In This Issue:
- Egghead Cracked
- Fake eBay Mail
- Ramen Worm
- MS Security
- April 1 Windows Problem
- Internet Cleanup Day
- Trojans (Troj/KillCMOS-E)
- File Infectors (W32/Navidad-B)
- Macro Viruses (Variants; WM97/Chronic-A; WM97/Eight941-R; WM97/Ethan-DT; WM97/Footer-V; WM97/Hope-AA; WM97/Marker-CK; WM97/Marker-GA; WM97/Marker-GB; WM97/Media-A; WM97/Salim-A)
- Worms (VBS/Davinia-A; VBS/MBot-A; VBS/Mcon-B; VBS/Sheep-A; VBS/Tqll-A)
Computer Knowledge now has a web store for T-shirts and mugs. Please take a look at our store at:
[Store down for lack of interest.]
Thank you. Also, due to popular request I’ve started to convert my original DOS tutorial, first written in 1985 and updated until 1994, from its current form as a DOS program into a web-based tutorial. The original tutorials have been converted and, over time, the advanced DOS section that fully described each and every DOS command will also be converted and posted. I’ve not updated the information particularly but, in some cases, have added “more info” links. As time permits, more of these will be added. The tutorial has been described as a “minicourse in microcomputing.” Come visit the work in progress if interested…
http://www.cknow.com/cms/category/tutcom [Use link above on the menu bar.]
Egghead Cracked. As many as 3.7 million database records may have been stolen from the Egghead.com site by crackers. The data included credit card numbers. Credit card companies have been contacted and copies of those numbers provided to the companies as a precaution. There is no indication that any of the card number have been used. [Egghead has since indicated they believe the card numbers were not stolen; but did not issue an absolute statement.] If you’ve had business with Egghead over the past month keep an eye on your account statements.
Fake eBay Mail. If you receive an E-mail from eBay indicating a problem with your registration and asking for personal information DO NOT RESPOND and do not take the link provided in the E-mail. One in a series of such fake E-mails is presently circulating.
Ramen Worm. A self-spreading program similar to the Morris Worm of 1988 is spreading via unsecured Red Hat Linux servers. The worm is not particularly sophisticated but tends to swamp networks with searches for new hosts. Because of its fast searching techniques little other traffic gets through. The worm exploits flaws in the default installation of Red Hat versions 6.2 and 7.0. The same flaws exist in other versions of Linux but only Red Hat has been targeted. Interestingly enough, the worm actually fixes the security holes it exploits. The bandwidth use appears to be the main problem with the worm except that it could be used as a template for worse beasts.
MS Security. Microsoft has issued a a number of new security bulletins this past month. Their alerts are no longer in a format convenient to summarize and so won’t be included in the newsletter any longer. [Update: They changed their mind so future issues have this data.] Please see all current alerts at:
April 1 Windows Problem. Be careful on April 1, 2001. It’s possible some Windows (95, 98 and NT) applications could show incorrect time on that date. The Microsoft Visual C++ runtime library MSVCRT.DLL assumes daylight savings time starts 8 April instead of 1 April. This bug occurs whenever April 1 falls on a Sunday which occurs in 2001 and will again in 2007. The problem is reported in several places but a search of the Microsoft Knowledgebase turned up nothing.
Internet Cleanup Day. It’s that time again! As many of you know, each year the Internet must be shut down for 24 hours in order to allow it to be cleaned. The cleaning process, which eliminates dead E-mail and inactive FTP, WWW and gopher sites, allows for a better working and faster Internet.
This year, the cleaning process will take place from 12:01 a.m. GMT on February 27 until 12:01 a.m. GMT on February 28 (the time least likely to interfere with ongoing work). During that 24-hour period, five powerful Internet search engines situated around the world will search the Internet and delete any data that they find.
In order to protect your valuable data from deletion you should do the following:
1. Disconnect all terminals and local area networks from their Internet connections.
2. Shut down all Internet servers, or disconnect them from the Internet.
3. Disconnect all disks and hardrives from any connections to the Internet.
4. Refrain from connecting any computer to the Internet in any way.
Yes, this is inconvenient. However, any inconveniences will be more than made up for by the increased speed and efficiency of the Internet, once it has been cleared of electronic flotsam and jetsam. Thank you for your cooperation.
[OK, it’s a JOKE! But, some have actually believed this when they got it via E-mail.]
There are a number of new viruses described this month; none rose to the level needed to place it on the alerts page:
Don’t forget our virus tutorial site.
More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites:
- Troj/KillCMOS-E. A Trojan, dropped by the macro virus WM97/Chronic-A (see below), that changes CMOS data by overwriting it.
- W32/Navidad-B. A Navidad variant worm that arrives as EMANUEL.EXE. When started a dialog containing “;)” opens and the worm tries to send itself to addressees of new messages received. It stores itself as WINTASK.EXE in the System directory and, when running, appears in the system tray. Various messages are displayed if you click on the icon.
- Variants. The following variants have been observed but generally carry no payload: WM97/Thus-CD
- WM97/Chronic-A. A macro virus with a complex payload. The simple trigger activates the payload every 25th time the virus runs. The payload monitors the day part of the date. When activated, the payload modifies the first 1020 bytes of specified files and appends the text “Karachi_y2k7” to the end of those files. The files affected depend on the day part of the date. See one of the AV links above for specific file names. If the day part of the date can be divided by 5 the virus will set a password on the current document; usually “1297307460”. If the day part can be divided 2, the virus will try to print up to 9 copies of the current document. On days divided by 4 or 6 the Trojan KillCMOS-E will be dropped (see above).
- WM97/Eight941-R. A virus that spreads but has no working payload.
- WM97/Ethan-DT. An Ethan variant that fixes some bugs in the original.
- WM97/Footer-V. A new virus created by merging WM97/Class-D and WM97/Footer-A.
- WM97/Hope-AA. A combination of three different macro viruses (WM97/Hope-S, WM97/Class-D and WM97/Story). The Hope-S portion is the only portion that works however. The virus has a number of errors.
- WM97/Marker-CK. A Marker variant. On document close a third of the time a File Summary box will display showing the document author as Ethan Frome.
- WM97/Marker-GA. A virus created by merging WM97/Marker-O and WM97/Myna-C.
- WM97/Marker-GB. A Marker variant. It creates C:\NETLDX.VXD, a file that instructs the computer to FTP a log file (C:\HSF?.SYS where ? = a number) that the virus also creates. The log file documents infections.
- WM97/Media-A. A Word macro virus that displays a dialog containing “Dat mediatheekmens SUCKS!!!” on infection.
- WM97/Salim-A. A macro virus and mIRC worm. It spreads to network drives and via mIRC. It overwrites macros in ThisDocument if “‘PIJAVICA” is not the first line of code and affects the document contents. It does not disable Word’s built-in protection. It also fails in an attempt to infect all open documents. The virus writes the current infected document to SALIM_SE.DOC and WIN32DRV.DOC in the C:\ directory. SALIM_SE.DOC is also copied to all mapped drives. If mIRC exists a script will send SALIM_SE.DOC out via mIRC. On the 5th of any month a dropped batch file displays a text message.
- VBS/Davinia-A. A worm that attempts to take advantage of the Office 2000 UA Control vulnerability that allows websites to run Word macros silently. The worm can attack either through browsing an “infected” website or reading HTML E-mail that directs you to browse an “infected” website. If allowed to run, the worm runs a script that overwrites files on local and network drives. Be certain to have all security updates for Office installed!
- VBS/MBot-A. An E-mail worm in the attachment MATRIXBOT.VBS coming via a message with the subject “NewsMatrixBot [Test Run only]”. The worm copies itself to two locations: WIN32DLL.VBS in the Windows directory and to MSKERNEL32.VBS and MATRIXBOT.VBS in the System directory. The registry is changed to make the first two run at system start and the IE start page is set to the URL http://www.ashoppe.net. The worm sends itself to your Outlook address book.
- VBS/Mcon-B. A worm that spreads using networking sharing and mIRC. It installs in the Fonts directory and is run at system start. It PINGs random addresses and can go into an infinite loop.
- VBS/Sheep-A. An mIRC worm in the file COUNTERSTRIKERP.TXT….VBS where … is 100 spaces in an attempt to hide the actual .VBS extension and make you think this is simply a text file. The worm hides as the file RP.TXT.VBS in your System folder and STARTUP§.VBS in the Startup folder. As a payload the worm tries to use COUNTERSTRIKERP.BMP as wallpaper on various days throughout the month.
- VBS/Tqll-A. A script worm that comes as the attachment happynewyear.txt.vbs in an E-mail with the subject “New Year!”. It will mail itself to your Outlook address book and also drops the Trojan Downloader.
In closing: Go solar if you’re in California!