Computer Knowledge Newsletter – April 1999 Issue

In This Issue:

Virus News

Melissa. Now that the panic has passed, let’s take a closer look at the only virus that caused me to issue a special alert to my readers in the two+ years I’ve been doing this newsletter.

Melissa is a Word macro virus. Some have called it a worm because of its action to spread itself; but it clearly infects Word documents and can be spread from person to person simply by passing infected documents. The E-mail payload is not necessary for spread of the virus.

The macro is active in Word 8 and 9 (Office97 and Office2000). When running in Word 9 the virus sets to minimum that version’s macro security features (this assumes you let the macro run the first time if security was set to high). On opening, the virus infects the global macro area (NORMAL.DOT) and infects other documents when they are closed. On activation, the virus uses VisualBasic to gain access to Microsoft Outlook. It uses Outlook to mail a message to the first 50 addresses in the Outlook database. The message has a subject that says it’s an “Important Message From [UserName]” where UserName is your name as defined in Outlook. The body of the message further indicates the message is something requested and includes a copy of the infected document currently open (a list of porno web sites if the original infected document is being sent–but it could be anything). The virus only does this once because it places a marker in the registry to tell itself it has already activated. Further, if, when activated, the current day number equals the current minute setting on the clock, the following text is placed into the current document: “Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game’s over. I’m outta here.”

The E-mail payload was the worst part of Melissa since most people organize their address database to place mailing lists at the top. This means that Melissa usually didn’t send just 50 messages but potentially thousands. Some companies reported massive mail server disruption. This sort of attack is not new; Melissa is similar to Share Fun, a virus that appeared in March 1997 but did not spread widely because of bugs.

So much for the details about the virus itself. Because of its massive attack it was quickly found and notices were sent to affected people (indeed, some say the notices had as much effect on the mail system as the virus).

But, the virus itself is really the boring part of the Melissa story. The interesting thing is the search for the virus writer. First came the identification of the original virus posting. By careful search of the Dejanews archive the first posting of the infected file to a sex newsgroup was found. The posting was traced to an AOL account and the Microsoft ID information in the Word document (remember, we talked about that ID info last month!) was confirmed to be the same as that found in some past macro viruses. The next step identified the AOL account-holder but this turned out to be a dead end; it became clear that the AOL account had been stolen some time ago and the real account holder did not know this. He even indicated he had plans to cancel that account (and has likely done so by now). Using AOL logs and phone records, the real call posting the message was identified and the posting traced to a Matawan, New Jersey man: David L. Smith. Smith has been charged with interrupting public communication, conspiracy to commit the offense, and the attempt to commit the offense. He was also charged with theft of computer service and wrongful access to computer systems. These were all New Jersey charges; federal charges may be pending. (Note: Did you know that information about virtually all calls, local or long-distance are recorded in phone company databases that are kept for at least seven years and often longer? You know now; the only problem is finding the information you might be looking for–rather like the needle in a haystack.)

There is no clear indication that the ID found in the document will be of any use as it’s believed that Smith is not the person who wrote the other viruses carrying that ID. And, virus writers have caught on to the ID and have been replacing it (usually with 666).

Finally, there is the legacy of Melissa. There are at least eight variants of the Word virus and one or more that have been migrated to Excel and PowerPoint.

All I can advise is to keep your anti-virus software up to date and if you receive an attachment, even from someone you know and trust, be certain you expected that attachment.

Help File Super Virus. Is it any wonder people don’t take many virus warnings seriously. One company, on 22 March, sent out a press release with the following lead: “Central Command announces the discovery of new SUPER virus that cross infects DOS, Windows 95, Windows 98, and Windows Help files.” Interestingly enough, the company that makes the anti-virus program Central Command markets issued the following statement on the same day: “Virus infects Windows HLP files. The devil is not so terrible as he is painted…The end of this year’s winter brought another surprise both to all Microsoft Windows users and anti-virus experts. Another Windows virus named Win95.SK besides infecting executable files contained an unusual subroutine: the virus was able to put its code into Windows HLP files.”

So, who do we believe? I choose the anti-virus lab, not the marketing company.

Let’s be clear, Win95.SK is a prototype with the potential for future problems. It’s designed to be polymorphic (changes its form), infects Windows executable files, can add itself to popular archive formats (e.g., ZIP, ARJ, and others), can add itself to Windows Help (HLP) files as a self-executing macro, and, when resident, operates in real time in the background and hidden from user notice. (Infecting HLP files has been a theoretical possibility for some time now. There have been some HLP Trojans before but this appears to be the first viral HLP infection.)

On the good side, this virus appears to only be a test prototype. It rarely infects because it requires specific system conditions. It also contains bugs. Its payload erases all files on disks C: through Z:, including the virus itself. And, its HLP infection only works on computers with Russian language support installed.

Don’t worry about this “super” virus right now; but, remain on guard.

Aptiva Virus. IBM has announced that Aptiva models 240, 301, 520, and 580 made between March 5 and March 17, 1999 and sold in the United States may be carrying the CIH computer virus. Most customers should have been contacted but just in case, if your new computer falls into the class above (the Underwriters Laboratory sticker will carry one of the codes MFG DATE: AM909, AM910, or AM911) contact your dealer or IBM.

Virus Info Sources. There is no single naming source for viruses. While most anti-virus companies try to align their names over time, it often just doesn’t happen. So, if you are looking for info on a specific virus first find all its various aliases using VGrep: Link

Once you have the various names, here are the URLs for some of the more comprehensive virus encyclopedias. Link LinkWeb Link Link Link

General Security

Satellite Tracks Parolees. In an interesting turn of the military to civilian use, satellites are now being used to monitor prison parolees (as well as being available to guide nuclear missiles). GPS satellites are presently being used to track 100 people in nine states. ComTrak (Advanced Business Sciences, Inc. from Omaha), which provides the system, reportedly charges $12.50 per day. A bracelet, personal tracking unit, and battery charger/base unit make up the system. The bracelet must remain within 50 feet of the tracking unit or an alarm is broadcast. The system can be programmed for specific zones (e.g., bars may be made off limits to people convicted of driving while intoxicated). If an exclusion zone is violated an alert is sent to the monitoring station for followup. The tracking unit charges overnight and, while charging, also downloads all of the person’s movements throughout the day to the monitoring center.

Anyone think that George Orwell just had the year wrong?

Hotmail Requires Cookies. Microsoft’s Hotmail has been authenticating users using either a cookie or by checking a user’s IP address. For those using the IP address on a public terminal, subsequent users could gain access to the prior user’s account. To solve this, Hotmail will be switching solely to cookies and users, who have had the option all along, should switch to cookie verification now if it’s not already set.

Freeware Steals Passwords. MSNBC reported on March 23 that a free E-mail program named ProMail is really a Trojan that sends user names and passwords to a NetAddress account. ProMail is a fully-functional program that does what it says; it just has this nasty side effect. The leads to the author in the program’s contact info are all blind alleys.

Notes Bug Decrypts Messages. A bug in Lotus Notes versions 4.5 and 4.6 can, under some circumstances, allow encrypted mail to actually cross the network in the clear and get stored in the clear on a mail server. IBM is working on the bug and apparently Release 5 is free of it. The problem occurs when Notes sends the encrypted message to the receiver but an unencrypted version to the Sent Mail folder. This latter version can be read using a network traffic analyzer. A fix should be available by the time you read this and a workaround would be to pick the option “Encrypt Saved Mail” in the preferences area each time you send an encrypted message.

Pentium III Privacy. Much as been made of the Pentium III ID number in recent weeks. But, just how bad is such a thing? Basically, the argument is between privacy advocates and corporate interests (although the rhetoric would have you think it’s much more basic). The Pentium III has a 96-bit serial number. It’s directly encoded into the hardware. It was designed to provide one layer of protection for electronic transactions and as a help for companies to track assets. Privacy interests are concerned that the number can also track users across the internet. They also contend that the number could be stolen and used against users.

It’s clear the number can be stolen. Intel provided systems with the number serving function turned off and industrious programmers almost immediately provided a program that could defeat that and get the number. But, is this a problem?

As designed, a web site wanting to use the number would ask for specific user information and then provide an applet for the user to download. The applet would obtain the chip ID and “hash code” it. So the web site never actually gets the number; it gets a code that represents the number. Each web site would use a different routine to hash the number so each web site, in theory, would know users by a different ID. Other layers of encryption are used to further hide the real number. Privacy advocates postulate that there is no guarantee web sites will use this technique and the lazy webmasters will just send the number in the clear.

But, again, even if the number (or a particular hash code) were obtained, sites using this number will virtually always ask for additional information if not to protect the user, to protect themselves. So, the number will be only one stage in the identification process. Also, since confirming transactions are encrypted differently, crackers will have a very difficult time completing a transaction, even if they have the number and the additional information.

Of course, nothing is impossible. But, given the layers upon layers needed to even use the serial number correctly, it seems like its misuse will be rare and easily determined. Indeed, many companies already use serial numbers and the like for registration purposes and these are far easier to crack than the chip ID.

But, all this is theory. It will be some time (and many experiments) before the full implications of the chip ID become known.

Items of Interest

“Know Your Customer” Stopped. For now, it appears that a flood of negative mail (mostly E-mail) has stopped Federal bank regulators from implementing a plan that had become known as “Know Your Customer.” Under this plan banks would have had to profile each customer and report any transactions that did not fit the plan. While dead for now, other such plans will crop up in the future as bureaucrats find things to do in order to keep their jobs. Keep your eyes open.

Y2K Lawsuits a Growing Business. The Gartner Group reports Y2K-related suits have jumped from three in Jan 1998 to 80 now with many more pending as seen from demand letters sent out. Concentration so far is on software suppliers but hardware and insurance companies are likely to be the next targets (particularly since insurance companies are saying they are not going to cover Y2K problems). This will start to become important later this year as it’s predicted at least a third of the Y2K problems will actually occur in the last half of 1999 with only about half happening in 2000 and the remainder in 2001. And, every problem that does happen is a source for a potential lawsuit. Make certain your systems are not affected!

Y2K Baby. If you’re trying for one of the prizes being offered for the first baby born 1/1/2000 by the time you get this you’re late. Best time for a normal delivery would have been somewhere around April 9th (give or take a few days). Believe it or not, there has been at least one news report about one couple who will travel to one of the isolated Pacific islands and have a C-section even though there is no hospital or medical facilities there!

Cat in The Ladle. I receive Urban Legend updates now and again from the website. Most are interesting; many are funny. A recent update featured the myth about Chinese restaurants serving cats as entrees. The debunking page contained a really funny RealAudio song about this. I enjoyed it very much; you can too:

In closing: Please support the advertisers through our links.