Panda weekly report looks at Microsoft weak spots


This week’s report looks principally at the latest security bulletins released by Microsoft as part of its policy to publish security updates every second Tuesday of the month. These bulletins offer solutions for a range of errors and vulnerabilities in the company’s systems and applications. The report also takes a look at two malicious codes: Nedro.B and Haxdoor.NJ.

Microsoft has made ten security bulletins available to users. These address vulnerabilities rated as “critical” (six), “important” (one), “moderate” (two) and “low” (one) according to their severity:

* MS06-056: Fixes a cross-site scripting vulnerability in servers running .NET Framework 2.0. This flaw has been rated as “moderate”.

* MS06-057: Updates Windows Shell to avoid remote code execution. Affects Windows 2000, XP and Server 2003. Rated as “critical”.

* MS06-058: Fixes six vulnerabilities in PowerPoint and is rated as “critical”.

* MS06-059: Resolves four vulnerabilities in Microsoft Excel, also rated as “critical”.

* MS06-060: Update to fix a “critical” vulnerability in Microsoft Word.

* MS06-061: Includes an update to solve two Microsoft XML Core Services vulnerabilities. Microsoft rates this bulletin as “critical”. It applies to Windows NT4 SP6, 2000, XP and Server 2003.

* MS06-062: Update to fix Microsoft Office vulnerabilities. It affects Microsoft Office, Project and Visio. Rated as “critical” by Microsoft.

* MS06-063: Resolves two vulnerabilities in the Windows Server service. Rated as “important”, it affects Windows 2000, Server 2003 and XP.

* MS06-064: Fixes three denial of service vulnerabilities on TCP/IP IPv6 systems. Microsoft gives this bulletin a “low” severity rating. It applies to Windows XP and Server 2003 systems.

* MS06-065: Fixes a vulnerability affecting Windows XP and Server 2002, more precisely in “Windows Object Packager”. Rated as “moderate”.

The first malicious code in this week’s report is the W32/Nedro.B.worm worm, designed to affect Windows operating systems. It spreads across IRC and the Yahoo! instant messenger.

Nedro.B takes a series of actions in order to go unnoticed by users and evade detection and elimination:


  • It prevents access to the Windows Registry.

  • It alters the system to execute the worm’s code whenever files with the following extensions are run: art, dat, avi, ini and pif.

  • It assigns the Microsoft Word icon to .scr files (screensavers) to make them less suspicious to users.

  • It hides .bat, .com, .exe and .scr files from view (all these files are executables and therefore potentially dangerous).

  • It deletes the “Run” option from the “Start” menu.

  • It prevents users from browsing the hard disk through Windows Explorer.

  • It terminates numerous security applications.

These actions not only enable Nedro.B to hide itself, but also leave the system vulnerable to other malicious codes.

Haxdoor.NJ is a backdoor Trojan that gathers different types of passwords from the infected computer, such as those for logging in to a session and for using the Outlook and The Bat mail clients. Haxdoor.NJ also tries to steal any passwords for eBay, e-gold and PayPal. If it obtains this information, it sends it to the creator of the malicious code using a rootkit detected as Rootkit/Haxdoor.NJ.

Haxdoor.NJ needs to be spread by an attacker as it cannot spread itself automatically. This rootkit also opens three random ports to enable the creator to collect the data.

In order to spread, Haxdoor.NJ injects its code into the Windows explorer.exe process, thereby ensuring it is run at every system startup. To prevent the Windows XP SP2 firewall from doing its job, it alters the firewall settings so that it is treated as an authorized application.
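The Nedro.B behaviours listed above (Registry editor disabled, “Run” removed, drive browsing blocked, extension handlers hijacked) and the Haxdoor.NJ firewall change all leave traces in well-known registry locations. The following read-only audit script is an added example, not code from the Panda report; the report names no registry keys, so the key paths below are assumptions about where such changes are typically made, and the “outside standard locations” heuristics are for analyst review rather than a verdict.

```powershell
# Added example: read-only audit for the system changes described in the report.
# Key paths are assumptions (the report itself names no registry keys).
$findings = @()

# 1. Explorer/System policies matching "no Registry", "no Run", "no drive browsing".
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewOnDrive' }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v) { $findings += "Restrictive policy set: $($c.Path)\$($c.Name) = $v" }
}

# 2. Extensions the report says are hijacked: walk <ext> -> ProgId -> shell\open\command
#    and flag handlers launched from user-writable locations for review.
foreach ($ext in '.art', '.dat', '.avi', '.ini', '.pif') {
    $progId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { continue }
    $cmd = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
            -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -match '\\(Temp|AppData|Users|Documents and Settings)\\') {
        $findings += "Open handler for $ext ($progId) points to a user-writable path: $cmd"
    }
}

# 3. XP SP2 firewall exception list: each value is named by the program path and its
#    data reads "<path>:*:Enabled:<display name>". Flag enabled entries whose path is
#    outside Program Files / Windows (the report says Haxdoor.NJ adds itself here).
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in ($fw.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $standard = $p.Name -match '^(%ProgramFiles%|%windir%|%SystemRoot%|C:\\(Program Files|Windows)\\)'
        if ($p.Value -match ':Enabled:' -and -not $standard) {
            $findings += "Firewall exception outside standard locations: $($p.Value)"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No indicators matched.' }
```

Run from an elevated PowerShell on the host being inspected; on modern Windows the XP-era firewall key is usually empty, so section 3 will simply report nothing there.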

For further information contact Panda Software Cyprus on Tel: 22441514, [email protected]