CERT-In Monthly Security Bulletin May-June 06
High Vulnerabilities
| Microsoft | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Microsoft PowerPoint | Microsoft PowerPoint Malformed Record Vulnerability | June 14, 2006 | CIVN-2006-50 |
| Microsoft Windows | Microsoft Windows Graphics Rendering Engine | June 14, 2006 | CIVN-2006-49 |
| Microsoft Windows | Microsoft Windows RRAS Memory and Registry Corruption Vulnerability | June 14, 2006 | CIVN-2006-48 |
| Windows Media Player | Windows Media Player Remote Code Execution Vulnerability | June 14, 2006 | CIVN-2006-47 |
| Microsoft Windows | Microsoft Windows JScript Memory Corruption Vulnerability | June 14, 2006 | CIVN-2006-46 |
| Internet Explorer | ART Image Rendering Vulnerability | June 14, 2006 | CIVN-2006-45 |
| Internet Explorer | Multiple Vulnerabilities in Internet Explorer | June 14, 2006 | CIVN-2006-44 |
| Microsoft Word | Microsoft Word Unspecified Code Execution Vulnerability | June 14, 2006 | CIVN-2006-40 |
| Microsoft Windows | Remote Code Execution Vulnerabilities in Macromedia Flash Player running on Microsoft Windows | May 10, 2006 | CIVN-2006-39 |
| Microsoft Exchange Server | Microsoft Exchange Server Calendar Vulnerability | May 10, 2006 | CIVN-2006-38 |
| Unix | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Mozilla Firefox | Mozilla Firefox Deleted Object Reference Remote Code Execution Vulnerability | May 05, 2006 | CIVN-2006-36 |
| SpamAssassin | SpamAssassin Vpopmail and Paranoid Switches Code Execution Vulnerability | Jun 06, 2006 | CVE-2006-2447 |
| Sendmail | Sendmail Remote Code Execution Vulnerability | Jun 15, 2006 | CVE-2006-1173 |
| phpCMS | phpCMS "PHPCMS_INCLUDEPATH" File Inclusion Vulnerabilities | June 13, 2006 | CVE-2006-3019 |
| phpMyDirectory | phpMyDirectory "ROOT_PATH" File Inclusion Vulnerability | May 22, 2006 | CVE-2006-2521 |
| phpBB foing module | phpBB foing Module Multiple File Inclusion Vulnerabilities | May 15, 2006 | CVE-2006-2507 |
| Miscellaneous | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Symantec | Symantec AntiVirus and Client Security Remote Buffer Overflow Vulnerability | May 29, 2006 | CIVN-2006-41 |
 
Medium Vulnerabilities
| Microsoft | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Microsoft | TCP/IP Remote Code Execution Vulnerability | June 14, 2006 | CIVN-2006-54 |
| Microsoft Windows | Microsoft Windows RPC Mutual Authentication Spoofing Vulnerability | June 14, 2006 | CIVN-2006-53 |
| Microsoft Windows | Microsoft Windows Server Message Block (SMB) Privilege Escalation and DoS Vulnerabilities | June 14, 2006 | CIVN-2006-52 |
| Microsoft Outlook | Microsoft Outlook Web Access for Exchange Server Script Injection Vulnerability | June 14, 2006 | CIVN-2006-51 |
| Microsoft | Microsoft Distributed Transaction Coordinator Heap Overflow Vulnerability | May 10, 2006 | CIVN-2006-37 |
| Database | Title of Vulnerability | Discovery/Publish Date | References & Patch Information |
|---|---|---|---|
| MySQL | MySQL Multi-byte Encoding Processing Remote SQL Injection Vulnerability | June 09, 2006 | CIVN-2006-43 |
| Unix | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Lynx | Lynx Malformed HTML Infinite Loop Denial of Service Vulnerability | May 30, 2006 | CIVN-2006-42 |
| GnuPG 1.4.x | GnuPG "parse-packet.c" Denial of Service Vulnerability | June 23, 2006 | CVE-2006-3082 |
| Mambo | Mambo MOD_CBSMS Module File Inclusion Vulnerability | June 27, 2006 | CVE-2006-3294 |
| OpenOffice | OpenOffice Multiple Vulnerabilities | June 30, 2006 | CVE-2006-2198, CVE-2006-2199, CVE-2006-3117, CIAD-2006-17 |
| LibTIFF | LibTIFF Code Execution and DoS Vulnerabilities | June 08, 2006 | CIAD-2006-15, CVE-2006-2193 |
| ImageMagick | ImageMagick libMagick Heap Overflow Vulnerability | May 29, 2006 | CVE-2006-2440 |
| MPlayer | Multiple MPlayer Code Execution Vulnerabilities | May 01, 2006 | CVE-2006-1502 |
| PHP-Fusion | PHP-Fusion "srch_where" SQL Injection Vulnerability | May 17, 2006 | SA20129, CVE-2006-3082 |
 
Malicious Code Threats
| Title of Malicious Code | Type | Overview | Aliases | Discovery Date | References |
|---|---|---|---|---|---|
| Nugache | Worm | The Nugache worm is a mass-mailing worm that propagates via e-mail, network shares, instant messengers and by exploiting Windows vulnerabilities. | W32.Nugache.A@mm (Symantec), WORM_NUGACHE.A (Trend Micro), Backdoor.Win32.SdBot.aqy (F-Secure Corp.), Win32/Nugache.A (Computer Associates), W32/Rbot-DDI (Sophos), W32/Nugache.A.worm (Panda Software) | May 1, 2006 | http://www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html, http://vil.nai.com/vil/content/v_139347.htm |
| Trojan.Arhiveus | Trojan | Trojan.Arhiveus is a ransomware Trojan that scans the hard drive of an infected machine for certain file types, copies these files to its own encrypted archive named ArchivedFiles.als and deletes the original files. It then issues a ransom demand in an attempt to extort money from the victim in exchange for the password needed to recover the encrypted files. | MayArchive (McAfee), MayArchive.B (F-Secure), TROJ_MYARC.A (Trend Micro), Trojan.Win32.MayArchive.b (Kaspersky), W32/Archiveus.A (F-Prot) | May 5, 2006 | http://www.f-secure.com/v-descs/mayarchive_b.shtml, http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139543 |
| Ginwui.A | Trojan | Ginwui is a backdoor with rootkit characteristics which is distributed inside a Word document file with shell-code that drops the backdoor's file to the hard drive and activates it. Two specific variants of the Trojan, installed by exploiting a new Microsoft Word vulnerability (as described in Microsoft Security Advisory 919637), are BackDoor-CKB!cfaae1e6 and BackDoor-CKB!6708ddaf. | Backdoor.Ginwui (Symantec), BackDoor-CKB!cfaae1e6 (McAfee), BackDoor-CKB!6708ddaf (McAfee), Trojan.Mdropper.H [SAV], W32/Ginwui.A@dr [F-Secure] | May 19, 2006 | http://www.symantec.com/avcenter/venc/data/backdoor.ginwui.html, http://www.f-secure.com/v-descs/ginwui_a.shtml |
| W32.Mytob.PP@mm | Worm | W32.Mytob.PP@mm is a mass-mailing worm that uses its own SMTP engine to send email messages containing phishing URLs to addresses that it harvests from the compromised system. The worm uses the phishing URL to download a copy of itself onto the affected system. It also opens a back door to listen for attacker commands. | WORM_MYTOB.HH (Trend Micro), W32.Mytob.PP@mm (Symantec) | May 23, 2006 | http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYTOB.HH |
| SymbOS.Cardtrp.AD | Trojan | SymbOS.Cardtrp.AD is a Trojan horse that runs on the Symbian OS for Nokia Series 60 cellular phones. It disables some applications installed on the device and drops threats onto the device's memory card, which can compromise computers running Windows. | Cardtrp.AD (F-Secure), SymbOS.Cardtrp.AD (Symantec) | May 24, 2006 | http://www.symantec.com/avcenter/venc/data/symbos.cardtrp.a.d.html |
| Banwarum | Worm | This is a mass-mailing worm that uses its own SMTP engine to send an email with different German subjects and body texts to addresses that it harvests from the compromised system. The worm also spreads through the network by exploiting a Microsoft Windows vulnerability. | W32.Banwarum@mm (Symantec), W32/Banwarum.A (F-Secure), WORM_RANCHNEG.A (Trend Micro), W32/Zasran-A (Sophos), Email-Worm.Win32.Banwarum.a (KAV), W32/Zasran.A (F-Prot) | May 25, 2006 | http://vil.nai.com/vil/content/v_139593.htm, http://www.symantec.com/avcenter/venc/data/w32.banwarum@mm.html |
| W32/Melo.worm.gen | Worm | This worm attempts to spread by sending itself to MSN Messenger contacts and via floppy diskettes. The worm deletes files on the local system and attempts to delete chunks of data from the registry. | W32.Jesse (Symantec), W32/Melo (Sophos) | May 30, 2006 | http://www.sophos.com/security/analyses/w32meloe.html |
| Yamanner | Worm | A JavaScript-based mass-mailer worm known as Yamanner is in the wild. The worm exploits a vulnerability in the Yahoo! Web-based email service to run the malicious JavaScript embedded in a Yahoo mail message. | JS/Yamanner@MM [McAfee], JS_YAMANER.A [Trend Micro], Yamanner.A [F-Secure], JS/Yamann-A [Sophos] | June 12, 2006 | http://www.cert-in.org.in/virus/Worm-Yamnner.htm |
| Trojan.Mdropper.J | Trojan | Trojan.Mdropper.J is a Trojan horse that drops malware (Downloader.Booli.A) on the compromised computer by exploiting the Microsoft Excel Unspecified Remote Code Execution Vulnerability (as described in Microsoft Security Advisory 921365). It may arrive as a Microsoft Excel file attachment named "okN.xls". | No Aliases | June 14, 2006 | http://securityresponse.symantec.com/avcenter/venc/data/trojan.mdropper.j.html?Open |
| W32.Beagle.FD@mm | Worm | It is a mass-mailing worm that uses its own SMTP engine to send out copies of another threat, Trojan.Tooso.R. The worm also opens a back door on the compromised computer using TCP port 80 and lowers security settings. | W32.Beagle.FD@mm [Symantec], Email-Worm.Win32.Bagle.gk, W32/Bagle-KG [Sophos] | June 16, 2006 | http://www.sophos.com/security/analyses/w32baglekg.html |
| W32.Amirecivel.E@mm | Worm | W32.Amirecivel.E@mm is a mass-mailing worm that also spreads through file-sharing networks. The worm requires Microsoft .NET Framework 2.0 in order to run. | No Aliases | June 22, 2006 | http://www.symantec.com/avcenter/venc/data/w32.amirecivel.f@mm.html |
| Worm_Kidala | Worm | It is a mass-mailing worm that propagates via network shares and software vulnerabilities. It also opens a backdoor using random ports. | W32.Kidala.E@mm (Symantec) | June 23, 2006 | http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FKIDALA%2EA |
| Perl.Lekbot.B | Worm | The worm known as Perl.Lekbot.B has been observed in the wild exploiting the phpBB Viewtopic.PHP PHP Script Injection Vulnerability (BID 10701). The worm also opens a backdoor on the compromised system to listen for the remote attacker's commands. | PERL_SHELLBOT.AV (Trend Micro) | June 23, 2006 | http://www.cert-in.org.in/virus/Perl.Lekbot.B.htm |
| Kukudro.A (CME-745) | Trojan | Kukudro is an MS Word macro Trojan dropper written in Visual Basic for Applications (VBA). The dropper has been spammed in various e-mails as my_Notebook.doc inside a zip archive. Once a user opens the document, it drops and runs a binary executable. | W97M/Kukudro.A, Trojan-Dropper.MSWord.Lafool.i | June 27, 2006 | http://www.f-secure.com/v-descs/kukudro_a.shtml, http://cme.mitre.org/news/ |