"Updated kernel packages available for Red Hat Enterprise Linux 3"
Advisory: RHSA-2004:017-06

"On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0001 to this issue."

http://rhn.redhat.com/errata/RHSA-2004-017.html

Affected Products:
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)

CVEs (cve.mitre.org): CAN-2004-0001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0001

Bagel AV Vendor Summary

Reports to the ISC indicate that AV gateways intercepting this worm and configured to "Autoreply" to the spoofed "From:" source are once again causing needless congestion (see SOBIG issues). Offenders should consider changing this configuration.

Three write-ups specify that the worm's email will have an attachment of "Length: 15,872 bytes", and one write-up says it is "an .exe file extension and consists of 3 - 11 randomly-generated lowercase characters."

After infection and initiation of its email routine, AV write-ups state that Bagel "will initialize and open a TCP socket in listening mode on port 6777."

The Trojan Retrieval Routine consists of:

"[HTTP connection]
HTTP GET REQUEST
GET /1.php?p=6777&id=[uid value, same value as used in the registry key]
User-Agent: beagle_beagle"

In the AV vendor write-ups so far, the worm has hardcoded URLs, none of which have had 1.php available.

One vendor (TrendMicro) cryptically reports "This worm may perform port scanning to connect to a remote system."

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html
http://vil.nai.com/vil/content/v_100965.htm
http://www3.ca.com/virusinfo/virus.aspx?ID=38019
http://www.sophos.com/virusinfo/analyses/w32baglea.html
http://www.f-prot.com/virusinfo/descriptions/bagle_a.html
http://www.messagelabs.com/viruseye/threats/list/default.asp
http://wtc.trendmicro.com/wtc/summary.asp

Patrick Nolan
Jan 19th 2004
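The retrieval request quoted above can be hunted for in web proxy or gateway logs. The following is an added example, not part of the original diary or of any vendor write-up: it assumes logs in the common "combined" format, and the client addresses, host name and id values in the sample are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.21 - - [19/Jan/2004:10:02:11 +0000] "GET /1.php?p=6777&id=12345678 HTTP/1.0" 404 210 "-" "beagle_beagle"
10.0.0.21 - - [19/Jan/2004:10:12:13 +0000] "GET http://example.invalid/1.php?p=6777&id=12345678 HTTP/1.0" 404 210 "-" "beagle_beagle"
10.0.0.35 - - [19/Jan/2004:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.48 - - [19/Jan/2004:10:05:02 +0000] "GET /1.php?p=6777&id=87654321 HTTP/1.0" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.52 - - [19/Jan/2004:10:06:30 +0000] "GET /news.php?p=2 HTTP/1.1" 200 900 "-" "beagle_beagle"
"""

# client, method, request target, user agent
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def find_bagle_checkins(log_text):
    """Group requests matching the quoted retrieval routine by client address.

    Two indicators are checked independently so that a partial match
    (changed User-Agent, or the User-Agent on a different URL) still surfaces.
    """
    hits = defaultdict(lambda: {"requests": 0, "indicators": set(), "ids": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, target, agent = m.groups()
        url = urlsplit(target)  # handles both "/1.php?..." and "http://host/1.php?..."
        query = parse_qs(url.query)
        matched = set()
        if agent == "beagle_beagle":
            matched.add("user-agent")
        if (method == "GET" and url.path.endswith("/1.php")
                and query.get("p") == ["6777"] and "id" in query):
            matched.add("uri")
        if matched:
            hit = hits[client]
            hit["requests"] += 1
            hit["indicators"] |= matched
            hit["ids"].update(query.get("id", []))
    return dict(hits)

if __name__ == "__main__":
    for client, hit in sorted(find_bagle_checkins(SAMPLE_LOG).items()):
        print(client, hit["requests"], sorted(hit["indicators"]), sorted(hit["ids"]))
```

A client that matches both indicators is a strong candidate for an infected host; the same hosts can then be checked for a listener on TCP port 6777.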