Computer Knowledge Newsletter – August 2001 Issue

In This Issue:

  • Security Tools
  • Code Red
  • MS Security (NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak; Windows Media Player .NSC Processor Contains Unchecked Buffer)
  • Sneaky Survey
  • Trojans (W32/CodeRed-II)
  • Macro Viruses (Variants; WM97/Cruson-A; WM97/Marker-C; WM97/Marker-GT/GU; WM97/Quiet-F)
  • Worms (VBS/European-A; VBS/Haptime-A; VBS/LoveLet-CZ; VBS/PeachyPDF-A; VBS/Potok-A; W32/Choke; W32/Hybris-F; W32/Linong-A; W32/Parrot-A; W32/Petik-K; W32/Sircam-A)

General Security

Security Tools. The Center of Internet Security, a large consortium, has started to release security tools in cookbook form in order to help IT managers secure their systems. IT managers often don’t have to take the time to study all the changes that must be made to systems in order to secure them from the default install state of the vendor. Vendors don’t usually distribute systems in a secure state. Knowing this, the consortium has decided to release cookbook tools to help IT managers. The first available is for Sun Solaris. Other tools should be coming out for Windows NT/2000, Linux and other versions of UNIX. Keep in eye on for availability.

Code Red. There is really little to say at this point. Code Red is a worm that attacks Microsoft Internet Information Servers (IIS) and takes advantage of a security hole to install itself, find other servers to infect, and then, at a programmed time, launch a coordinated denial of service attack. The second version of Code Red drops a Trojan as well (see below). But, the reason there is little else to say is that a patch for the hole Code Red takes advantage of has been available from Microsoft since June. With all the press about Code Red there is *no* excuse for someone running IIS to not have obtained and installed the patch. None.

For more info on the patch see: Link

I guess the bottom line is that because Code Red still exists in the wild we can conclude that people running servers just don’t care about security. And, that’s the real shame and lesson from Code Red.

MS Security. Microsoft has issued a a number of new security bulletins this past month. Please see all current alerts at: Link

  • NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak. Messages posted to a Network News Transport Protocol (NNTP) server running on either Windows NT 4.0 or Windows 2000 may cause a memory leak (in processing the message the NNTP server makes a small amount of memory unavailable). The attack against this would be the sending of a large number of such messages so that resources in the computer disappear and it ceases to work. A patch is available. For more info: Link
  • Windows Media Player .NSC Processor Contains Unchecked Buffer. An unchecked buffer has been found in the Windows Media Player. Through .NSC configuration files this could be exploited to allow unauthorized code to run on your computer. A patch is available. For more info: Link

General Interest

Sneaky Survey. Since I mentioned privacy in past newsletters I thought it would be interesting for you to know about the latest sneaky way someone has tried to pry personal information out of me. A high-named association sent me a survey to fill out. The survey results were to be compiled and sent to Congress. The first four or five questions were of the type that fit that description, but as you read down the survey you found questions about income, renting vs. buying a house, and other personal data that would be of no use to such a survey. Then, at the very end, they wanted your phone number. A reply envelope was included; but it did not go to anyone in Congress, it went to the “association” instead. Beware of such data collection schemes! (They got the envelope back–empty.)

Virus News

There are a number of new viruses described this month. They are listed below.

Don’t forget our virus tutorial site.

(Note: The virus tutorial is being revised and updated and the updated version [no major changes, just many corrections and a format change] should be up soon.)

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites: Link Link

Trojans. These important new Trojans appeared recently:

  • W32/CodeRed-II. This is the Trojan dropped by the Code Red II worm. It appears as the file C:\EXPLORER.EXE and runs automatically when someone logs onto that computer. When run, the Trojan calls the original EXPLORER.EXE and sets the registry to disable the System File Cache. It also sets registry keys such that root.exe can be run in various directories and commands to be issued to the remote machine. Programs on the C: and D: drive can also be executed remotely after these settings. If you run an IIS server it’s *very* important that you install all security patches to stop Code Red and Code Red II from running. For more info: Link

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • Variants. The following variants have been observed but generally carry no payload: WM97/Thus-EP; WM97/Thus-EZ
  • WM97/Cruson-A. An E-mail Word virus that sends the active document as an infected file to your address book. The message tells you this is a “very, very important document” and that you should “Look in attachment.”
  • WM97/Marker-C. A Marker variant which tries to FTP info to the Codebreakers hacking group site. The info is also tacked onto the end of the macro.
  • WM97/Marker-GT/GU. Corrupted Marker variants which try to FTP info to the Codebreakers hacking group site. The info is also tacked onto the end of the macro.
  • WM97/Quiet-F. A Word virus that infects document and the global NORMAL.DOT template. There is no payload.

Worms. A number of worms have been announced this past month (actually, a large number!). Below is a summary of the more important ones:

  • VBS/European-A. An E-mail worm that, when activated, stores itself in the directory C:\STARTUP as a file with the extension .BLL. The registry is changed so that .BLL is executed as a Visual Basic Script file and so that the worm is run on system start. The worm attempts to infect files with the following extensions: .HTML, .HTA, .OCX, .DLL, .BAT, .EXE, .VBS, or .VBE. It used Outlook to spread via E-mail to your address book. The worm will be in an attachment with one of three file names: README.TXT???.VBS, SECURE.JPG???.VBS, or MYDILDO.JPG???.VBS (??? = 1 to 3 spaces). The subject and message text are chosen from a variety of texts embedded in the worm; the common thread is that you should open the attachment for a variety of reasons from curiosity to vulgar. As something of an insult, the worm also opens ten copies of Notepad just to let you know it’s there.
  • VBS/Haptime-A. An E-mail worm that infects files with the extensions .VBS, .HTML, .HTM, .HTT and .ASP. Its payload will delete .EXE and .DLL files whenever month+day=13 (e.g., 4 September or 1 December).
  • VBS/LoveLet-CZ. A Loveletter variant which arrives as either a random string or a subject that implies the attachment reveals FBI and/or Presidential secrets. If run, the worm creates a copy of itself in the Windows System directory with one of the following three extensions: .BMP.VBS, .ASF.VBS, or .JPG.VBS. This file is mailed to the Outlook address book. If network drives (E: through Z:) are present, they will be disconnected. And, on 17 September the worm displays a message box with a dedication enclosed.
  • VBS/PeachyPDF-A. This is the first worm that uses the Adobe Acrobat PDF file format to spread. Before you panic, however, be aware of something that’s not often stated in the press about this worm: it only spreads via the *full* version of Acrobat; the free reader program is immune and will not run the worm as it does not execute the macros in the worm. The PDF file arrives via E-mail in a message that talks about finding a peach. If you open the PDF in the full version of Acrobat and click where instructed then the worm will run and use Outlook to mail itself out to others in the background. Again, remember, this only affects the full version of Acrobat; but keep in the back of your mind that if Adobe ever updates the reader to run macros then it, too, could be vulnerable.
  • VBS/Potok-A. An E-mail worm that sends itself to 50 addresses in the address book using Outlook. The subject is: “New Generation of drivers”. The body talks about a new Microsoft video driver and urges you to run the VBS attachment (you may have trouble seeing the .VBS extension as there are 46 spaces between the DRIVER.DOC portion of the file name and the .VBS extension). This worm is a bit different in that on NTFS systems it will store part of its code in the Alternate Data Stream associated with the file ODBC.INI. Computer Knowledge has a discussion of ADS at: [If I don’t remember to change this please use the Site Map link above to find the page.]
  • W32/Choke. A worm that spreads through the MSN messenger instant messaging program. Worm filenames vary but include CHOKE.EXE and names that suggest violence to President Bush. If run, it installs itself as C:\CHOKE.EXE and sets the registry to run that file on system start. It also displays two dialog boxes; one which indicates it needs Flash 6.5 to run and the other says it can’t run and is quitting (both are wrong). It also creates the file C:\ABOUT.TXT which contains rambling text.
  • W32/Hybris-F. A Hybris worm variant. As with other Hybris versions it is capable of updating itself over the Internet. It sends a copy of itself each time an E-mail is sent out. Its behavior can vary depending on the extra components it has downloaded and is running. One of the components searches for .ZIP and .RAR archives. When found, it opens the archive and searches for .EXE files. If found, they are renames .EX$ and a copy of the worm is inserted using the original filename. Its message is the standard Hybris “Snow White” text in various languages. Another component encrypts the worm before E-mailing. This changes its form as an attempt to defeat anti-virus products.
  • W32/Linong-A. An E-mail worm that sends itself out in a message with a variable subject line (the subject is picked from a list of subjects in the worm). The attached file is likewise named from a list in the worm. The worm sends itself to the entire Outlook address book. When run, the worm creates 501 directories in C:\. Each is named “Linong I Love U So Much Linong For ever My Love???” where ??? is a number (0-500). Message boxes are displayed on 25 June (a birthday message), 22 July (a love message), and 14 November (a good-bye message).
  • W32/Parrot-A. An E-mail worm and companion virus. The worm arrives in an E-mail about a Parrot Screensaver with the attached file PARROT.SCR. If run, the worm sends itself to the Outlook address book as well as establishing a script that will send C:\PARROT.SCR to mIRC users if mIRC chat is installed. The virus portion of the beast renames .EXE files in the Windows directory to .PRT files and then copies the worm to the original .EXE filename. It’s a busy worm in that it also drops an audio file which is played when the virus is executed. A VBS file also opens a dialog with offensive text in it. Finally, the registry is changed so the audio file and VBS file are run on system start.
  • W32/Petik-K. An E-mail worm that appears to be associated with the French TV show Loft Story. It resides in the files LOFT_STORY.EXE in Windows and LOFT.EXE in the System directory. The WIN.INI file is changed so that the worm runs on system start. A message box about Loft Story is also displayed. The worm waits for an Internet connection and, when detected, will search for E-mail addresses in *.HTM* files on the local computer and send itself to those addresses. The messages have to do with Loft Story. On the 28th of the month registry keys for the IE home page and others are reset to Loft Story defaults. The worm also attempts to download a VBS script from
  • W32/Sircam-A. A network worm that can spread via E-mail or network drives. E-mail messages have random subjects (though usually related to the attachment name); the text is a greeting and request for help; the attached file is from the infected user’s system and the extension is always double with the last one able to execute. The worm copies itself to two places: Windows System directory as SCAM32.EXE and the Recycle Bin as hidden file SIRC32.EXE. The registry is changed so the worm runs on system start (before any other executable). If an open network drive is found and the worm finds RUNDLL32.EXE there it will rename the file to RUN32.EXE then copy itself to RUNDLL32.EXE. That computer’s AUTOEXEC.BAT file is changed to run this file on the next system start. Using its own code, the worm sends E-mail messages to the Outlook address book and any mail addresses found in the temporary internet directory. [Personal note: I really wish that all the folks who visited my Web site actually *read* all the caveats there about running attachments and checking them carefully. I stopped counting the number of these beasts I received at the address. Got so bad I had to change the settings in my E-mail program to keep from downloading these files, which were usually 200K+ each, just to save time and bandwidth; not to mention the continuous stream of anti-virus program alerts. I did not check the return addresses against the newsletter subscription list–I trust you folks. Don’t let me down.] Sircam also introduces a second concern in that the files it picks up from an infected user’s computer may already be infected with something else and so you will be sent a double-infected file. Some anti-virus software can’t handle this and will clean one but not the other, leaving you with an infected attachment but no warning. There are several cases of this happening already on record. Since you have no business prying into other people’s files don’t play with them; delete them if you downloaded them in the first place.

In closing: Worms are “popular” right now. Watch out for any and all attachments and treat them with care.