---------------------- Forwarded by Vince J Kaminski/HOU/ECT on 08/21/2000 
05:28 PM ---------------------------


"NW Security and Bug Patch Alert" <Security-BugPatch@bdcimail.com> on 
08/21/2000 05:12:07 PM
Please respond to "Security and Bug Patch Alert Help" <NWReplies@bellevue.com>
To: <vkamins@enron.com>
cc:  
Subject: New Love Letter variant


NETWORK WORLD FUSION FOCUS: JASON MESERVE on
SECURITY AND BUG PATCH ALERT
TODAY'S FOCUS: New Love Letter variant
08/21/00

Dear Wincenty Kaminski,

~~~~~~~~~~~~~ This newsletter sponsored by 
Finjan Software ~~~~~~~~~~~~

YES, THERE ARE ALTERNATIVES TO REACTIVE ANTI-VIRUS TECHNOLOGY
Finjan Software offers proactive security solutions using real-time
behavior monitoring technology to block malicious code WITHOUT relying
on database updates. Get proactive protection for VB Script,.exe
Trojans and worms like ILOVEYOU, ExploreZip and LifeStages. Why rely on
security products that offer updates AFTER you've been hit when you can
block first-strike attacks before damage occurs? Find out more, and
download Finjan's personal security freeware, at:
http://nww1.com/go/1643930a.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

11 FREE Newsletter Additions from Network World!
Sign up Today at http://www.nwwsubscribe.com/foc35
Wireless in the Enterprise, Servers, Optical Networking,
The Network Channel, The Edge, Net Worker, Convergence,
Free Stuff, Mobile Computing, The Network World 200, and
Technology Executive
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Today's Focus: New Love Letter variant
---------------------------------------------------------------
By Jason Meserve

Here we go yet again.

The antivirus vendors are all sending out alerts warning their
customers of a new strain of the infamous Love Letter virus that struck
last May. This version comes with the subject line of "resume" and
contains an attachment called "resume.txt.vbs".

The file contains a fake resume, though reports vary on whether it is a
German or a Swiss engineer that is profiled. Makes no difference - the
file infects the host computer and then attempts to send itself to
everyone in the local Outlook address book.

It seems as if the virus is targeted at customers of the United Bank of
Switzerland. The new strain attempts to steal UBS account information
off the infected computer. UBS claims that the virus threatens few
people and that most customer data is secure.

For U.S. users, the problem could be more clogged e-mail pipes. But
hopefully, the general user population is now trained to be wary of any
attachment, especially those ending in .vbs. Most of the antivirus
vendors are updating their virus definition files, and protection
should be available shortly, if not already. For more:
http://www.nwfusion.com/news/2000/0817swissbug.html


Before we get on to today's alerts and patches, I'd like to mention
some upcoming coverage in Network World. A few weeks back I mentioned a
company in London offering "hacker insurance."  A couple of you wrote
in looking for more information. Unfortunately, I do not have the space
to cover such issues here.

Not to fret. Mich Kabay, author of Network World's Security newsletter,
plans to take up the topic in an upcoming edition. Mich has some great
tips for keeping your company network equipment secure, so check out his
newsletter at:
http://www.nwfusion.com/newsletters/sec/


Also, the features department here at Network World is working on a
feature on the subject of hacker insurance, and they are looking for
help. If you've got something to share, check out our forum:
http://www.nwfusion.com/cgi-bin/WebX.cgi?230@@.ee6f1b5


If you're looking for more information, stay tuned to Network World and
Mich's newsletter.


Now on with the latest patches and alerts:


Guninski finds another IE and Windows problem

Famed Microsoft bug hunter Georgi Guninski has found problems in
Internet Explorer 5.5 and Windows 98 that could allow outside users to
take control of the affected system. Both problems revolve around the
Shell DefView ActiveX control. The issue has been confirmed by
independent sources, according to news reports. For more information:
http://www.nat.bg/~joro/ieshelldefview.html
**********


SGI fixes problem with Linux kernel

SGI has released a patch for its ProPack for Linux, which ships with a
modified Linux kernel. A problem in the kernel could allow a local user
on an affected machine to gain root access. For fix information:
http://www.linux.org.uk/VERSION/relnotes.2216.html
**********


Microsoft releases patch for "Specialized Header" vulnerability

A problem in the Windows 2000 version of Microsoft's Internet
Information Server could allow a remote user to view sensitive file
information. The problem can be exploited using a specially formatted
request header. For more information on the problem and to download the
patch:
http://www.microsoft.com/technet/security/bulletin/fq00-058.asp
**********


OS/2 Warp 4.5 FTP vulnerability

For those still running the OS/2 Warp operating system, security
consultancy Vigilante has discovered a vulnerability in the system,s
FTP server. The vulnerability could be used to crash the server. IBM
has released a patch for the problem:
ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/
**********


FreeBSD fixes range of problems:

Zope: The open-source Web application server contains a vulnerability
that could allow DHTML files to be changed remotely. Patches are
available from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/zope-2.2.0.
tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/zope-2.2.0.
tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/zope-2.2.0
.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/zope-2.2.0
.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/zope-2.2.
0.tgz

Dhclient: The DHCP client for Linux can be tricked by a rogue DHCP
server into executing arbitrary commands. For patches:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/isc-dhcp3-3
.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/isc-dhcp3-3
.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/isc-dhcp3-
3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/isc-dhcp3-
3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/isc-dhcp3
-3.0.b1.17.tgz

Proftpd: The FTP server could allow both named and anonymous FTP users
to execute arbitrary commands on the server as root. For patches:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/proftpd-1.2
.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/proftpd-1.2
.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/proftpd-1.
2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/proftpd-1.
2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/proftpd-1
.2.0rc2.tgz

Ntop: This program is used for monitoring network usage. However, it
can be susceptible to buffer overflow attacks, which can be used to
execute arbitrary commands on the affected server. For patches:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntop-1.1.tg
z
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntop-1.1.tg
z
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/ntop-1.1.t
gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntop-1.1.t
gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/ntop-1.1.
tgz
**********


Red Hat fixes gpm module problems

Red Hat Linux last week announced it has fixed two potential problems
in the gpm module that ships with Version 5.2 and 6.x of the
open-source operating system. The problems could let a local user
launch a denial-of-service attack or execute arbitrary commands using
elevated privilege. For more information:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11607
**********


Trustix urges users to upgrade Linux mail and perl packages

Two vulnerabilities in mail and perl packages that can be exploited
together to give a user root access have been patched in Trustix's
Secure Linux. The company is urging customers to upgrade as soon as
possible. For source files:
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/SRPMS/mailx-8.1.1-16.src.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/SRPMS/perl-5.00503-10tr.src.rpm
**********


Today's list of virus alerts:

W32/Sysid - This e-mail worm comes with no subject and could have up to
99 different filenames. The virus infects a number of system files and
attempts to e-mail itself to users listed in an Outlook address book.
(Sophos, Computer Associates)

WM97/Doeii-A - The Word macro virus displays a message, changes a
document's content and adds a password to the document. (Sophos)

W32/Bugfix and VBS/Bugfix - This virus shows up in an inbox claiming to
be a Windows bugfix with an attachment called "bugfix.exe." When the
file is opened it infects all files in the Windows directory and
attempts to send itself to all users listed in an Outlook address book.
(Sophos, Computer Associates)

WM97/Vmpck1-DV - Word macro virus attempts to change the label of the
infected computer's C: drive to "suca." It also tries to replace all
references to "il" in a Word document to "il cazzo duro." (Sophos)

WM97/Marker-FF - Another Word macro virus that tries to change a
document's author information to "Ethan Frome." (Sophos)

WM97/Marker-C - This Word macro virus takes the infected file's summary
information and transmits it to the Codebreaker's Web site. (Sophos)

WM97/Tpro-A - A lame Word macro virus that comes without a payload.
(Sophos)
**********


Miss an issue?

Just point your browser at the following link and you'll be caught up on
all your summer reading in no time:
http://www.nwfusion.com/newsletters/bug/


To contact Jason Meserve:
-------------------------
Jason Meserve is a staff writer with Network World, covering search
engines, portals, videoconferencing, IP Multicast and document
management. He also oversees the "Security Alerts" page on Fusion
(http://www2.nwfusion.com/security/bulletins.html). Jason can be
reached at mailto:jmeserve@nww.com.
-------------------------

Got a security alert or bug patch question related to your
corporate network? Post it at Experts Exchange on Fusion at
http://nwfusion.experts-exchange.com/. Another network
professional may have the solution to your problem.

May We Send You a Free Print Subscription?
You've got the technology snapshot of your choice delivered at your
fingertips each day. Now, extend your knowledge by receiving 51 FREE
issues to our print publication. Apply today at
http://www.nwwsubscribe.com/nl

*********************************************************
Subscription Services

To subscribe or unsubscribe to any Network World e-mail newsletters,
go to:
http://www.nwwsubscribe.com/news/scripts/notprinteditnews.asp

To change your email address, go to:
http://www.nwwsubscribe.com/news/scripts/changeemail.asp

Subscription questions? Contact Customer Service by replying to this
message.

Other Questions/Comments

Have editorial comments? Write Jeff Caruso, Newsletter Editor, at:
mailto:jcaruso@nww.com

For advertising information, write Jamie Kalbach, Account Executive,
at: mailto:jkalbach@nww.com

Network World Fusion is part of IDG.net, the IDG Online Network.
IT All Starts Here:
http://www.idg.com

Copyright Network World, Inc., 2000