-----Original Message-----
From: UNIRAS (UK Govt CERT) [mailto:[EMAIL PROTECTED]]
Sent: 25 November 2002 16:10
To: [EMAIL PROTECTED]
Subject: UNIRAS Brief - 420/02 - Malicious Software report
Importance: High

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 420/02 dated 25.11.02  Time: 16:02
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Malicious Software Report

I-Worm.Winevar, WORM_WINEVAR.A, W32/Korvar, Worm/Bride.C, W32.HLLW.Winevar

Detail
======

The details of the new trojan variant are as follows:

Trojan name:                       W32/WineVar.A-mm
Number of copies seen so far:      264
Time & Date first captured:        22 Nov 2002, 08:55 GMT
Origin of first intercepted copy:  South Korea
Number of countries seen active:   9
Top three most active countries:   South Korea, UK, Russia

Technical Details

W32/WineVar.A-mm appears to add .CEO to the list of executable files. This means that if you do not completely clean up after this virus, the writer may be able to get you next time (because .CEO will not be on your list of known executable files).

The virus utilizes the well-known MS01-020 vulnerability, and also exploits the com.ms.activeX.ActiveXComponent weakness.

In copies that we have seen so far, an example of the e-mail is as follows:

Subject:      Re: AVAR (Association of Anti-Virus Asia Reseachers)
Body:         (None)
Attachments:  WIN(hex number).TXT (12.6 KB)
              MUSIC_1.HTM
              WIN(hex number).pif
              WIN(hex number).GIF (120 bytes)
              MUSIC_2.CEO

Comment

SkepticT detected W32/WineVar.A-mm heuristically. No MessageLabs customers were affected.
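The briefing gives defenders three observable features of this sample: a fixed lure subject, executable attachments (.pif, and .CEO which the worm registers as a new executable extension), and abuse of MS01-020, the Internet Explorer flaw in which a declared MIME type that does not match an executable attachment causes it to run automatically. The following mail-gateway check is an added example written for this briefing, not MessageLabs' or UNIRAS' own code. The attachment list mirrors the one quoted above; the hex part of the filenames (WIN1A2B), the byte contents and the declared Content-Type values are constructed, and the set of "executable" and "benign" types is a hypothetical starting list a gateway operator would tune locally.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows treats as runnable, plus .ceo, which the advisory
# says this worm adds to the system's executable list.  Hypothetical list.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".ceo"}

# Declared content types that should never carry an executable filename.
# A mismatch is the MS01-020 pattern: mailer trusts the type, user gets the program.
BENIGN_TYPES = {"audio/x-wav", "audio/wav", "image/gif", "image/jpeg", "text/plain"}

LURE_SUBJECT_PREFIX = "re: avar"  # taken from the subject line quoted in the briefing


def build_sample_message():
    """Constructed sample mirroring the briefing's attachment list (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: AVAR (Association of Anti-Virus Asia Reseachers)"
    # No body part is added: the briefing reports "Body: (None)".
    attachments = [
        ("WIN1A2B.TXT", "text/plain", b"x" * 64),
        ("MUSIC_1.HTM", "text/html", b"<html></html>"),
        ("WIN1A2B.pif", "audio/x-wav", b"MZ" + b"\x00" * 30),   # executable declared as audio
        ("WIN1A2B.GIF", "image/gif", b"GIF89a" + b"\x00" * 114),
        ("MUSIC_2.CEO", "application/octet-stream", b"MZ" + b"\x00" * 30),
    ]
    for name, ctype, data in attachments:
        maintype, subtype = ctype.split("/")
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg


def scan_message(msg):
    """Return human-readable findings for one parsed message; empty list = clean."""
    findings = []
    subject = str(msg.get("Subject", ""))
    if subject.lower().startswith(LURE_SUBJECT_PREFIX):
        findings.append("subject matches known lure: %r" % subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        if ext in EXECUTABLE_EXTS:
            findings.append("executable attachment: %s (%s)" % (name, ctype))
            if ctype in BENIGN_TYPES:
                findings.append(
                    "MIME type/extension mismatch (MS01-020 pattern): %s declared as %s"
                    % (name, ctype))
    return findings


def scan_raw(raw):
    """Entry point for a gateway: parse the wire bytes, then scan."""
    return scan_message(message_from_bytes(raw, policy=policy.default))


if __name__ == "__main__":
    for finding in scan_raw(build_sample_message().as_bytes()):
        print(finding)
```

The extension check alone would have passed MUSIC_2.CEO through on a gateway that did not know the worm's new extension, which is the point the briefing makes about incomplete clean-up; treating any unknown extension on an attachment with an `MZ` header as executable is the natural next refinement.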
Further information may be found at the MessageLabs website at: www.MessageLabs.com/VirusEye

Useful URLs:
http://www.sophos.co.uk/virusinfo/analyses/w32winevara.html
http://www.fsecure.com/v-descs/winevar.shtml
http://vil.nai.com/vil/content/v_99819.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.winevar.html

- ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by telephone, or Not Protectively Marked information may be sent via EMail to: [EMAIL PROTECTED]

Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686
- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of MessageLabs for the information contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some of the information may have changed since it was released. If the vulnerability affects you, it may be prudent to retrieve the advisory from the canonical site to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQCVAwUBPeJKLIpao72zK539AQH0KgP/ebEXslVzac/4e2MU87aRmZp5iRC4ZO7A
DWNjitaOej6Sq9jsEKuKMLACVaOK9lHRyLhlfeGU4pAmSrEmkJSK4Xi+iQUXlhQO
BRg7Z+8ceTXcAnCG1isj1kgWebBAlWsYM+7nok4Tut3l6MeExtaZDlLau6psinnI
JycU+r9b/kY=
=ErGd
-----END PGP SIGNATURE-----

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk