===========================================================================
             AUSCERT External Security Bulletin Redistribution

               ESB-2003.0163 -- Trend Micro Medium Risk Virus Alert
                                 CODERED.F
                               13 March 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Vendor:                 Trend Micro
Operating System:       Windows
Impact:                 Administrator Compromise
Access Required:        Remote

Ref:                    ESB-2001.238

Comment: For more information, please see:
         http://securityresponse.symantec.com/avcenter/venc/data/codered.f.html
         http://www.sophos.com/virusinfo/articles/coderedf.html
         http://vil.mcafee.com/dispVirus.asp?virus_k=100142
         http://www3.ca.com/virusinfo/virus.asp?ID=14538

--------------------------BEGIN INCLUDED TEXT--------------------

TrendLabs has received a significant number of infection reports on this
worm from Japan and Italy. As of 4:59 AM March 12, 2003 (US Pacific Time),
Trend has declared a Yellow Alert to control the spread of this malware.

This worm, similar to the other variants of CodeRed, makes use of a remote
buffer overflow vulnerability in Microsoft's Internet Information Server
(IIS) that can give system level privileges to an attacker. It drops a
backdoor program on an infected Web server, giving an attacker full access
to this Web server and thereby compromising network security.

This worm poses no risk to Windows 95, 98, and ME users. Windows NT and
2000 users who do not have Microsoft's IIS Web Server installed are also at
no risk. This worm only affects computers running Microsoft IIS that have
not been patched with the Microsoft MS01-033 patch.

The only difference between this variant and the .C variant is that the
older variant executes its reboot payload if the year is greater than 2002.
This .F variant executes its payload if the year is greater than 34952.

This worm code only resides in memory, and there are no file counterparts.
Because of this, antivirus scanners that do not support memory scanning
will not be able to detect the code.

Further analysis is currently being done on this malware.

For more information on CODERED.F please visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=CODERED.F

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for member
                emergencies only.
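The included text above describes a worm that reaches IIS through the MS01-033 buffer overflow and leaves no file on disk, so web server request logs are a useful complementary detection point. The Python below is an added example and is not part of the AusCERT or Trend Micro bulletin; it assumes a W3C extended log field selection and uses constructed sample lines to flag overflow-shaped requests against the Index Server ISAPI extension (.ida/.idq), the IIS component that MS01-033 patches.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed W3C extended field selection (an assumption, not taken from the bulletin).
LOG_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Constructed sample log: two benign requests, then one overflow-shaped request against the
# Index Server ISAPI extension (.ida), the IIS component that MS01-033 patches.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-12 04:59:01 192.0.2.10 GET /index.htm - 200
2003-03-12 04:59:03 192.0.2.11 GET /search.idq CiRestriction=report 200
2003-03-12 04:59:05 198.51.100.7 GET /default.ida {} 200
""".format("N" * 224 + "%u4141%u4242%u4343")  # placeholder filler and %u-encoded bytes

IDA_STEM = re.compile(r"\.id[aq]$", re.IGNORECASE)   # .ida/.idq are served by the Index Server ISAPI
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")     # %uXXXX escapes carry raw bytes into the query
REPEATED_RUN = re.compile(r"(.)\1{99,}")             # 100+ copies of one character: buffer filler
Finding = Tuple[str, str, List[str]]                 # (client ip, uri stem, reasons)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one space-delimited log line into a field dict; None if the field count is off."""
    parts = line.split(" ")
    return dict(zip(LOG_FIELDS, parts)) if len(parts) == len(LOG_FIELDS) else None

def classify(entry: Dict[str, str]) -> List[str]:
    """Return why a request to an .ida/.idq resource looks like an overflow attempt (empty if benign)."""
    reasons: List[str] = []
    if not IDA_STEM.search(entry["cs-uri-stem"]):
        return reasons                               # other resources are out of scope here
    query = entry["cs-uri-query"]
    if len(query) > 200:
        reasons.append(f"query length {len(query)} exceeds 200")
    if REPEATED_RUN.search(query):
        reasons.append("long run of one repeated character (buffer filler)")
    if UNICODE_ESCAPE.search(query):
        reasons.append("%uXXXX escapes in query (encoded binary payload)")
    return reasons

def scan_log(text: str) -> List[Finding]:
    """Scan a W3C-style log; only the request shape is judged, the status code is ignored."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):         # skip blank and directive lines
            continue
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            findings.append((entry["c-ip"], entry["cs-uri-stem"], reasons))
    return findings
```

The legitimate `/search.idq` query in the sample is short and carries no `%u` escapes, so it is not flagged; only the long, repetitive, `%u`-laden request is reported.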