This is our virus, trojan, and worm information page containing the latest news, information, and links specific to Computer and Network viruses, trojans, and worms. RHP Studios supports Full Disclosure in hopes that software manufacturers can quickly fix problems that may exist in their software so that WE can do our jobs more efficiently and bug-free. We also have additional Links concerning General Help, Windows Help, and Linux Help. If you wish to view those pages, please select from a link on the left.

Notice: RHP Studios is providing this page as a service to the public. Some information on this site may be objectionable, and may contain code that could cause damage to your or someone elses computer or networks if used incorrectly. RHP Studios is not responsible for YOUR mistakes, or responsible for what you do with, or how you use the information available on our web site. This information is provided as a resource, meant to help others in the IS/IT field and is not here for the destruction of property.

Latest News Articles Related to Viruses, Trojans, & Worms

January 18, 2001

Someone posted information concerning a Redhat Linux Server being hacked to SecurityFocus.com newsgroup. This is from their posting:

"They got in through "lpd" printer service which "yes" on all our production servers is disabled. They then ran ./hack.sh and Synscan"

Redhack Linux has had an update to the LPRng package since 04-Oct-2000 that would have patched this vulnerability. The updated package is available at their web site: http://www.redhat.com

It seems that someone has created a Worm that searches Redhat Linux servers still running the vulnerable LPRng package. Here is the information I have found concerning this:

Note: RHP Studios clients who are running Redhat Linux v6.2 or 7.0 are NOT affected by this worm or vulnerability. Those running the LPRng package that this worm exploits have been patched since the fix was issued by Redhat Linux on October 04, 2000. Those clients running stand-alone/dedicated Web Servers do not have the LPRng package installed on the Web Servers. As with any computer system connected to any network, you should only install software/services that are needed for the systems functions to reduce the possibility of exploits in services or software that is not used. Regular updates should be performed by running up2date. RHP Studios checks for any needed updates daily and applies them for each of our clients. LPRng package is not needed on a dedicated web server. Because this information/exploit is due to a worm, this information will also be posted on the Virus News.

If you are not a RHP Studios client, you should update your Redhat Linux Packages by either running up2date after su to root, or by clicking on the next two links (one for Redhat Linux version 6.2 and the other for Redhat Linux version 7.0).

Redhat Linux v6.2 Updates - http://www.redhat.com/support/errata/rh62-errata-security.html

Redhat Linux v7.0 Updates - http://www.redhat.com/support/errata/rh7-errata-security.html

More Information can be found below concerning this exploit and worm:

Redhat worm touts instant noodles

An Internet worm cobbled together from pre-existing scripts is spreading rapidly through Redhat Linux systems, leaving in its wake a trail of defaced Web pages touting the virtues of instant Oriental noodles.

http://www.theregister.co.uk/content/6/16168.html

To: BUGTRAQ@SECURITYFOCUS.COM

SUMMARY

LPRng is almost certainly vulnerable to remote-root compromise on account of a format string bug. The flaw is almost identical to the rpc.statd one I found; namely a faulty syslog() wrapper. This is becoming a very common flaw.

http://lwn.net/2000/0928/a/sec-lprng.php3

F-SECURE VIRUS DESCRIPTIONS: RAMEN - ALIAS: LINUX.RAMEN,LINUX/RAMEN - LINUX WORM

"Ramen affects systems running a default installations of Red Hat Linux 6.2 and 7.0. It attempts to infect the system by exploiting two known security vulnerabilities."

http://www.f-secure.com/v-descs/ramen.shtml

BBC NEWS: LINUX VIRUS INFECTION FEARS; RAMEN HITS RED HAT

"The webmasters who have had to deal with the problem are those running sites using Redhat Linux. Servers have been invaded by a worm that replaces the site's main page with one showing an image of a Ramen instant noodle packet."

http://news.bbc.co.uk/hi/english/sci/tech/newsid_1123000/1123827.stm

LINUXPLANET: RAMEN AND THE DANGER OF DEFAULT LINUX CONFIGURATIONS

The security field is all aflutter about a worm that takes advantage of well-known security lapses in Red Hat Linux -- lapses that most experienced Linux system administrators addressed back in September 2000. And while the so-called Ramen worm doesn't do a whole lot of damage to Linux systems, it does point out the need for constant awareness to security issues -- beginning with the default configurations offered by most Linux distributions. Kevin Reichard reports.

http://www.linuxplanet.com/linuxplanet/opinions/2921/1/

January 16, 2001

MACROMEDIA: FLASH IS SECURE

Macromedia Inc. on Monday said its own tests have shown there is no risk that its popular Flash multimedia player could allow a computer virus to be sent to attack the computers of Internet users. http://www.zdnet.com/zdnn/stories/news/0,4586,2672473,00.html

Infected Objects by Robert Vibert

Infected Objects Part 1 - DOS
Infected Objects Part 2 - Windows Infectable
Infected Objects Part 3 - Win Apps
Infected Objects Part 4 - No matter how quickly the speed of the Internet increases, we still find it convenient to compress files before we send them. Once a file is compressed, however, it becomes harder for a virus scanner to find any virus threat that may be lurking inside it. The challenge of peering inside the various compression and archival formats to discover the viruses hidden there has not gotten easier over time. This article - the fourth in a series by Robert Vibert examining different aspects of viruses - will discuss the implications of various forms of file compression for virus protection.
http://www.securityfocus.com/focus/virus/articles/infobj4.html

WRITING INTERNET WORMS FOR FUN AND PROFIT

The media, kindly supported by AV "experts", have drawn an apocalyptical vison of desctruction caused by little MS Outlook / VisualBasic worm, called "ILOVEYOU". Rough estimations - $10M lost for "defending the disease", especially when you look at increasing with the speed of light value of AV companies market shares, made many people curious - is it really the worst disease ever? Or just another lame VBS application that is not even able to spread without user "click-me" interaction, and is limited to one, desk-end it's original version, kills mp3 files on your disk. This article is a study of research on Internet worms.
http://linuxnews.pl/news.html?id=3D41498

HYBRIS VIRUS: A SLEEPER HIT?

Hybris, a computer worm that uses encrypted plug-ins to update itself,could be the sleeper hit of 2001, anti-virus experts say. "It's not a fast mailer or a mass mailer. It's slow and subtle," said Roger Thompson, technical director of malicious-code research for security firm TruSecure. But "slow and steady wins the race." The spread of most computer worms tends to spike quickly and just as quickly die out. But the 3-month-old Hybris worm shows no sign of dying anytime soon, Thompson said.
http://news.cnet.com/news/0-1007-201-4448139-0.html

IRC ATTACK LINKED TO DOS THREAT

Recent cyberattacks on IRC services have now been linked to a National Infrastructure Protection Center security warning that advised systems administrators to protect their systems against a potential widespread distributed denial of service attack over New Year's weekend. According to court documents filed by the FBI as well as sources involved in the investigation, the agency is now investigating a Lynwood, Washington teenager. The teenager is also under investigation for attacking the servers of DALNet, an IRC service.
http://www.wired.com/news/culture/0,1284,41167,00.html

ATTACKERS "WILL TARGET MOBILES NEXT"?

Network Associates says virus attacks are capable of raiding a mobile phone to gain personal details about the user. In one case, a virus was able to glean banking details from an Internet-enabled WAP mobile phone, the company says.
Sandra England, a President of one of Network Associations' divisions specialising in encryption, said it was possible in theory to send a virus as part of a text (SMS) message.
http://itn.co.uk/news/20010112/business/09virus.shtml

EUROPEAN FIRMS HIT BY POTENT NEW VIRUS

Four European companies have lost all their data in an attack from a new HTML virus, it emerged on Friday evening. According to an alert from anti-virus developer Panda Software, the worm called Little Davinia spreads via the internet and potentially wipes out all files on hard disks and network drives.
The virus began spreading from a "very large ISP" in Spain, which Panda has refused to name. It also declined to name the four companies attacked. Panda initially alerted the ISP to the virus and has worked to remove it from the provider's systems.
http://www.vnunet.com/News/1116313

Copyright © 1998 - 2004 RHP Studios
All Rights Reserved!
Report errors to webmaster@rhpstudios.com
Last Updated on July 24,2004 @ 11:45 hrs EST