CERT-In Monthly Security Bulletin August 06
High Vulnerabilities

| Microsoft | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Microsoft Power Point | Microsoft PowerPoint Remote code execution vulnerabilities | August 09, 2006 | CIVN-2006-81 |
| Microsoft Visual Basic | Microsoft Visual Basic for Applications Buffer Overflow Vulnerability | August 09, 2006 | CIVN-2006-80 |
| Microsoft Management Console | Microsoft Management Console Remote Code Execution Vulnerability | August 09, 2006 | CIVN-2006-79 |
| Microsoft Internet Explorer | Multiple vulnerabilities in Microsoft Internet Explorer | August 09, 2006 | CIVN-2006-77 |
| Microsoft Windows | Vulnerabilities in DNS Resolution Could Allow Remote Code Execution | August 09, 2006 | CIVN-2006-76 |
| Microsoft Windows | Microsoft Windows Server Service Buffer Overrun Vulnerability | August 09, 2006 | CIVN-2006-75 |

| Database | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| MySQL | MySQL MaxDB WebDBM Database Name Handling Remote Buffer Overflow Vulnerability | August 30, 2006 | CVE-2006-4305 |

| Unix | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Apache | Apache "mod_rewrite" Remote Off-By-One Buffer Overflow Vulnerability | August 07, 2006 | CIVN-2006-74 |
| Linux Kernel | Multiple Linux Kernel SCTP vulnerabilities | August 20, 2006 | CIAD-2006-25 |
| Wireshark (Ethereal) | Wireshark (Ethereal) Protocol Dissectors Code Execution and Denial of Service Vulnerabilities | August 22, 2006 | CIAD-2006-26 |

Medium Vulnerabilities

| Microsoft | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Microsoft Windows | Microsoft Windows Kernel Remote Code execution vulnerabilities | August 09, 2006 | CIVN-2006-84 |
| Microsoft Windows | Microsoft Windows Hyperlink Object Library vulnerabilities | August 09, 2006 | CIVN-2006-83 |
| Microsoft Windows | Windows Kernel Privilege Elevation Vulnerability | August 09, 2006 | CIVN-2006-82 |
| Microsoft Windows | Microsoft Windows MHTML Parsing Vulnerability | August 09, 2006 | CIVN-2006-78 |

| Unix | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| GnuPG | rPath Security Update Fixes GnuPG "parse_comment()" Integer Overflow Vulnerability | August 02, 2006 | CVE-2006-3746 |
| libTIFF | libTIFF Multiple Vulnerabilities | August 02, 2006 | CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464 |
| SquirrelMail | SquirrelMail "compose.php" Variable Manipulation Vulnerability | August 11, 2006 | CVE-2006-4019 |

Malicious Code Threats

| Title of Malicious Code | Type | Overview | Aliases | Discovery Date | References |
|---|---|---|---|---|---|
| Win32_Graweg/IRC-Mocbot | worm | The worm/backdoor exploits the recently discovered vulnerability in Microsoft Windows (MS06-040) described in CERT-In Vulnerability Note CIVN-2006-75. It opens an IRC backdoor on the compromised system to listen for remote attacker commands. | WORM_IRCBOT.JK [Trend], WORM_IRCBOT.JL [Trend], IRC-Mocbot!MS06-040 [McAfee], W32.Wargbot [Symantec], IRCBOT-ST [F-Secure] | August 12, 2006 | http://www.cert-in.org.in/virus/Win32_Graweg_IRC-Mocbot.htm |
| Trojan.MdropperN | worm | Trojan horse that exploits the Microsoft Visual Basic for Applications Buffer Overflow Vulnerability described in CIVN-2006-80 and attempts to drop a file on the compromised computer. | No aliases | August 16, 2006 | http://www.symantec.com/security_response/writeup.jsp?docid=2006-081616-2104-99 |
| Backdoor.Haxdoor.P | Haxdoor | Haxdoor is a backdoor with rootkit and spying capabilities. The backdoor was being spammed as an e-mail attachment to a large number of people. | Backdoor.Haxdoor.IS [Trend], Haxdoor.KI [F-Secure] | August 17, 2006 | http://www.f-secure.com/v-descs/haxdoor_ki.shtml |
| Randex/Sdbot/Rbot | Worm | A network-aware worm with back door capabilities that exploits common buffer overflow vulnerabilities in Microsoft Windows, the latest of which is described in CIVN-2006-75. | WORM_RANDEX.AM [Trend], W32/Sdbot.worm!MS06-040 [McAfee], W32/Kassbot-V [Sophos], W32./Vanebot-A [Sophos], W32/Rbot-FKR [Sophos] | August 18, 2006 | http://cert-in.org.in/virus/randex.htm |
| W32.Spybot | Worm | A network-aware worm that opens a back door on the compromised computer. It also spreads to network shares and by exploiting Microsoft Windows vulnerabilities. | W32/Opanki.worm!MS06-040 [McAfee], Backdoor.Win32.Rbot.ayg (Kaspersky), WORM_RBOT.AEY (TrendMicro) | August 28, 2006 | http://vil.nai.com/vil/content/v_140546.htm |

Top 10 Spam Producing ISPs (Source: www.spamhaus.org)

| Rank | Network | Top Spam generating IPs (in August) | Location |
|---|---|---|---|
| 1 | verizonbusiness.com | 63.117.23.210 | US |
| | | 207.176.254.1 | CA |
| | | 63.85.160.2 | US |
| | | 63.85.219.3 | US |
| | | 207.139.5.2 | CA |
| 2 | rtcomm.ru | 81.177.17.114 | RU |
| | | 217.106.234.80 | RU |
| | | 81.177.37.59 | RU |
| 3 | sbc.com | 69.211.99.120 | US |
| | | 64.148.131.40 | US |
| 4 | xo.com | 38.98.138.2 | US |
| | | 71.5.89.2 | US |
| | | 207.155.174.221 | US |
| | | 206.173.60.1 | US |
| 5 | hinet.net | 59.124.200.43 | US |
| | | 59.125.132.134 | US |
| | | 59.120.122.76 | US |
| 6 | interbusiness.it | 80.19.56.188 | CN |
| 7 | ttnet.net.tr | 81.214.136.236 | CN |
| 8 | comcast.net | 68.37.204.107 | US |
| | | 24.13.237.155 | US |
| 9 | internap.com | 66.151.234.144 | US |
| | | 72.5.205.6 | US |
| 10 | serverflo.com | 66.185.126.146 | US |