In This Issue:
- Electronic Books
- Trojans (Troj/Kill98, Troj/Zelu, Troj/Feliz)
- File Infectors (W95/Spaces, W95/Esmeralda, W2K.Installer)
- Macro Viruses (W95/Love-998, WM97/Chantal-B, WM97/BackHand-A, WM97/Armagidon-A)
- Worms (VBS/Tune, W32/ExploreZipC, W32/P2000, W32/AntiQFX-A, VBS/Kak)
- MS Security
- Apple OS Vulnerable
- Microsoft Apple Update
- Credit Card Extortion
Electronic Books. Computer Knowledge has recently started a new freeware product line: E-books in Win95 Help format. Each book contains the full text of a public domain classic along with an annotated table of contents and added clip art. The files are free and available in either ZIP or EXE download format. There is no install routine, but all you have to do is decompress the download file into a directory/folder of your choice and then double click on the HLP file to start the book. To date, the following books are available: Around the World in 80 Days, The Art of War, Dracula, Strange Case of Dr. Jekyll and Mr. Hyde, A Tale of Two Cities, and Treasure Island. A Christmas Carol will be next on the list.
If interested, the E-books can be found via links from:
[Sorry, the E-books have been removed.]
Don’t forget our virus tutorial site.
- Troj/Kill98. A simple Trojan that, when run, tries to delete all C-drive files.
- Troj/Zelu. Another simple Trojan released as a Y2K fix. When run it either crashes or pretends to fix problems while overwriting the C: drive.
- Troj/Feliz. A Trojan that immediately deletes your registry files and a number of other important Windows files. It then displays an ugly bitmapped face and the words: “FELIZ ANO NOVO!!!” (Happy New Year).
- W95/Spaces. A virus that infects executable (EXE) files. It corrupts the Master Boot Record on June 1st. It has not been found in the wild.
- W95/Esmeralda. A virus that infects executable (EXE) files on Win95/98 (but not NT) computers. It has not been found in the wild.
- W2K.Installer. The first Windows 2000 virus. This is a concept virus that does no damage; it’s just a proof of concept that Windows 2000 is vulnerable. It could, however, be used as a template for future viruses. The virus embeds itself in Windows-format EXE files and spreads when the files are moved from computer to computer. This virus has not been found in the wild.
- W95/Love-998. A simple virus that spreads and plays a tune on the first day of any month after March, 2000.
- WM97/Chantal-B. A macro virus that drops a batch file virus and VBS Trojan. In 2000 this virus tries to delete all files in the current folder and the C:\ directory. Other batch files may be infected by the dropped batch file virus and the registered owner of Windows is changed to “Mae Koo V-Groups” with the version changed to “MKV-99”.
- WM97/BackHand-A. A Word macro virus reported but apparently not in the wild. It password-protects the current document using the password “Trim(Two)” on Friday the 13th, then displays a message box (other Fridays the virus displays a message telling you the document has been corrupted).
- WM97/Armagidon-A. On opening a document the virus writes out a temporary file (armagidon.bas) and then infects the NORMAL.DOT template file. The various macros in the virus have different payloads. One changes your Windows mouse pointer to the Red Cross symbol on May 8th (Red Cross day). Another makes character changes in the document.
- VBS/Tune. A VBS script that spreads by mailing itself using Microsoft Outlook Express and the Windows Scripting Host. As in most such beasts the subject and text of the message urges you to open the attachment (TUNE.VBS in this case). When you do you trigger the beast. Tune also attempts to spread via Internet Relay Chat (IRC).
- W32/ExploreZipC. An E-mail worm similar to W32/ExploreZip. Subject and text are “Oi” and “Eu recebi essa merda da uma olhada ai falou t++++ CYA!!” respectively. The attached file is DINHEIRO.EXE.
- W32/P2000. An E-mail worm that responds to unread mail indicating it is an autoresponder with the text “P2000 Mail auto-reply: I’ll try to reply as soon as possible. Take a look to the attachment and send me your opinion!”. The attachment can have one of a number of names programmed into the worm. If run the worm makes it seem like a zip self-extractor has malfunctioned while changing WIN.INI to run the worm on each reboot. There is also a pictorial payload that displays between 12am and 2am Wednesdays.
- W32/AntiQFX-A. A network worm that uses the name of the CD-ROM driver MSCDEX.EXE. It spreads by copying itself to other network computers when then run it when restarted. It will only work if the infected machine has write-access to sensitive directories on other machines on the network (which it should not have!).
- VBS/Kak. A script worm that writes out its code to files (Kak.HTA and Kak.HTM) along with another copy that is registered to run when Windows starts. The worm then sets itself to be sent out via outgoing E-mails. It also attempts to shut Windows down after the 17th hour on the first of the month.
MS Security. Microsoft has issued a new security bulletin this past month. Below is a summary (this is only a summary for Windows 95/98; it does not include NT or applications–see the Microsoft web site for a complete listing):
- A patch that removes a vulnerability in the operating system Rich Text Format (RTF) reader. The reader could cause E-mail programs to crash under certain conditions.
For this item and more please take a look at:
Apple OS Vulnerable. C|Net reports that Apple’s latest Macintosh operating system could be susceptible to denial of service attacks. The computer would have to be connected to one of the “always on” providers (e.g., DSL or cable). No reports of such an attack have been made; only the possibility as determined in the Computer Emergency Response Team (CERT) lab. A fix is reportedly available on the Apple Computer web site.
Microsoft Apple Update. Microsoft issued an Apple-related security bulletin and update the end of December. The update fixes an Outlook Express vulnerability that would allow HTML mail attachments to be automatically put onto a user’s computer and replaces some expiring digital certificates for the Apple version of Internet Explorer. For more info:
Items of Interest
Credit Card Extortion. In a new ploy a cracker broke into the credit card database for CD Universe and then attempted to extort the company by holding the numbers ransom for $100,000. The threat was the general release of the card numbers. The company refused to pay the ransom and the number were actually released on the internet for a short time until the web site they were posted on was shut down. If you ever did business with CD Universe be certain to check your credit card bills very closely–and, you might want to consider closing that account and getting another from your card provider.
In closing: Best to all in the New Year.