Weekly Report on Viruses and Intruders – Four vulnerabilities and Mydoom.AK

First we will take a look at the main characteristics of the four security problems for which Microsoft has released patches. Users of affected systems are advised to install the patches.

– Server Message Block (SMB) problem. This affects Windows 2000, Windows XP and Windows Server 2003 and allows code to be executed. Ways of exploiting it include creating special network packets and sending them to a vulnerable computer, generating an email message with a link to a web page, and using a program that passes parameters to the vulnerable SMB component.

– License Logging vulnerability. This affects Windows NT Server 4.0 (SP6a and Terminal Server Edition SP6), Windows 2000 Server SP4 and SP3 and Windows Server 2003. It could permit remote execution of code and could be exploited through a specially crafted network packet sent to the vulnerable computer.

If a hacker successfully exploited this problem, he could take control of the computer with the same privileges as the user that started the session. If the user had administrator rights, the hacker could take control of the entire system (and therefore create, modify or delete files; install programs; create new user accounts, etc.). On computers with Windows 2003 Server it could allow a denial of service (DoS) attack.

– Security problem in the processing of PNG (Portable Network Graphics) files. This affects applications such as Windows Media Player 9.0 (when run on Windows 2000, Windows XP Service Pack 1 and Windows Server 2003), Microsoft Windows Messenger version 5.0, Microsoft MSN Messenger 6.1 and Microsoft MSN Messenger 6.2. It could be used by viruses to rapidly infect computers via malformed real PNG images which, when processed by one of the affected products, could cause the computer to crash.

– Vulnerability in Microsoft Office XP. This affects Office XP, Word 2002, PowerPoint 2002, Project 2002, Visio 2002, Works 2002, Works 2003 and Works 2004. This could allow a buffer overflow which, if exploited by a hacker, could give control over the computer with the same privileges as the user that started the session.

Mydoom.AK is a worm with variable characteristics that spreads via email. The subject field sometimes includes messages referring to Valentine’s Day, such as “Happy Valentine’s day”.

Mydoom.AK terminates active processes belonging to certain antivirus products, firewalls and other security programs. For this reason, this worm can leave computers vulnerable to attack from other malware.

Mydoom.AK searches for email addresses in the affected computer in files with the following extensions: ADB, ASP, DBX, DOC, EML, FPT, HTM, HTML, INB, MBX, OFT, PAB, PHP, PL, PMR, SHT, TBB, TXT, UIN and XLS. It then sends itself out to them (other than those that contain certain text strings), using its own SMTP engine.



