
[Advisory] OnTheFly (Anna Kournikova) VBS Wurm - CA-2001-03



-----BEGIN PGP SIGNED MESSAGE-----

Dear colleagues,

We have just received the following advisory from the CERT Coordination
Center. We are passing this information on to you unchanged.

It warns of a Visual Basic Script (VBS) worm named
	"OnTheFly (Anna Kournikova)".

Victims receive a mail with the subject "Here you have ;0)" or "Here you
are". The dangerous content hides (as usual) in the attached file, whose
full name is "AnnaKournikova.jpg.vbs"; the ".vbs" suffix is not displayed,
however, if the option "Hide file extensions for known file types" is
enabled in Windows Explorer.

Like its predecessors (LOVELETTER, Melissa), the worm installs itself in
the system (under the registry key HKEY_CURRENT_USER\Software\OnTheFly=
"Worm made with Vbswg1.50b" and as a file at
C:\WINDOWS\AnnaKournikova.jpg.vbs) and then sends itself to all addresses
in the recipient's Outlook address book, which can produce a snowball
effect and overload e-mail systems. Finally, the worm creates a further
registry key, "HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=1", to
prevent the worm from being sent repeatedly from the same account.

The variants of this worm observed so far do not appear to cause any
further damage. Experience shows, however, that variants for which this
may be the case appear soon after the original.

Affected are MS Outlook users as well as users of mail readers that
allow MS VB Script to be executed from within the mail reader and who
have not taken one of the following measures.

So far, DFN-CERT has received no reports of this worm; CERT/CC reports
a few hundred cases.

We also repeat our advice never to open unknown data or data from
untrusted sources. For the same reason, preview and auto-open functions
in mail readers, news readers, browsers, file managers, etc. should be
disabled as a matter of principle.

For Outlook 98 and Outlook 2000 there is a security patch from
Microsoft that prevents attachments with executable content from being
opened. Besides the Microsoft URLs given in the advisory, this patch is
also available from the DFN-CERT mirror at

	ftp://ftp.cert.dfn.de/pub/vendor/microsoft/outlook

The worm can likewise be detected and removed with up-to-date virus
scanners. Further information and software on the subject of computer
viruses can be found on our anonymous FTP server

        ftp://ftp.cert.dfn.de/pub/virus

Unfortunately, we cannot tell you which of the programs there will
reliably help against your particular virus or is relevant to your
situation.

We ourselves (as DFN-CERT) do not deal with the details of computer
viruses. As a contact address in Germany we recommend the Virus Test
Center (VTC) at the University of Hamburg, which can be reached at the
e-mail address "vtc@informatik.uni-hamburg.de".

Further addresses in Germany can be found on our page:

        http://www.cert.dfn.de/resource/virus.html

Best regards,
		Klaus Moeller, DFN-CERT

- --
Klaus Moeller            |                    mailto:moeller@cert.dfn.de
DFN-CERT GmbH            |          http://www.cert.dfn.de/team/moeller/
Vogt-Koelln-Str. 30      |                      Phone: +49(40)42883-2262
D-22527 Hamburg          |                        FAX: +49(40)42883-2241
Germany	                 |       PGP-Key: finger moeller@ftp.cert.dfn.de

- -----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-03 VBS/OnTheFly (Anna Kournikova) Malicious Code

   Original release date: February 12, 2001
   Last revised: February 12, 2001
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Users of Microsoft Outlook who have not applied previously available
   security updates.

Overview

   The "VBS/OnTheFly" malicious code is a VBScript program that spreads
   via email. As of 7:00 pm EST(GMT-5) Feb 12, 2001, the CERT
   Coordination Center had received reports from more than 100 individual
   sites. Several of these sites have reported suffering network
   degradation as a result of mail traffic generated by the
   "VBS/OnTheFly" malicious code.

   This malicious code can infect a system if the enclosed email
   attachment is run. Once the malicious code has executed on a system,
   it will take the actions described in the Impact section.

I. Description

   When the malicious code executes, it attempts to send copies of
   itself, using Microsoft Outlook, to all entries in each of the address
   books. The sent mail has the following characteristics:

     SUBJECT: "Here you have, ;o)"
     
     BODY:

          Hi:
          Check This!

     ATTACHMENT: "AnnaKournikova.jpg.vbs"

   Users who receive copies of the malicious code via electronic mail
   will probably recognize the sender. We encourage users to avoid
   executing code, including VBScripts, received through electronic mail,
   regardless of the sender's name, without prior knowledge of the origin
   of the code or a valid digital signature.

   It is possible for recipients to be tricked into opening this
   malicious attachment, since the file will appear without the .VBS
   extension if "Hide file extensions for known file types" is turned on
   in Windows.

II. Impact

   When the attached VBS file is executed, the malicious code attempts to
   modify the registry by creating the following key:

          HKEY_CURRENT_USER\Software\OnTheFly="Worm made with Vbswg1.50b"

   Next, it will place a copy of itself into the Windows directory.

          C:\WINDOWS\AnnaKournikova.jpg.vbs

   Finally, the malicious code will attempt to send separate, infected
   email messages to all recipients in the Windows Address Book. Once the
   mail has been sent, the malicious code creates the following registry
   key to prevent future mailings of the malicious code.

          HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=1

   The code's propagation can lead to congestion in mail servers that may
   prevent them from functioning as expected.

   Beyond this effect, there does not appear to be a destructive payload
   associated with this malicious code. However, historical data has
   shown that the intruder community can quickly modify the code for more
   destructive behavior.
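The registry keys and dropped file listed in this section are host-based indicators an administrator can check for. The following Python script is an added example, not part of the advisory or any vendor tool: it checks the two registry locations and the file path named above, reads the live registry through `winreg` on Windows, and accepts injectable reader functions so the logic can be exercised offline. Using `%WINDIR%` instead of the fixed `C:\WINDOWS` is an added generalisation for installations in other directories.

```python
import os

# Indicators named in CA-2001-03 section II, as
# (hive, subkey, value name, expected data). "" means the key's default value.
REGISTRY_INDICATORS = [
    ("HKEY_CURRENT_USER", r"Software\OnTheFly", "", "Worm made with Vbswg1.50b"),
    ("HKEY_USERS", r".DEFAULT\Software\OnTheFly", "mailed", 1),
]

# The advisory gives C:\WINDOWS; honouring %WINDIR% when it is set is an
# added assumption for systems installed elsewhere.
DROPPED_FILE = os.environ.get("WINDIR", r"C:\WINDOWS") + r"\AnnaKournikova.jpg.vbs"


def read_registry_value(hive_name, subkey, value_name):
    """Read one value from the live Windows registry. Returns None when the
    key or value is absent, or when winreg is unavailable (non-Windows)."""
    try:
        import winreg
    except ImportError:
        return None
    hive = getattr(winreg, hive_name)
    try:
        with winreg.OpenKey(hive, subkey) as key:
            data, _kind = winreg.QueryValueEx(key, value_name)
            return data
    except OSError:
        return None


def check_host(read_value=read_registry_value, path_exists=os.path.exists):
    """Return a list of findings for the indicators above. The registry
    reader and the file check are parameters so the function can be tested
    with fake data on any platform."""
    findings = []
    for hive, subkey, name, expected in REGISTRY_INDICATORS:
        data = read_value(hive, subkey, name)
        if data is None:
            continue
        label = f"{hive}\\{subkey}" + (f"\\{name}" if name else "")
        if data == expected:
            findings.append(f"{label} present with expected data {expected!r}")
        else:
            # The key exists but carries different data: still worth reporting,
            # since modified variants may change the marker string.
            findings.append(f"{label} present with unexpected data {data!r}")
    if path_exists(DROPPED_FILE):
        findings.append(f"dropped file present: {DROPPED_FILE}")
    return findings


if __name__ == "__main__":
    hits = check_host()
    print("\n".join(hits) if hits else "no VBS/OnTheFly indicators found")
```

Run as-is on a Windows host the script reports every indicator it finds; on any other platform the registry reader returns nothing and only the file check runs. Removing the entries is left to the anti-virus products listed in Appendix A, which also handle the mail-side cleanup.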

III. Solution

Update Your Anti-Virus Product

   It is important for users to update their anti-virus software. Some
   anti-virus software vendors have released updated information, tools,
   or virus databases to help combat this malicious code. A list of
   vendor-specific anti-virus information can be found in Appendix A.

Apply the Microsoft Outlook E-mail Security Update

   To protect against this malicious code, and others like it, users of
   Outlook 98 and 2000 may want to install the Outlook E-mail Security
   update included in an Outlook SR-1. More information about this update
   is available at

     http://office.microsoft.com/2000/downloaddetails/Out2ksec.htm

   You may also find the following document on Outlook security useful

     http://www.microsoft.com/office/outlook/downloads/security.htm

   The Outlook E-mail security update provides features that can prevent
   attachments containing executable content from being displayed to
   users. Other types of attachments can be configured so that they must
   be saved to disk before they can be opened (or executed). These
   features may greatly reduce the chances that a user will incorrectly
   execute a malicious attachment.

Filter the Virus in Email

   Sites can use email filtering techniques to delete messages containing
   subject lines known to contain the malicious code, or can filter
   attachments outright.
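The mail characteristics given in section I (subject line, attachment name) are exactly what a gateway filter of the kind described here keys on. The following Python script is an added example, not part of the advisory: it parses a raw message with the standard `email` library, drops it when the subject matches one of the reported subject lines or an attachment carries an executable extension, and shows how the double extension "AnnaKournikova.jpg.vbs" is displayed when known extensions are hidden. The extension list beyond `.vbs` and the two sample messages are constructed for the example.

```python
import email
from email import policy

# Subject lines reported for this worm (CA-2001-03 and the DFN-CERT cover
# note), compared case-insensitively after whitespace normalisation.
KNOWN_SUBJECTS = {
    "here you have, ;o)",
    "here you have ;0)",
    "here you are",
}

# Extensions Windows runs directly. The advisory names only .vbs; the rest
# of this list is an assumption added for the example.
EXECUTABLE_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
}


def displayed_name(filename):
    """What Explorer shows when "Hide file extensions for known file types"
    is on: the final registered extension is dropped, so
    'AnnaKournikova.jpg.vbs' appears as 'AnnaKournikova.jpg'."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def attachment_risk(filename):
    """Return None for a harmless name, or a reason string when the final
    extension is executable (flagging double extensions separately)."""
    if not filename:
        return None
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    if last not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3:
        # e.g. name.jpg.vbs: an innocent-looking extension hides the real one
        return f"double extension ({displayed_name(filename)} is really {last})"
    return f"executable attachment ({last})"


def normalise_subject(subject):
    return " ".join((subject or "").split()).lower()


def classify_message(raw):
    """Gateway decision for one raw RFC 822 message, based only on the
    subject line and the attachment file names."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if normalise_subject(msg["Subject"]) in KNOWN_SUBJECTS:
        reasons.append("subject matches known worm subject")
    for part in msg.iter_attachments():
        risk = attachment_risk(part.get_filename())
        if risk:
            reasons.append(risk)
    return {"verdict": "drop" if reasons else "deliver", "reasons": reasons}


# Constructed sample messages. The "attachment" body is a placeholder
# comment line, not the worm's code.
SAMPLE_WORM_MAIL = """\
From: colleague@example.com
To: you@example.com
Subject: Here you have, ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain

Hi:
Check This!

--sample-boundary
Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"

' placeholder text for the example, not a script
--sample-boundary--
"""

SAMPLE_CLEAN_MAIL = """\
From: colleague@example.com
To: you@example.com
Subject: Holiday photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain

Here is the picture from last week.

--sample-boundary
Content-Type: image/jpeg; name="beach.jpg"
Content-Disposition: attachment; filename="beach.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--sample-boundary--
"""

if __name__ == "__main__":
    for raw in (SAMPLE_WORM_MAIL, SAMPLE_CLEAN_MAIL):
        print(classify_message(raw))
```

Subject matching alone is brittle (a variant only needs to change the text), which is why the attachment check is the part worth keeping: it does not depend on knowing this particular worm.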

Exercise Caution When Opening Attachments

   Exercise caution when receiving email with attachments. Users should
   disable auto-opening or previewing of email attachments in their mail
   programs. Users should never open attachments from an untrusted
   origin, or that appear suspicious in any way. Finally, cryptographic
   checksums should also be used to validate the integrity of the file.

IV. General protection from email Trojan horses and viruses

   Some previous examples of malicious files known to have propagated
   through electronic mail include:

     Melissa macro virus - discussed in CA-99-04
     http://www.cert.org/advisories/CA-1999-04.html

     False upgrade to Internet Explorer - discussed in CA-99-02
     http://www.cert.org/advisories/CA-1999-02.html

     Happy99.exe Trojan Horse - discussed in IN-99-02
     http://www.cert.org/incident_notes/IN-99-02.html

     CIH/Chernobyl virus - discussed in IN-99-03
     http://www.cert.org/incident_notes/IN-99-03.htm

   In each of the above cases, the effects of the malicious file are
   activated only when the file in question is executed. Social
   engineering is typically employed to trick a recipient into executing
   the malicious file. Some of the social engineering techniques we have
   seen used include

     * Making false claims that a file attachment contains a software
       patch or update
     * Implying or using entertaining content to entice a user into
       executing a malicious file
     * Using email delivery techniques that cause the message to appear
       to have come from a familiar or trusted source
     * Packaging malicious files in deceptively familiar ways (e.g., use
       of familiar but deceptive program icons or file names)

   The best advice with regard to malicious files is to avoid executing
   them in the first place. CERT advisory CA-1999-02 and the following
   CERT tech tip discuss malicious code and offer suggestions for
   avoiding it.

     http://www.cert.org/advisories/CA-99-02.html

     http://www.cert.org/tech_tips/malicious_code_FAQ.html

Appendix A. - Vendor Information

   Appendix A. Anti-Virus Vendor Information

Aladdin Knowledge Systems

     http://www.aks.com/home/csrt/valerts.asp#AnnaK

Command Software Systems, Inc.

     http://www.commandcom.com/virus/vbsvwg.html

Computer Associates

     http://ca.com/virusinfo/virusalert.htm#vbs_sstworm

F-Secure

     http://www.f-secure.com/v-descs/onthefly.shtml

Finjan Software, Ltd.

     http://www.finjan.com/attack_release_detail.cfm?attack_release_id=47

McAfee

     http://www.mcafee.com/anti-virus/viruses/vbssst/default.asp

Dr. Solomon, NAI

     http://vil.nai.com/vil/virusSummary.asp?virus_k=99011

Sophos

     http://www.sophos.com/virusinfo/analyses/vbsssta.htm

Symantec

     http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html

Trend Micro

     http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=VBS_KALAMAR.A

   You may wish to visit the CERT/CC's Computer Virus Resources Page
   located at: 
   
     http://www.cert.org/other_sources/viruses.html
   ______________________________________________________________________

   This document was written by Cory Cohen, Roman Danyliw, Ian Finlay,
   John Shaffer, Shawn Hernan, Kevin Houle, Brian B. King, and Shawn Van
   Ittersum.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-03.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site

   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   _____________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History
     February 12, 2001: Initial release

- -----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBOoiQEgYcfu8gsZJZAQE5ywQAiY1gtNtBfjO79N0O4NocSq9lzNJKsXlE
fSxC3vcBKZcnew5BGFJD/kGOnKvJvl1aYltDiLoRvfDGxoG3QisD+kzp3L76zBI2
JwK8xk8/EAqM7YvVqAKHGxwujkTAU5Y9K5ioeuZsIvqkXTUlTYxNV2aI9iM6teG2
d8+/N4weQ1M=
=cD9T
- -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Processed by Mailcrypt 3.5.5, an Emacs/PGP interface

iQEVAwUBOolxTYrEggYLt8j5AQEevQf/Wlwy92yRcy5mC0CnnTa/NubCwVuU673E
qAaCPbaApVLs/L+QpYULt6bZF9rXTfbDPI5GW/rcwlmtudbm+hdYBQDT1mzLml/u
QuPNSfRi+AxeGIHcBG73qJXC2LA38XEVjFE5emqXZ/h5wtdvEc4/fYK4G5Jbg97O
B/zh9mrkbht1/MKgZBxC7F/oVB0kpSeMZxIhYLDzSE46HOdyoC/Cuvua8p+sabRt
o6K7L0UmGegkpEQP/VmOyvlkNUKZzPHHIw2mx1Ad8Y/GyYE9NONJXpwCv+q3RMq9
kD0453iRidFjduJz+Rzk5/cSH0BkgEV2xGRU+aboku+vEyZyb1flQA==
=N0X9
-----END PGP SIGNATURE-----


-- 
 _  __                     The Cognitive Systems Group
| |/ /___  __ _ ___                                       University of Hamburg
| ' </ _ \/ _` (_-<  phone:    +49 (0)40 42883-2576      Vogt-Koelln-Strasse 30
|_|\_\___/\__, /__/  fax  :    +49 (0)40 42883-2572             D-22527 Hamburg
          |___/ http://kogs-www.informatik.uni-hamburg.de/~utcke/home.html