Computer Knowledge Newsletter – February 1999 Issue

In This Issue:

Virus News

Happy99 Worm. Message attachments named Happy99.exe (expect other names) have been showing up regularly in newsgroup postings and in E-mail. If you see one of these do NOT run it; it is a worm. (Aside: There is some disagreement on the exact classification; most call it a worm, a few a Trojan, and some even a virus because of the DLL modification it performs.)

If you do run it, you’ll see a 1999 new year greeting with fireworks. While that is displaying, however, the program copies itself to a file named SKA.EXE and extracts from itself a DLL called SKA.DLL, which is placed into the Windows System directory. The program also changes the WSOCK32.DLL in the Windows System directory (the original is saved to WSOCK32.SKA in a polite gesture).

Since WSOCK32.DLL controls your connection to the internet, the modified version has control whenever you go online. When you connect to E-mail or a news server the modified program will create a new message with Happy99.exe attached and send it off under your name. This is how the worm transfers to other users who then run that attachment.

Anti-virus programs are being updated to detect the worm, but it can be removed manually. Delete \WINDOWS\SYSTEM\SKA.EXE and \WINDOWS\SYSTEM\SKA.DLL, and replace \WINDOWS\SYSTEM\WSOCK32.DLL with a renamed copy of \WINDOWS\SYSTEM\WSOCK32.SKA. Also, be certain to delete any downloaded copies of HAPPY99.EXE.
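The manual removal steps above, as an added example that is not part of the original newsletter: a Python sketch that plans the cleanup before changing anything and leaves WSOCK32.DLL untouched when the saved WSOCK32.SKA is missing. The function names, action labels and the temporary sample directory are assumptions made for illustration.

```python
import os
import tempfile

# File names given in the article; all live in the Windows System directory.
DROPPED = ("SKA.EXE", "SKA.DLL")
BACKUP, PATCHED = "WSOCK32.SKA", "WSOCK32.DLL"

def locate(directory, name):
    """Windows file names are case-insensitive, so compare in upper case."""
    for entry in os.listdir(directory):
        if entry.upper() == name:
            return os.path.join(directory, entry)
    return None

def plan_cleanup(system_dir):
    """Return ordered (action, path) steps without changing anything."""
    steps = []
    backup = locate(system_dir, BACKUP)
    dropped = [p for p in (locate(system_dir, n) for n in DROPPED) if p]
    if backup:
        steps.append(("restore-wsock32-from", backup))
    elif dropped:
        # No saved original: leave WSOCK32.DLL alone and flag it for a person.
        steps.append(("needs-manual-review", os.path.join(system_dir, PATCHED)))
    steps += [("delete", p) for p in dropped]
    return steps

def apply_cleanup(system_dir):
    """Carry out the plan: restore WSOCK32.DLL first, then delete dropped files."""
    steps = plan_cleanup(system_dir)
    for action, path in steps:
        if action == "restore-wsock32-from":
            target = locate(system_dir, PATCHED) or os.path.join(system_dir, PATCHED)
            os.replace(path, target)  # saved original goes back under its real name
        elif action == "delete":
            os.remove(path)
    return steps

def make_sample_dir(with_backup=True):
    """Constructed stand-in for \\WINDOWS\\SYSTEM holding placeholder files."""
    d = tempfile.mkdtemp()
    names = ["SKA.EXE", "ska.dll", "WSOCK32.DLL"]
    names += ["WSOCK32.SKA"] if with_backup else []
    for n in names:
        with open(os.path.join(d, n), "w") as f:
            f.write("original" if n == "WSOCK32.SKA" else "placeholder")
    return d
```

Run `plan_cleanup` first and read the steps; a `needs-manual-review` entry means the dropped files are present but there is no saved WSOCK32.SKA to restore from.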

Word Macro: Footprint. The Energy Department reports a new Word macro virus that overwrites footers of all open documents. Existing footers are attacked and any existing macros attached to the document will be deleted.

When discovered, the virus was not detected by anti-virus software; by now, most should have an update. The virus can be detected by looking for the files footprint.$$$ and footprint.$$1 on the C: drive of the computer.

Once more, for effect: Keep your anti-virus program up to date (and don’t forget the boot disk to use with it for recovery).

General Security

Outlook98 Bug. When Outlook98 users reply to an encrypted message from a server other than Microsoft Exchange, Outlook tells you the recipient cannot read an encrypted message. You then get an option to send in the clear or just cancel the reply. This problem is limited to the corporate/workgroup configuration of Outlook98 and will be fixed in the Outlook2000 version.

Pentium III ID. Each new Pentium III produced will have a unique ID in the chip. This ID would be available to software and therefore could be included in transmissions over the web (as one example that’s been played up in the news). Privacy groups objected strongly and threatened a boycott of the chip unless Intel changed their policy. Intel responded by indicating that in all future shipments of the Pentium III the ID code will be set to “off” by default. Users will still have the option of turning it “on” if they desire.

Tracking a specific user’s travels over the web has been given media attention, but consider the ID could also be used to track stolen systems and/or provide unique user verification for electronic commerce. The choice will be yours; consider all options when you decide.

Browser Bugs. Microsoft’s IE4 has a fairly major security hole called the Cross Frame Navigate Vulnerability (we’ve discussed it before). While it has not been exploited in any major manner, the hole allows one site to hijack a second browser window on a victim’s computer. Once hijacked, this second window can be used to access files on a victim’s hard drive. It also gives the exploiter the opportunity to present what looks like trusted data to the victim, including what looks like secure pages, so a victim may send passwords, credit card data, or other personal information. Two different “fixes” have been posted to close this hole, but new discoveries show that only frames were fixed, not entire windows. So, the hole remains open.

The workaround is to disable scripting (via IE’s zone security feature) or, at a minimum, have the browser warn you before a script runs.

But, that’s not all for IE.

Another IE problem involves Hypertext Transfer Protocol (HTTP) 1.0. When a server responds supporting HTTP 1.1, the 1.0 connection rules are ignored. Since 1.1 supports persistent connections and 1.0 does not, connection resources are wasted.

Yet another IE problem involves privacy. As part of its housekeeping activities, IE saves some URLs in a hidden file that can be accessed even after the browser cache and history are cleared.

The browser Opera also reports a privacy problem. If a user has a window open to a password-protected site, has selected “save windows settings” and then closes the browser, another user can come along, restart the browser and get the password information. This bug is supposed to be fixed in version 3.52.

Hotmail E-mail Bug. A bug that may affect all web-based E-mail providers has been fixed by Hotmail (at least). The bug allows E-mail to be sent under another person’s name. Unlike header forgery, however, which is fairly common and relatively easy to do, this bug causes a trace (which fails in a forgery) to track right back to a victim’s computer. As you might imagine, this could put a user in legal jeopardy if the forgery involves something illegal like a death threat.

The bug involves causing a user to visit a web page that captures their IP address which then is used as part of the forgery. JavaScript is part of the exploit. Nobody is explaining further for obvious reasons.

Cookie Compromise. A few vendors have noted inappropriate information in their web logs; information apparently from cookies not sent by those vendors. Cookies are only supposed to be read by companies that send them.

Netscape, in investigating the problem, found that it was not a browser bug, but, more likely, a problem caused by users with corrupted cookie files. The cookies (in Netscape) are kept in a single file, one cookie to a line. Some cookie files did not have the line feed and/or carriage return characters at the end of some cookies (LF and/or CR indicate the end of a line in a file). The cause of the corruption is not known, but it’s likely the files became corrupted when systems crashed or users shut their computers off without shutting the operating system down first.
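An added example (not Netscape's code and not from the original newsletter) of how a lost line ending can put one site's cookie data into what is sent to another, and how a strict field-count check catches it. It assumes the tab-separated, seven-field cookies.txt layout; the sample records, the .example domains and the lenient `naive_read` are constructed for illustration.

```python
# Constructed sample in the assumed cookies.txt layout:
# domain, subdomain flag, path, secure, expiry, name, value
GOOD = (
    "shop.example\tFALSE\t/\tFALSE\t946684799\tcart\tabc123\n"
    "bank.example\tFALSE\t/\tTRUE\t946684799\tsession\ts3cr3t\n"
)
# The same records with the line ending after the first cookie lost.
CORRUPT = GOOD.replace("abc123\n", "abc123")

FIELDS = 7

def naive_read(text):
    """Hypothetical lenient reader: everything after the 6th tab is the value."""
    jar = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", FIELDS - 1)
        if len(parts) == FIELDS:
            jar.setdefault(parts[0], {})[parts[5]] = parts[6]
    return jar

def strict_read(text):
    """Accept only records with exactly 7 fields; report the rest."""
    jar, rejected = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != FIELDS or not parts[4].isdigit():
            rejected.append((lineno, len(parts)))  # line number, fields seen
            continue
        jar.setdefault(parts[0], {})[parts[5]] = parts[6]
    return jar, rejected

def cookie_header(jar, domain):
    """Cookie header value that would be sent to `domain` from this jar."""
    return "; ".join(f"{k}={v}" for k, v in jar.get(domain, {}).items())

if __name__ == "__main__":
    print(repr(cookie_header(naive_read(CORRUPT), "shop.example")))
    print(strict_read(CORRUPT))
```

With the corrupted sample, the lenient reader hands shop.example a value that carries the whole bank.example record, while the strict reader rejects the merged line as having 13 fields.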

It’s very important that you shut your computer down “gracefully” and not just turn it off. If you just hit the power switch without first closing all files and the operating system then you may be causing problems (and not just with the cookie file).

Items of Interest

Mac Not Y2K Immune. Contrary to Apple’s Super Bowl ads, the Macintosh computer is not necessarily immune to Y2K problems. While the Macintosh is better insulated from Y2K than most PCs, a Canadian company points out a programming routine in the Mac operating system, if used improperly, may yield bad date information. Documentation points out the potential for problems, but there is no guarantee every programmer has read and/or heeded the warnings.

In answer, Apple points out the Macintosh can correctly handle dates up to year 29,940 if the software is correctly designed according to published guidelines.

In closing: Spring has largely sprung on the central coast of California. The hills are green and the crops growing nicely. Four to six weeks to fresh strawberries at the roadside stands again!