CERT Warns Of Mother's Day Virus
The security clearinghouse says the Trojan Horse is timed to coincide with this weekend's holiday
An Internet security clearinghouse is warning computer users to beware of a potentially destructive Trojan horse timed to coincide with another holiday.
You guessed it: Hunker down for the Mother's Day Virus.
The CERT Coordination Center said Thursday that it has received reports that an in-the-wild Trojan horse known as Peido-B, VBS/Inor.B, or the Mother's Day Virus, was making the rounds. CERT is a federally funded research and development organization located at Carnegie Mellon University.
Like most Trojan horses, Mother's Day includes an executable file attachment that, when opened, downloads and runs on the victim's machine. The Mother's Day message masquerades as an undeliverable message, but if the recipient opens the attached file, the sender may be able to gain control of the computer.
CERT has released an updated edition of a handbook that outlines steps companies and organizations can take to create a computer security incident response team (CSIRT).
The second edition of the guide, which debuted five years ago, includes refreshed content, newer examples, and expanded descriptions of CSIRT planning and implementation, said Georgia Killcrece, one of the authors of the handbook and a leader for CERT's CSIRT Development Team.
A CSIRT, she said, is more than a threat assessment team. It also plans detection and protection policies, and analyzes and responds to security events that break on the Internet.
"Anyone who has a network connected to the Internet will benefit from the Handbook," Killcrece said.
The guide, which lays out the issues that companies need to consider as they form a CSIRT, is aimed at managers, IT administrators, CIOs, and project leaders who've been tasked to implement a team, or who are interested in preparing their enterprise to handle security events, Killcrece said.
Later this year, CERT will roll out additional documents to model a variety of CSIRT organizational frameworks or templates. "Not all organizations have the same need," Killcrece noted. "Among the models, we'll have ones that outline a distributed team, a coordinated center, and even an ad hoc team."
The CSIRT handbook is available in PDF format from the CERT/CC Web site. The organizational models will appear during 2003 in the CSIRT Development section on CERT's site.
Also, Microsoft acknowledged that two older versions of its popular Windows Media Player share a vulnerability caused by downloading new "skins."
Windows Media Player 7.1 and 8.0 (the version included in Windows XP) sport a flaw in the way they handle skin downloads, said Microsoft in a security advisory posted on its TechNet site.
Attackers exploiting this vulnerability could post code disguised as a skin on a Web site; users who download it would introduce a possibly malicious executable to their machine.
The fake skin could also be delivered via E-mail. Users of Outlook 2002 and Outlook Express 6.0 (as well as Outlook 98 and 2000 when patched with the Outlook Email Security Update) are not at risk, but others are. An attacker could plant a masquerading skin on the computer even if the recipient didn't click the embedded URL in the E-mail message.
Judged "critical" by Microsoft--the second-highest warning in Microsoft's four-level threat assessment scale--Player's security hole can be plugged by downloading and installing patches from Microsoft's site. The most current Player, version 9.0, is not affected.