-----Original Message-----
From: UNIRAS (UK Govt CERT) [mailto:uniras@;niscc.gov.uk]
Sent: 06 November 2002 12:33
To: [EMAIL PROTECTED]
Subject: UNIRAS Brief - 392/02 - PSS Security Response Team Alert - New Virus:W32/Braid@mm
-----BEGIN PGP SIGNED MESSAGE-----

- --------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 392/02 dated 06.11.02  Time: 12:10
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- --------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- --------------------------------------------------------------------------------

Title
=====

PSS Security Response Team Alert - New Virus:W32/Braid@mm

Detail
======

The worm attempts to exploit a previously patched vulnerability that exists in
some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet
Explorer. This vulnerability can be used to allow an executable attachment to
run automatically, even if you do not double-click on the attachment.

PSS Security Response Team Alert - New Virus:W32/Braid@mm

SEVERITY: MODERATE
DATE: November 4, 2002
PRODUCTS AFFECTED: Microsoft Outlook, Microsoft Outlook Express, and Web-based
e-mail programs

**********************************************************************

WHAT IS IT?

W32/Braid@mm is a new e-mail worm. The Microsoft Product Support Services
Security Team is issuing this alert to advise customers to be on the alert for
this virus as it spreads in the wild. Best practices, such as filtering certain
file types and applying security patches, would prevent infection from this
mass-mailer worm.

IMPACT OF ATTACK: Mass Mailing, Network Share Infection

TECHNICAL DETAILS:

W32/Braid@mm is a new e-mail worm.
The W32/Braid@mm worm arrives in an e-mail message with the following
characteristics:

Subject: (Sender's Windows registered company name) or (Blank)
Body:
    Hello,
    Product Name: Microsoft Windows (version of Windows on the infected sender's system)
    Product Id: (Windows ID on the infected sender's system)
    Product Key: (Windows key on the infected sender's system)
    Process List: (processes running on the infected sender's system)
    Thank you.
Attachment: Readme.exe

The worm attempts to exploit a previously patched vulnerability that exists in
some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet
Explorer. This vulnerability can be used to allow an executable attachment to
run automatically, even if you do not double-click on the attachment.
Information on this vulnerability can be found here:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Upon execution W32/Braid@mm drops a file named Help.eml on the Desktop of the
infected machine. The Help.eml file on the Desktop, if opened, will have
properties similar to the original message that infected the machine. This worm
infects .exe, .scr and .ocx files and will also attempt to spread via network
shares. For more detailed information on this worm please contact your
Antivirus vendor.

PREVENTION:

1) Block harmful attachment types at your Internet mail gateways.

2) This virus utilizes a previously-announced vulnerability as part of its
infection method.
Because of this, customers must ensure that their computers are patched for the
vulnerability that is identified in Microsoft Security Bulletin MS01-020:
http://www.microsoft.com/technet/security/bulletin/ms01-020.asp

The most recent cumulative security patch for Internet Explorer, which includes
the fixes for the vulnerabilities that were announced in Microsoft Security
Bulletin MS01-020, can be found here:
http://www.microsoft.com/technet/security/bulletin/ms02-047.asp

3) After customers have ascertained the status of the preceding fix in their
environments, the following prevention steps will also apply:

Outlook 2000 post SP2 and Outlook XP SP1 include the most recent updates to
improve the security in Outlook and other Microsoft Office programs. This
includes the functionality to block potentially harmful attachment types. If
you are running either of these versions, they will (by default) block the
attachment, and you will be unable to open it. To ensure you are using the
latest version of Office click here:
http://office.microsoft.com/ProductUpdates/default.aspx

By default, Outlook 2000 pre-SR1 and Outlook 98 did not include this
functionality, but it can be obtained by installing the Outlook E-mail Security
Update. More information about the Outlook E-mail Security Update can be found
here:
http://office.microsoft.com/Downloads/2000/Out2ksec.aspx

Outlook Express 6 can be configured to block access to potentially-damaging
attachments. Information about how to configure this can be found here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291387

Outlook Express all other versions: Previous versions of Outlook Express do not
contain attachment-blocking functionality. Please use extreme caution when you
open unsolicited e-mail messages with attachments.

Web-based e-mail programs: Use of an application-level firewall can protect you
from being infected with this virus through Web-based e-mail programs.
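As an added example (not part of the UNIRAS briefing or Microsoft's alert), the following Python check shows what prevention step 1 looks like at a mail gateway: it parses a message, flags executable attachments, flags an executable carried under a misleading non-executable content type (the kind of header trick the MS01-020 fix addressed; treating this as a gateway check is my assumption), and matches the W32/Braid@mm body template listed above. The extension list, body markers and the sample message are constructed assumptions.

```python
# Added example: gateway-side triage of a message against the W32/Braid@mm
# characteristics in the advisory. Not code from UNIRAS or Microsoft.
import email
from email import policy

# Assumed block list: the types the worm infects, per the advisory.
EXEC_EXTENSIONS = (".exe", ".scr", ".ocx")
# Assumed markers taken from the Braid body template listed in the advisory.
BRAID_BODY_MARKERS = ("Product Key:", "Process List:")

def assess_message(raw: bytes) -> list[str]:
    """Return reasons to quarantine the message; an empty list means no finding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")
            # An executable declared as audio/image/text is the mismatch that
            # let unpatched clients run the attachment without a double-click.
            if part.get_content_maintype() in ("audio", "image", "text"):
                reasons.append(f"content type {part.get_content_type()} does not match {name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if all(marker in text for marker in BRAID_BODY_MARKERS):
        reasons.append("body matches W32/Braid@mm template")
    return reasons

# Constructed sample message mirroring the advisory's description; the
# product id/key values are placeholders and the attachment is two bytes.
SAMPLE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: Example Co
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello,
Product Name: Microsoft Windows 98
Product Id: 00000-000-0000000-00000
Product Key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
Process List: explorer.exe
Thank you.
--b1
Content-Type: audio/x-wav; name="Readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Readme.exe"

TVo=
--b1--
"""

if __name__ == "__main__":
    for reason in assess_message(SAMPLE):
        print("QUARANTINE:", reason)
```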
RECOVERY:

If your computer has been infected with this virus, please contact Microsoft
Product Support Services or your preferred antivirus vendor for assistance with
removing it.

RELATED KB ARTICLES:

http://support.microsoft.com/support/misc/kblookup.asp?ID=810012
This article will be available within 48 hours.

RELATED SECURITY BULLETINS:

http://www.microsoft.com/technet/security/bulletin/ms01-020.asp
http://www.microsoft.com/technet/security/bulletin/ms02-047.asp

As always please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.

If you have any questions regarding this alert please contact your Technical
Account Manager or Application Development Consultant.

PSS Security Response Team

- --------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
[EMAIL PROTECTED]
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686
- --------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Microsoft for the information
contained in this Briefing.
- --------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some of
the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that
problem.

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by UNIRAS or NISCC.
The views and opinions of authors expressed within this notice shall not be
used for advertising or product endorsement purposes. Neither UNIRAS nor NISCC
shall accept responsibility for any errors or omissions contained within this
briefing notice. In particular, they shall not be liable for any loss or damage
whatsoever, arising from or in connection with the usage of information
contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- --------------------------------------------------------------------------------
<End of UNIRAS Briefing>

IWS INFOCON Mailing List @ IWS - The Information Warfare Site
http://www.iwar.org.uk