signature updates, as we are confident that you do, you have little to fear from the "Blackworm" worm that is circulating via email and unprotected file shares. The payload of this worm is intended to overwrite files with the following extensions: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. According to the SANS Institute's Internet Storm Center, eWeek, The Times of London, and other sources, the worm spreads through e-mail messages, often claiming to include pornography. Subject lines reportedly used in the malicious e-mails include: "The Best Videoclip Ever", "Fw: SeX.mpg", "Miss Lebanon 2006" and "Kama Sutra pics". In addition to the scheduled file destruction, this worm is designed to disarm your anti-virus program by closing windows whose captions are associated with common anti-virus programs.
What Should You Do?
- If you use the Winamp MP3 player, you should upgrade to version 5.13, available at http://www.winamp.com/player/.
- Today would be a good day to verify that your anti-virus program, including its virus signature files, is up to date.
- The fact that Blackworm overwrites virtually all your working documents if your computer becomes infected calls attention to the importance of a good backup strategy.
The next two sections explain how to quickly check the status of your virus signatures for the two most widely deployed anti-virus programs.
McAfee VirusScan
- In the task bar, near the clock, you should find a purple shield icon. If you hover the mouse pointer over it, a balloon that says "Vshield" should appear just above it. If the shield icon is missing, click on the icon at the far left of the group of small icons, whose balloon says, "Show hidden icons."
- Right click the icon, which should display a small context menu. Choose the "About" option to display a small dialog that lists the virus signature version and date.
- The date shown in the About box should be yesterday's or today's date.
Norton Anti-Virus
- In the task bar, near the clock, you should find a small yellow box. If you hover the mouse pointer over it, a balloon that says "Norton Anti-Virus" should appear just above it. If the yellow box icon is missing, click on the icon at the far left of the group of small icons, whose balloon says, "Show hidden icons."
- Double-click the icon to open the main Norton Anti-Virus console. After a moment, the display should show the current status of your signatures. If necessary, use the LiveUpdate button, located on the top of the window, to download and install the latest signatures.
- If the initial display indicates that your signatures are out of date, now is a good time to check the software settings, and ensure that they are updated on a regular schedule. If you have a broadband Internet connection, we recommend that you schedule updates daily, at a time that your computer is usually turned on.
General Precautions
The best way to prevent an infection of Blackworm, or any other malicious code, is to be very wary of unexpected attachments, and of links in email messages, even if the message appears to be from a friend. Because worms usually forge the return address, you cannot take such addresses at face value. Use clues in the body of the message to satisfy yourself that it really came from the alleged sender.
In this regard, one of the best ways to assure your correspondents that your message is authentic, without going to the extra trouble of digitally signing it, is to create and use an automatic signature. So far as I know, these are never inserted into new messages, unless you use the Compose, New Message, Reply, or Forward option of your mail program to create it. Neither the Zip and Mail feature of WinZip, nor the Send To option of the Windows Explorer inserts your signature, so you must manually add it if you use either feature to create your cover message.
References
http://www.winamp.com/player/ is the download page where you can obtain version 5.13 of the Winamp MP3 player.
http://www.us-cert.gov/cas/alerts/SA06-032A.html is US-CERT (formerly CERT/CC) Cyber Security Alert SA06-032A, "Winamp Playlist Vulnerability."
http://www.us-cert.gov/cas/techalerts/TA06-032A.html is the US-CERT (formerly CERT/CC) Technical Cyber Security Alert TA06-032A, titled "Winamp Playlist Buffer Overflow." This is the technical version of US-CERT bulletin SA06-032A.
http://secunia.com/advisories/18649/, "Winamp Three Playlist Parsing Buffer Overflow Vulnerabilities," on the Web site of Swedish security company Secunia, documents the vulnerability and the required corrective action.
http://xforce.iss.net/xforce/xfdb/24361 is an article titled "Winamp .m3u and .pls playlist file name buffer overflow" in the Internet Security Systems (ISS) X-Force Web site.
http://www.internetnews.com/security/article.php/3582251 gives a brief, and enlightening, history of Winamp.
http://isc.sans.org/diary.php?storyid=1067 is the SANS Institute article about Blackworm.
http://www.eweek.com/article2/0,1895,1915070,00.asp is an article in the electronic edition of eWeek titled "Urgent Alert Raised for 'Blackworm' D-Day," which reports that Blackworm uses the allure of sexually explicit photographs to entice its victims.
http://www.timesonline.co.uk/article/0,,3-2016761,00.html is an article titled "Clock ticks on Blackworm internet virus," in the online edition of The Times of London.
Acknowledgements
Thanks to my wife, Janet, and her friend, Carol Pankratz, for calling my attention to the Blackworm worm. Though we don't usually write about specific worms, the nature of the payload in this one made it worth adding to a message that I planned to publish about the Winamp update.
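The Blackworm subject lines quoted in the post above can be turned into a mail-triage check that ignores the (forgeable) From address and looks only at the subject and attachments. This is an added example, not part of the original post; the function names, verdict labels and sample message are assumptions constructed for illustration.

```python
import email
import re
from email.header import decode_header, make_header

# Subject lines the post reports for Blackworm e-mails.
REPORTED_SUBJECTS = ["The Best Videoclip Ever", "Fw: SeX.mpg",
                     "Miss Lebanon 2006", "Kama Sutra pics"]
_PREFIX = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)+", re.IGNORECASE)

def normalize(subject):
    """Decode RFC 2047 encoded words, drop Re:/Fw: prefixes, fold case and spaces."""
    text = str(make_header(decode_header(subject or "")))
    return " ".join(_PREFIX.sub("", text).split()).casefold()

_WATCHLIST = {normalize(s) for s in REPORTED_SUBJECTS}

def attachment_names(msg):
    """Return the file names of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def triage(raw_message):
    """Return (verdict, attachments). The From header is never consulted."""
    msg = email.message_from_string(raw_message)
    names = attachment_names(msg)
    if normalize(msg["Subject"]) not in _WATCHLIST:
        return "pass", names
    # A reported subject with an attachment is held; without one, a human looks.
    return ("quarantine" if names else "review"), names

# Constructed sample message (not a captured e-mail): encoded subject + attachment.
SAMPLE = "\n".join([
    "From: friend@example.com",
    "Subject: =?utf-8?q?FW=3A_Kama_Sutra_PICS?=",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "see attached",
    "--b1",
    'Content-Disposition: attachment; filename="photo.zip"',
    "",
    "AAAA",
    "--b1--",
    "",
])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A subject match is only a hint, since the worm's subject lines can change; the check complements, and does not replace, current anti-virus signatures.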