Computer Knowledge Newsletter – April 2001 Issue

In This Issue:


So far I’ve tried book recommendations, advertising, and having a store for shirts, mugs, etc. in order to fund Computer Knowledge. While the advertising does bring in a few $$$ it’s not enough to cover costs. So, I’m resorting to begging :-). has a service that will collect voluntary payments. If you feel inclined to participate by making a payment toward upkeep please use this URL…

[Thank you. This is no longer necessary.]

Thank you.

General Security

Banning Attachments. Microsoft is apparently feeling the sting of their software being used so often to send viruses and worms via E-mail. To counter this, the Office XP version of Outlook (Outlook 2002) will, by default, reject as attachments about 30 different file types. The list includes all executables and even such things as photo CD images and Windows help files. The files will be allowed as attachments but Outlook will not open them by default. In the past, when specific malware was identified Microsoft would issue a patch that blocked that specific item (if it was “popular” enough). Now, they are going the next step and applying the broader brush. As reported, the default will be “nearly impossible for individuals and very difficult for corporations to disable.” [Note: I gather one has to manually edit the registry to overcome the default; you can therefore expect an almost immediate freeware release of tools to do this, making the “nearly impossible” claim rather hollow.] As you might expect, this move is not being universally applauded. Many feel that it’s nothing more than a simple Band-Aid over a more basic problem in Windows that allows malicious content to run at all.

Ads But No Cookies. The privacy groups are slowly having an effect. While it’s always been possible to serve ads without dropping one or more cookies on your system, this has not often been done because the cookies allow the collection of much more detailed information about a person’s activity on a site and between sites. But, recent passage of privacy laws, particularly those involving children, are forcing sites to reconsider their use of cookies. Without the ability to track a user through a site it is less likely the site will fall afoul of such laws as the Children’s On-line Privacy Protection Act (COPPA). And, even without the cookies, advertisers can still obtain significant information just from the calls for the ads. Data within the IP address can give your general geographic location and clickthroughs can evaluate how well any particular ad campaign worked.

MS Security. Microsoft has issued a a number of new security bulletins this past month. Please see all current alerts at: Link

  • Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard. In January 2001 VeriSign incorrectly issued two security certificates to someone claiming to be a Microsoft employee. These certificates can be used to certify files as coming from Microsoft (and thus presumed safe) while the content may be malicious. The certificates have been revoked, but a browser might not find the master list. A patch allows the certificates to be revoked on the local level. For more information: Link
  • Incorrect MIME Header Can Cause IE to Execute E-mail Attachment. HTML E-mails are basically web pages and IE, with the right settings, can render the page and execute any attached binaries automatically. Binary types are defined by a MIME header. A bug in the MIME header implementation could allow a malicious executable to run if settings allow this. A patch is available. For more information: Link
  • Passwords for Compressed Folders are Recoverable. The compression for folders in Plus! 98, an optional package that extends Win98/98SE with a data compression feature allowed password protection for compressed folders. The passwords are stored in a file on the system; consequently, anyone with physical access to a computer could find the passwords and access the folder(s). A patch is available. For more information: Link

General Interest

Hacking Costs. A recent study indicates that the cost to a company for a half hour penetration of their computers would likely cost from $2,000 (internal investigation) to $22,000 (consultant called in). Finding out what the intruder did might take up to 34 hours of work. Fixing a system usually adds to that cost in both time and money since software often needs to be both reinstalled and then patched to close the hole used by the hacker.

AOL Discs. If it’s still cold in the area of the world where you are consider saving all those AOL CDs you get and using them to scrape ice off the windshield. I used to use credit cards, but if they broke that was not particularly useful. With the CDs you were going to toss them anyhow so if they break there’s nothing lost. 🙂

Pyramid Toppled. One down and lots to go. PayLine, a pyramid scheme operating out of the Caribbean but with a mailbox in Florida, has been shut down by postal authorities. Via E-mail, PayLine promised that if you paid $200 and then sign up two new members you’d get a share of money obtained from future new members plus “thousands” of miles of free airline tickets. Apparently almost 300,000 people had fallen for this age-old scheme and some fraction of those actually sent in the $200. Those who did when the postal authorities seized the mailbox contents will likely get their money returned. Others may not be so lucky. Please just keep in mind that there is no “free lunch” and if something seems too good to be true then it likely is!

Virus News

The alerts page (current.htm) has been taken down. Other services provide this kind of information in a more timely manner.

Don’t forget our virus tutorial site.

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites: Link Link

Windows/Linux Virus. A proof of concept virus that is supposed to infect both Windows and Linux systems (and cross between them) has been released within the past month. Like most proofs of concept this beast doesn’t do much and contains bugs that limit its spread. But, as Linux becomes more popular and others work out the bugs, there is the possibility of future versions doing a better job of spreading and carrying nasty payloads. The W32.Winux (or W32/Lindose) virus is reported to have originated in the Czech Republic.

Logo Worm. A new proof of concept worm was found this past month (9 April). This one uses the Logo Programming Language; specifically, the SuperLogo language by Logotron. Logo is often used in educational environments. The worm is named LogoLogic-A. It spreads via MIRC chat and E-mail and assumes default installations on the computers it infects. The C:\MIRC\SCRIPT.INI file is overwritten with a propagation script that sends out LOGIC.LGP, the body of the worm. The script also announces itself on channel #gigavirii when it spreads. A STARTUP.VBS file is also dropped into the Windows startup directory. This program sends the worm to the first 80 addresses in the Outlook address book. The subject is “Hey friends!” and LOGIC.LGP is attached. WINSTART.BAT is overwritten so the message “You think Logo worms don’t exist? Think again!” is displayed. As with most proofs of concept, the worm is not presently spreading but may in the future as the beast is refined.

Trojans. This new Trojan appeared recently:

  • Troj/Futs. A Novell NetWare Trojan. It actually gives you options of what damage to do when run and even has a “boss screen” which presents a Borland 7.0 Pascal window on command. One of the options is to drop the BW-770-b DOS executable file virus [see below]. Speculation is that Futs was written by a pupil in school.

File Infectors. This new file infector has been reported recently:

  • BW-770-b. A DOS executable file virus dropped by Troj/Futs [see above]. The virus infects COM and EXE files and adds 770 bytes to their length. The payloads in the virus include: message display, try to format the hard drive, make the computer beep constantly. BW-770-b was created using the Biological Warfare virus construction kit.

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • Variants. The following variants have been observed but generally carry no payload: WM97/Myna-AL
  • Interactions. Various viruses are created by the combination of two other viruses. These are listed here: WM97/Ded-M (Created from WM97/Ded-B and WM97/Class).
  • WM97/Bablas-BK. A Bablas variant. Messages on the status bar are changed to non-English characters. Non-English messages are also displayed if Help|About is accessed on a Friday or Sunday before 9pm.
  • WM97/Bablas-BQ. A Bablas variant that, on Fridays, displays a message box containing non-English text.
  • WM97/Bottra-A. A Word virus that replicates only using the file C:\TK.MXC.
  • WM97/Buendia-B. A Word macro virus that, on the 28th of any month, displays two messages a minute apart. The messages are “HOY ES UN BUEN DIA” and “LUCY POR SIEMPRE TE RECORDARE atte: JAIRO”.
  • WM97/Doccopy-A. A Word virus that creates the infected file SAVER.DLL in the working directory and the directory DOC_COPY under the main Word directory. It uses this directory to store copies of infected files.
  • WM97/Flop-A. A Word macro virus that copies infected files from a floppy disk into the TEMP directory. The copied file has a random name with .TMP extension and is hidden, system, and read-only. The copy on the floppy is also infected.
  • WM97/Marker. Several Marker variants appeared this past month. -GN changes file summary information. -GW changes file summary info every third time a document is closed. -GX keeps a log of user addresses which could be sent via FTP on Sundays. -GY changes file summary info every third time a document is closed. -GZ keeps a log of infections in the file C:\PAGEFILE.LOG. -MR changes file summary info every third time a document is closed.
  • WM97/Opey-X. A Word virus that resets various user details in documents if the month is in the latter half of the year. The term “Crazy Man” appears most often in these changes. The Tools|Macro menu is also changed to display a message box saying you must kill the virus before you can access the macros.
  • WM97/Wrench-H. A minor Wrench variant with no malicious payload. It drops the virus code listing into ASCII.VXD in the root directory.
  • WM97/Wrench-L. A minor Wrench variant which displays the Office Assistant if the VB Editor is called, the font changed, or document printed. It drops the virus code listing into ASCII.VXD in the root directory.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • Linux/Adore. A Linux worm similar to Ramen and Lion. It uses vulnerabilities in several programs to gain root access. The worm tries to send confidential information to a site in China. A script inserted into the daily cron directory removes the worm at 4:02am when the defaults cron jobs are run. The worm spreads by probing IP addresses for vulnerabilities and exploiting those found. It’s therefore very important to download and install all known security patches for Linux. The vulnerabilities exploited by this worm are known.
  • Linux/Lion. A Linux worm similar to Linux/Ramen. It spreads via a remote exploit in the Bind name service daemon. If penetration is successful the worm replaces system binaries with Trojan versions designed to hide the worm and clean log files. It also adds itself to the startup sequence in order to survive system restarts.
  • VBS/Linda-A. A worm that spreads via E-mail, chat, and via networks. If run, it will reside in the Windows system directory in the file XMLDRIVER32.DLL.VBS. It searches the local and network drives for a wide variety of file types and, for each file found, copies itself to the original filename with .VBS added. The original file is deleted. The extension list is: VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP3, MP2, XML, PHP3, HTM, WAV, BMP, DOC, RTF, XLS, PPT, WRI, MDB, ZIP, RAR, ARJ, PDF, MID, GIF, AVI, HLP, FRM, MP4, C, PL, PAS, PS, TIF, WPD, FM, MK5, ASP, TXT, CHM, GZ, TAR, WSC, MHT, HTT, LHA, LZH, PCX, PIF. The worm uses SCRIPT.INI to send itself over Internet Relay Chat (if found on the system) and E-mail to send itself with the subject: “Important message for <name>”. The attached, infected file can have any name.
  • VBS/Pleh-A. A VBS worm that spreads via Outlook. It arrives in an E-mail with the subject: “I hate you”. The message insists you open the attachment: HELP.VBS. If run, the worm creates the folder “LOOK HERE” under Windows and places YOUMUSTREAD.TXT into that directory. This text file chides you for allowing your computer to be infected. The worm itself copies to KERNEL.VBS in the Windows system directory and HTLP.VBS in the Windows directory. The registry is set to run the worm at system start. The Windows shutdown graphic (LOGOS.SYS) is deleted. There is a small chance your AUTOEXEC.BAT file will be overwritten with one that attempts to format the C: drive on boot. The WIN.INI file is also overwritten with a line that runs the virus on system start. You are then told to view the above-mentioned YOUMUSTREAD.TXT file. Behind this message box the worm searches for specific extensions on local and network drives and overwrites them with worm code. The extensions affected include: MP3, PWD, EXE, MP2, DOC, AVI, MPEG, and HTM. The worm then mails itself to the first 80 addresses in your Outlook address book.
  • VBS/Postcard. This is an HTML script that drops a worm and payload if allowed to run. The virus infects files in the Windows temporary and system directories and will spread via E-mail and mapped network drives. On initial contact, if your security settings are set to reject unsafe ActiveX objects the virus will tell you ActiveX needs to be active in order to view the postcard. This warning will continue until you either accept the code or shut the browser down. If accepted the virus will greet you and then modify the registry so that unsafe scripts will run automatically. Your home page will then be reset to the virus which now resides in the Windows temporary directory. The virus also drops itself or copies itself to several other locations on your system, including the file [DB.GT].WSF in the Windows system directory. The worm part sends itself to your address book via Outlook. The virus then infects all HTML, SHTML, HTM, and ASP files in several directories. The final spreading technique causes the virus to copy itself to all connected network drives. The payload is in the file C:\WINDOWS\SYSTEM\PAYL0AD.VBE. The payload disables the mouse and keyboard, then opens WordPad with a message.
  • VBS/Staple-A. A worm that uses Outlook to spread. It arrives in your mailbox attached to a message that asks you if you sent the “attached message.” The attachment (INJUSTICE.TXT.VBS) contains the worm. If executed, the worm sends itself to up to 50 addresses in your Outlook address book as well as a list of other addresses in the worm. It also opens multiple instances of IE with different URLs in each. The Web sites are basically pro-Palestinian. It’s final action is to display a message box about the Palestine situation.
  • VBS/VBSWG-V. A pornographic worm with the subject: “Check out this preteen pic!!”. The worm is in the attached file: CINDY12YR.VBS.
  • W32/Badtrans-A. A MAPI E-mail worm that comes in a message urging you to “Take a look to the attachment”. The attachment may be one of 16 programmed into the worm; it will be either an SCR or PIF file. If run, the attachment claims to be corrupt while it copies itself into INETD.EXE in the Windows directory. WIN.INI is set to run that file on the next system start. As new E-mail is received, the worm responds with an infected attachment. Finally, the worm drops KERN32.EXE into the Windows system directory and makes it run at system start via a registry entry. This is the Trojan Keylog-C which is a password-stealing Trojan.

In closing: Remember, you can help keep Computer Knowledge going. See…

[Removed. The ads now fund the site.]