Viruswarn Forums
Lee Drake (Posts: 238), 09/13/2004 8:39 PM
What it is
Two new worms have hit the wild - one uses the Microsoft Speech Engine to talk to you (The AMUS virus), and the other installs a network traffic sniffer (SD Bot.UH). The first is a curiosity really - it installs and then says something in English, then again in Turkish. If your computer never talked to you before - and it suddenly starts - you might have an infection. The second one is highly dangerous however. In many home networks there are more and less secure machines (typically mom and dad's machine is more secure - the kids less secure, but I've seen it where the opposite is true). In corporate environments laptops are typically the least secure machine. A new virus is out which incorporates a network "sniffer". Sniffers aren't new - they allow a computer to examine the raw traffic that is out on the network - even items not necessarily destined for the internet, or that particular machine. What is new is the incorporation of a sniffer in a virus. Once this virus is installed - ANY traffic on your network is at risk, including login names and passwords to websites, banking information, accounting info, etc. - Even if it's not destined for the machine that is infected.
This greatly enhances the chances that an infected machine may reveal valuable information that a hacker could use to defraud or impersonate you. While in the past such "sniffers" could be installed by a remote user using a trojan application - the new virus has it built in and ready to report back to the virus's authors information about your computer network's internal workings.
SDBOT spreads without any email attachment through the following vulnerabilities (and will be stopped by a firewall - both internal and external):
RPC Vulnerability (MS03-026)
SQL Server 2000 buffer overflow (MS02-061)
IIS/WEBDav vulnerability (MS03-007)
LSASS vulnerability (MS04-011)
Note that all of these updates were released months or years ago - a properly protected system has nothing to fear in terms of infection.
It also spreads through network shares, and attempts to log in to systems using a set of weak passwords (things like password, admin, 1234).
It will also slow your network down by committing a denial of service attack that shuts down the following services (HTTP, ICMP, SYN, UDP).
It also installs a backdoor trojan on your machine to allow a remote user to take over your system and perform functions or collect data.
Finally it attempts to steal CD keys for popular games.
All in all, a nasty little worm that might easily cause you problems or compromise your security. Take appropriate precautions.
What to do
To prevent the (SDBOT.UH) virus in the first place be sure you have up to date virus signatures on ALL computers in your network and they are set to check for updates daily and automatically apply them. Be sure that you've applied the latest security patches, or Windows XP SP2 and a number of patches for various server vulnerabilities (see list below). The same is true of corporate antivirus products such as NAVCE which should be set to scan for new signatures at least twice per day and automatically update the server and clients. In addition, updating to Windows XP SP2 will present you with a message that you must "UNBLOCK" the application before it can send any packets out. Be sure to use complex passwords on your machine and on any shared servers or workstations attached to your network.
Be sure that you have the latest patches installed on your Windows based machine - if you have SP2 - you are protected from all of these vulnerabilities. In addition, the virus won't run without triggering the firewall's warning that an application is attempting to access the network. If you do not have SP2, run Windows Update and be sure that none of the listed vulnerabilities exists on your machine.
If you are infected with SDBOT.UH you have a LOT of work to do - you void any credit cards you may have used, change all passwords for all users on the network and on external financial and sensitive websites, and be sure that all financial transactions are properly accounted for. Remember that the fraud typically occurs weeks or months after the intrusion incident, but could also occur the same day.
Additional Info:
SDBOT:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.UH&VSect=T
http://news.netcraft.com/archives/2004/09/13/new_worm_installs_network_traffic_sniffer.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.dnc.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.dnb.html
No McAfee notes on this particular item.
AMUS virus:
http://vil.mcafeesecurity.com/vil/content/v_128352.htm
http://news.zdnet.co.uk/internet/security/0,39020375,39166409,00.htm
This concludes this viruswarning notice.
Lee Drake
Aztek Computer Solutions, Inc.
274 N. Goodman St Suite B269
Rochester, NY 14607
the human side of computing
Email: ldrake@azcomputer.net
Web: www.azcomputer.net Office Phone: 585-242-2060
Fax number: 585-242-9441
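The post describes SDBOT.UH spreading across network shares by trying a short list of weak passwords against every machine it can reach. The script below is an added example (not from the original post or from any vendor write-up it links) of how a defender could spot that behaviour in logon logs: it flags a source host whose failed logons in a short window fan out across several targets, and notes any success that follows, which would mean a weak password was guessed. The log format (`timestamp,source,target,result`) and the sample records are constructed for the example; a real deployment would parse the actual share-server or Security log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): timestamp,source,target,result
SAMPLE_LOG = """\
2004-09-13T20:01:05,192.168.1.23,FILESRV,FAIL
2004-09-13T20:01:06,192.168.1.23,FILESRV,FAIL
2004-09-13T20:01:06,192.168.1.23,FILESRV,FAIL
2004-09-13T20:01:09,192.168.1.23,DADS-PC,FAIL
2004-09-13T20:01:10,192.168.1.23,DADS-PC,FAIL
2004-09-13T20:01:12,192.168.1.23,KIDS-PC,FAIL
2004-09-13T20:01:12,192.168.1.23,KIDS-PC,FAIL
2004-09-13T20:01:13,192.168.1.23,KIDS-PC,FAIL
2004-09-13T20:01:14,192.168.1.23,KIDS-PC,OK
2004-09-13T20:02:30,192.168.1.40,FILESRV,FAIL
2004-09-13T20:02:45,192.168.1.40,FILESRV,OK
"""

def parse_events(log_text):
    """Group (timestamp, target, result) tuples by source host."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, result = line.strip().split(",")
            events[src].append((datetime.fromisoformat(ts), dst, result))
    return events

def find_spraying_sources(log_text, window=timedelta(minutes=5),
                          min_failures=8, min_targets=3):
    """Report sources whose failures inside `window` reach `min_failures`
    spread over `min_targets` hosts; one user mistyping once is ignored."""
    findings = {}
    for src, evs in parse_events(log_text).items():
        evs.sort()
        fails = [(ts, dst) for ts, dst, r in evs if r == "FAIL"]
        start = 0
        for end in range(len(fails)):            # sliding time window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            targets = {dst for _, dst in span}
            if len(span) >= min_failures and len(targets) >= min_targets:
                # A later success from the same host = a weak password guessed
                guessed = sorted({dst for ts, dst, r in evs
                                  if r == "OK" and ts >= fails[start][0]})
                findings[src] = {"failures": len(span), "targets":
                                 sorted(targets), "guessed": guessed}
                break
    return findings
```

On the sample data only 192.168.1.23 is reported (8 failures over 3 hosts, then a successful logon to KIDS-PC); the single failed then successful logon from 192.168.1.40 is left alone.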