Multiple Virus Reports

The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise. It is located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. They recently released CERT Advisory CA-2001-20 Continuing Threats to Home Users which has a number of very good links, including Home Network Security

Two particular virus reports which have recently come to my attention are:

VirusW32.SIRCAM@mm

This worm arrives as an email message with the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the attachment in the email.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.

English Version:
First line: Hi! How are you?
Last line: See you later. Thanks

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.

Between these two sentences, some of the following text may appear:

English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informaci=n que me pediste

Code Red Worm

has infected an estimated 100,000 Microsoft IIS Web Servers and could possibly cause serious damage to bandwidth on the Internet. The full story can be found at TechTV If you are running a Microsoft Web Server at OLSS, your office, or home the first thing you should do is reboot. Since the worm is memory based it will clear it and if the server was infected it will not be attacking the IP address of the www.Whitehouse.gov web site. The worm is in Whitehouse.gov attack mode from the 20th until the end of the month.

Next, install the patch per instructions at the Microsoft TechNet site. The fix can be found here.

If you do not install the patch before the first of the month, servers that are infected will go back into infect mode and begin scanning for Microsoft IIS servers and will then send the worm code to unpatched servers. The newly infected server then starts scanning and infecting other unpatched IIS servers.

The really bad news is that if some of these infected web servers are not patched they will begin pounding servers that have been patched. They will repeatedly try to infect the same machines over and over again until the 20th of the month or until they are shut down and fixed.

Previous TCS Virus Alerts:




Tulsa Computer Society
Don Singleton, President
djs@ionet.net