Archive of CERT general posting, CERT Summary CS-99.02

26/05/99, CERT Summary CS-99.02
From: CERT Advisory <>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: CERT Summary CS-99.02
From: CERT Advisory <>
Date: Tue, 25 May 1999 14:52:25 -0400
Organization: CERT(sm) Coordination Center - +1 412-268-7090


CERT Summary CS-99-02

   May 25, 1999

   The CERT Coordination Center periodically issues the CERT summary to
   draw attention to the types of attacks currently being reported to our
   incident response team, as well as to other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from

Recent Activity

   Since the last CERT summary, issued in February 1999 (CS-99.01), we
   have seen an increase in virus activity and an increase in the use of
   some older, known attacks.

   Protect your systems. Use current software versions, install patches
   as they become available, and update your scanning tools and
   anti-virus software with the latest virus signatures or definitions.
   Be leery of unsolicited documents or executable programs received in
   electronic mail. Be wary of software that comes from untrusted

    1. Virus Activity
       In the last three months, we have received many reports of virus
       activity. Current versions of anti-virus software can help to
       protect your systems from these viruses.
       It is important to take great caution with any email or Usenet
       attachments that contain executable content. If attachments are in
       a message, we recommend that you save the file to the local drive
       and scan the file with an anti-virus scanning product before you
       open or run the file. Be aware that this is not a guarantee that
       the contents of the file are safe, but it will check for viruses
       and Trojan horses that your scanning software can detect.

       The Melissa virus spreads mainly as Microsoft Word 97 and Word
       2000 attachments in email. It can be detected and removed by
       current versions of anti-virus software. For more information see
        CERT Advisory CA-99-04 Melissa Macro Virus
            Frequently Asked Questions About the Melissa Virus

       The CIH virus infects executable files and is spread by executing
       an infected file. Since many files are executed during normal use
       of a computer, the CIH virus can infect many files quickly. The
       most common version of the virus becomes active on April 26, but
       there are other versions that become active on the 26th day of
       other months (especially June 26). For more information, see
        Incident Note IN-99-03 CIH/Chernobyl Virus
            Frequently Asked Questions About the CIH Virus

       Happy99.exe is a Trojan horse virus. The first time Happy99.exe is
       executed, a fireworks display saying "Happy 99" appears on the
       computer screen. At the same time, it modifies system files to
       email itself to other people. For more information, see
        IN-99-02 Happy99.exe Trojan Horse
            CA-99-02 Trojan Horses

    2. Resurgence of SYN Attacks
       Recently we have received an increased number of reports of SYN
       attacks that result in a denial of service. This is a known
       exploitation method for which protection is available. For
       information about how SYN attacks work and how to protect your
       systems, see
        CERT Advisory CA-96.21 TCP SYN Flooding and IP Spoofing Attacks

       For more information about denial of service attacks, see
        Denial of Service

    3. Continued Widespread Scans
       We are still receiving daily reports of intruders using tools to
       scan networks for multiple vulnerabilities. Intruder scanning
       tools continue to become more sophisticated, varying from scripted
       tools and stealth scanning techniques to a tool that incorporates
       probes for known vulnerabilities, remote operating system
       identification, and a scripting language that simplifies
       automation of probes and exploitation attempts. For more
       information, see
        "sscan" Scanning Tool
            Automated Scanning and Exploitation
            Probes with Spoofed IP Addresses
            Advanced Scanning
            New Tools Used for Widespread Scans

       The most frequent reports involve well-known vulnerabilities in
       mountd, IMAP, and POP3. These services are installed and enabled
       by default in some operating systems. See the following advisories
       for more information:
        sunrpc (TCP port 111) and mountd (635)
            IMAP (TCP port 143)
            POP3 (TCP port 110)

       While these scans involve known vulnerabilites for which patches
       are available, the scans and exploitation attempts still result in
       sites being compromised because system security has not been kept
       up-to-date. Protect your systems. Make sure that all systems at
       your site have current versions of patches and that your machines
       are properly secured.

    4. Web Server Attacks
       We have been receiving reports of attacks exploiting
       vulnerabilities in sample applications in Cold Fusion and IIS. The
       attacks result in read and write access on the web server,
       allowing intruders to change web pages at will. For information,
        Allaire Security Bulletin ASB99-02 ColdFusion 4.0 Example
            Applications and Sample Code Exposes Servers
            Microsoft Internet Information Server 4.0 Security Checklist

What's New and Updated

   Since the last CERT summary, we have developed new and updated
     * Advisories
     * Incident notes
     * Security improvement modules
     * Technical reports
     * Information about computer security education

   There are descriptions of these documents and links to them on our
   What's New web page at

   This document is available from:

CERT/CC Contact Information

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   If you prefer to use DES, please call the CERT hotline for more

Getting security information

   CERT publications and other security information are available from
   our web site

   To be added to our mailing list for advisories and bulletins, send
   email to and include SUBSCRIBE
   your-email-address in the subject of your message.

   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

Version: 2.6.2


Previous message sorted by date: CERT Summary CS-99.01
Next message sorted by date: CERT Summary CS-99.03
Previous message sorted by thread: CERT Summary CS-99.01
Next message by thread: CERT Summary CS-99.03
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Feb 2000