FYI. Trend is covering it in 170/970 and higher

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED]] On Behalf Of Russ
Sent: Sunday, November 25, 2001 7:08 PM
To: [EMAIL PROTECTED]
Subject: Alert: W32/BadTrans.B-mm
We saw this rising on Friday and today found out that MessageLabs is seeing 400 copies/hour over the weekend (which is an extremely high volume of infected messages given it was the weekend);

http://www.messagelabs.com/viruseye/report.asp?id=86

We've talked about the potential of this delivery mechanism on NTBugtraq several times, but tomorrow those of you who manage email servers are likely going to find numerous copies in your mail stores (or users' inboxes).

This thing exploits a vulnerability in some versions of Internet Explorer (see below) that was first fixed back in March of this year. The way these versions of IE handled certain MIME types allowed files to be delivered that would automatically execute when the email was opened (when using Outlook) or rendered in the Preview Pane (when using Outlook Express). It was subsequently used by Nimda in two of its propagation mechanisms (it used .eml and .nws files via HTML to deliver the MIME header, and also mass-mailed messages formed specifically to exploit this vulnerability).

TruSecure's analysis of this over the weekend leads us to believe that a great many people must not have applied the patch, or other packages that deliver the patch. This should be considered carefully by anyone who thinks there's a reasonable amount of time within which people apply such patches; we're talking more than 6 months and 4 packages that contained the fix for each affected version, yet we still seem to be seeing this thing get considerable legs.

Although this is a BadTrans variant, it has been repackaged (compressed) and as such probably requires an AV update to be detected. Most AV vendors should have updates available by the time you read this; check with them.

Ultimately the message comes with a MIME Content Type of "audio/x-wav", and a double extension (.doc.scr) ending in .scr or .pif. The attachment itself is a Win32 executable. If executed it will mass-mail itself, probably as replies to unread messages in your inbox.
NTBugtraq posters may have already received some in response to their list messages (I have). See your AV vendor for more details.

That done, take a minute to review the possible IE patch mechanisms described below. We predicted, when this vulnerability was first discovered, that this was going to be heavily exploited. Nimda's email component didn't seem to work very well, still unclear precisely why, but its web browser propagation certainly seemed effective. Now this BadTrans variant, and we will likely see more.

If you cannot get your browsers to one of the unaffected versions for some reason other than time/manpower, drop me a note and let me know why. I'd like to understand what's preventing this vulnerability from going away.

Notes:

Microsoft Outlook Email Security Update, and Outlook 2002, can be configured to prevent email attachments from arriving in users' inboxes.

IE Version Information:

Vulnerability being exploited is described under;
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
(read the following before applying the patch in MS01-020)

IE 4.x's status is unknown, probably *not* vulnerable
IE 5.01 prior to SP2 is vulnerable
IE 5.01 SP2 is *not* vulnerable
IE 5.5 prior to SP2 is vulnerable
IE 5.5 SP2 and above is *not* vulnerable
IE 6.0 is *not* vulnerable (see IE 6.0 caveat)

IE 6.0 Caveat:
Customers who are using Windows 95, 98, 98SE or ME, and choose to eliminate this vulnerability by upgrading from an affected version to IE 6 should ensure that they either perform a Full Install or Typical Install, as discussed in the FAQ.

Anyone who is going to apply a patch to their system to address this vulnerability now should follow these guidelines, if possible;

1. Upgrade to IE 6.0 (see IE 6.0 caveat above)
   http://www.microsoft.com/windows/ie/downloads/ie6/default.asp

or

2. Apply latest IE Service Pack for their version (this eliminates the vulnerability)
   IE 5.01 SP2 http://www.microsoft.com/windows/ie/downloads/recommended/ie501sp2/default.asp
   IE 5.5 SP2 http://www.microsoft.com/windows/ie/downloads/recommended/ie55sp2/default.asp
   then Apply MS01-055
   http://www.microsoft.com/technet/security/bulletin/MS01-055.asp

or

3. Apply MS01-027
   http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
   (Note: MS01-027 supersedes MS01-020 and addresses the same vulnerabilities, plus additional vulnerabilities discovered after MS01-020)
   (Note: You cannot apply MS01-051 or MS01-055 unless you have upgraded to SP2 for IE 5.01 or IE 5.5, so it clearly makes sense to get SP2 installed and not apply MS01-027)

or

4. Apply MS01-020
   http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
   (Note: You cannot apply MS01-051 or MS01-055 unless you have upgraded to SP2 for IE 5.01 or IE 5.5, so it clearly makes sense to get SP2 installed and not apply MS01-020)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
"My thoughts are facts in my world, opinion to you. YMMV"
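As an added illustration of the attachment shape Russ describes (this is example code, not from the post, NTBugtraq or any AV vendor): a small Python mail-filter check that parses a message and flags any part whose declared Content-Type is audio/x-wav but whose filename carries a double extension ending in .scr or .pif. The sample message, filenames and placeholder bytes are constructed for the example; the extension list beyond .scr and .pif is an assumption.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs as programs; the post names .scr and .pif (rest assumed).
EXECUTABLE_EXTENSIONS = {".scr", ".pif", ".exe", ".com", ".bat"}
# Declared Content-Type the post reports on the infected attachment.
MISLEADING_TYPES = {"audio/x-wav"}

def inspect_part(part):
    """Return a finding dict for one leaf MIME part, or None if nothing looks off."""
    filename = part.get_filename()
    if not filename:
        return None
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    ctype = part.get_content_type()
    reasons = ["executable extension " + ext]
    if os.path.splitext(stem)[1]:          # "card.doc.scr" -> stem "card.doc" keeps ".doc"
        reasons.append("double extension")
    if ctype in MISLEADING_TYPES:
        reasons.append("declared " + ctype + " but filename is executable")
    return {"filename": filename, "content_type": ctype, "reasons": reasons}

def scan_message(raw):
    """Parse a raw message and collect findings over every non-multipart part."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if not part.is_multipart():
            finding = inspect_part(part)
            if finding:
                findings.append(finding)
    return findings

def build_sample():
    """Constructed message shaped like the post's description; not a real capture."""
    msg = EmailMessage()
    msg["Subject"] = "Re: your message"
    msg.set_content("constructed body text")
    # Declared as WAV audio but named with a double extension ending in .scr.
    msg.add_attachment(b"constructed placeholder bytes", maintype="audio",
                       subtype="x-wav", filename="card.doc.scr")
    # Ordinary attachment that must not be flagged.
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```

Running scan_message(build_sample()) yields one finding for card.doc.scr with all three reasons and nothing for report.pdf.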

