Owner of the BFT
22nd-Oct-2008 11:43 pm - (no subject)
Microsoft to release out-of-band security update 11/23 that impacts Windows. Exploit code must either be out there or close to it. *gulp*
16th-Jul-2007 09:48 pm - Ransomware now?
Received from Trend Micro...
7/16/2007 6:53:15 PM - Proactive Notification on TSPY_KOLLAH.H - EXECUTIVE SUMMARY
Trend Micro has received several reports of a ransomware infecting systems in the North America region that we will detect as TSPY_KOLLAH.F. Ransomware is software that, when executed, encrypts word-processing, spreadsheet, and other documents for the purposes of extortion.
MITIGATING STRATEGIES
- Trend Micro has control pattern 4.600.01 available for download at http://www.trendmicro.com/download/pattern-cpr.asp
- Trend Micro is releasing official pattern 4.599.00 to detect this. The ETA for this to be uploaded to our ActiveUpdate servers is 7:00 PM Pacific Time
- Please visit our virus description for updated information on this crimeware
RELATED LINKS
http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_KOLLAH.F
http://us.trendmicro.com/us/threats/home-user/common-threats/crimeware/
12th-Apr-2007 11:46 am - New worm
So there is a new virus/worm going around. It's an email that says you've gotten a virus or worm, and it encourages you to open a ZIP file that it says is a patch.

Please, do yourself a favor, and don't open that file.

Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=worm_nuwar.aok

SANS info:
We've received a bunch of emails in the past few minutes indicating the possible presence of a new Worm.

We are being told that it is a "Nuwar/Zhelatin" virus with Virtual Machine detection capabilities.

Apparently it indicates itself as a "Patch" for the "New worm" that is going around (whatever that may be, there are just so many I could choose from!)

The Subjects of the emails (that we have seen so far) say:
"Worm Alert!"
"Worm Detected"
"Virus Alert"
"ATTN!"
"Trojan Detected!"
"Worm Activity Detected!"
"Spyware Detected!"
"Dream of You"
"Virus Activity Detected!"

It has two attachments, one being an image with 'panic-worded text', and the other is a password protected zip file, whose password is revealed in the image.

The zip file appears to be named "patch-.zip".
19th-Nov-2006 08:25 pm - New worm
Is anyone else suddenly getting a larger number of emails with ZIP and EXE files? Specifically Update-KBnnnn-x86.exe?

EDIT: Yup, I was right. Symantec called it W32.Stration.EC@mm. Sophos calls it W32/Stration-BQ. CA calls it Win32/Stration Family. Trend Micro calls it TROJ_STRAT.GG.

Be especially careful of emails with .ZIP or .EXE files attached. That seems to be how these things are getting through email.
This is FYI at this time, in case this escalates.

Here's what I've gotten so far - Word XP and 2003 vulnerable to a zero day exploit. User must open malicious .doc file. "When the .doc attachment is opened, it exploits a previously unknown vulnerability in Microsoft Word and infects a fully patched Windows system. The exploit functioned as a dropper, extracting and launching a Trojan that immediately overwrites the original Word document with a "clean," uninfected copy."

References:
http://blogs.technet.com/msrc/archive/2006/05/19/429353.aspx
http://isc.sans.org/diary.php?storyid=1345
http://www.eweek.com/article2/0,1895,1965042,00.asp

AV vendors:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=w97m_mdropper.ab
http://securityresponse.symantec.com/avcenter/venc/data/trojan.mdropper.h.html
http://www.sophos.com/virusinfo/analyses/trojmdropama.html
16th-Aug-2005 09:24 pm - Virus / MS05-039 update
In case you haven't heard, there are now several different viruses in the wild that are using the MS05-039 vulnerability to infect and propagate. Two of these viruses -- WORM_RBOT.CBQ and WORM_ZOTOB.D -- went into the wild today, and cause infected systems to reboot. This is similar to the Sasser and Blaster worms.

Some companies have not been successful in protecting their environment. CNN is reporting that "Among those [companies] hit were offices on Capitol Hill, which is in the midst of August recess, and media organizations, including CNN, ABC and The New York Times. The Caterpillar Co. in Peoria, Illinois, reportedly also had problems." I have unofficial information that the County of San Diego and Small Business Association in Los Angeles were also impacted.

So, what can you do? If you support your own systems for security updates, help us protect the computing environment and apply the MS05-039 update to your systems as soon as possible. I can not emphasize enough how critical this is. The last thing that we want is a viral infection impacting our clients, clogging up our network, and preventing business from continuing. The simplest way to keep our environment safe from these viruses is to apply the MS05-039 patch.

References:
MS05-039 Security Bulletin
WORM_RBOT.CBQ
WORM_ZOTOB.D
CNN Story
MSNBC Story
14th-Aug-2005 05:35 pm - Just got back from Vegas
Found out the MS05-039, which just came out Tuesday, is being exploited in the wild. Folks, if you run Windows, please test and patch.

EDIT: That was a knee-jerk reaction to many things I scanned. Details have emerged now... The worm impacts only Windows 2000, but there is also already a variant of the worm. I still strongly suggest that you test and patch your Windows systems with MS05-039 - and that includes Windows XP systems!
31st-May-2005 09:30 pm - In other news
jelly_doughnut, since you just changed your default on your phone posts to WAV, you should check out the post on news.

Anyone else who ever dreamt of a permanent account should also see the post on news.

Caught a commercial yesterday for This is Your Life on DVD. I thought you should know.

Fracking new viruses that came out this morning have effectively spammed my rialtus.com domain to the tune of about 20 virused email messages. Punks.

June 3 is Doughnut Day. Mmmmm.... doughnuts...

Deep Throat confirmed to have been the #2 man at the FBI. Fascinating.

EDIT: Frienditto and Narcopolo are both up and running again. Great. More drah-ma ensues.
15th-Feb-2005 01:58 pm - *bangs head against cube wall*
We just got a case of friggin' NIMDA in the company because we had a client using his desktop as an IIS web server, and he refused to put any security updates on it because he thought it would compromise his ability to do work.

Where is my BFT? I need to go a-thwappin'...