Computer Knowledge Newsletter – February 2001 Issue

In This Issue:

  • BIND Vulnerability
  • Experts Fooled
  • OnTheFly Arrested
  • WEP Hacked
  • MS Security (Hotfix Packaging Anomalies; Invalid RDP Data Vulnerability; Windows Media Player Skins File Download Vulnerability; Network DDE Agent Request Vulnerability; PowerPoint File Parsing Vulnerability)
  • Trojans (APSTrojan)
  • File Infectors (VBS/LoveLet-CD; VBS/LoveLet-I; VBS/San-A; VBS/SST-A; VBS/Valentin-A; W32/Demig-A; W32/Hybris-Drop)
  • Macro Viruses (Variants; Melissa-X; WM97/Bleck-A; WM97/Class-FE; WM97/Ethan-EA; WM97/FF-H; WM97/Story-AD; WM97/Surround-C; WM97/Vmpck1-DZ; WM97/Wrench-I; XM97/Barisada-N; XM97/Reten-B; XM97/Slacker-B)
  • Worms (W32/Hybris-D; W32/Navidad-C)


Computer Knowledge now has a web store for T-shirts and mugs. Please take a look at our store at:

[Store removed due to lack of interest.]

Thank you.

I’ve also started a new personal site directed specifically toward a series of trips I plan to take to visit all of the California missions. You can follow along at: Link


General Security

BIND Vulnerability. A flaw was discovered in the widely-used Berkeley Internet Name Domain (BIND) software used to run many Domain Name System (DNS) servers. If exploited via Transaction Signatures (TSig), the flaw could allow a cracker to perhaps shut down any site or, even worse, redirect calls to that site to the cracker’s site which could be set up to look like the real site and then steal information as users log in. The flaw is in BIND versions 4 and 8 (but not version 9). A patch has been released and all BIND users should obtain and apply the patch or upgrade to BIND, version 9.

Experts Fooled. Even the experts can have a bad day. In an action related to the BIND vulnerability (see just above), Bugtraq posted code that appeared to test for the BIND vulnerability to its security list (about 37,000 people). Unfortunately, the code was not properly tested and it turned out that it did not test for the BIND vulnerability but, instead, sent out internet code to one server associated with the company that had done much of the research on the BIND problem: Network Associates. This was a clear attempt to attack Network Associates with a denial-of-service attack.

OnTheFly Arrested. A hacker known as OnTheFly was arrested recently by Dutch police. The 20-year-old claims to have written the worm that says it is a picture of tennis star Anna Kournikova. If convicted, he could serve up to four years for the crime, which he says was simply a prank. He was released to his home in Sneek and his case should be heard in a few weeks. (Note: This worm was created with a virus creation program using just a few mouse clicks and a graphical interface. You no longer have to be a savvy programmer to create a virus/worm, but it helps to know to change all the defaults instead of just the one or two that can lead the authorities to you–which OnTheFly didn’t do.)

WEP Hacked. Researchers have reported there are serious holes in the Wired Equivalency Privacy (WEP) protocol. This protocol is used to implement security portions of 802.11 (or Wi-Fi) networks. The flaws could allow hackers to steal data, modify data, just eavesdrop, or bring down the entire network. There is no quick fix in sight so if you use wireless networks be certain to include several layers of authentication outside the network itself for any critical data.

MS Security. Microsoft has issued a a number of new security bulletins this past month. Not all are described here. Please see all current alerts at: Link

  • Hotfix Packaging Anomalies. Windows 2000 security patches are distributed in digitally signed files. A production error in one of the files could, potentially, cause a system to revert to an insecure state. This would be rare. See: Link
  • Invalid RDP Data Vulnerability. A particular series of data packets can’t be correctly handled by the Windows 2000 Remote Data Protocol (RDP). This could cause a server to fail with loss of data. A patch is available. See: Link
  • Windows Media Player Skins File Download Vulnerability. Skins allow one to customize the look/feel of the Windows Media Player. A malicious skins file (extension .WMZ) might contain Java code that could be deployed and then later run under local context via a script and thus have more control than it should have. A patch is available. See: Link
  • Network DDE Agent Request Vulnerability. Network Dynamic Data Exchange (DDE) is a data sharing technology for applications. A fault in the Windows 2000 implementation might allow an attacker to cause the Network DDE in Local System context in order to gain control of the entire computer. A patch is available. See: Link
  • PowerPoint File Parsing Vulnerability. A buffer overrun condition can exist in PowerPoint 2000. This could allow a file to be created which, when run, could either cause PowerPoint to fail or cause unapproved code to run on your computer. See: Link

Virus News

There are a number of new viruses described this month; none rose to the level needed to place it on the alerts page:

[Page taken down.]

[Note: I’ll be taking the current.htm page down within the next month. It is therefore not linked here.]

Don’t forget our virus tutorial site.

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites: Link Link

Trojans. These important new Trojans appeared recently:

  • APSTrojan. This old beast has made a reappearance recently. It is a Trojan designed to steal AOL passwords. It then sends itself to the AOL “buddy list” (address book).

File Infectors. These important new file infectors have been reported recently:

  • VBS/LoveLet-CD. A LoveLetter variant. It resides in the System directory as CARTOLINA.VBS. When active it attempt to send itself to your Outlook address book. The subject is: “una cartolina per te!”.
  • VBS/LoveLet-I. A minor LoveLetter variant.
  • VBS/San-A. A script worm that exploits the Outlook Scriptlet Typelib and Eyedog vulnerability in order to execute the worm as soon as the E-mail is viewed. A Microsoft patch for Outlook is available to close this hole and should be applied. If the patch is not applied, this worm drops LOVEDAY14-B.HTA into the StartUp directory. The worm resets your home page to a site that contains the VBS/Valentin-A worm (since shut down) and drops MAIN.HTML into the System directory. It then embeds itself into a blank message and sends itself to your Outlook address book. It further attempts to send text messages to random numbers on a Spanish mobile phone network. It also attempts to send itself via mIRC if that software is found on your system. On various days it also tries to overwrite files on local and network drives with Spanish text.
  • VBS/SST-A. This is the beast the press has been calling the Anna Kournikova virus. It arrives attached to an E-mail with the subject “Here you have, ;0)” and the attached file ANNAKOURNIKOVA.JPG.VBS. When activated the worm sends itself to the Outlook address book. It also creates the registry entry “HKCU\software\OnTheFly”. On 26 January the worm tries to contact the Netherlands site: (Note: See article above about the capture of the author of this beast.)
  • VBS/Valentin-A. A script worm that exploits the Outlook Scriptlet Typelib and Eyedog vulnerability in order to execute the worm as soon as the E-mail is viewed. A Microsoft patch for Outlook is available to close this hole and should be applied. If the patch is not applied, this worm drops LOVEDAY14-A.HTA into the StartUp directory. This file drops INDEX.HTML into the Windows folder and sets Outlook so this becomes the default signature. On various days during the month the worm tris to delete all C-drive files and appends “happysanvalentin” to every folder name.
  • W32/Demig-A. When the virus runs, KERNEL32.DLL is copied from System to Windows and is infected. Excel, if found, is “infected” via the file DEMIURG.XLS dropped into the XLSTARTUP directory. On the next system start the virus goes into memory via KERNEL32.DLL and infects all EXE, COM, and BAT files. The Excel module infects all worksheets and drops C:\DEMIURG.EXE which, itself, is a virus dropper.
  • W32/Hybris-Drop. An executable file that drops the Hybris worm. This is an example of a program created using an upgrade component developed for Hybris.

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • Variants. The following variants have been observed but generally carry no payload: WM97/Eight941-H, WM97/Eight941-T, WM97/Footer-W, WM97/InAdd-E, WM97/Marker-GF, WM97/Marker-GJ, WM97/Myna-AF, WM97/Nsi-F, WM97/Thus-CL, WM97/Titch-H, XM97/Barisada-P.
  • Melissa-X. A variant of the original Melissa virus/worm that came about when a Macintosh Office 2000 user opened a WM97/Melissa-X infected file. Office upconverted the virus and saved it in a new form (Office 2000 on the Mac or Office 2001 on PCs). Like Melissa, the new variant sends a message with itself attached to the first 50 addresses in the Outlook address book. The subject is “Important Message From <you>” and the message indicates the attachment is “…that document you asked for…don’t show anyone else ;-)”. If, when run, the minute and day are equal (e.g., 7:01 on 1 May), the virus will insert text in the document: “twenty-two, plus triple-word-score, plus fifty points for using all my letters. Game’s over. I’m outta here.”
  • WM97/Bleck-A. A macro virus that activates on 31 August. When activated, it clears the current document are replaces it with: A CURSE FROM BLACKROSE TO SOMEONE HE HATES. HIJADIPUTA KANG HAYUP KA! BURAY MO, SAKA BURAY NI INA MO! HAYUP KA! SAYANG KA, HAYUP KA! HAYUP KA TALAGA! WORD97/BLACKCURSE VIRGOBLACKROSE Virus Development Libmanan Camarines Sur”.
  • WM97/Class-FE. On 26 January a message box displays the following message 15 times: “ReT}{@SoFt Inc Lda 87/99”.
  • WM97/Ethan-EA. Another Ethan variant. File properties are changed to: Title: “Creap school”, Author: “fpschoolanarchist”, and Keywords: “fpanarchist”.
  • WM97/FF-H. A macro virus created by the merger of two other viruses (WM97/Class-D and WM97/FF-A).
  • WM97/Story-AD. A Story variant. It looks for mIRC and, if found, writes a new SCRIPT.INI file. The Word document will be infected and stored as C:\WINDOWS\STORY.DOC then sent to the currently-connected IRC channel. Finally, the virus sends messages to several E-mail addresses.
  • WM97/Surround-C. A macro virus that attempts to strip documents of user-defined macros and other macro viruses.
  • WM97/Vmpck1-DZ. When run all Word templates in the Office Startup and Template folders are deleted.
  • WM97/Wrench-I. When active, any attempt to access the Visual Basic Editor will result in the Office Assistant popping up with the infection routine running in the background.
  • XM97/Barisada-N. The virus stores itself in HD.XLS. When executed on the 25th of the month a question about Hyundai Unicorns pops up. Pick “yes” and you are allowed to proceed. If you pick “no” you are given another chance. A “no” answer to that question and the virus tells you your file will be deleted; and all workbook entries are cleared.
  • XM97/Reten-B. An Excel virus that activates on the 26th of any month. When active, it displays a message box with text about how Excel has “Protected your system” and displays your registered name.
  • XM97/Slacker-B. An Excel virus that tries to delete C: drive files.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • W32/Hybris-D. A Hybris variant. Hybris comes as a base module and modules that can be updated via the Internet. WSOCK32.DLL is affected by the worm which tries to send itself to all sending you mail. The worm has various other effects which vary depending on the component(s) installed. The message sent out has a subject that generally talks about Snow White. The worm updates itself via a website (which can change via further updates) or via plug-ins posted to alt.comp.virus by other instances of the worm. [PLEASE get rid of this beast as it’s really making alt.comp.virus a nasty place to be right now.] The worm further displays a spiral on the screen on 24 September or 59 minutes after the hour any day in 2001.
  • W32/Navidad-C. A Navidad variant that, in addition to the original Navidad, carries the W32/Demig-A virus.

In closing: Save data often, particularly in California where power might be turned off at a moment’s notice!