Thread 10845 | 2001-08-16 08:53:00 | eg why unbinding protocols is so handy | started by Guest (0) | forum: Press F1
Post 17083 | 2001-08-16 08:53:00 | Guest (0)

copied from www.securitynewsportal.com

New HAI worm may slip past old versions of ZoneAlarm and Symantec Anti-Virus
Written on Wednesday, August 15 @ 11:13:33 EDT
Topic: Insight and Indepth

I just received an interesting e-mail from BigBill, concerning a worm that entered his Symantec and ZoneAlarm protected home computer. The tale he tells is interesting and I have been able to confirm some of the information he said about Symantec issuing an update as a result of what happened to him. I have included his e-mail explaining what happened...

To quote from Symantec:

W32.HLLW.Hai is a worm that spreads over a network. It spreads by looking for computers 1) on which the NetBIOS protocol is installed, and 2) that share the Windows folder with full access for 'Everyone.' The worm does this by spawning a new thread that looks for computers with open Windows shares. When it finds such a computer, the worm copies itself into the Windows folder. It also modifies the Win.ini file so that the next time the computer is started, the worm will be executed. The name that this worm uses is chosen at random... continued...

What makes Bill's story interesting is that the infection appears to have happened during a Code Red scan of his system. The current version of ZoneAlarm is 2.6.231. All of the samples of this worm that SARC has received have been encrypted with a known Portable Executable (PE) file-encryption program.

Here is the message that I received from BigBill:

New worm drilled through ZoneAlarm

I know you are very busy, but the following email I sent to my broadband friends discusses an apparent failure of the ZoneAlarm firewall to protect me from a worm during the current CRIII attack episode.

- - - -

Howdy broadband friends,

Apparently ZoneAlarm failed to protect me from a worm and I was vulnerable because I had open sharing enabled on my desktop hard drive. I thought I was safe, because of ZoneAlarm and an updated Norton Anti-virus 2000. Apparently this worm is so new the latest available NAV live update definitions do not contain detection for it. After I submitted the file to them, Symantec sent me a virus update file with the quoted message below.

Below is a status update on your virus submission:
Date: Wed Aug 15 06:06:55 PDT 2001
We have analyzed your submission. The following is a report of our findings for each file you have submitted:
filename: C:\windows\BJCDCX.EXE
machine: P3 DESKTOP
result: This file is infected with W32.HLLW.Hai

Info on this worm can be found at www.symantec.com

Note that ZoneAlarm notified me via the automatic check for updates this morning of a new version. So if you don't have that automatic check feature enabled go to their site for the new version. I don't know if this would have protected me or not as I was apparently infected yesterday afternoon. The ZA web site does not have detailed enough info for me to determine this.

I've now password protected my shared disks (better late than never), even though that is going to make it lots less convenient to exchange data between my desktop and laptop. BC, if you have technical suggestions, let me know. I'm using NetBEUI between laptop and desktop and so no evidence of infection by this worm on the laptop.

ZoneAlarm did detect the worm trying to connect to it yesterday, but I didn't pay much attention at the time, just said 'no.' Today when the same program wanted to connect to the Internet, that caught my attention and prompted my investigation. I do not know how I got the worm, but am suspicious because the worm attempted to connect to an IP number within the block that has been hammering me since Code Red III hit. There were a couple of people who posted on Security News Portal that their Windows ME systems began to attempt to connect to the 'net after getting hit by CR III, but I pooh-poohed this. Maybe there is a variant that can get into non-password protected disks through a hole in ZoneAlarm.

There is a hit recorded in the log for the exact minute the worm file was created. I suppose that could be a coincidence??? ZA logged 85 attempted entries yesterday (down from the approx 50 per hour Sunday the 5th). I opened no email attachments yesterday and neither loaded nor read any external file, so firewall failure seems the only likely source. I even checked my FTP logs. If you can think of any other possible mechanism, please let me know.

Bill

tweak's 2 cents: I just checked my server (Win98SE with ICS and file/printer sharing on) to see what ports were open to the net WITHOUT the firewall on; glad to see NetBIOS was not open. Thank goodness the protocol unbinding works :-)
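The check tweak describes (looking at which ports are reachable from the net with the firewall off) and the worm's two footholds from the Symantec description (NetBIOS/SMB reachable from the Internet, and a run= line in win.ini) can be audited from a captured `netstat -an` listing and a copy of win.ini. The script below is an added example for this thread, not code from the forum, from Symantec or from ZoneAlarm. It assumes Windows-style `netstat -an` output and the classic `[windows]` section layout of win.ini; the netstat sample and the win.ini sample are constructed (the file name BJCDCX.EXE is the one Bill's submission report names, the addresses are documentation ranges).

```python
import ipaddress
import re
from typing import List, Tuple

# Ports used by NetBIOS over TCP/IP (137-139) and direct-hosted SMB (445).
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

# Address ranges a host on the Internet cannot reach directly:
# loopback, the RFC 1918 private blocks and link-local.
_NOT_ROUTABLE = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16", "169.254.0.0/16")]

# One line of Windows `netstat -an`: proto, local addr:port, foreign, optional state.
_NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)(?:\s+(\S+))?")


def _internet_reachable(addr: str) -> bool:
    """A wildcard bind (0.0.0.0) sits on every adapter, dial-up included, so it
    counts as exposed; any other address is exposed unless it is non-routable."""
    if addr == "0.0.0.0":
        return True
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in _NOT_ROUTABLE)


def netbios_exposure(netstat_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local address, port) for every NetBIOS/SMB socket that is
    listening on an address an Internet host could reach, in listing order."""
    exposed = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        port = int(port)
        if port not in NETBIOS_SMB_PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # an established session is not an open door by itself
        if _internet_reachable(addr):
            exposed.append((proto, addr, port))
    return exposed


def winini_autostart(ini_text: str) -> List[Tuple[str, str]]:
    """Return the load= and run= entries of the [windows] section that name a
    program; these run at logon and are where the worm plants its start line."""
    hits = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("load", "run") and value:
            hits.append((key, value))
    return hits


# Constructed sample: a Win98 ICS host with a LAN adapter on 192.168.0.1 and a
# dial-up/public address 203.0.113.7. Only the wildcard and public binds are exposed.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    203.0.113.7:21         0.0.0.0:0              LISTENING
  TCP    203.0.113.7:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        192.168.0.2:1044       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    192.168.0.1:138        *:*
"""

# Constructed sample win.ini with the worm's start line added to the [windows] section.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\BJCDCX.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for proto, addr, port in netbios_exposure(SAMPLE_NETSTAT):
        print(f"exposed: {proto} {addr}:{port}")
    for key, value in winini_autostart(SAMPLE_WIN_INI):
        print(f"win.ini autostart: {key}={value}")
```

On the sample, the LAN-only binds on 192.168.0.1 pass (that is what unbinding File and Printer Sharing from the dial-up adapter buys you), while the 0.0.0.0 and 203.0.113.7 listeners on 137/139 are reported, and the run= line pointing at the worm file is the win.ini indicator to look for after the share has been cleaned up.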
Post 17084 | 2001-08-16 09:23:00 | Guest (0)

You're lucky that you can close your NetBIOS. Unfortunately if I disable it for my dialup connection it disables it for my LAN as well, stupid Windows. At least I'm not stupid enough to share everything, let alone give write access to everything.
Post 17085 | 2001-08-16 09:30:00 | Guest (0)

which windoze do you use??