
Thread: Dangerous!

  1. #51
    Join Date
    Jan 2005
    Location
    Sundsvall, Sweden
    Posts
    3,532
    Hello

    - Remote denial of service in Yahoo! Messenger -
    Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

    Madrid, May 19, 2005 - A vulnerability has been reported in Yahoo! Messenger that could lead to a denial of service, with remote attackers being able to disconnect users from Chat sessions. The advisory is available at http://www.securiteam.com/windowsntf...HP0H20FPE.html.

    The problem lies in the way that Yahoo! Messenger processes arguments in YMSGR: URL handler links. An attacker modifying the links with certain characters after the colon could create malformed packets to send to Yahoo! YMSG servers. When these packets are sent, Yahoo! will immediately disconnect users from the chat session.

    The problem affects Yahoo! Messenger versions 5.0 and 6.0 and all details have been published along with proof of concepts with malicious urls that could disconnect a user.

    The recommended workaround is to eliminate the registry key: "HKEY_CLASSES_ROOT\ymsgr\shell\open\command", the string "c:\progra~1\yahoo!\messenger\ypager.exe %1".

    NOTE: The address above may not show up on your screen as a single line. This would prevent you from using the link to access the web page. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

    Lagu
    Once an AMDuser always an AMD user

  2. #52
    Join Date
    Jan 2005
    Location
    Sundsvall, Sweden
    Posts
    3,532
    Hello!

    - A Trojan digitally encrypts files and asks for a ransom -
    Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

    MADRID, May 25, 2005 - PandaLabs has recently reported the appearance of a type of malware that encrypts files on the infected computer and then asks for a fee in order to release these files. This is a new type of behavior, rarely seen until now, and to which the FBI in the United States are now alert.

    The malware in question, Trj.PGPCoder.A, is a Trojan, and as is usual in these cases, cannot propagate by itself. Once installed on a computer, it creates two registry keys: one to ensure it is run on every system startup, and the second to monitor the progress of the Trojan in the infected computer, counting the number of files that have been analyzed by the malicious code.

    Once it has been run, the Trojan embarks on its mission, which is to encrypt, using a digital encryption key, all the files it finds on computer drives with extensions corresponding to those listed in its code. These extensions include DOC (Microsoft Word documents), HTML (web pages), JPG (images), XLS (Microsoft Excel spreadsheets), ZIP and RAR (two common compressed file formats).

    The blackmail is completed with the Trojan dropping a text file in each directory, with instructions to the victim of what to do. An email address is supplied through which users are supposed to request for their files to be released after paying a ransom of $200.

    To prevent infection from Trj.PGPCoder.A or other malicious code, Panda Software advises all users to keep their antivirus software up-to-date. Panda Software has already made the corresponding updates to detect and eliminate this new malicious worm available to clients.

    Panda Software's clients can already access the updates for installing the new TruPrevent(tm) Technologies along with their antivirus protection, providing a preventive layer of protection against new malware. For users with a different antivirus program installed, Panda TruPrevent(tm) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection.

    Lagu
    Once an AMDuser always an AMD user

  3. #53
    Join Date
    Jan 2005
    Location
    Sundsvall, Sweden
    Posts
    3,532
    "Just because something doesn't do what you planned
    it to do doesn't mean it's useless".
    Thomas Alva Edison (1847-1931), US inventor and physicist.

    - Disclosure of sensitive information in Microsoft ASP.NET -
    Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

    Madrid, May 24 2005 - A vulnerability has been reported (at http://www.securitytracker.com/alert...y/1013996.html) in Microsoft ASP.NET web services which could allow an attacker to obtain certain sensitive information about the server.

    The problem occurs when there is a file error. At this moment, the FileStream method may return an error message containing the full path to the requested file, even if an absolute path was requested. If the ASP.NET application does not filter error messages, remote users could see the exact location of the file.

    Another problem occurs with an SQL query error, in that the server may return an error message containing information about the database structure. Like the previous case, if the ASP.NET application does not filter the error message, the information may be disclosed to remote users.
    Programmers are advised to follow secure programming practices and implement exception handling mechanisms to properly catch and filter the error exceptions.

    Microsoft has published a series of security considerations for ASP.NET applications at: http://msdn.microsoft.com/library/en...ormessages.asp

    NOTE: The address above may not show up on your screen as a single line. This would prevent you from using the link to access the web page. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

    Lagu
    Once an AMDuser always an AMD user
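
An added example (not part of the post or of Panda's advisory) of the exception filtering the advisory in post #53 recommends, shown in Python with SQLite rather than ASP.NET. The handler names, the `customer_accounts` table and the response format are assumptions made for the illustration.

```python
import logging
import os
import sqlite3
import tempfile
import uuid

log = logging.getLogger("app.errors")


def read_report(base_dir, name):
    """Hypothetical handler: return a report file stored under base_dir."""
    with open(os.path.join(base_dir, name), encoding="utf-8") as fh:
        return fh.read()


def add_account(conn, email):
    """Hypothetical handler: insert a row; a duplicate email raises IntegrityError."""
    return conn.execute("INSERT INTO customer_accounts (email) VALUES (?)", (email,))


def respond_leaky(handler, *args):
    """Weak form: the raw exception text is returned to the client."""
    try:
        return 200, str(handler(*args))
    except Exception as exc:
        return 500, str(exc)  # carries the server path or the table.column name


def respond_filtered(handler, *args):
    """Hardened form: detail goes to the server log, the client gets a reference id."""
    try:
        return 200, str(handler(*args))
    except (OSError, sqlite3.Error):
        ref = uuid.uuid4().hex[:12]
        log.exception("request failed ref=%s", ref)  # full traceback, server side only
        return 500, f"Internal error (reference {ref})"


def demo():
    """Trigger a file error and an SQL error through both response wrappers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer_accounts (email TEXT UNIQUE)")
    conn.execute("INSERT INTO customer_accounts (email) VALUES ('a@example.com')")
    results = {}
    with tempfile.TemporaryDirectory(prefix="reports_") as base:
        for label, respond in (("leaky", respond_leaky), ("filtered", respond_filtered)):
            results[label] = (
                respond(read_report, base, "missing.txt"),
                respond(add_account, conn, "a@example.com"),
            )
    return base, results


if __name__ == "__main__":
    for label, (file_resp, sql_resp) in demo()[1].items():
        print(label, file_resp, sql_resp)
```

The reference id lets support staff find the logged traceback without the client ever seeing the file path or schema names.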

  4. #54
    Join Date
    Jan 2005
    Location
    Sundsvall, Sweden
    Posts
    3,532
    Hello

    Virus warnings!

    "Recommend virtue to your children; it alone, not money,
    can make them happy. I speak from experience."
    Ludwig van Beethoven (1770-1827); German composer.

    - Panda Software's weekly report on viruses and intruders -
    Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

    MADRID, June 19, 2005 - This week, Panda Software's report looks at three examples of malware, the Trojan Downloader.DCM, the backdoor Trojan Dumador.BC, and the hacking tool Looxee. What's more, it includes six new vulnerabilities in Microsoft Windows, classified as critical.

    Downloader.DCM is a Trojan that downloads Dumador.BC and runs it. Like the majority of Trojans, it must be manually distributed. When it is installed on a computer, it uses a sophisticated technique to hide from any firewalls that can be installed on the computer: It creates a remote run thread associated to the process explorer.exe, so that the firewall thinks that Explorer is accessing the Internet, when Downloader.DCM is actually accessing. When it connects to the Internet, this thread deletes the downloader file and downloads and runs another file (the backdoor Trojan) from a specific website, pretending to be a temporary file.

    Dumador.BC, the file downloaded by the downloader, is a backdoor Trojan that cannot spread by itself. Its function is to allow remote control of the affected computer by opening TCP ports in the computer and receiving remote run command requests. It also logs different user details and modifies the system hosts file to prevent the computer from accessing the websites belonging to antivirus companies.

    Looxee is a hacking tool that monitors and logs different activities carried out by the user of the affected computer, such as the email messages sent and received, chats via instant messaging, websites visited and it even captures screenshots, among other actions. Curiously, it has a characteristic that warns the user, if a certain key word is entered. This tool is not dangerous as such, but can be used for malicious purposes.

    What's more, a series of vulnerabilities have been reported and are detailed by Microsoft in the bulletins MS05-025, MS05-026, MS05-027, MS05-028, MS05-029 and MS05-030. These vulnerabilities affect various Microsoft applications and have been classified as critical. Therefore, it is recommendable to apply the update in order to keep your computer protected from malware that can exploit these vulnerabilities to get into your computer. The affected applications are Explorer, Windows, SMB (Service Message Block), Web Client Service, Outlook Web Access for Exchange Server 5.5 and Outlook Express.

    To prevent these malware or any other malicious code from affecting your computer, Panda Software recommends keeping antivirus software up-to-date. Panda Software clients can already access the updates to detect and disinfect these malicious code.

    For further information about these and other computer threats, visit Panda Software's Encyclopedia.

    Lagu
    Once an AMDuser always an AMD user
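
An added example (not part of the post or of Panda's report) of a defensive check for the hosts-file tampering attributed to Dumador.BC in post #54: it parses a hosts file and flags entries that remap a watched security-vendor domain. The watch list, the `antivirus.example` placeholder and the sample file are assumptions constructed for the illustration.

```python
import ipaddress

# Assumed watch list: pandasoftware.com is named on the page; antivirus.example
# is a placeholder for whichever vendors you actually depend on.
WATCHED_SUFFIXES = ("pandasoftware.com", "antivirus.example")

# Constructed sample hosts file (not taken from a real infection).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com
0.0.0.0         update.pandasoftware.com   # trailing comment
203.0.113.7     updates.antivirus.example download.example.org
10.0.0.5        intranet.example.local
not-an-ip       www.pandasoftware.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every well-formed mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip the line
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True for a watched domain or any subdomain of it (not look-alike names)."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Return (line_no, ip, hostname, kind) for every remapped watched domain."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if is_watched(name):
            kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            findings.append((line_no, str(ip), name, kind))
    return findings


if __name__ == "__main__":
    for line_no, ip, name, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`.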

  5. #55
    Join Date
    Jan 2005
    Location
    Sundsvall, Sweden
    Posts
    3,532
    - Orange Alert: Panda Software reports new Trojan that could steal
    online banking passwords of thousands of Spanish-speaking users

    Virus Alerts, by Panda Software
    (http://www.pandasoftware.com)

    A new Trojan, Nabload.U, which is distributing itself through Messenger, has appeared a few hours ago. This Trojan downloads another Trojan, called Banker.bsx, which is currently the number one detected piece of malware from Panda's ActiveScan. Its objective is to obtain the passwords of certain banks that it has stored in its code primarily from Spanish-speaking users.

    The most unusual aspect of this Trojan is its ability to capture the information without the use of a traditional key logger. The user will be unaware that this is occurring. Banks that use virtual keyboards to avoid keyloggers won't be protected from this Trojan.

    Once the author has the keys, he can commit banking fraud with the accounts.

    According to Luis Corrons, PandaLabs director: "This Trojan is an example of a hybrid virus that mixes different techniques. Once the user clicks on the URL, it is able to download a Trojan and use techniques similar to some spyware and phishing attacks. It is, without a doubt, a Trojan designed to steal data quickly, and without leaving any tracks."


    Nabload.U uses social engineering techniques to get the user to click on the URL provided. The sentence is in Spanish: "ve esa vaina http://hometown.%eliminado%.au/miralafoto/foto.exe." It is disguised as a personal contact. When the user clicks on this URL, another Trojan, Banker.BSX, is downloaded. It also offers two other URLs: http://hometown.%eliminado%.au/arqarq/coco2006.jpg and http://hometown.%eliminado%.au/modnatal/coco2006.jpg that download a configuration file. In this file, you can find - as well as other information - the e-mail address where the stolen data will be sent.


    This Trojan opens up port 1106 on the computer and stays active. So, when the user tries to access one of the online bank addresses shown below, the Trojan will be able to capture what the user is doing on the screen, including the login and password typed by virtual keyboards to access the bank account. This Trojan only captures the information from the addresses below:


    Once the Trojan has captured the information, it sends this data to an e-mail address. The author can change this e-mail address as desired.

    To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.activescan.com. Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from http://www.pandasoftware.com/partners/webmasters.

    TruPreventTM detection technologies detect and eliminate Banker.BSX with no need for previous updates, so computers with these technologies have been protected from the moment the Trojan Horse appeared.

    For further information about Nabload.U and Banker.BSX, visit Panda Software's Encyclopedia:
    http://www.pandasoftware.com/virus_info/encyclopedia/

    Lagu
    Once an AMDuser always an AMD user

  6. #56
    Join Date
    Jan 2005
    Location
    Sundsvall, Sweden
    Posts
    3,532
    "There is no such thing on earth as an uninteresting subject;
    the only thing that can exist is an uninterested person."
    G. K. Chesterton (1874 - 1936); English author & mystery novelist.

    - Vulnerability in Linux kernel -
    Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

    Madrid, December 27 2005 - iDefense has announced a complete memory exhaustion vulnerability in versions 2.4 and 2.6 of the Linux kernel, which could allow denial of service attacks.

    The flaw stems from a limitation in the design of the Linux kernel, and consists of a lack of resource checking during the buffering of data for transfer over a pair of sockets. An attacker could create a situation which, depending on the available system resources, can cause a 'kernel panic' due to memory resource exhaustion.

    An attack can be launched by opening up a number of connected file descriptors or socket pairs and creating the largest possible kernel buffer for data transfer between the two sockets. By causing the process to enter a zombie state or closing the file descriptor while keeping a reference open, the data is kept in the kernel until the transfer can complete. If done repeatedly, system memory resources can be exhausted from the kernel.

    To fully exploit this vulnerability, an attacker would need local access to the affected system.

    ------------------------------------------------------------

    The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's free online scanner: 1)Banker.BSX; 2)Nabload.U; 3)Sdbot.ftp; 4)Sober.AH; 5)Galapoper.IE.

    Lagu
    Once an AMDuser always an AMD user

  7. #57
    Join Date
    Jan 2005
    Location
    Sundsvall, Sweden
    Posts
    3,532
    "Don't think of words when you stop but to see the picture better."
    Jack Kerouac (1922-69); US writer.

    - Windows MetaFile handling vulnerability -
    Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

    Madrid, December 29 2005 - US-CERT has reported a security vulnerability in Windows that could allow arbitrary code to be run remotely. The security patch that fixes this vulnerability has not been made available yet, therefore the flaw continues to be exploited to affect systems.

    The vulnerability stems from a buffer overflow in the library that handles WMF (Windows MetaFile) files, which is used, among other programs, by the Windows Picture and Fax Viewer. This weakness affects the following Windows platforms: 98, Millennium Edition (ME), 2000, XP and Server 2003, according to information published by Microsoft at http://www.microsoft.com/technet/sec...ry/912840.mspx

    In order to exploit this security flaw, attackers are placing specially crafted WMF files in several web pages, so that, when users access them with Internet Explorer, malicious code is automatically run on their computers. If a different browser is used, users can be warned of a file download.

    Until a security patch is made available to fix this vulnerability, users are advised not to access web pages they are invited to visit from untrusted sources (links in unsolicited emails, IRC channels, instant messaging, newsgroups, web forums, etc). It is also advisable to have a security solution installed like those offered by Panda Software, which can detect "Exploit/Metafile", malicious code specifically written to exploit this security flaw.

    For more information about Panda Software solutions, go to:
    http://www.pandasoftware.com

    NOTE: The addresses above may not show up on your screen as a single line. This would prevent you from using the link to access the web page.
    If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

    ------------------------------------------------------------

    The five viruses most frequently detected by Panda ActiveScan, free online antivirus from Panda Software: 1)Banker.BSX; 2)Sdbot.ftp; 3)Sober.AH; 4)Qhost.DS; 5)Netsky.P.

    Lagu
    Once an AMDuser always an AMD user

  8. #58
    Join Date
    Jan 2005
    Location
    Sundsvall, Sweden
    Posts
    3,532
    Hi

    - Buffer overflow due to incorrect update of KDE kpdf/xpdf -
    Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

    Madrid, March 13, 2006 - A vulnerability has been reported in KDE kpdf/xpdf, the PDF viewer for Linux. This flaw could be used by a remote user to run arbitrary code on affected systems.

    The problem which affects kpdf is based on the code of xpdf (which it shares with kpdf) and is due to an incorrect correction of a previously discovered vulnerability. A remote user could maliciously create a pdf file which, when loaded by the victim, would cause a buffer overflow and the consequent execution of code on the system with the same privileges as the victim.

    Systems running KDE 3.3.2 with the patch for CVE-2005-3627 installed are affected. Updates for systems with KDE 3.4.x and later are not affected.

    An update to avoid this problem has been published for KDE 3.3.2 and later versions, and is available at:
    ftp://ftp.kde.org/pub/kde/security_p...raphics-CVE-2006-0746.diff

    Take care
    Lagu
    Once an AMDuser always an AMD user

  9. #59
    Join Date
    Jan 2005
    Location
    Sundsvall, Sweden
    Posts
    3,532
    Hi

    Madrid, March 15 2006 - Microsoft has published two updates for its products. The first of these, according to "Microsoft Security Bulletin MS06-011", corrects an error through which an attacker could take control of the affected system. The attacker could install programs with serious consequences, or carry out any type of task without the owner of the system realizing.

    The systems affected are Microsoft Windows XP Service Pack 1 and Microsoft Windows Server 2003 (including the version for Itanium systems). The updates to correct the error, along with further information, can be found at:
    http://www.microsoft.com/technet/sec.../ms06-011.mspx.

    The second update, in bulletin MS06-012, corrects an error similar to the previous one, as it can also allow an attacker to take control of the system, in this case if the user starts a session as the administrator.

    According to this second bulletin, the affected systems are Office 2000 SP 3, Office XP SP 3, Office 2003 SP 1 or 2 and Microsoft Works Suites, from version 2000 to 2006. In addition, Office for Mac (Versions X and 2004) is affected. Microsoft offers more information at:
    http://www.microsoft.com/technet/sec.../ms06-012.mspx.

    Take care
    Lagu ;)
    Once an AMDuser always an AMD user
