Computing News
August 2002, Information Technologies & Services Division

Monthly Virus Update: Klez Variants Continue to Dominate
 

Last month viruses and worms continued to try to make their way into the Lab, but the VirusWall continued to do an outstanding job in detecting and deleting them. The most frequently found worms and viruses once again target Windows systems, with major Klez variants being most prevalent with over 6,400 total instances found and stopped by the Lab's VirusWall. Klez continues to cause massive confusion by infecting systems, copying the user addresses from address books it locates, and then sending infected messages using the user addresses both as recipients and apparent senders. More information regarding Klez.

The Frethem Worm came in second place with 545 instances of this malicious program found and eradicated. Like Klez, it uses address books in infected systems to find recipients of infected messages it creates. Unlike Klez, however, it does not spoof the user address of the sender. It can plant a backdoor Trojan horse program that allows an attacker to remotely take over an infected machine. More information concerning Frethem.

A total of 498 instances of the Yaha worm were discovered and eradicated by the LBNL VirusWall, putting Yaha in third place last month. Yaha arrives as an email attachment with a message subject such as "Melt the Heart of your Valentine with this Screen saver" or "Fw: Melt the Heart of your Valentine with this beautiful Screen saver." The name of the attachment is normally "valentin.scr." Yaha gleans user addresses not only from address books, but also from any files with extensions that begin with "ht." It then sends itself to addresses it has found, forging senders' addresses. More information about this worm.

With worms and viruses such as Klez, Frethem, and Yaha all over the Internet, updating anti-virus software and avoiding opening attachments from suspicious origins are more important than ever.

OpenSSH Package Has Been Trojaned

The most significant security-related event last month was the modification of copies of the source code for the OpenSSH package (available at ftp.openssh.com, ftp.openbsd.org, and their mirror sites). The modified version includes a Trojan horse program that, when the source code is compiled and the executable run, connects to a remote host via TCP port 6667 and then opens a shell. The following files at the OpenSSH site were affected: openssh-3.4p1.tar.gz, openssh-3.4.tgz, and openssh-3.2.2p1.tar.gz. The known dates that Trojan versions of the OpenSSH package were distributed are July 30 and 31. A Trojan-free package became available at 5 a.m. PDT on August 1.

The LBNL Computer Protection Program strongly urges everyone whose systems are running these versions of OpenSSH, but especially those who upgraded their systems' OpenSSH packages on July 30 or July 31, to check the integrity of their OpenSSH version 3.4 packages. The best method is to compare an MD5 hash computed on one's OpenSSH source code to the MD5 hash values available at the indicated sites--any discrepancy shows that OpenSSH has been altered.
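As an added example (not code from the newsletter or from the OpenSSH project), the check recommended above in Python: compute the MD5 of each downloaded archive and compare it against an md5sum-style manifest. The archive bytes, the manifest and its digests are constructed for this example; the real 2002 digests are not on this page.

```python
import hashlib
import hmac

# Constructed stand-ins for the archives named in the advisory: the bytes
# below are made up, and ALTERED_ARCHIVE differs from GOOD_ARCHIVE only by
# an appended line, the way a modified copy would.
GOOD_ARCHIVE = b"openssh-3.4p1 source tree (constructed stand-in)\n"
ALTERED_ARCHIVE = GOOD_ARCHIVE + b"# extra bytes: a modified copy\n"

# Manifest in the usual md5sum layout, "<hex digest>  <filename>" per line.
# Digests are computed from the constructed GOOD_ARCHIVE, not the published
# values for the 2002 release, so that the example runs offline.
PUBLISHED_MANIFEST = (
    hashlib.md5(GOOD_ARCHIVE).hexdigest() + "  openssh-3.4p1.tar.gz\n"
    + hashlib.md5(GOOD_ARCHIVE).hexdigest() + "  openssh-3.4.tgz\n"
)


def md5_of(data: bytes) -> str:
    """Hex MD5 digest, fed in chunks as one would stream a large tarball."""
    h = hashlib.md5()
    for i in range(0, len(data), 65536):
        h.update(data[i:i + 65536])
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Map filename -> expected hex digest, ignoring malformed lines."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32:
            expected[parts[1]] = parts[0].lower()
    return expected


def verify_archives(manifest_text: str, archives: dict) -> dict:
    """Return filename -> 'ok', 'ALTERED' or 'no published hash'.

    Any mismatch means the local copy differs from what the site published."""
    expected = parse_manifest(manifest_text)
    verdicts = {}
    for name, data in archives.items():
        if name not in expected:
            verdicts[name] = "no published hash"
        elif hmac.compare_digest(md5_of(data), expected[name]):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "ALTERED"
    return verdicts
```

A digest published on the same server as the archive only shows that the download matches the server's copy; it cannot reveal an attacker who replaced both the tarball and the published hash.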

For more information, visit: http://www.openssh.com/txt/trojan.adv.

