Message-ID: <00ff01c3fbba$299d7660$3200000a@alex>
From: jkuperus at planet.nl (Jelmer)
Subject: Fw: [Unpatched] The Bizex worm

there's more info at http://www.daemonology.net/ICQworm/worm.txt

It seems it uses the nearly 2 years!! old "icq downloads stuff to a known
location" vulnerability
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-07/0210.html

Recently made current by Arman Nayyeri, as you can see his post also
mentions icq as an attack vector
http://www.securityfocus.com/archive/1/348521

which they also use, effectively making this a worm that exploits a zero day
vulnerability, no patch is available from either Microsoft or ICQ, and
antivirus signatures are trivially defeated. So it's easy to make variants
to this virus

Shame on ICQ!


----- Original Message ----- 
From: "Thor Larholm" <thor@...x.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, February 25, 2004 4:12 AM
Subject: [Full-Disclosure] Fw: [Unpatched] The Bizex worm


> We have all talked about how most viruses and worms that actually spread
> in the wild could have been written so much better by any one of us. I
> guess someone stepped forward and took the bait.
>
> Everything indicates that Bizex is a worm which was created as a hired
> job. Its primary purpose was to collect banking information and create
> an army of zombie machines. To accomplish this, it exploited a range of
> vulnerabilities, the latest of which was published as recently as
> February 19th on the Bugtraq mailing list.
>
> The antivirus companies are finally starting to update their signatures,
> hours after Bizex has already infected between 50.000 and 100.000
> machines (Kaspersky). Luckily, the main distribution sites have now been
> shut down which has halted the spread but left us with an army of
> zombie machines waiting for new instructions on port 1534.
>
> New variants of Bizex are expected in the near future.
>
> Locking down the My Computer zone prevented Bizex from infecting a
> Windows system, a feature which is implemented as a demonstratory fix in
> the currently available Qwik-Fix beta ( www.qwik-fix.net ) and which
> Microsoft is also implementing in the upcoming Windows XP Service Pack
> 2, slated for release around June.
>
> More information about Bizex can be found at
>
> http://www.kaspersky.com/news.html?id=4277566
> http://www.viruslist.com/eng/viruslist.html?id=1029528
> http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html
> http://www.sophos.com/virusinfo/analyses/w32bizexa.html
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101044
>
>
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 24 Corporate Plaza #180
> Newport Beach, CA 92660
> http://www.pivx.com
> thor@...x.com
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix <http://www.qwik-fix.net>
>
> -----Original Message-----
> From: Thor Larholm
> Sent: Tuesday, February 24, 2004 5:31 PM
> To: Thor Larholm
> Subject: [Unpatched] The Bizex worm
>
>
>
> Dear Unpatched subscriber,
>
> Today a new worm was discovered in the wild, called Bizex. Employing a
> multilayered attack, spread and infection approach it spreads through
> several vulnerabilities and exploits in multiple technologies such as
> email attachments, ICQ instant messaging and HTTP web pages. Some of
> these vulnerabilities are without patches from the vendor, raising the
> level of potential damage.
>
> Kaspersky is currently labelling this a global epidemic with more than
> 50.000 infections just among ICQ users.
>
> Likewise, implementing multiple layers of defense can help mitigate the
> threat posed by multilayered worms such as Bizex. The currently
> available BETA version of Qwik-Fix completely protects against the Bizex
> worm by mitigating the impact of several vulnerabilities it relies on.
> You can download Qwik-Fix at
>
> http://www.qwik-fix.net/
>
> Symantec has labelled this worm W32.Bizex.worm, but has not yet
> published any details about it.
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html
>
> PivX Solutions are currently researching the potential impact of Bizex
> as well as its data gathering intentions. Some of the vulnerabilities
> this worm is exploiting in its effort to spread are:
>
> Microsoft Java virtual machine class loader
> ICQ SCM local file planting
> Microsoft Help CHM vulnerabilities
> ADODB Stream
> Internet Explorer Shell Folders
>
> Interestingly, the shell folder vulnerability was only recently
> categorized as being a serious threat on February 19 in a post to the
> Bugtraq mailing list. This once again demonstrates how malicious
> criminals are more rapidly exploiting vulnerabilities as they are being
> announced.
>
> Our initial analysis has shown that this worm is trying to collect
> credit card details from unsuspecting users, masquerading itself as a
> statement from banks and online trading sites, such as Wells Fargo,
> E*TRADE, American Express, e-gold, Verisign and LloydsTSB.
>
> It has been linked to websites that are anonymously registered to
> Russian individuals, is apparently created using Microsoft Visual
> Studio and installs a backdoor on compromised machines to be used by
> professional spammers.
>
> Kaspersky has released more details at
>
> http://www.kaspersky.com/news.html?id=4277566
>
> We will keep you updated as more information is uncovered.
>
>
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 24 Corporate Plaza #180
> Newport Beach, CA 92660
> http://www.pivx.com
> thor@...x.com
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix <http://www.qwik-fix.net>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>


