VIRUS ALERTS
Secunia Advisories
Secunia Advisory: SA12889
Release Date: 2004-10-20
Last Update: 2005-01-12
Critical: Extremely critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote
Solution Status: Partial Fix
Software: Microsoft Internet Explorer 6
CVE reference: CAN-2004-1043

Description: Some vulnerabilities have been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system, conduct cross-site/zone scripting and bypass a security feature in Microsoft Windows XP SP2.

1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.

This vulnerability is a variant of: SA12321

NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.

2) A security site / zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents or inject arbitrary script code in context of a previously loaded document using a malicious javascript URI handler.

Successful exploitation may allow execution of arbitrary HTML and script code in a user's browser session in context of arbitrary sites, or execution of local programs with parameters from the "Local Computer" zone using a HTML Help shortcut.

NOTE: This will bypass the "Local Computer" zone lockdown security feature in SP2.

3) A security site / zone restriction error in the handling of the "Related Topics" command in an embedded HTML Help control can be exploited by e.g. a malicious website to execute arbitrary script code in the context of arbitrary sites or zones.

NOTE: This may be exploited to bypass the "Local Computer" zone lockdown security feature in SP2.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/internet_explorer_command_execution_vulnerability_test/

Vulnerability 1 and 2, or 3 alone, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.

Solution:
1) The vendor recommends that the "Drag and drop or copy and paste files" option is disabled.
2, 3) Apply patches.

Microsoft Windows 2000 (requires Service Pack 3 or Service Pack 4): http://www.microsoft.com/downloa...11C0-EF09-4295-8FB2-0FF17BA65460
Microsoft Windows XP (requires Service Pack 1 or Service Pack 2): http://www.microsoft.com/downloa...1B00-298D-4C0C-A26F-AAEDF163FEB7
Microsoft Windows XP 64-Bit Edition (requires Service Pack 1): http://www.microsoft.com/downloa...8C5F-3A97-4B89-96C3-AAEFFCE28535
Microsoft Windows XP 64-Bit Edition Version 2003: http://www.microsoft.com/downloa...78C9-57FB-45A9-B5C2-234AD538D6CC
Microsoft Windows Server 2003: http://www.microsoft.com/downloa...19FE-F6DB-4666-A247-339F55B059CC
Microsoft Windows Server 2003 64-Bit Edition: http://www.microsoft.com/downloa...78C9-57FB-45A9-B5C2-234AD538D6CC
Microsoft Windows NT Server 4.0 (requires Service Pack 6a) and Microsoft Windows NT Server 4.0 Terminal Server Edition (requires Service Pack 6): http://www.microsoft.com/downloa...22A9-98C6-4661-9B8D-6C59C8812071

Provided and/or discovered by:
1) Discovered independently by:
* http-equiv
* Andreas Sandblad of Secunia Research (reported to Microsoft on 2004-10-13).

2) Discovered by:
* http-equiv
Additional information provided by:
* Roozbeh Afrasiabi

3) Discovered by:
* Paul, Greyhats Security
* Michael Evanchik
Additional information provided by:
* ShredderSub7

Changelog:
2004-10-21: Updated advisory.
2004-10-28: Added another workaround in "Solution" section and linked to Microsoft Knowledge Base article.
2004-11-02: Updated with additional information in "Description" and "Solution" section.
2004-11-29: Updated "Description" section with additional information from Paul.
2004-12-23: Added link to US-CERT vulnerability note.
2004-12-25: Updated "Description" section with additional information from Paul and Michael Evanchik.
2005-01-07: Increased rating. Added link to test. Updated "Description" and "Solution" sections.
2005-01-11: Updated solution. Microsoft has issued patches for issue 2 and 3.
2005-01-12: Added link to US-CERT vulnerability note.

Original Advisory:
MS05-001 (KB890175): http://www.microsoft.com/technet/security/Bulletin/MS05-001.mspx
3) http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm

Other References:
SA12321: http://secunia.com/advisories/12321/
How to Disable "Drag and Drop or copy and paste files" option in Internet Explorer: http://support.microsoft.com/kb/888534
How to Disable Active Content in Internet Explorer: http://support.microsoft.com/default.aspx?scid=kb;en-us;q154036
US-CERT VU#939688: http://www.kb.cert.org/vuls/id/939688
US-CERT VU#972415: http://www.kb.cert.org/vuls/id/972415

Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Zafi.D

First Report: 2004-12-14 11:45
Last Update: 2005-01-12 23:33
Risk Rating: Medium Risk
Aliases: Email-Worm.Win32.Zafi.d, Nocard.A@mm, W32.Erkez.D@mm, W32/Zafi-D, W32/Zafi.D.worm, W32/Zafi.d@MM, Win32.Zafi.D, Win32.Zafi.D!ZIP, Win32/Zafi.D.Worm, WORM_ZAFI.D, Zafi.D

Virus Alerts:
Secunia issued a HIGH RISK alert for this virus. 2004-12-15 09:04
Secunia issued a MEDIUM RISK alert for this virus. 2004-12-14 15:31

Information From AntiVirus Vendors

Below you find information from different vendors, which have been included in this Secunia Virus Profile.
Information from the vendors is sorted by the time the information became publicly available at the vendor websites. The first available reports will be displayed first. Please note timestamps are in GMT+1.

#1 - F-SECURE

Zafi.D
Severity: 2/3
File Size: 11745
Reported: 2004-12-14 11:45
Last Update: 2004-12-14 16:50

Description: A new variant of Zafi worm - Zafi.D is spreading. While the original Zafi.A uses only Hungarian, the new Zafi.D spreads in email in English, Italian, Spanish, Russian, Swedish and several other languages.

ChangeLog:
Changes are listed in chronological order with the latest changes first.

2004-12-14 14:50
Severity was raised from N/A to 2/3.

2004-12-14 14:50
Description was changed.
New: "A new variant of Zafi worm - Zafi.D is spreading. While the original Zafi.A uses only Hungarian, the new Zafi.D spreads in email in English, Italian, Spanish, Russian, Swedish and several other languages."
Old: "Zafi.D is the next one in the Zafi mass-mailing worm family. Just like its predecessors it sends emails in many different languages. This time the theme is Christmas wishes."

2004-12-14 14:50
File size was changed.
New: "11745"
Old: "N/A"

2004-12-14 14:41
Description was changed.
New: "Zafi.D is the next one in the Zafi mass-mailing worm family. Just like its predecessors it sends emails in many different languages. This time the theme is Christmas wishes."
Old: "A new variant of Zafi worm - Zafi.D is spreading. While the original Zafi.A uses only Hungarian, the new Zafi.D spreads in email in English, Italian, Spanish, Russian, Swedish and several other languages."

2004-12-14 14:41
File size was changed.
New: "N/A"
Old: "11745"

2004-12-14 14:40
Description was changed.
New: "A new variant of Zafi worm - Zafi.D is spreading. While the original Zafi.A uses only Hungarian, the new Zafi.D spreads in email in English, Italian, Spanish, Russian, Swedish and several other languages."
Old: "Zafi.D is the next one in the Zafi mass-mailing worm family. Just like its predecessors it sends emails in many different languages. This time the theme is Christmas wishes."

2004-12-14 14:40
File size was changed.
New: "11745"
Old: "N/A"

#2 - NETWORK ASSOCIATES

W32/Zafi.d@MM
Severity: 4/7
File Size: 11,745 bytes (EXE)
Reported: 2004-12-14 13:11
Last Update: 2005-01-06 23:32

Description: The risk assessment of this threat was raised to Medium due to increased prevalence. The 4414 DATs were released early for this threat. --

ChangeLog:
Changes are listed in chronological order with the latest changes first.

2004-12-14 19:31
Description was changed.
New: "The risk assessment of this threat was raised to Medium due to increased prevalence. The 4414 DATs were released early for this threat. --"
Old: "N/A"

2004-12-14 15:26
Severity was raised from 2/7 to 4/7.

2004-12-14 15:26
Description was changed.
New: "N/A"
Old: "This new variant contains the following characteristics:"

2004-12-14 15:26
File size was changed.
New: "11,745 bytes (EXE)"
Old: "N/A"

#4 - COMPUTER ASSOCIATES

Win32.Zafi.D
Severity: 3/5
File Size: 11,745
Reported: 2004-12-14 13:51
Last Update: 2004-12-20 23:32

Description: Win32.Zafi.D is a worm that spreads via e-mail and peer-to-peer file sharing. It has been distributed as a 11,745-byte, FSG-packed Windows executable, which may be inside a ZIP archive. When run, Zafi.D displays a simulated error message

ChangeLog:
Changes are listed in chronological order with the latest changes first.

2004-12-14 21:31
Description was changed.
New: "Win32.Zafi.D is a worm that spreads via e-mail and peer-to-peer file sharing. It has been distributed as a 11,745-byte, FSG-packed Windows executable, which may be inside a ZIP archive. When run, Zafi.D displays a simulated error message"
Old: "Win32.Zafi.D is a worm that spreads via e-mail and peer-to-peer file sharing. It has been distributed as a 11,745-byte, FSG-packed Windows executable, which may be inside a ZIP archive. When run, Zafi.D copies itself to %System%\Norton Update.exe. It sets a registry value so this copy is automatically run each time Windows starts:"

2004-12-14 18:21
Severity was raised from 2/5 to 3/5.

2004-12-14 14:21
Severity was raised from N/A to 2/5.

2004-12-14 14:21
Description was changed.
New: "Win32.Zafi.D is a worm that spreads via e-mail and peer-to-peer file sharing. It has been distributed as a 11,745-byte, FSG-packed Windows executable, which may be inside a ZIP archive. When run, Zafi.D copies itself to %System%\Norton Update.exe. It sets a registry value so this copy is automatically run each time Windows starts:"
Old: "N/A"

2004-12-14 14:21
File size was changed.
New: "11,745"
Old: "N/A"

#5 - PANDA ANTIVIRUS

Zafi.D
Severity: 3/4
File Size: -
Reported: 2004-12-14 14:57
Last Update: 2005-01-12 23:33

Description: It opens the port 8181, waits for a file to be transferred through it, and executes this file.

ChangeLog:
Changes are listed in chronological order with the latest changes first.

2005-01-12 23:33
Severity was raised from 2/4 to 3/4.

2005-01-11 23:33
Severity was decreased from 3/4 to 2/4.

2005-01-10 23:33
Severity was raised from 2/4 to 3/4.

2005-01-06 23:33
Severity was decreased from 3/4 to 2/4.

2005-01-05 23:33
Severity was raised from 2/4 to 3/4.

2005-01-04 23:33
Severity was decreased from 3/4 to 2/4.

2005-01-03 23:33
Severity was raised from 2/4 to 3/4.

2004-12-31 23:33
Severity was decreased from 3/4 to 2/4.

2004-12-27 23:33
Severity was raised from 2/4 to 3/4.

2004-12-25 23:33
Severity was decreased from 3/4 to 2/4.

2004-12-21 23:33
Severity was decreased from 4/4 to 3/4.

2004-12-15 11:02
Description was changed.
New: "It opens the port 8181, waits for a file to be transferred through it, and executes this file."
Old: "It impedes access to applications that contain certain text strings."

2004-12-15 09:02
Severity was raised from 3/4 to 4/4.

2004-12-14 22:17
Severity was raised from 2/4 to 3/4.

2004-12-14 22:17
Description was changed.
New: "It impedes access to applications that contain certain text strings."
Old: "N/A"

2004-12-14 22:02
Severity was decreased from 3/4 to 2/4.

2004-12-14 22:02
Description was changed.
New: "N/A"
Old: "It impedes access to applications that contain certain text strings."

2004-12-14 21:02
Description was changed.
New: "It impedes access to applications that contain certain text strings."
Old: "N/A"

2004-12-14 20:57
Severity was raised from 2/4 to 3/4.

2004-12-14 20:52
Severity was decreased from 3/4 to 2/4.

2004-12-14 20:52
Description was changed.
New: "N/A"
Old: "It impedes access to applications that contain certain text strings."

2004-12-14 20:32
Description was changed.
New: "It impedes access to applications that contain certain text strings."
Old: "N/A"

2004-12-14 20:17
Description was changed.
New: "N/A"
Old: "It impedes access to applications that contain certain text strings."

2004-12-14 19:57
Severity was raised from 2/4 to 3/4.

2004-12-14 19:57
Description was changed.
New: "It impedes access to applications that contain certain text strings."
Old: "N/A"

2004-12-14 19:52
Severity was decreased from 3/4 to 2/4.

2004-12-14 19:52
Description was changed.
New: "N/A"
Old: "It impedes access to applications that contain certain text strings."

2004-12-14 19:42
Description was changed.
New: "It impedes access to applications that contain certain text strings."
Old: "N/A"

2004-12-14 19:37
Description was changed.
New: "N/A"
Old: "It impedes access to applications that contain certain text strings."

2004-12-14 19:32
Description was changed.
New: "It impedes access to applications that contain certain text strings."
Old: "N/A"

2004-12-14 18:47
Severity was raised from 2/4 to 3/4.

2004-12-14 18:22
Severity was decreased from 3/4 to 2/4.

2004-12-14 17:07
Severity was raised from 2/4 to 3/4.

#6 - SYMANTEC

W32.Erkez.D@mm
Severity: 3/5
File Size: -
Reported: 2004-12-14 16:03
Last Update: 2004-12-16 07:44

Description: W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.

ChangeLog:
Changes are listed in chronological order with the latest changes first.

2004-12-16 07:44
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer. "
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to the email addresses gathered from the infected computer. The worm may also attempt to lower the security settings, terminate processes, and open a backdoor on the compromised computer."

2004-12-16 07:44
Updated information about removal tool/instructions.

2004-12-16 01:43
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to the email addresses gathered from the infected computer. The worm may also attempt to lower the security settings, terminate processes, and open a backdoor on the compromised computer."
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer. "

2004-12-16 01:43
Updated information about removal tool/instructions.

2004-12-15 04:49
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer. "
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer."

2004-12-15 04:49
Updated information about removal tool/instructions.

2004-12-15 02:03
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer."
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to the email addresses gathered from the infected computer. The worm may also attempt to lower the security settings, terminate processes, and open a backdoor on the compromised computer."

2004-12-15 01:49
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to the email addresses gathered from the infected computer. The worm may also attempt to lower the security settings, terminate processes, and open a backdoor on the compromised computer."
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer."

2004-12-15 01:19
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer."
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to the email addresses gathered from the infected computer. The worm may also attempt to lower the security settings, terminate processes, and open a backdoor on the compromised computer."

2004-12-15 00:03
Severity was raised from 2/5 to 3/5.

2004-12-14 20:39
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to the email addresses gathered from the infected computer. The worm may also attempt to lower the security settings, terminate processes, and open a backdoor on the compromised computer."
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer."

2004-12-14 18:33
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer."
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to terminate processes and open a back door on the compromised computer."

2004-12-14 18:29
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to terminate processes and open a back door on the compromised computer."
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer."

2004-12-14 18:23
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer."
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to terminate processes and open a back door on the compromised computer."

2004-12-14 18:09
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to terminate processes and open a back door on the compromised computer."
Old: "Symantec Security Response is currently analyzing W32.Erkez.D@mm and will provide more details shortly. Rapid Release definitions with a sequence number of 39330 or higher provide detection for this threat."

2004-12-14 17:29
Description was changed.
New: "Symantec Security Response is currently analyzing W32.Erkez.D@mm and will provide more details shortly. Rapid Release definitions with a sequence number of 39330 or higher provide detection for this threat."
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to terminate processes and open a back door on the compromised computer."

2004-12-14 17:23
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to terminate processes and open a back door on the compromised computer."
Old: "Symantec Security Response is currently analyzing W32.Erkez.D@mm and will provide more details shortly. Rapid Release definitions with a sequence number of 39330 or higher provide detection for this threat."

2004-12-14 17:19
Description was changed.
New: "Symantec Security Response is currently analyzing W32.Erkez.D@mm and will provide more details shortly. Rapid Release definitions with a sequence number of 39330 or higher provide detection for this threat."
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to terminate processes and open a back door on the compromised computer."

2004-12-14 17:13
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to terminate processes and open a back door on the compromised computer."
Old: "Symantec Security Response is currently analyzing W32.Erkez.D@mm and will provide more details shortly. Rapid Release definitions with a sequence number of 39330 or higher provide detection for this threat."

2004-12-14 17:09
Description was changed.
New: "Symantec Security Response is currently analyzing W32.Erkez.D@mm and will provide more details shortly. Rapid Release definitions with a sequence number of 39330 or higher provide detection for this threat."
Old: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to terminate processes and open a back door on the compromised computer."

2004-12-14 16:59
Description was changed.
New: "W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to terminate processes and open a back door on the compromised computer."
Old: "Symantec Security Response is currently analyzing W32.Erkez.D@mm and will provide more details shortly. Rapid Release definitions with a sequence number of 39330 or higher provide detection for this threat."

#7 - TREND MICRO

WORM_ZAFI.D
Severity: 2/3
File Size: -
Reported: 2004-12-14 16:45
Last Update: 2004-12-23 23:32

Description: As of December 14, 2004 8:13 AM (PST), 11 days before Christmas, TrendLabs has declared a MEDIUM risk virus alert to control the spread of this mass-mailing worm. It has been found spreading in Germany, France, and Spain.

ChangeLog:
Changes are listed in chronological order with the latest changes first.

2004-12-16 19:42
Description was changed.
New: "As of December 14, 2004 8:13 AM (PST), 11 days before Christmas, TrendLabs has declared a MEDIUM risk virus alert to control the spread of this mass-mailing worm. It has been found spreading in Germany, France, and Spain."
Old: "As of December 14, 2004 8:13 AM (PST), TrendLabs has declared a MEDIUM risk virus alert to control the spread of this mass-mailing worm. It has been found spreading in Germany, France, and Spain."

2004-12-14 23:45
Description was changed.
New: "As of December 14, 2004 8:13 AM (PST), TrendLabs has declared a MEDIUM risk virus alert to control the spread of this mass-mailing worm. It has been found spreading in Germany, France, and Spain."
Old: "As of December 14, 2004 8:13 AM (PST), TrendLabs has declared a Medium risk virus alert to control the spread of this mass-mailing worm. It has been found spreading in Germany, France, and Spain."

2004-12-14 22:15
Description was changed.
New: "As of December 14, 2004 8:13 AM (PST), TrendLabs has declared a Medium risk virus alert to control the spread of this mass-mailing worm. It has been found spreading in Germany, France, and Spain."
Old: "As of December 14, 2004 8:13 AM (PST), TrendLabs has declared a medium risk virus alert to control the spread of this malware. It has been found spreading in Germany, France, and Spain via email."

2004-12-14 21:21
Description was changed.
New: "As of December 14, 2004 8:13 AM (PST), TrendLabs has declared a medium risk virus alert to control the spread of this malware. It has been found spreading in Germany, France, and Spain via email."
Old: "As of December 14, 2004 8:13 AM (PST), TrendLabs has declared a medium risk virus alert to control the spread of this malware. It has been found spreading in Germany, France, and Spain via email and network shares."

2004-12-14 19:01
Description was changed.
New: "As of December 14, 2004 8:13 AM (PST), TrendLabs has declared a medium risk virus alert to control the spread of this malware. It has been found spreading in Germany, France, and Spain via email and network shares."
Old: "As of December 14, 2004 8:13 AM (PST), TrendLabs has declared a medium risk virus alert to control the spread of this malware. It has been found spreading in Germany, France, and Spain via email and peer-to-peer (P2P) file-sharing networks."

2004-12-14 18:05
Description was changed.
New: "As of December 14, 2004 8:13 AM (PST), TrendLabs has declared a medium risk virus alert to control the spread of this malware. It has been found spreading in Germany, France, and Spain via email and peer-to-peer (P2P) file-sharing networks."
Old: "As of December 14, 2004 8:13 AM PST, TrendLabs has declared a medium risk virus alert to control the spread of this malware. It has been found spreading in Germany, France, and Spain via email and peer-to-peer (P2P) file-sharing networks."

2004-12-14 17:31
Description was changed.
New: "As of December 14, 2004 8:13 AM PST, TrendLabs has declared a medium risk virus alert to control the spread of this malware. It has been found spreading in Germany, France, and Spain via email and peer-to-peer (P2P) file-sharing networks."
Old: "As of December 14, 2004 8:13 AM PST, TrendLabs has declared a medium risk virus alert to control the spread of this malware."

2004-12-14 17:21
Severity was raised from 1/3 to 2/3.

2004-12-14 17:21
Description was changed.
New: "As of December 14, 2004 8:13 AM PST, TrendLabs has declared a medium risk virus alert to control the spread of this malware."
Old: "As of December 14, 2004 6:05 PM PST, TrendLabs has received several infection reports of a new malware spreading"

Please note: The information, which this Secunia Virus Profile is based upon, comes from third party unless stated otherwise.