-----Original Message-----
From: UNIRAS (UK Govt CERT) [mailto:uniras@niscc.gov.uk]
Sent: 06 November 2002 12:33
To: [EMAIL PROTECTED]
Subject: UNIRAS Brief - 392/02 - PSS Security Response Team Alert - New Virus:W32/Braid@mm

 
-----BEGIN PGP SIGNED MESSAGE-----

------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 392/02 dated 06.11.02  Time: 12:10
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
------------------------------------------------------------------------

Title
=====

PSS Security Response Team Alert - New Virus:W32/Braid@mm

Detail
====== 

The worm attempts to exploit a previously patched vulnerability that
exists in some versions of Microsoft Outlook, Microsoft Outlook Express,
and Internet Explorer. This vulnerability can be used to allow an
executable attachment to run automatically, even if you do not
double-click on the attachment.



PSS Security Response Team Alert - New Virus:W32/Braid@mm

SEVERITY: MODERATE
DATE: November 4, 2002
PRODUCTS AFFECTED: Microsoft Outlook, Microsoft Outlook Express, and
Web-based e-mail programs

**********************************************************************

WHAT IS IT?
W32/Braid@mm is a new e-mail worm. The Microsoft Product Support
Services Security Team is issuing this alert to advise customers to be
on the alert for this virus as it spreads in the wild. Best practices,
such as filtering certain file types and applying security patches,
would prevent infection from this mass-mailer worm.

IMPACT OF ATTACK: Mass Mailing, Network Share Infection

TECHNICAL DETAILS:
W32/Braid@mm is a new e-mail worm.  The W32/Braid@mm worm arrives in an
e-mail message with the following characteristics: 
 
Subject: (Sender's Windows registered company name) or (Blank)
Body: 
Hello,
 
Product Name: Microsoft Windows (version of Windows on the infected
sender's system)
Product Id: (Windows ID on the infected sender's system)
Product Key: (Windows key on the infected sender's system)
Process List: 
(processes running on the infected sender's system)
 
Thank you. 

Attachment: Readme.exe

The worm attempts to exploit a previously patched vulnerability that
exists in some versions of Microsoft Outlook, Microsoft Outlook Express,
and Internet Explorer. This vulnerability can be used to allow an
executable attachment to run automatically, even if you do not
double-click on the attachment.  Information on this vulnerability can
be found here:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp 
 
Upon execution W32/Braid@mm drops a file named Help.eml on the Desktop
of the infected machine.  The help.eml file on the Desktop, if opened,
will have properties similar to the original message that infected the
machine.  This worm infects .exe, .scr and .ocx files and will also
attempt to spread via network shares.

For more detailed information on this worm please contact your Antivirus
vendor.

PREVENTION:
1) Block harmful attachment types at your Internet mail gateways. 

2) This virus utilizes a previously-announced vulnerability as part of
its infection method. Because of this, customers must ensure that their
computers are patched for the vulnerability that is identified in
Microsoft Security Bulletin MS01-020: 

http://www.microsoft.com/technet/security/bulletin/ms01-020.asp  

The most recent cumulative security patch for Internet Explorer, which
includes the fixes for the vulnerabilities that were announced in
Microsoft Security Bulletin MS01-020, can be found here: 

http://www.microsoft.com/technet/security/bulletin/ms02-047.asp  

3) After customers have ascertained the status of the preceding fix in
their environments, the following prevention steps will also apply: 

Outlook 2000 post SP2 and Outlook XP SP1 include the most recent updates
to improve the security in Outlook and other Microsoft Office programs.
This includes the functionality to block potentially harmful attachment
types. If you are running either of these versions, they will (by
default) block the attachment, and you will be unable to open it. 

To ensure you are using the latest version of Office click here: 

http://office.microsoft.com/ProductUpdates/default.aspx 

By default, Outlook 2000 pre-SR1 and Outlook 98 did not include this
functionality, but it can be obtained by installing the Outlook E-mail
Security Update. More information about the Outlook E-mail Security
Update can be found here: 

http://office.microsoft.com/Downloads/2000/Out2ksec.aspx 

Outlook Express 6 can be configured to block access to
potentially-damaging attachments. Information about how to configure
this can be found here: 

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291387   

Outlook Express all other versions: Previous versions of Outlook Express
do not contain attachment-blocking functionality. Please use extreme
caution when you open unsolicited e-mail messages with attachments. 

Web-based e-mail programs: Use of an application-level firewall can
protect you from being infected with this virus through Web-based e-mail
programs.
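
The gateway check from prevention step 1, combined with the message characteristics listed under TECHNICAL DETAILS, as an added example that is not part of the UNIRAS or Microsoft text. The function names, verdict labels and sample messages are constructed for illustration, and the MIME-type mismatch check is an assumption based on the subject of the MS01-020 bulletin rather than on this briefing.

```python
import email
from email import policy
from email.message import EmailMessage

# File types named in the advisory: the Readme.exe attachment and the
# .exe/.scr/.ocx files the worm infects. A real gateway list is longer.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".ocx"}
# Field labels the advisory lists in the worm's message body.
BODY_MARKERS = ("Product Name:", "Product Id:", "Product Key:", "Process List:")

def inspect_message(raw_bytes):
    """Return (verdict, reasons) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons, body_text = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            # Windows ignores trailing dots and spaces; test the final extension.
            name = filename.lower().rstrip(". ")
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in BLOCKED_EXTENSIONS:
                reasons.append("blocked attachment type: " + filename)
                # Assumption drawn from the MS01-020 bulletin (incorrect MIME
                # header): an executable name under a non-application type.
                if part.get_content_maintype() != "application":
                    reasons.append("MIME type mismatch: " + part.get_content_type())
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    blocked = bool(reasons)
    if all(marker in body_text for marker in BODY_MARKERS):
        reasons.append("body matches the W32/Braid@mm template")
    verdict = "block" if blocked else ("quarantine" if reasons else "deliver")
    return verdict, reasons

def build_sample(body, filename=None, maintype="application", subtype="octet-stream"):
    """Constructed test message; the attachment payload is inert text."""
    msg = EmailMessage()
    msg["Subject"] = "Example Corp"  # constructed value
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"inert placeholder", maintype=maintype,
                           subtype=subtype, filename=filename)
    return msg.as_bytes()

# Constructed body that follows the template described in the advisory.
BRAID_BODY = "Hello,\n\n" + "\n".join(m + " (value)" for m in BODY_MARKERS) + "\n\nThank you.\n"
```
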

RECOVERY:
If your computer has been infected with this virus, please contact
Microsoft Product Support Services or your preferred antivirus vendor
for assistance with removing it.

RELATED KB ARTICLES:
http://support.microsoft.com/support/misc/kblookup.asp?ID=810012
This article will be available within 48 hours.

RELATED SECURITY BULLETINS:
http://www.microsoft.com/technet/security/bulletin/ms01-020.asp 
http://www.microsoft.com/technet/security/bulletin/ms02-047.asp  

As always please make sure to use the latest Anti-Virus detection from
your Anti-Virus vendor to detect new viruses and their variants.

If you have any questions regarding this alert please contact your
Technical Account Manager or Application Development Consultant.

PSS Security Response Team


------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:

[EMAIL PROTECTED]
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686

------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Microsoft for the
information contained in this Briefing.
------------------------------------------------------------------------
This Briefing contains the information released by the original author.
Some of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory from
the canonical site to ensure that you receive the most current information
concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they
shall not be liable for any loss or damage whatsoever, arising from or in
connection with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
------------------------------------------------------------------------
<End of UNIRAS Briefing>




IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk

