Medium Risk Virus Alert - PE_BAGLE.Q

Published by Newsfactory 0

TrendLabs has declared a Yellow Alert to control the spread of PE_BAGLE.Q. TrendLabs has received numerous infection reports of this malware spreading in Korea and Japan.

This new BAGLE variant is capable of infecting files. It propagates via email in two ways. The first is by sending emails that carry no attachment; instead they contain a link which, when the email is opened, starts a series of events that eventually downloads the file infector onto the system. The second is emails with varying subjects, message bodies and attachment file names, as with its earlier variants.

First Exploit Surfaces from Leaked Windows Code

Published by [NT] 0

BetaNews: Just two days after portions of the Windows 2000 Service Pack 1 source made its way onto the Internet, the first exploit to take advantage of bugs discovered in the now opened code has appeared on security mailing lists. The vulnerability lies in Internet Explorer's handling of bitmap images. With a specially created bitmap, a remote user can cause a buffer overflow and execute arbitrary code on a target system. The author of the report, which was seemingly posted with malicious intent, indicates the flaw was uncovered when analyzing the file "imgbmp.cxx" within the Windows source code.

What you should know about 'Mydoom'

Published by [NT] 0

WinHelpLine.info offers on its homepage a very good FAQ on the 'MyDoom' worm, which according to Kaspersky Labs tops the list of the most widespread malware with almost 80%. Help is given in the following areas:
- How can you protect yourself against this virus?
- How can you tell whether your computer is infected with Mydoom.B?
- What should you do if your computer is infected? The FAQ can be found HERE.

File Spoofing Internet Explorer 6

Published by [NT] 0

Trivial file spoofing in Internet Explorer 6.0.2800.1106 and all of 'its' patches to date on WIN XP [probably others]:
Content-Disposition: attachment; filename=malware.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}fun_ball_gites_pie_throw%2Empeg"
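As an added check (my own code, not from the Full Disclosure post or this page): a small Python filter of the kind a mail or proxy gateway could run over Content-Disposition headers. It extracts the filename parameter and flags the three constructs the header above relies on: a braced CLSID inside the name (here {3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}, which Windows registers for MSHTML's HTML Document class), percent-encoded dots (%2E) and unbalanced quotes. It also reports the extension a filter that only looks past the last dot would see, which for this header is .mpeg. The two header strings are constructed from the one quoted above (line break removed); the function names are my own.

```python
import re
from urllib.parse import unquote

# A COM class identifier in braces, e.g. {3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_content_disposition(value):
    """Split 'attachment; filename=...' into (disposition, {param: raw value}).

    Parameter values are returned with their quotes untouched on purpose: the
    sloppy quoting in the header on this page is itself a signal worth keeping.
    """
    parts = [p.strip() for p in value.split(";")]
    disposition = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            key, raw = p.split("=", 1)
            params[key.strip().lower()] = raw.strip()
    return disposition, params


def analyze_filename(raw):
    """Report on one filename parameter value (hypothetical helper, my naming)."""
    findings = []
    value = raw
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        value = value[1:-1]                      # properly quoted value
    elif '"' in value:
        findings.append("unbalanced-quote")      # quote only at one end or in the middle
        value = value.replace('"', "")
    decoded = unquote(value)                     # %2E -> '.', and so on
    if decoded != value:
        findings.append("percent-encoded-name")
    clsids = CLSID_RE.findall(decoded)
    if clsids:
        findings.append("clsid-in-name")
    # What a filter that only inspects the text after the last dot would see.
    apparent_ext = decoded.rsplit(".", 1)[-1].lower() if "." in decoded else ""
    return {
        "raw": raw,
        "decoded": decoded,
        "apparent_ext": apparent_ext,
        "clsids": clsids,
        "findings": findings,
        "suspicious": bool(findings),
    }


def check_header(line):
    """Take a full 'Content-Disposition: ...' header line and analyse its filename."""
    name, _, value = line.partition(":")
    if name.strip().lower() != "content-disposition":
        raise ValueError("not a Content-Disposition header")
    _, params = parse_content_disposition(value.strip())
    return analyze_filename(params.get("filename", ""))


if __name__ == "__main__":
    # Constructed from the header quoted on this page, with the line break removed.
    spoof = ('Content-Disposition: attachment; filename=malware.'
             '{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}fun_ball_gites_pie_throw%2Empeg"')
    benign = 'Content-Disposition: attachment; filename="report.pdf"'
    for header in (spoof, benign):
        print(check_header(header))
```

The point of keeping the raw value is that a gateway should judge what the client will see, not what a tidy RFC 2183 parser would normalise it to; any of the three findings is reason enough to rename the attachment or block it.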

Another security hole in Internet Explorer

Published by [NT] 0

The Full Disclosure mailing list documents another security hole in Internet Explorer that works on a pattern similar to the recently disclosed folder bug in Windows XP. An attacker can slip files with false extensions past Internet Explorer, so that a victim opens supposedly safe files and may thereby execute dangerous program code. More info

W32.Novarg.A@mm (Mydoom-A) Removal Tool v1.0.3

Published by [NT] 0

Symantec Security Response has developed a removal tool to clean W32.Novarg.A@mm infections.

Also known as: W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend], Win32.Mydoom.A [Computer Associates], W32/Mydoom-A [Sophos], I-Worm.Novarg [Kaspersky]

W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

ISA Server 2004 Beta

Published by [NT] 0

Microsoft Internet Security and Acceleration (ISA) Server 2004 is the advanced application layer firewall, VPN, and Web cache solution that enables customers to easily maximize existing IT investments by improving network security and performance. ISA Server 2004 Beta allows you to preview the functionality of this upcoming version.

MyDoom worm spreading at record pace

Published by [NT] 0

Just days after it first surfaced, the MyDoom worm has become the fastest spreading computer virus in history. MyDoom's payload is far from innocuous, too. When opened, the virus installs a stealth program on the victim's computer that opens up a software "back door." Attackers can then bypass the PC's security and turn the system into a bounce point, or proxy, for any network-based attack. More at TechReport

Virus alert: Beware of dodgy Bagle

Published by [NT] 0

Computer security experts fear a new worm - Bagle-A - which began spreading rapidly across Australian email overnight could be a rehearsal for a more concerted worldwide attack in coming weeks. According to Daniel Zatz, security director for Computer Associates Australia, Bagle-A carries an expiry date, possibly indicating more robust versions of the worm could be slated for release soon - drawing comparison to the Sobig worm.

Trend Micro warns of ''Bagle.A''

Published by [NT] 0

Computerwoche reports that the anti-virus vendor Trend Micro is warning of the mail worm "Bagle.A", which infects all Windows versions.
The worm can be recognised by the subject line "Hi", the body text "Yep, Test" and a randomly named file attached.

Microsoft Security Bulletin MS04-003

Published by [NT] 0

Buffer Overrun in MDAC Function Could Allow Code Execution (832483). An attacker who successfully exploited this vulnerability could gain the same level of privileges over the system as the program that initiated the broadcast request. The actions an attacker could carry out would depend on the permissions under which the program using MDAC ran. If the program ran with limited privileges, the attacker would be limited accordingly; however, if the program ran under the local system context, the attacker would have the same level of permissions. Get more information and the download over here

Security hole in Opera allows deletion of files

Published by [NT] 0

The site Operash points to a flaw in the Opera web browser that allows attackers to delete arbitrary files on a vulnerable system. Affected is Opera for Windows in versions 7 up to and including 7.22; 7.23 is not affected, reports the online magazine Golem, which also has more information on the problem.

Warning of new Mimail worm

Published by [PM] 0

"Mimail.I" disguises itself as an e-mail from PayPal customer service. The anti-virus specialists H+BEDV Datentechnik and Bitdefender warn Windows users of a new variant of the Mimail worm. The internet worm spreads by e-mail to all address book contacts of an infected machine. Following the worm active since last week as Mimail.H, the most harmful variant so far is now at large: Mimail.I. H+BEDV assumes that the worm has finished its "test phase" and can now do serious damage. Users who settle payments via the "PayPal" payment system should therefore be particularly careful now: the worm disguises itself as a request from the popular online payment service to update member data, including credit card numbers.

Microsoft Sets Up Virus-hunting Fund

Published by [NT] 0

As an extension of the 2 x $250,000 bounty on the releasers of Blaster and SoBig, Microsoft is now setting up a virus-hunting fund with an initial donation of $5 million, including the 2 x $250,000, so it is bigger than first assumed. Microsoft will work together with law enforcement to track down the creators of viruses, worms and other forms of malicious code. It will be exciting to see whether this has any effect on the number of attacks on the security of Microsoft's products.

Quote: "These are not just Internet crimes, cybercrimes or virtual crimes. These are real crimes that disrupt the lives of real people," Brad Smith, general counsel at Microsoft, said in a press conference.

Read more on CNet.

New Worm Poses Threat

Published by [NT] 1

A new email worm, Mimail.c, has surfaced. Not much is unusual about this one, but I thought it worth mentioning because the payload comes as a zip-compressed file, so it will slip past the usual file extension filters in most email programs.
So be sure to have your anti-virus installed and running when checking your mail. You can read more details about the virus and the actual payload at CNet.
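As an added example (my own code, not Symantec's removal tool or anything from the CNet article), covering both the attachment extensions listed for W32.Novarg.A@mm above and the zip-wrapped payload of Mimail.c: a Python gateway-style scanner that walks a message's attachments, flags the executable extensions named in the advisory, and descends into .zip attachments so that a .pif inside an archive is caught rather than waved through as "just a zip". The sample message is constructed inside the block; the function names and the size and nesting limits are my own choices.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions named in the W32.Novarg.A@mm advisory above; .zip is handled by descending into it.
EXECUTABLE_EXTS = {"bat", "cmd", "exe", "pif", "scr"}
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # do not expand absurdly large members (zip-bomb guard)
MAX_DEPTH = 3                          # how many levels of zip-in-zip to inspect


def extension(name):
    """Last dot-separated component, lower-cased; '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan_blob(path, data, depth=0):
    """Return [(path, reason)] for one attachment, descending into zip archives."""
    findings = []
    ext = extension(path)
    if ext in EXECUTABLE_EXTS:
        findings.append((path, "executable extension ." + ext))
    elif ext == "zip":
        if depth >= MAX_DEPTH:
            return [(path, "archive nested deeper than %d levels" % MAX_DEPTH)]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner_path = path + "/" + info.filename
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append((inner_path, "member too large to inspect"))
                        continue
                    findings.extend(scan_blob(inner_path, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append((path, "claims .zip but is not a valid zip archive"))
    return findings


def scan_message(raw):
    """Scan every attachment of an RFC 5322 message supplied as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings.extend(scan_blob(name, payload))
    return findings


def build_sample_message():
    """Constructed sample: a zip attachment wrapping a .pif, the Mimail.c / Mydoom pattern."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pif", b"MZ placeholder, not a real executable")
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "test"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in scan_message(build_sample_message()):
        print(path, "->", reason)
```

The extension check deliberately looks only at the last component, so double extensions such as readme.txt.pif are still caught; what it does not do is content sniffing, so a renamed executable with a harmless extension still needs an anti-virus engine behind it, which is the point the post above makes.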

Apple patches Panther but not older OS

Published by [NT] 2

On Tuesday Apple released an update to OS X v10.3 (Panther) that includes a number of security fixes. This seems like a good thing, but at the same time Apple is choosing NOT to fix the security errors in earlier versions of its OS (10.2 and below). This means that Apple users are forced to pay a rather large upgrade fee ($129) to stay secure.

Quote:
"It is not a friendly thing to tell your customers to shell out a lot of money to stay secure," said Thor Larholm, senior researcher for software security firm PivX Solutions. "It would be a dangerous precedent, if they did."

"Apple declined comment."

So even if we Windows users are more exposed to flaws than Mac users, at least we get our OS updated without having to pay big money.
Read the whole article at News.com.com

17 year old arrested for cyber crimes

Published by [NT] 1

A 17 year old kid from Brisbane, Australia has been arrested on two counts of cracking a 'prominent' Australian ISP. The name of the ISP hasn't been released and won't be until the case goes to court.

Quote:
"Australian High Tech Crime Centre director federal agent Alastair MacGibbon said he hoped the arrest served as a warning to would-be hackers, and appealed to any ISPs who believed they had been hacked to contact the centre."

(As usual the popular media has the term 'hacking' wrong.)
For more, warp to Australian IT

Britney, a new Trojan horse

Published by [NT] 1

Heise: Crackers are again exploiting a security hole in Microsoft's Internet Explorer to smuggle a Trojan horse onto their victims' systems via web sites. To do so they spread URLs in chats and newsgroups that point to their specially prepared pages. On IRCnet and QuakeNet these URLs ended in britney.jpg, but that can change at any time. On visiting the pages a Trojan horse installs itself via Windows Media Player and other Windows system files. Those affected reported that they could only clean the system by reinstalling; anti-virus software apparently does not yet detect the pest.

Britney Kills your computer

Published by [NT] 7

On Sunday the 26th another internet worm was released through IRC networks.
The worm is disguised as a .jpg picture named Britney.jpg hosted on Angelfire. Whatever you do, do not open britney links in Internet Explorer.
An exploit taking advantage of holes in Internet Explorer together with Windows Media Player gives the worm free passage to your computer, where it starts deleting system files and destroying the registry.
The effect of this: no shortcuts work, and no programs except those already running will work. If mIRC is running it proceeds by installing a script that announces the URL to britney.jpg in all the channels you have joined. Some have mentioned that it even uploads sites.dat from your FlashFXP directory, the file that holds your saved FTP site list and credentials.

The following link is a closer description and a timeline:
Charmy

Thx to El_Coyote for the information.

New Trojan ''Sdbot.N''

Published by [NT] 0

Panda Software warns of a new "potentially dangerous" Trojan named Sdbot.N (Bck/Sdbot.N). The malicious code allows hackers access to infected computers via IRC. An IRC client does not even need to be installed on the affected machine for this to work.