help desk: Nebraska Viruses

Last modified on:

Virus Home

These are viruses that are currently effecting Nebraska. When we receive information about a virus making its way through our state, we will post it here, along with information on how to eradicate it from your system.

1/21/04 - "Bagel" and/or "Beagle" virus

There is a new virus entering the Untied States. It is known as the Bagel and/or Beagle virus. Please make sure your virus definition files are up to date.

8/20/03 - Welchia Worm

W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:

The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit. The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. IIS 5.0 will most likely be found on Windows 2000 systems.

W32.Welchia.Worm does the following:

Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
Attempts to remove W32.Blaster.Worm.

More information on how to protect or remove this worm.
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Welchia worm removal tool

8/20/03 - W32.Sobig.F@mm

W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions:

  • .dbx
  • .eml
  • .hlp
  • .htm
  • .html
  • .mht
  • .wab
  • .txt

The worm uses its own SMTP engine to propagate and will attempt to create a copy of itself on accessible network shares, but fails due to bugs in the code.

Email Routine Details
The email message has the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address admin@internet.com as the sender.

NOTES:
The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the settings of the infected computer's settings to check for an SMTP server to contact.

The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.

Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

Body:
See the attached file for details
Please see the attached file for details.

  • Attachment:
  • your_document.pif
  • document_all.pif
  • thank_you.pif
  • your_details.pif
  • details.pif
  • document_9446.pif
  • application.pif
  • wicked_scr.scr
  • movie0045.pif

NOTE: The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.

More information on how to protect or remove this virus.
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

W32.Sobig.F@mm removal tool

1/27/03 - CERT Advisory CA-2003-04 MS-SQL Server Worm

Systems Affected

* Microsoft SQL Server 2000

Overview

The CERT/CC has received reports of self-propagating malicious code that exploits multiple vulnerabilities in the Resolution Service of Microsoft SQL Server 2000. The propagation of this worm has caused varied levels of network degradation across the Internet, in addition to the compromise of vulnerable machines

I. Description

The worm targeting SQL Server computers is self-propagating malicious code that most likely exploits two vulnerabilities in the Resolution Service of Microsoft SQL Server 2000 vulnerabilities. The vulnerability documented in VU#370308 allows the keep-alive functionality employed by the SQL Server Resolution Service to launch a denial of service against other hosts. Either the vulnerability VU#399260 or VU#484891 allow for the execution of arbitrary code on the SQL Server computer due to a buffer overflow.

VU#370308 - http://www.kb.cert.org/vuls/id/370308
VU#399260 - http://www.kb.cert.org/vuls/id/399260
VU#484891 - http://www.kb.cert.org/vuls/id/484891

Reports to the CERT/CC indicate that the high volume of 1434/udp traffic generated between hosts infected with the worm targeting SQL Server computers may itself lead to performance issues (including possible denial-of-service conditions) on networks with infected hosts.

Activity of this worm is readily identifiable on a network by the presence of small UDP packets (we have received reports of 376-410 byte packets) from seemingly random IP addresses from across the Internet to port 1434/udp.

II. Impact

Compromise by the worm indicates that a remote attacker can execute arbitrary code as the local SYSTEM user on the victim system. It may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain Administrator access to the victim system.

The high volume of 1434/udp traffic generated between hosts infected with the worm may itself lead to performance issues on networks with both infected and targeted, but non-vulnerable hosts.

III. Solution

Apply a patch

Administrators of all systems running Microsoft SQL Server 2000 are encouraged to review CA-2002-22 and VU#370308 for detailed vendor recommendations regarding installing the patch:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

CA-2002-22 - http://www.cert.org/advisories/CA-2002-22.html
VU#370308 - http://www.kb.cert.org/vuls/id/370308

Ingress/Egress filtering

The following steps are only effective in limiting the damage that can be done by systems already infected with the worm. They provide no protection whatsoever against the initial infection of systems. As a result, these steps are only recommended in addition to the preventative steps outlined above, not in lieu thereof.

Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. In the network usage policy of many sites, external hosts are only permitted to initiate inbound traffic to machines that provide public services on specific ports. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services.

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet.

In the case of this worm, employing ingress and egress filtering can help prevent compromised systems on your network from attacking systems elsewhere. Blocking UDP datagrams with both source and destination ports 1434 from entering or leaving your network reduces the risk of external infected systems communicating with infected hosts inside your network.

Recovering from a system compromise

If you believe a system under your administrative control has been compromised, please follow the steps outlined in:

Steps for Recovering from a UNIX or NT System Compromise http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Reporting

The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#35663]".