Friday, February 11, 2005

Weekly report on viruses and intruders
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, February 11, 2005 - This week's report looks at four vulnerabilities
and a worm called Mydoom.AK.

First we will take a look at the main characteristics of the four security
problems, for which Microsoft has released patches. Users of affected
systems are advised to install the patches.

- Server Message Block (SMB) problem. This affects Windows 2000, Windows XP
and Windows Server 2003 and allows code to be executed. Ways of exploiting
it include creating special network packets and sending them to a vulnerable
computer, generating an email message with a link to a web page, and using a
program that passes parameters to the vulnerable SMB component.

- License Logging vulnerability. This affects Windows NT Server 4.0 (SP6a
and Terminal Server Edition SP6), Windows 2000 Server SP4 and SP3 and
Windows Server 2003. It could permit remote execution of code and could be
exploited through a specially crafted network packet sent to the vulnerable
computer.

If a hacker successfully exploited this problem he could take control of the
computer with the same privileges as the user that started the session. If
the user had administrator rights, the hacker could take control of the
entire system (and therefore create, modify or delete files; install
programs; create new user accounts, etc.). On computers with Windows 2003
Server it could allow a denial of service (DoS) attack.

- Security problem in the processing of PNG (Portable Network Graphic)
files. This affects applications such as Windows Media Player 9.0 (when run
on Windows 2000, Windows XP Service Pack 1 and Windows Server 2003),
Microsoft Windows Messenger version 5.0, Microsoft MSN Messenger 6.1 and
Microsoft MSN Messenger 6.2. It could be used by viruses to rapidly infect
computers via malformed real PNG images which, when processed by one of the
affected products, could cause the computer to crash.

- Vulnerability in Microsoft Office XP. This affects Office XP, Word 2002,
PowerPoint 2002, Project 2002, Visio 2002, Works 2002, Works 2003 and Works
2004. This could allow a buffer overflow which, if exploited by a hacker,
could give control over the computer with the same privileges as the user
that started the session.

Mydoom.AK is a worm with variable characteristics that spreads via email.
The subject field sometimes includes messages referring to Valentine's Day,
such as "Happy Valentine's day".

Mydoom.AK terminates active processes belonging to certain antivirus
products, firewalls and other security programs. For this reason, this worm
can leave computers vulnerable to attack from other malware.

Mydoom.AK searches for email addresses in the affected computer in files
with the following extensions: ADB, ASP, DBX, DOC, EML, FPT, HTM, HTML, INB,
MBX, OFT, PAB, PHP, PL, PMR, SHT, TBB, TXT, UIN and XLS. It then sends
itself out to them (other than those that contain certain text strings),
using its own SMTP engine.