US-CERT

US-CERT Current Activity

The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.

Last reviewed: October 14, 2004 16:30:56 EDT

  • Exploit for Microsoft GDI+ JPEG Parser (new)
  • W32/Bagle Revisited
  • W32/MyDoom Revisited
  • W32/Sasser
  • Exploitation of Outlook Express MHTML cross-domain scripting vulnerability



Exploit for Microsoft GDI+ JPEG Parser
added September 29

US-CERT is aware of exploitation of a JPEG parsing vulnerability in the Microsoft GDI+ library. By convincing a victim to view a specially crafted JPEG image with a program that uses the GDI+ library, an attacker could execute arbitrary code with the privileges of the victim. Affected programs include Microsoft Internet Explorer, Office, Outlook, Outlook Express, and Windows Explorer. An attacker could exploit this vulnerability to install malicious code which might permit access to your computer.

More information about the vulnerability is available in VU#297462.

Microsoft has released patches for this vulnerability in Microsoft Security Bulletin MS04-028. Microsoft also suggests reading email in plain text mode to reduce the risk associated with the HTML email attack vector. Note that this workaround will prevent HTML formatted email messages from displaying properly.
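As an added illustration (not code from the US-CERT page), the following Python checker walks the marker segments of a JPEG file and flags a segment whose 16-bit length field is smaller than the 2 bytes the field itself occupies (the malformed-length condition behind the GDI+ parser flaw fixed in MS04-028) or that runs past the end of the file; such a file is worth quarantining at a mail gateway or file share before any GDI+ client renders it. The sample byte strings are constructed inline and are not real images.

```python
import struct

def jpeg_segments(data):
    """Yield (marker, length, offset) for each header segment of a JPEG.

    Stops at SOS (entropy-coded data follows) or EOI. Raises ValueError
    on data that is not marker-structured at all.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: nothing more to check
            return
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, length, pos
        pos += 2 + length                   # marker bytes + declared segment size

def check_jpeg(data):
    """Return a list of findings; an empty list means every length is sane."""
    findings = []
    for marker, length, off in jpeg_segments(data):
        # The length field counts itself (2 bytes). A value of 0 or 1 makes
        # a naive "length - 2" payload size underflow to a huge number.
        if length < 2:
            findings.append(f"marker 0x{marker:02X} at offset {off}: length {length} < 2")
            break                           # later offsets are unreliable
        if off + 2 + length > len(data):
            findings.append(f"marker 0x{marker:02X} at offset {off}: length {length} runs past end of file")
            break
    return findings

# Constructed sample inputs (not real image files): a minimal JPEG with one
# well-formed COM (0xFFFE) segment, and the same with a length field of 1.
GOOD_JPEG = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 1) + b"hello" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(name, check_jpeg(blob) or "ok")
```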


W32/Bagle Revisited
added July 16 | updated August 10

Seven months after the W32/Bagle mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Bagle (also known as W32/Beagle) are known to open a backdoor on an infected system, which can lead to further exploitation by remote attackers.

The most recent variant is W32/Bagle.AO (discovered on August 9). This variant arrives as an email message with the following characteristics:

  • Spoofed From address
  • Blank Subject line
  • Body text containing "new price"
  • Attachment with a .ZIP file extension

US-CERT strongly encourages users to install and maintain anti-virus software and to exercise caution when handling attachments. Anti-virus software may not be able to scan password-protected archive files, so users must use discretion when opening archive files and should scan the files once they are extracted from an archive.

You may also wish to visit US-CERT's computer virus resources page.


W32/MyDoom Revisited
added July 26 | updated July 27

Six months after the W32/MyDoom mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/MyDoom are known to open a backdoor and to use their own SMTP engine to spread through email.

US-CERT strongly encourages users to install and maintain anti-virus software and to exercise caution when handling attachments. Anti-virus software may not be able to scan password-protected archive files, so users must use discretion when opening archive files and should scan the files once they are extracted from an archive.

Please see US-CERT's Cyber Security Alert SA04-208A for more information.

You may also wish to visit US-CERT's computer virus resources page.


W32/Sasser
added May 1 | updated June 24

US-CERT continues to receive reports of a worm known as "W32/Sasser". This worm attempts to exploit a buffer overflow vulnerability in the Windows Local Security Authority Subsystem Service (LSASS). The vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information on this vulnerability is available in Vulnerability Note VU#753212 and Microsoft Security Bulletin MS04-011.

The worm has been reported to propagate by scanning random IP addresses on port 445/tcp to identify vulnerable systems. When a vulnerable system is found, the worm will exploit the LSASS vulnerability, create a remote shell on port 9996/tcp, and start an FTP server on port 5554/tcp. The victim system will then connect back to the attacking system on port 5554/tcp to retrieve a copy of the worm. Systems infected by this worm may exhibit significant performance degradation.
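As an added example (not code from the US-CERT page), this Python sketch shows the detection logic a defender could run over firewall connection logs to spot the propagation pattern described above: one host probing many addresses on 445/tcp, and hosts accepting connections on the worm's 5554/tcp and 9996/tcp ports. The log line format, the three-target threshold and the addresses are constructed assumptions, not a real capture.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not a real capture). 10.0.0.5 shows the
# Sasser pattern: it probes several addresses on 445/tcp and a probed host
# then connects back to it on 5554/tcp. 10.0.0.9 is one ordinary SMB session.
SAMPLE_LOG = """\
2004-05-01T10:00:01 src=10.0.0.5 dst=192.0.2.17 dport=445 proto=tcp
2004-05-01T10:00:01 src=10.0.0.5 dst=198.51.100.3 dport=445 proto=tcp
2004-05-01T10:00:02 src=10.0.0.5 dst=203.0.113.44 dport=445 proto=tcp
2004-05-01T10:00:02 src=10.0.0.5 dst=192.0.2.201 dport=445 proto=tcp
2004-05-01T10:00:03 src=192.0.2.17 dst=10.0.0.5 dport=5554 proto=tcp
2004-05-01T10:00:05 src=10.0.0.9 dst=10.0.0.20 dport=445 proto=tcp
"""

LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=tcp")
SCAN_THRESHOLD = 3                      # distinct 445/tcp targets (assumed cutoff)
WORM_PORTS = {5554: "worm FTP server", 9996: "remote shell"}

def analyze(log_text, threshold=SCAN_THRESHOLD):
    """Map suspicious host -> list of reasons, from one connection log."""
    probed = defaultdict(set)           # src -> distinct hosts it hit on 445/tcp
    served = defaultdict(set)           # dst -> worm ports it accepted connections on
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == 445:
            probed[src].add(dst)
        elif dport in WORM_PORTS:
            served[dst].add(dport)
    findings = defaultdict(list)
    for src, hosts in probed.items():
        if len(hosts) >= threshold:
            findings[src].append(f"probed {len(hosts)} hosts on 445/tcp")
    for host, ports in served.items():
        for port in sorted(ports):
            findings[host].append(f"accepted connection on {port}/tcp ({WORM_PORTS[port]})")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

A host that both probes 445/tcp widely and serves 5554/tcp is the strongest signal; a single hit on either rule alone deserves a look but may be a legitimate SMB client or an unrelated service.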

US-CERT strongly encourages users to install anti-virus software and keep its virus signature files up to date.

You may also wish to visit the US-CERT computer virus resources page.


Exploitation of Outlook Express MHTML cross-domain scripting vulnerability
added April 7 | updated April 21

US-CERT is aware of exploitation of a cross-domain scripting vulnerability in the Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler. The MHTML protocol handler is installed as part of Outlook Express and uses Internet Explorer (IE) to access mhtml: URLs. Microsoft Windows systems install Outlook Express, IE, and the vulnerable MHTML handler by default.

By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute arbitrary code with the privileges of the user running IE and possibly read or modify content in another web site.

More information about the vulnerability is available in TA04-099A and VU#323070.

This vulnerability appears to be exploited by the Ibiza trojan, W32/Bugbear.E, and various web sites that host malicious URLs and related malware. Exploits also may be identified as BloodHound.Exploit.6. Attackers may distribute malicious URLs in unsolicited email, instant messages, chat rooms, or web forums. Attackers may also distribute exploits in HTML email messages.

This vulnerability is remedied by the patches described in Microsoft Security Bulletin MS04-013. For additional protection against these types of attacks, do not click on unsolicited links and maintain updated anti-virus software.

Please see US-CERT Incident Note IN-2004-02 for more information.

US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

You may also wish to visit US-CERT's computer virus resources page.


General Tips
  • Apply vendor-supplied software patches in a timely manner
  • Disable features/services that are not explicitly required
  • Install anti-virus software and keep it up to date
  • Use caution when opening email attachments and following URLs


Copyright 2004 Carnegie Mellon University.

CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark office.

Last updated June 17, 2004