Microsoft has completed the investigation into a public report of a vulnerability. Microsoft has issued a security bulletin to address this issue. For more information about this issue, including download links for an available security update, please review the security bulletin.

Get the security update for the Windows Meta File (WMF) vulnerability from Microsoft Update.

For more information please visit ARNIT Security Centre or use ARNIT Discussion forum to get answers to your questions immediately.

• Microsoft FrontPage 2000
• Microsoft FrontPage 2002
• Microsoft FrontPage 2003
• Microsoft Office 2000
• Microsoft Office 2003
• Microsoft Office XP
• Microsoft Publisher 2000
• Microsoft Publisher 2002
• Microsoft Publisher 2003
• Microsoft Word 2000
• Microsoft Word 2002
• Microsoft Word 2003
• Microsoft Works Suite 2001
• Microsoft Works Suite 2002
• Microsoft Works Suite 2003
• Microsoft Works Suite 2004

Description:

This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.

The vulnerability is caused by an unchecked buffer in the Microsoft Office WordPerfect Converter.

The Microsoft Office WordPerfect converter helps users convert documents from Corel WordPerfect file formats to Microsoft Word file formats. The WordPerfect converter is included in all versions of Office and is also available separately in the Microsoft Office Converter Pack.

This vulnerability can be exploited by a remote malicious attacker or a malware by:

• Web-based attack scenario:

  An attacker would have to host a Web site that contai ..]]> http://www.arnit.net/security/blog/post/index/30/MS04027-Vulnerability-in-WordPerfect-Converter-Could-Allow-Code-Executi Fri, 19 Aug 2005 11:34:30 +0000 General http://www.arnit.net/security/blog/post/index/30/MS04027-Vulnerability-in-WordPerfect-Converter-Could-Allow-Code-Executi#cmt Zotob.A, Zotob.B, Zotob.C, IRCbot.ES, IRCbot.ET, IRCbot.EX, Bozori.A, Bozori.B, Rbot.YN, SDbot.ADB, Codbot
  
  Affected Operating systems: Microsoft Windows 2000, XP, 2003
  
  Solution: You should immediately patch your operating system with the latest security patch released by microsoft ( http://update.microsoft.com/windowsupdate/v6/default.aspx ). You may also scan your computer for infections using ARNIT IT CENTRE FREE online virus scanner at http://www.arnit.net/security/tplarnit.php?page=vscan. ]]> http://www.arnit.net/security/blog/post/index/29/ZotobA-B-C-and-varients Thu, 18 Aug 2005 09:54:25 +0000 General http://www.arnit.net/security/blog/post/index/29/ZotobA-B-C-and-varients#cmt W32.Opanki.B is an IRC threat that may spread through AOL Instant Messenger.
  
  Also Known As: IRC Trojan, IM-Worm.Win32.Opanki.d [Kaspersky Lab], W32/Opanki.worm.gen [McAfee]
  
  Type: Worm
  
  Infection Length: 3,973 bytes
  
  Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
  
  Removal Instructions:
   

  You can scan your computer for Opanki.B and other types of viruses and trojans for FREE with ARNIT Online Virus Scanner athttp://www.arnit.net/security/tplarnit.php?page=vscan

  Or you may read the following manual removal instructions:

  The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan and delete all the files detected.
  4. Delete any values added to the registry.
  
  For specific details on each of these steps, read the following instructions.
  
  1. To disable System Restore (Windows Me/XP)
  If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
  
  Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a re ..]]> http://www.arnit.net/security/blog/post/index/28/W32OpankiB Thu, 21 Jul 2005 09:59:50 +0000 General http://www.arnit.net/security/blog/post/index/28/W32OpankiB#cmt Malware type: Worm
  Aliases: W32.Mytob.GP@mm, W32/Mytob.gen@MM
  In the wild: Yes
  Destructive: No
  Language: English
  Platform: Windows 2000, XP
  Encrypted: No
  Characteristics: Propagates via email

  ---

  Description: 
  
  Like other MYTOB variants, this memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

  < ..]]> http://www.arnit.net/security/blog/post/index/27/WORMMYTOBGB Sun, 3 Jul 2005 13:00:15 +0000 General http://www.arnit.net/security/blog/post/index/27/WORMMYTOBGB#cmt
  Malware type: Worm
  Aliases: W32.Sober.O@mm W32/Sober.p@MM W32/Sober-N Sober.P Email-Worm.Win32.Sober.p
  In the wild: Yes
  Destructive: No
  Language: English
  Platform: Windows 98, ME, NT, 2000, XP
  Encrypted: No
  Characteristics: Propagates via email
  
  Description:
  
  This worm spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target recipients from files with certain extensions names. Notably, it avoids sending messages to addresses that contain specific strings.
  
  Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they won tickets for the upcoming FIFA World Cup 2006 in Germany. It also sends email messages in English or in German, depending on the country-level domains of the gathered addresses.
  
  Social engineering, a propagation technique that is widely utilized by most worm programs, invests largely on computer users' instinctive tendency to open email messages, execute attachments that are enticing and apparently harmless, and download and unknowingly open attractively named files.
  
  For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan]]> http://www.arnit.net/security/blog/post/index/11/WORMSOBERS Thu, 5 May 2005 16:11:55 +0000 General http://www.arnit.net/security/blog/post/index/11/WORMSOBERS#cmt
  Technical Details:
  
  Common characteristics of the W32.Randex family include:
  
      * Spreading through network shares
      * Attacking randomly generated IP addresses
      * Using default credentials or weak username/password pairs to connect to a remote target system
      * Opening backdoor ports
      * Opening connections to predetermined IRC servers and waiting for commands from an attacker
      * Performing Denial of Service (DoS) attacks
      * Some recent variants exploit the Mydoom backdoor on TCP port 3127 to spread to remote systems
  
  
  For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan
  
  For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows]]> http://www.arnit.net/security/blog/post/index/23/W32Randex-family Tue, 26 Apr 2005 13:40:54 +0000 General http://www.arnit.net/security/blog/post/index/23/W32Randex-family#cmt
  winapa.exe description:
  File winapa.exe is related to trojan WootBot Trojan.
  
  Files related to winapa.exe:
  navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe
  
  File winapa.exe removal:
  WARNING!!! File winapa.exe is related to spyware. This is serious violation of your privacy, your system is under security threat.
  We advice you to scan your computer and eliminate possible threats.
  
  You can also visit ARNIT Online scanner to scan your computer for free!
  http://www.arnit.net/security/tplarnit.php?page=vscan]]> http://www.arnit.net/security/blog/post/index/26/Winapaexe-definition-relationships-removal Fri, 25 Mar 2005 21:24:54 +0000 General http://www.arnit.net/security/blog/post/index/26/Winapaexe-definition-relationships-removal#cmt
  
  
  Backdoor.IRC.Aladinz.G is a backdoor Trojan horse that uses malicious scripts in mIRC client software, allowing unauthorized remote access.
  
  Also Known As: Worm.Win32.Randon.o [Kaspersky]
      
  Type: Trojan Horse
  
  Infection Length: varies
      
  Systems Affected:     Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
  
  Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX
  
  Technical Details:
  When Backdoor.IRC.Aladinz.G is executed, it performs the following actions:
  
     1. Creates the folder %Program Files%\Common Files\OOBE\DivX Player 7.0, and drops the following files into the folder:
            * sample.bin (detected as Backdoor.Trojan)
            * DivXinstall.bat (detected as Trojan Horse)
            * DecodeDivX.exe (detected as Hacktool.DoS)
            * nacs.exe (detected as Hacktool)
            * DrDivXRegistration.exe (detected as Hacktool.HideWindow.)
            * Dr.DivX.exe (mIRC client software. It is detected as IRC.Backdoor.Trojan.)
            * DelDivX.exe (Process viewer. This utility is not viral by itself.)
            * Divx.exe (Remote execution utility. It is not viral by itself)
            * helptoo.txt (Text file that includes username.It is not malicious itself. )
    & ..]]> http://www.arnit.net/security/blog/post/index/25/BackdoorIRCAladinzG Fri, 25 Mar 2005 21:22:30 +0000 General http://www.arnit.net/security/blog/post/index/25/BackdoorIRCAladinzG#cmt