Computer Knowledge Newsletter – February 2000 Issue


The newest E-books released are:

A Christmas Carol by Charles Dickens

If interested, the E-books can be found via links from:

[Sorry, E-books removed.]


Virus News

Don’t forget our virus tutorial site.

Trojans. These new Trojans appeared recently:

  • Troj/Plage2000.A. When run, this beast pretends to be a Winzip file. While showing the Winzip dialog, it modifies the registry or the WIN.INI file to make the Trojan resident on each system start. As messages come in, the Trojan replies to them and attaches itself to the reply.
  • Troj/Sub7Gold.21. An executable file that installs itself on a computer and provides a backdoor for crackers to get into the computer and collect information that might be stored there and/or control the computer.

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • WM97/Marker-BU. Set to activate between 23 and 31 July, the virus will change the caption from “Microsoft Word” to “Happy Birthday Shankar-25th July. The world may Forget but not me”. A box then asks if you cursed Shankar on his birthday and gives two different answers depending on whether you click yes or no. Changes are also made to the document summary. (There is a WM97/Marker-BP variant that has a somewhat different payload.)
  • XM97/Divi-A. An Excel macro virus that infects other spreadsheets through a template file called BASE5874.XLS.
  • WM97/SMAC-D. A Word macro virus that displays a foreign-language dialog box when you close an infected document on 2 September or when you close Word on the 13th of any month.
  • WM97/Db-A. This Word macro virus modifies document comments from 6 November and 6 December to the end of the respective months.
  • WM97/Myna-C. A simple replicate-only Word macro virus.
  • WM97/Lupi-A. This virus tries to overwrite other viruses.
  • WM97/Goober-B. A Word macro virus that attempts to “correct” damage done by the WM97/Goober-A virus. (Correcting the work of one virus by using another is not particularly recommended!)
  • WM97/1960-A. On Mondays this virus will change AUTOEXEC.BAT to display political propaganda.
  • Variants. Several Melissa (Word) and Laroux (Excel) variants have appeared recently. Also seen are Ethan (Word), Marker (Word), and Thursday (Word) variants.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • VBS/Kakworm. This worm attacks Internet Explorer and Outlook. Non-Microsoft mail management programs and browsers are not attacked. The attack is similar to the BubbleBoy worm. Microsoft has released a patch to counter this beast. The worm comes as part of an HTML E-mail signature. In addition to sending itself to others it also shuts Windows down after 5 p.m. on the 1st of any month.
  • W95/WinExt. A worm contained in an attached E-mailed file called TRYIT.EXE. When run the worm becomes resident and checks for new mail hourly. When found, it replies with a mix of phrases and a copy of itself attached to the message. The file WINEXT.DAT is used to keep a log of the worm’s activity. It also sends a message to a French address between 11 and 31 July.
  • W95/Haiku. This worm uses a new technique to collect E-mail addresses to send itself to. Instead of using the Outlook address book, the worm will search for files with extensions of: .DOC, .EML, .HTM, .HTML, .RTF and .TXT. It will search each of these files for E-mail addresses and collect them for its use. To each it will send a message that has the subject line “Fw: Compose your own haikus!”, contains a description of what a haiku is, and has the file HAIKU.EXE attached. A payload that randomly triggers downloads a file named HAIKU.WAV, then plays it and displays the haiku:

Did you know
The smallest box may hold
The biggest treasure?

Visio Viruses. While not in the wild, two concept viruses that attack Visio 5 and Visio 2000 have been reported at anti-virus labs. V5M/Radiant and V5M/Unstable are not destructive but do spread. V5M/Unstable spreads through the main Visio template file (similar to NORMAL.DOT in Word).

General Security

MS Security. Microsoft has issued a few new security bulletins this past month. Below is a summary (this is only a summary for Windows 95/98; it does not include NT or applications–see the Microsoft web site for a complete listing):

  • Malformed Conversion Data. There is a security vulnerability in a utility that converts Word 5 documents in Japanese, Korean, and Chinese to more-recent formats. Arbitrary code could be run via this vulnerability.
  • Image Source Redirect. It’s possible for a browser to make local files accessible for a very short time during a redirect in IE 4 and 5. This patch closes that hole.

For all of these items and more please take a look at: Link

RealName Database Exposed. If you have done business with RealNames, a service that allows simple words to substitute for complicated web addresses, your credit card information may have been compromised. (You should have gotten a notice from the company via E-mail; this is just a backup alert.) The attack happened Wednesday, 9 Feb 2000. In addition, some of the simplified addresses were redirected to a government site in the People’s Republic of China (it’s not clear that the PRC was actually involved, however).

DDoS Attacks. As you probably know if you’ve seen any national news recently, several high-profile sites were effectively taken down for short periods by distributed denial of service attacks. Using “zombie” computers, one or more crackers were able to bombard the sites with much more traffic than they could handle (up to a gigabyte per second), thus effectively bringing them down. The zombie computers were scattered around the internet; some were apparently even in the local California area. At some time in the past the cracker(s) placed one of the DDoS programs onto the zombie computers; then, when an attack was desired, all that was needed was a command sent over the internet to the zombies, which then initiated the DDoS attack. As of this writing, the cracker(s) have not been found, but the FBI and other hackers are looking for them–the FBI to arrest them and other hackers because the attacks were so unsophisticated.

Napster Security Hole. If you use Napster’s software to trade digital music files you may have exposed your IP address. About a third of the time an IP address can be traced back to an individual. Napster is working on the problem. Why worry? Primarily, it’s a privacy concern. By exposing the IP address when you trade music files someone looking in could determine your likes and dislikes. And, if the music happens to be an illegal copy it will be easier to find you (hopefully, nobody reading this newsletter would be affected by that).

Win2000 Security Patch. In an ironic twist, Microsoft, at the end of January, released its first security patch for Windows 2000, about three weeks before the product was even released for sale. The problems were in the Microsoft Index Server and Internet Information Server and would allow someone to find and read administrative files (but not modify them). This might make sensitive information (e.g., passwords embedded in scripts on web pages) available to crackers.

CERT Scripting Advisory. The press widely reported on the CERT advisory about scripting on web pages: Link

This is not something new; it’s a problem that’s been around for some time. It just made it to national press level due to the advisory (and, likely, the coincidence with the internet attacks that made internet stuff “news”).

Basically, web browsers typically can interpret and run “scripts” they find embedded in the web page text they get from the server. If the site allows input from others to be shown on pages served to you without some filtering of that input, you can find malicious code in the page you receive. Text received via a message board would be one example of the type of situation described in the advisory.

What needs to happen is that the software that receives the input must screen it, looking for scripting tags (e.g., <SCRIPT>, <APPLET>, <EMBED>, and others) and filter them, and the material they surround, out of the input before saving it for posting to others.

There are other, not so obvious ways to accomplish the same kind of attack, however. Scripts can be part of a link you are enticed to click on. There are other tags that can be abused as well (see the advisory for full information–it’s quite complete).
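
An added example, not code from the newsletter or the advisory: server-side screening of a posted message as described above, using only the three tags named above as the blocklist (the function and sample names are hypothetical). Since links and other tags can also carry script, it then HTML-escapes whatever remains before display, a step added here as an assumption about how the page is generated.

```python
import html
import re

# The three tags the newsletter names; the advisory lists others.
BLOCKED = "script|applet|embed"

# A blocked tag together with the material it surrounds.
PAIR = re.compile(r"<\s*(%s)\b[^>]*>.*?<\s*/\s*\1\s*>" % BLOCKED, re.I | re.S)
# A blocked opening or closing tag left on its own (e.g. never closed).
LONE = re.compile(r"<\s*/?\s*(?:%s)\b[^>]*>" % BLOCKED, re.I)


def strip_script_tags(text):
    """Remove blocked tags and their content, repeating until nothing changes.

    Repeating matters: deleting one tag can splice the text around it
    into a new blocked tag, which a single pass would store as-is.
    """
    while True:
        cleaned = PAIR.sub("", text)
        if cleaned == text:              # no pairs left: drop stray tags
            cleaned = LONE.sub("", text)
        if cleaned == text:
            return text
        text = cleaned


def render_post(text):
    """Screen the input, then HTML-escape the rest so any markup the
    blocklist does not know about is displayed as text, not interpreted."""
    return html.escape(strip_script_tags(text), quote=True)


# Constructed message-board posts (not real traffic).
SAMPLES = {
    "plain":  "Nice article, thanks!",
    "tagged": "Hi <SCRIPT>x()</SCRIPT>there",
    "open":   "Hi <embed src=x>there",
    "nested": "<scr<script></script>ipt>x()</scr<script></script>ipt>",
    "link":   '<a href="javascript:x()">click here</a>',
}

if __name__ == "__main__":
    for name, post in SAMPLES.items():
        print(f"{name:7} -> {render_post(post)!r}")
```

The "link" sample passes the tag filter untouched, which is why the escaping step is applied to everything that is displayed.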

The best solution to these concerns rests with the web site developer. The only fairly complete solution a user can institute would be to turn off scripting in their browser. Unfortunately, so many sites now rely on scripts to present material that this solution typically results in viewing problems for users.

The bottom line is: be careful when visiting new sites you know nothing about.

Items of Interest

Solar Storms. We are nearing the maximum in the 11-year solar storm cycle. The last time this happened there were some large-scale power outages due to solar activity disrupting the power grid in one area, with the resulting surges affecting a much larger section of the grid. The power companies say they’ve solved this problem with better monitoring, but at least consider the possibility of power problems during the next few months. Also, we are much more dependent upon communications satellites now than we were 11 years ago. It’s possible there may be some degradation in the space-based part of the communications network during solar storms. (Since this cycle is well-known this is not a prediction of any sort of catastrophe; just a note telling you to look at critical systems relative to their dependence on power and space-based assets.)

Hardware Diagnosis. If you are using Windows 98 and are having hardware problems there is a program on your system that might help. It is a hardware diagnostic program that is largely undocumented. To access the program, click on Start|Run and then type “hwinfo.exe /ui” (without the quotes and don’t forget the “/ui”) into the dialog box, then click on OK. The program will run a diagnostic on your system and display a very long list of diagnostic material. In that display you just may find the clue to your hardware problem; look for the red items. (People not experiencing problems may find it useful to run the program and save the result as a text file just for reference.)

In closing: We’re finally getting some rain on the California coast but because of the mild winter the strawberries are already starting to come in. May all have such good luck!