Majestic Sadmind Homepage

This week I was planning to focus on a little-known but nevertheless lethal Windows virus dubbed Flip. But as I put this column together, up popped news of a W32.Magistr computer virus attack on businesses in Europe, the U.S. and Australasia. Over the past weekend many company servers received a deluge of infected email, and requests to be removed or to cease and desist only invited more spam. Most victims were in the food industry and had subscribed to an e-mail newsletter service from Foodnavigator.com. The site was not directly responsible: it received an infected email which was then passed on to other subscribers. Yet even if you don't use or subscribe to this service, protect yourself against Magistr. See my previous Viruswatch column (it@tt, 10 April 2001). The good news is that besides the free Housecall service offered by Trend Micro (http://housecall.antivirus.com/), the company also has a Magistr insta-fix (http://www.antivirus.com/vinfo/security/fix_magistr.exe).

Sun and Microsoft may call each other names, but the two companies need to work together to remove the sadmind/IIS worm. This new, self-propagating and rapidly spreading worm affects both Sun's Solaris operating system and Microsoft's Internet Information Server. sadmind/IIS uses a well-known vulnerability in each OS to turn a Solaris server into a robot which silently sniffs out Windows systems running IIS and defaces their home pages. At the time of writing, over 30 major Solaris systems had been infected, and virus experts were checking the log files on the infected hosts to trace which Windows-driven sites had been compromised. sadmind exploits a buffer-overflow bug in a Solstice component to gain root-level control of the server. The infected machines then run a script which takes advantage of the well-known Unicode vulnerability in IIS to compromise over 3,000 remote IIS servers.

sadmind begins by probing port 80 on a random Class B range of IP addresses, looking for the signatures of other Solaris or IIS web servers. When it finds another vulnerable Solaris machine, it uploads its attack tool, ROOT.EXE, to infect the target server. On its web prowl, when sadmind finds an unpatched IIS 4.0 or IIS 5.0 server, the worm defaces the home page, usually the INDEX.HTML file, with the text "fuck USA Government. fuck PoizonBOx. contact:[email protected]." After defacing the IIS systems, the worm also defaces its Solaris host's index page with the same message. Luckily sadmind doesn't destroy data on either the Solaris or the IIS system. However, the embarrassment you or your company can suffer when visitors view the defaced page wrecks public trust in your products or services, and the worm also leaves the host Solaris system open to further attack. Please read the CERT Advisory (http://www.cert.org/advisories/CA-2001-11.html) for more details, including links to software patches.

As we went to press came news of the Homepage Internet worm. This one is dangerous, and by the time this column is published the infection will be on the rampage. VBS_HOMEPAGE.A (also known as HOMEPAGE.A, VBS/VBSWG.X, VBS/VBSWG.X@mm, VBS.VBSWG2.D@mm, VBS/SSI.gen@MM, VBS/SSI.gen, SSI, VBSWG) is a VBS (Visual Basic script) virus created using a generator. It self-propagates via Microsoft Outlook, sending itself as an email attachment to everyone in your Address Book, and then uses Internet Explorer to open pornographic Web sites at random. Upon execution, it drops a copy of itself in the Windows directory as "HOMEPAGE.HTML.VBS". The worm also checks whether the email it sent out still exists in the MS Outlook Journal and Sent Items folders, by looking for the subject "Homepage", and on finding such email deletes it to avoid detection. The worm requires the Windows Scripting Host to be installed (see Tips 'n Tweaks, it@tt, 1 May 2001 for information on disabling this service).

Govind Menon
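As an added, defender-side illustration (not code from this column, from CERT, or from any vendor named above), the following Python script turns the indicators the column gives for the two worms into checks a sysadmin could run over constructed sample data: it parses IIS-style W3C log lines (the field order is assumed from the sample header, not taken from a real server), flags requests that carry an overlong UTF-8 encoding of a slash (the encodings the IIS Unicode bug accepted, from the public advisory on that bug) or a decoded ".." traversal or a request for ROOT.EXE, checks an index page for the defacement text quoted in the column, and flags mail with a double-extension .VBS attachment such as HOMEPAGE.HTML.VBS. All log lines and mail metadata below are constructed for the example.

```python
"""Indicator checks for the sadmind/IIS and VBS_HOMEPAGE worms.

Added example; assumptions: W3C extended log lines with the field order
given in the constructed sample header, and mail metadata supplied as
plain Python values.  All sample data is constructed.
"""
import re
from urllib.parse import unquote

# Overlong UTF-8 encodings of '/' and '\' that the IIS "Unicode" traversal
# bug accepted in place of the literal characters (public advisory values).
OVERLONG_SLASH = re.compile(r"%c0%af|%c1%9c|%c0%2f|%c1%1c", re.IGNORECASE)

# Text the worm wrote into defaced index pages, as quoted in the column.
DEFACEMENT_MARKER = "fuck usa government"

# Double-extension script attachment, e.g. HOMEPAGE.HTML.VBS.
DOUBLE_EXT_SCRIPT = re.compile(r"\.[a-z0-9]{2,5}\.vbs$", re.IGNORECASE)


def is_traversal_request(uri: str) -> bool:
    """True if the URI carries an overlong-encoded slash, or a '..' traversal
    once percent-encoding (applied twice, to catch %25 tricks) is undone."""
    if OVERLONG_SLASH.search(uri):
        return True
    decoded = unquote(unquote(uri))
    return ".." in decoded.replace("\\", "/")


def suspicious_iis_requests(log_lines):
    """Parse constructed W3C log lines (date time c-ip cs-method cs-uri-stem)
    and return (client_ip, uri) for requests that match the worm's pattern."""
    hits = []
    for line in log_lines:
        if line.startswith("#"):          # directive / field-header lines
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        _date, _time, client_ip, _method, uri = parts[:5]
        if is_traversal_request(uri) or "root.exe" in uri.lower():
            hits.append((client_ip, uri))
    return hits


def is_defaced(index_html: str) -> bool:
    """True if the page body contains the defacement text from the column."""
    return DEFACEMENT_MARKER in index_html.lower()


def is_homepage_worm_mail(subject: str, attachments) -> bool:
    """Flag mail that looks like the Homepage worm: any double-extension .vbs
    attachment, or the subject 'Homepage' together with any .vbs attachment."""
    names = [n.lower() for n in attachments]
    if any(DOUBLE_EXT_SCRIPT.search(n) for n in names):
        return True
    return subject.strip().lower() == "homepage" and any(n.endswith(".vbs") for n in names)


# Constructed sample log: one normal request, two traversal probes.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem",
    "2001-05-08 10:01:02 192.0.2.10 GET /index.html",
    "2001-05-08 10:01:05 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/root.exe",
    "2001-05-08 10:01:07 192.0.2.78 GET /scripts/..%255c../winnt/system32/root.exe",
]

if __name__ == "__main__":
    for ip, uri in suspicious_iis_requests(SAMPLE_LOG):
        print("suspicious request from", ip, "->", uri)
    print("index defaced:", is_defaced("<html>fuck USA Government. fuck PoizonBOx.</html>"))
    print("worm mail:", is_homepage_worm_mail("Homepage", ["HOMEPAGE.HTML.VBS"]))
```

The double decode in `is_traversal_request` matters: a request encoded as `%255c` is a literal `%5c` after one pass and only becomes a backslash on the second, so a single-pass check would miss it. The mail check is deliberately broader than the one worm, since double-extension script attachments are the reusable indicator here.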