ms03
Microsoft Security Update MS03-026
Security patch to prevent Blaster Worm virus more>> The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. This virus is also known as: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer Associates). Best practices, such as applying security patch MS03-026 should prevent infection from this worm.
This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026.
Once the Exploit code is sent to a system, it downloads and executes the file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is the system is rebooting every few minutes without user input. Customers may also see:
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 directory or download the latest anti-virus software signature from your anti-virus vendor and scan your machine.
<<lessMicrosoft Security Bulletin MS03-039 824146
Critical update for NT/2000/XP/2003 more>> A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft Windows and gain complete control over it. You can help protect your computer by installing this update from Microsoft.
Note: Windows 98, Windows 98 Second Edition (SE), and Windows 95 also are not affected by this issue. However, these products are no longer supported. Users of these products are strongly encouraged to upgrade to later versions.
<<lessMicrosoft Security Bulletin MS03-043 828035
Buffer Overrun in Could Allow Code Execution more>> A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer.
An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.
<<lessMicrosoft Security Bulletin MS03-005 810577
Unchecked Buffer in Windows Redirector more>> The Windows Redirector is used by a Windows client to access files, whether local or remote, regardless of the underlying network protocols in use. For example, the "Add a Network Place" Wizard or the NET USE command can be used to map a network share as a local drive, and the Windows Redirector will handle the routing of information to and from the network share.
A security vulnerability exists in the implementation of the Windows Redirector on Windows XP because an unchecked buffer is used to receive parameter information. By providing malformed data to the Windows Redirector, an attacker could cause the system to fail, or if the data was crafted in a particular way, could run code of the attacker?s choice.
<<lessBizTalk Server 2000 Security Release: MS03-016 1
BizTalk Server 2000 Security Release is created to be an essential security release which can be compatible with all BizTalk Server 2000 SKUs. more>>
BizTalk Server 2000 Security Release: MS03-016 1 is created to be an essential security release which can be compatible with all BizTalk Server 2000 SKU's.
Requirements: Windows 2000/XP
<<lessMicrosoft Security Bulletin MS03-041 823182
Vulnerability Could Allow Remote Code Execution more>> There is a vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with an approval dialog.
To exploit this vulnerability, an attacker could host a malicious Web Site designed to exploit this vulnerability. If an attacker then persuaded a user to visit that site an ActiveX control could be installed and executed on the user?s system. Alternatively, an attacker could create a specially formed HTML e-mail and send it to the user. If the user viewed the HTML e-mail an unauthorized ActiveX control could be installed and executed on the user?s system. In both scenarios the vulnerability in Authenticode could allow an unauthorized ActiveX control to be installed and executed on the user?s system, with the same permissions as the user, without prompting the user for approval.
The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:
- You have applied the patch included with Microsoft Security bulletin MS03-040
- You are using Internet Explorer 6 or later
- You are using the Microsoft Outlook Email Security Update or
- Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in their default configuration.
Microsoft Security Bulletin MS03-006 812709
Microsoft Security Bulletin MS03-006 812709 is a bulletin of security for Microsoft products that users can obtain assistance on a variety of topics. more>>
Microsoft Security Bulletin MS03-006 812709 is a bulletin of security for Microsoft products that users can obtain assistance on a variety of topics. For instance, it provides product documentation, assistance in determining hardware compatibility, access to Windows Update, online help from Microsoft, and other assistance. Users and programs can execute URL links to Help and Support Center by using the "hcp://" prefix in a URL link instead of "http://".
A security vulnerability is present in the Windows Me version of Help and Support Center, and results because the URL Handler for the "hcp://" prefix contains an unchecked buffer.
An attacker could exploit the vulnerability by constructing a URL that, when clicked on by the user, would execute code of the attacker's choice in the Local Computer security context. The URL could be hosted on a web page, or sent directly to the user in email. In the web based scenario, where a user then clicked on the URL hosted on a website, an attacker could have the ability to read or launch files already present on the local machine.
In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in e-mail. However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail.
Requirements: Windows ME
Microsoft Security Bulletin MS03-047 828489
Vulnerability in Exchange Server 5.5 Could Allow Scripting Attack more>> A cross-site scripting (XSS) vulnerability results due to the way that Outlook Web Access (OWA) performs HTML encoding in the Compose New Message form.
An attacker could seek to exploit this vulnerability by having a user run script on the attackers behalf. The script would execute in the security context of the user. If the script executes in the security context of the user, the attackers code could then execute by using the security settings of the OWA Web site (or of a Web site that is hosted on the same server as the OWA Web site) and could enable the attacker to access any data belonging to the site where the user has access.
To exploit this vulnerability through OWA, an attacker would have to send an e-mail message that has a specially-formed link to the user. The user would then have to click the link. To exploit this vulnerability in another way, an attacker would have to know the name of the users Exchange server and then entice the user to open a specially-formed link from another source while the user is logged on to OWA.
Note: Customers who have customized any of the ASP pages in the File Information section in this document should backup those files before applying this patch as they will be overwritten when the patch is applied. Any customizations would then need to be reapplied to the new ASP pages. Please refer to the Microsoft Support Policy for the Customization of Outlook Web Access available at http://support.microsoft.com/default.aspx?scid=kb;en-us;327178
<<lessMicrosoft Security Bulletin MS03-007 815021
Unchecked Buffer In Windows 2000 more>> Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet. A security vulnerability is present in a Windows component used by WebDAV, and results because the component contains an unchecked buffer.
An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running Internet Information Server (IIS). The request could cause the server to fail or to execute code of the attacker?s choice. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context).
Although Microsoft has supplied a patch for this vulnerability and recommends customers install the patch immediately, additional tools and preventive measures have been provided that customers can use to block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds and tools are discussed in the ?Workarounds? section in the FAQ below.
<<lessJScript 5.6 Security Patch for Windows 2000 and XP MS03-008
Patch a critical vulnerability in the Windows Script Engine. more>> <<less
Internet Explorer 6 Cumulative Vulnerability Patch MS03-040
Protect your system from security vulnerabilities in Internet Explorer 6. more>>
Internet Explorer 6 Cumulative Vulnerability Patch MS03-040 is a useful software which eliminates all previously addressed security vulnerabilities affecting Internet Explorer 6, as well as two additional newly discovered vulnerabilities.
This update includes the functionality of all previously released patches for Internet Explorer 6, and eliminates the following newly discovered vulnerabilities: one that occurs because Internet Explorer does not properly determine an object type returned from a Web server in a pop-up window, and one that occurs because Internet Explorer does not properly determine an object type returned from a Web server during XML data binding.
Both flaws could have the effect of allowing an attacker to run arbitrary code on a user's system.
WareSeeker Editor
Microsoft Data Access Components (MDAC) Security Patch MS03-033 2.7
Microsoft Data Access Components (MDAC) Security Patch MS03-033 comes as a fully advanced security patch for Microsoft Data Access Components as described in the MS03-033: Security Update for Microsoft Data Access Components. more>>
Microsoft Data Access Components (MDAC) Security Patch MS03-033 2.7 comes as a fully advanced security patch for Microsoft Data Access Components as described in the MS03-033: Security Update for Microsoft Data Access Components. A number of security issues have been identified in Microsoft Data Access Components versions 2.5,2.6 and 2.7 that are described in this article. You can help protect your system by installing this patch from Microsoft.
Requirements: Windows 98/Me/NT/2000/XP
Internet Explorer 6 Cumulative Vulnerability Patch for Windows XP MS03-040
Protect your system from security vulnerabilities in Internet Explorer 6. more>>
Internet Explorer 6 Cumulative Vulnerability Patch for Windows XP MS03-040 is an effective software which eliminates all previously addressed security vulnerabilities affecting Internet Explorer 6, as well as two additional newly discovered vulnerabilities.
This update includes the functionality of all previously released patches for Internet Explorer 6, and eliminates the following newly discovered vulnerabilities: one that occurs because Internet Explorer does not properly determine an object type returned from a Web server in a pop-up window, and one that occurs because Internet Explorer does not properly determine an object type returned from a Web server during XML data binding.
Both flaws could have the effect of allowing an attacker to run arbitrary code on a user's system
WareSeeker Editor
Office XP SP3 English 3
Office XP SP3 English - Patch for Office XP more>>
This service pack applies to any level of Office XP. It contains all updates included in Office XP Service Pack 1 (SP1) and Office XP Service Pack 2 (SP2), and updates released after SP2.
Microsoft recommends you to use the Office Update site to determine if your computer requires this update before installing it.
Office XP SP3 addresses the issues described in the following Microsoft Security Bulletins:
- Microsoft Security Bulletin MS02-044: Unsafe Functions in Office Web Components (Q328130)
- Microsoft Security Bulletin MS02-059: Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure (Q330008)
- Microsoft Security Bulletin MS02-067: E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail (331866)
- Microsoft Security Bulletin MS03-003: Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure (812262)
- Microsoft Security Bulletin MS03-035 : Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)
- Microsoft Security Bulletin MS03-036: Buffer Overrun in WordPerfect Converter Could Allow Code Execution (827103)
- Microsoft Security Bulletin MS03-037: Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution (822715)
- Microsoft Security Bulletin MS03-038: Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution (827104)
- Microsoft Security Bulletin MS03-050: Vulnerability in Microsoft Word and Microsoft Excel Could Allow Arbitrary Code to Run (831527)
- Microsoft Security Bulletin MS04-009: Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)
This service pack also includes all updates released for Office XP:
- Office XP Update: Service Pack 1 (SP1)
- Office XP Update: Service Pack 2 (SP2)
- Excel 2002 Update: October 16, 2002
- Word 2002 Update: October 16, 2002
- Outlook 2002 Update: December 4, 2002
- Outlook 2002 Update: January 22, 2003
- Office XP Italian Grammar Tools Update: KB813682
- Office XP Security Patch: KB822036
- Access 2002 Snapshot Viewer Security Patch: KB826293
- Office XP WordPerfect 5.x Converter Security Patch: KB824938
- Word 2002 Security Patch: KB824934
- Excel 2002 Security Patch: KB830350
- Word 2002 Security Patch: KB830346
Office XP SP3 will install successfully even if one or more of the publicly available updates, listed earlier in this document, have already been installed on your computer.
Office XP SP3 also includes stability improvements developed due to user input from the Error Reporting Tool in Office XP and from Microsoft Product Support feedback.
Resolve for Agobot 1.07
A tool that removes W32 Agobot more>> A tool that removes W32 Agobot
Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed.
Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
W32/Agobot-BT is a network worm which also allows unauthorised remote access to the computer via IRC channels.
W32/Agobot-BT copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.
W32/Agobot-BT copies itself to the Windows system folder as sysinfo.exe and creates the following registry entries to run itself on system restart:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Configuration Loader
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
Configuration Loader
Each time W32/Agobot-BT is run it attempts to connect to a remote IRC server and join a specific channel.
W32/Agobot-BT attempts to terminate various processes related to anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE and ZONEALARM.EXE).
W32/Agobot-BT, W32/Agobot-HD, W32/Agobot-HH, W32/Agobot-HL, W32/Agobot-HS, W32/Agobot-IJ, W32/Agobot-IK, W32/Agobot-LG, W32/Agobot-LT, W32/Agobot-MR, W32/Agobot-MW, W32/Agobot-NA, W32/Agobot-NZ, W32/Agobot-OT, W32/Agobot-OU, W32/Agobot-QF, W32/Agobot-QO,
Windows disinfector
AGOBTGUI is a disinfector for standalone Windows computers. To use it you have to do the following:
- Open AGOBTGUI.com file from your desktop after downloading it.
- Click on the Start Scan Button.
- Wait for the process to complete.
Command line disinfector
AGOBTSFX.EXE is a self-extracting archive containing AGOBTCLI, a Resolve command line disinfector for use by system administrators on Windows networks.
After removing the worm you should check the virus analysis for details of any Microsoft security updates you should make, or, on single computers, update with all relevant security patches from Windows update.
For W32/Agobot-HH, W32/Agobot-LT, W32/Agobot-NZ, W32/Agobot-OT, W32/Agobot-OU and W32/Agobot-SX you should replace the HOSTS file from backup, or open it in Notepad and remove any of the entries listed in the virus description.
- Page: 1 of 2
- 1
- 2
