In This Issue:
- Macro Viruses (WM97/Melissa-AA, WM97/Iseng, WM97/Broken, WM97/Marker-AZ, WM97/Verlor-A)
- Worms (W32/MyPics, W32/Icq_greets, W32/Video, W32/NewApt)
- Virus Effects
- MS Security
- Y2K Patent Lawsuits
- Psychic Cons
- Elf Bowling
There are a number of new viruses described this month; one rose to the height necessary to require a change to our alerts page (Prilissa):
[Page taken down]
Don’t forget our virus tutorial site.
Prilissa. This is a Melissa knockoff that originally was deemed not very important; but, recently, it has been found on three continents and spreading rapidly. Like Melissa, Prilissa comes as an attachment to an E-mail message. The subject of the message is “Message from [your name]” and the body of the message contains “This document is very important and you’ve GOT to read this!!” The virus is in the attached document. When you open the document and allow the macro to run, the virus disables your virus protection settings and other Word settings. It then sends itself to the first 50 addresses in your Outlook address book with the format described above (it only does this once). Prilissa, unlike Melissa, has a destructive payload. If run on Christmas day (25 December) the virus displays a dialog box, distorts the open document and modifies the AUTOEXEC.BAT file to format the C: drive the next time the system is started. Prilissa is easy enough to defeat by simply not opening attachments. And, all anti-virus software vendors have issued updates.
I put this one on the alerts page when it looked like it was starting to spread. It did not, however, reach the Melissa level since some anti-virus software detected it as something else and so alerted users.
Babylonia. This is a new kind of beast that has characteristics of a virus and worm in addition to being able to have components added to it remotely. When running, the virus will look for an active internet connection and, if found, will search an internet set in Japan (since shut down) every minute looking for extension files designed to plug into the basic virus and provide it will added capability (extensions initially available include greet.dat, ircworm.dat, dropper.dat, and poll.dat).
- Greetz.dat looks for a specific date and time and then adds a greeting to the start of your autoexec.bat file.
- Dropper.dat creates the hidden file instalar.exe and then executes it. That program then drops the basic virus to both the root directory and Windows\System directory (under different names) and registers one to run on Windows start.
- Ircworm.dat attempts to send Babylonia to chat users under the guise of a Y2K fix.
- Poll.dat sends E-mail to a Hotmail account as a way of counting infections.
Any future plug-in could easily have far more drastic consequences. And, even though the master site has been shut down there is no guarantee some future virus might not look for an existing infection in order to “enhance” it.
The virus is often found in an E-mail attachment called x-mas.exe. When run, the executable displays two error message boxes in succession: “API not found!” and “Windows NT required. This program will be terminated””.
ExplorezipB. A compressed version of Explorezip; an E-mail worm that mails itself via the Outlook address book indicating you received the recipient’s E-mail and will reply shortly; however in the meantime the recipient should run the attached zipped_files.exe file (don’t this is the worm). If run, the worm installs itself as explore.exe in Windows\System and changes win.ini so this file runs on each Windows start. Explorezip also searches out and zeros files with various named extensions.
Explorezip was originally described in CK Newsletter 03-06, June 1999.
- WM97/Melissa-AA. Yet another Melissa copy that tries to send itself to 1000 addresses. The subject is “Duhalde Presidente” and message text is “Programa de gobierno 1999 – 2004” along with an attached file that carries the virus.
- WM97/Iseng. A Word macro virus that looks for attempts to look at its source and, when spotted, displays an error message that makes it look like your Visual Basic Editor is not properly installed.
- WM97/Broken. A Word macro virus apparently produced using the VMPCK1 macro virus generator (reportedly in the wild). When infected, if you pick Help|About Microsoft Word a message box displays: “CAPut! by -=|| N|c0t|N ||=- (c) 1998”. The comment field in document properties is also changed to “JU$t bEEn CAPuted!”. The message “Word Basic Err =7” appears if the Word Visual Basic Editor is started. And, there is a very small probability the virus will globally change “19” with “CAPut” and disable the replace and undo menu items.
- WM97/Marker-AZ. A macro virus apparently written to disinfect other variants of the Marker macro virus. It doesn’t always work.
- WM97/Verlor-A. A Word macro virus that attempts to hide itself. If, for example, you attempt to open the Word Visual Basic Editor to look at the virus it will write itself out to files names overlord.b.vbs and overlord.b.dll along with instructions in the win.ini file to run the overlord.b.vbs file the next time Windows is started. The virus then removes itself from Word and all infected documents, recording the deletions in c:\himem.sys. Once this is done, the Visual Basic Editor does not see the virus. But, on the next Windows restart, the overlord.b.vbs file will reinfect everything. The virus also renames your computer’s owner to “the Overlord”.
- W32/MyPics. A worm that forwards itself via E-mail. There is no subject; the message text contains “Here’s some pictures for you!”; and, there is an attached file: pics4you.exe. When run the executable attempts to send itself to others in your Outlook address book. Internet Explorer is also reset so its home page brings up a pornographic site. Additionally, in 2000 the virus attempts to corrupt your CMOS configuration memory (it just messes up the checksum–entering the BIOS setup will reset the checksum). The autoexec.bat file is also changed in an attempt to reformat your hard drives. This one was written in Visual Basic and won’t run if the VB5 system file is not already on your computer.
- W32/Icq_greets. A worm that forwards itself via E-mail. There is no subject or message; just the attached file: icq_greetings.exe. When run the executable attempts to send itself to others in your Outlook address book. This one was written in Visual Basic and won’t run if the VB5 system file is not already on your computer. The worm is supposed to attempt to format your computer’s drives on 1 January 2000.
- W32/Video. For this worm the subject line will be blank, arrive from someone you may know, and have the following text in the message: “Here’s a digital video for you”. A file called video.exe will be attached. If run, the worm will be copied to the file C:\zip01.exe which will then be executed on subsequent boots due to a registry change. When running, the worm will mail itself to various entries in your Outlook address book. After the 16th of any month the worm will delete files of the form *.c*, *.o*, and *.i* in several preset directories.
- W32/NewApt. An E-mail worm that forwards itself as an attachment. If executed the program displays an error message of the form:
“The dinamic link library giface.dll could not be found in specified path C:\NV;.;C:\WINDOWS\SYSTEM;;C:\WINDOWS;C:\WINDOWS\COMMAND;C:\BIN;C:\BAT””
Laroux-KX. An Excel Macro virus variant of the original Laroux macro virus. The virus has multiple payloads with varying probabilities of executing. Chart objects may be deleted (1 in 150); Help files (*.hlp) will be deleted (1 in 75); files of the form *.b* will be deleted (1 in 300); files of the form *.c* will be deleted (1 in 150); or all DLL files (*.dll) will be deleted (1 in 50). If Laroux is detected, be certain to scan again after removal as multiple versions can run in some environments.
Virus Effects. Because I list a wide variety of viruses here you might get the idea that these exist in a vacuum and nobody is really affected by them since they become known, everybody updates, and all is well with the world. Not the case.
In mid-November Reuters reported that the Irish Dell Computer factory had to shut down for two days because its systems had become infected with FunLove (CK Newsletter 03-11, November 1999).
These beasts are spreading faster and faster so you need to keep your anti-virus software up to date often; can’t say it often enough.
MS Security. Microsoft has issued a few new security bulletins this past month. Below is a summary (this is only a summary for Windows 95/98; it does not include NT or applications–see the Microsoft web site for a complete listing):
- Legacy Credential Caching Vulnerability. This patch fixes an operating system problem that allows a plaintext network password to be obtained from cache. (Note: If you obtained this patch when the bulletin was first issued you ought to go back and get a new version; the original fix was uploaded wrong by Microsoft personnel and a later bulletin issued to announce this.)
- WPAD Spoofing Vulnerability. An Internet Explorer vulnerability that allows proxy settings to be sent to web clients in another network.
- Server-side Page Reference Redirect Vulnerability. A patch for a vulnerability that would allow a web site operator to view a file on a visitor’s computer (so long as the operator knew the specific file directory and name.
For all of these items and more please take a look at:
Items of Interest
Y2K Patent Lawsuits. When you thought you heard it all and expected it all, the legal system is bound to send you a surprise. In the latest case, it’s the sudden appearance of legal action relating to some of the approximately 30 patents issued by the U.S. Patent and Trademark Office (PTO) relating to Y2K fixes.
One of the patent holders (for a process known as windowing) has recently contacted major companies believed to have implemented this process demanding an up-front fee and royalties (or legal action). Most companies are still deciding how to respond. Many feel that windowing is an old technology and the new patent could be overturned in court; but so far nobody appears willing to fund the court fight necessary to prove that.
Many are watching to see what happens fearing that if this instance is successful other patent holders will suddenly appear with last-minute, unwelcome demands. Fees and court costs for such an event have been estimated to be in the billions.
Psychic Cons. A fellow member of the Association of Shareware Professionals markets “psychic” software (strictly for entertainment–not to even pretend to be a real psychic). She has, however, collected much information about cons working in the psychic field and has collected the information into a scams web page. You might want to take a look at it if the situation warrants:
Elf Bowling. Many people have been receiving an Elf Bowling game via E-mail. The game has Santa using elves as bowling pins and its release has generated a spate of hoax messages about a virus being housed in the file. To date, no virus has been found in any version sent to any of the anti-virus companies; but we’ve warned before about the possibility in any executable file sent via E-mail.
Elf Bowling is not completely benign, however. According to its creator (NVision) it is a test of a new marketing method. When the game is started, the first thing it does is to try to make a connection to NVision over the internet. This connection is not necessary to the game and it will play without the connection but the connection is made nonetheless and users are not told about it. NVision claims the connection tests a new technology for remote software updates but that it’s only a test and not actually used in Elf Bowling.
Now that you have all the facts, you decide if you want to run this program if you receive it.
In closing: I’d like to wish all a very happy holiday season and best in the year 2000.