In This Issue:
- Windows AOL Instant Messenger Vulnerability
- ATM Skimming
- MS Security (Unchecked Buffer in Universal Plug and Play can Lead to System Compromise)
- Java and XP
- Advanced Encryption Standard
- Trojans (JS/Seeker-E; Troj/Download-A; Troj/Palukka; Troj/Sub7-21-I)
- File Infectors (SWF/LFM-926)
- Macro Viruses (Interactions; WM97/Marker-JY; WM97/Opey-AX; XM97/Bdoc2-A)
- Worms (JS/CoolSite-A; JS/Gigger-A; VBS/Dismissed-A; VBS/Dismissed-B; VBS/Haptime-Fam; VBS/Grate-B; VBS/RTF-Senecs and Troj/Sub7-21-I; W32/Donut-A; W32/GOP-A; W32/Lohack-A; W32/Maldal-D; W32/Maldal-G; W32/Shatrix-A; W32/Sheer-A; W32/Shoho-A; W32/Zacker-C)
New acronyms/definitions added to CKNOW.COM this past month.
- [Removed. CKnow no longer catalogs acronyms/definitions]
Most of the time spent this past month (and probably several months to come) has been in cleaning up existing definitions. In reviewing a few of them I noted some things that could be expressed better and, in one or two rare cases, wrong information. So, I’ve taken on the task of going through each and every entry and fixing any errors found. So far, I’ve finished through “H”.
Windows AOL Instant Messenger Vulnerability. A buffer overflow was found in the Windows AIM client that could have let someone write a worm spreading through victims’ “buddy lists.” Left unpatched, such a worm could, in principle, have traversed AOL’s entire Instant Messenger population (about 100 million accounts). The flaw is in the AIM feature that lets people on your buddy list invite you to on-line games: a malformed game request overflows a buffer in the client, and an overflow of that kind lets the attacker run code of his choice with the user’s privileges. AOL’s response is a client patch plus filters on its servers to drop malformed requests before they reach clients. If you are a software developer, take note: this is yet another unchecked buffer, a length taken from the network and trusted. Never let that happen in your software; check every length against the buffer it is copied into before copying.
ClickTillUWin. Three popular file-swapping (peer-to-peer) programs, KaZaA, Grokster and LimeWire, were for a time distributed with a Trojan bundled in. The Trojan rode along in an on-line lottery client called ClickTillUWin. KaZaA shipped it for about a week in December, Grokster for about three weeks, and LimeWire until the first of the year. ClickTillUWin installed even if you declined the bundled applications during setup. Its program, DLDER.EXE, downloaded a file named EXPLORER.EXE which, when run, sent an ID and your IP address to a Web site. That site has since been shut down and the program did nothing else, so the Trojan no longer causes harm; still, remove it, because DLDER.EXE and EXPLORER.EXE reinstall each other (see Troj/Download-A below). The main thing to watch when cleaning up is that there is a genuine Windows file called EXPLORER.EXE, located in the Windows directory itself (\WINDOWS, or \WINNT on NT/2000). The Trojan’s EXPLORER.EXE lives in a hidden \WINDOWS\EXPLORER\ subdirectory. Make certain you delete the right one!
ATM Skimming. Thieves have developed a way to obtain not only your ATM card number but also your PIN. Skimming of this kind is not yet widespread but is technically straightforward. The ATM is fitted with two small devices: a reader on the card slot that copies the magnetic stripe as your card goes in, and a thin overlay on the keypad that records the keys you press. Both store their data in a memory module for later retrieval. The stripe data are then encoded onto blank cards which, together with your PIN, let the thieves pretend to be you. This is only the latest in a variety of scams aimed at ATM users.
In another, thieves jam the card slot so the ATM holds onto the card once it is inserted. While the user struggles with the machine a thief approaches and suggests entering the PIN several times to recover the card, watching as it is typed. When that fails the user leaves; the thief then retrieves the card and, knowing the PIN, accesses the account.
Scams and skims like these typically take place at stand-alone ATMs, which usually lack the camera coverage bank ATMs have. Protect yourself…
- Keep your PIN safe. Don’t give it to anyone, ever!
- Watch out for people who try to “help” you at an ATM.
- Look at the ATM before using it. If it doesn’t look right, don’t use it.
- If your card is not returned, IMMEDIATELY call the bank and have the card blocked and a stop put on the account.
- Check statements regularly; if you have on-line access, check them daily. Report any and all suspicious activity.
- Unchecked Buffer in Universal Plug and Play can Lead to System Compromise.
Universal Plug and Play (UPnP) lets a computer discover devices, including network devices, and install them automatically. Two vulnerabilities were found in Microsoft’s UPnP implementation (Microsoft bulletin MS01-059). The first is the old standby, a buffer overrun: a malformed NOTIFY directive, the SSDP message a device sends to announce itself on the network, overruns a buffer in the UPnP service and could run the attacker’s code with the service’s privileges, potentially taking over the computer. The second also involves NOTIFY. The directive tells the service where to fetch the device’s description, and the service fetches it from whatever address is given, so an attacker can point it at a host and port of his choosing. Aimed at an echo-style service, the description request bounces straight back and the UPnP service requests it again, endlessly; sent to many UPnP machines with a third party’s address in it, the directive turns them all into a flood of bogus requests against that machine. Windows XP, which ships with UPnP enabled, is the main target, but Windows ME systems with UPnP installed and Windows 98/98SE systems on which the XP Internet Connection Sharing client had been installed are also affected. A patch is available at the above URL. If you do not need UPnP, disabling it (and blocking UDP port 1900 and TCP port 5000 at the firewall) removes the exposure altogether.
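The AIM game-request flaw above and the UPnP NOTIFY overrun are the same defect: a length taken off the network is copied into a fixed buffer without being checked against it. The following C program is an added example to illustrate that pattern; it is not code from AOL, Microsoft or the advisories. The message layout follows SSDP (a NOTIFY line followed by HTTP-style headers, whose names are case-insensitive), but the parser, the buffer size LOCATION_MAX and the sample messages are constructed for this example. parse_location_unchecked shows the mistake; parse_location_checked shows the fix.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the device-description URL is copied into
 * (an assumed size for this example). */
#define LOCATION_MAX 256

/* Result codes shared by both parsers. */
enum { LOC_OK = 0, LOC_MISSING = -1, LOC_TOO_LONG = -2 };

/* Case-insensitive compare of n bytes (HTTP/SSDP header names are
 * case-insensitive). */
static bool ci_eq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* Finds header `name` in a CRLF-delimited message. On success returns a
 * pointer to the value (leading blanks skipped) and stores its length in
 * *vlen; returns NULL if the header is absent. */
static const char *find_header(const char *msg, const char *name, size_t *vlen) {
    size_t nlen = strlen(name);
    const char *line = msg;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && line[nlen] == ':' && ci_eq(line, name, nlen)) {
            const char *v = line + nlen + 1, *vend = line + llen;
            while (v < vend && (*v == ' ' || *v == '\t')) v++;
            *vlen = (size_t)(vend - v);
            return v;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return NULL;
}

/* VULNERABLE: the defect both advisories describe. The header value is
 * copied into a fixed-size buffer with no check of its length, so a
 * LOCATION value of LOCATION_MAX bytes or more overruns `out`. */
static int parse_location_unchecked(const char *msg, char out[LOCATION_MAX]) {
    size_t vlen;
    const char *v = find_header(msg, "LOCATION", &vlen);
    if (!v) return LOC_MISSING;
    memcpy(out, v, vlen);          /* vlen comes from the network, unchecked */
    out[vlen] = '\0';
    return LOC_OK;
}

/* HARDENED: the caller states the buffer size and an oversized value is
 * rejected before anything is copied. */
static int parse_location_checked(const char *msg, char *out, size_t out_size) {
    size_t vlen;
    const char *v = find_header(msg, "LOCATION", &vlen);
    if (!v) return LOC_MISSING;
    if (vlen >= out_size) return LOC_TOO_LONG;   /* keep room for the NUL */
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return LOC_OK;
}

/* Constructed sample: a well-formed SSDP NOTIFY as a UPnP device would send. */
static const char BENIGN_NOTIFY[] =
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "Location: http://192.168.1.1:5000/description.xml\r\n"
    "\r\n";

/* Constructs a NOTIFY whose LOCATION value is `loc_len` bytes of 'A'.
 * Returns the message length, or 0 if it does not fit in buf. */
static size_t build_notify(char *buf, size_t bufsz, size_t loc_len) {
    static const char head[] = "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nLOCATION: ";
    static const char tail[] = "\r\nNT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n\r\n";
    size_t hlen = sizeof head - 1, tlen = sizeof tail - 1;
    if (hlen + loc_len + tlen + 1 > bufsz) return 0;
    memcpy(buf, head, hlen);
    memset(buf + hlen, 'A', loc_len);
    memcpy(buf + hlen + loc_len, tail, tlen + 1);   /* includes the NUL */
    return hlen + loc_len + tlen;
}

/* Feeds a NOTIFY with a LOCATION of loc_len bytes to the checked parser and
 * returns its result code. */
static int check_location_of_length(size_t loc_len, char *out, size_t out_size) {
    static char msg[4096];
    if (build_notify(msg, sizeof msg, loc_len) == 0) return LOC_MISSING;
    return parse_location_checked(msg, out, out_size);
}

int main(void) {
    char out[LOCATION_MAX];
    printf("benign, checked:    %d  %s\n", parse_location_checked(BENIGN_NOTIFY, out, sizeof out), out);
    printf("benign, unchecked:  %d  %s\n", parse_location_unchecked(BENIGN_NOTIFY, out), out);
    /* 1000-byte LOCATION: the checked parser refuses it. The unchecked one is
     * deliberately not called here; with this input it would overrun `out`. */
    printf("oversized, checked: %d\n", check_location_of_length(1000, out, sizeof out));
    return 0;
}
```

The oversized message is only ever fed to the checked parser; passing it to parse_location_unchecked would overrun the buffer for real, which is exactly what the advisories describe. The rule the fix illustrates: the function that owns the destination buffer knows its size, so the bound is checked there, before the memcpy, and never assumed from what the sender supplied.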
Java and XP. If you’ve upgraded to XP you may have noticed that no Java components are installed. As you might recall, Microsoft and Sun fought over Java in court and the outcome went largely Sun’s way; Microsoft’s response was simply to leave its Java components out of XP. So you will have to go to Sun for a Java runtime. Use this URL…
Advanced Encryption Standard. The old Data Encryption Standard (DES) for the U.S. Government is finally being replaced. Under the Commerce Department’s order, the Advanced Encryption Standard (FIPS 197) takes effect on May 26, 2002 (hmmm, just when did the Government meet a deadline?). AES is not simply “a 128-bit algorithm”: it works on 128-bit blocks with a key of 128, 192 or 256 bits, against DES’s 64-bit block and 56-bit key. The 56-bit key is what killed DES; the EFF’s Deep Crack machine brute-forced one in 1998 for under $250,000, and hardware progress (some desktops are now like early Crays) only makes that cheaper. A 128-bit key has 2^72 times as many values, so AES will not fall to brute force in ten years, or in a hundred, on any hardware we can foresee; if it is ever weakened it will be by a flaw found in the algorithm, not by faster CPUs. Triple DES remains approved for the time being (FIPS 46-3 had already relegated single DES to legacy systems). If your business uses DES for Government work, be aware that you will have to convert to AES soon.
There are a number of new viruses described this month. They are listed below.
Here’s what we might learn from these various attacks:
- Never open any attachment from anyone you don’t know.
- Don’t even open attachments from people you know if you are not expecting them.
- If you use Outlook, Outlook Express or any other E-mail software that renders messages with Microsoft’s Internet Explorer components, turn off the preview pane (or the use of those components). The preview pane renders an HTML message, and any script in it, as soon as the message is selected, so you can be infected without opening any attachment.
- While RTF files cannot carry macros, they can carry malicious software as embedded objects; don’t open such objects unless you are absolutely certain what they are, and remember that an object’s icon can be changed to look “friendly” (see VBS/RTF-Senecs below).
- Things not previously attacked (e.g., Flash movies) might be in the future.
- There are a number of people with questionable ethics who have far too much time on their hands. 🙁
Don’t forget our virus tutorial site.
More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites:
- JS/Seeker-E. A script Trojan that exploits a Microsoft vulnerability described at:
The Trojan changes Internet Explorer’s settings in the registry so that they generally point to porn sites.
- Troj/Download-A. The Trojan that was bundled with ClickTillUWin (see above). It has two components, DLDER.EXE and EXPLORER.EXE; DLDER.EXE is the one distributed. When run, DLDER.EXE creates a hidden Windows\EXPLORER folder, downloads EXPLORER.EXE from the Internet into it and adds a registry entry so that file runs at system start. EXPLORER.EXE then sends information about you over the Internet, copies DLDER.EXE into the Windows directory and adds a second registry entry to run that at system start, too. The two thus back each other up: delete EXPLORER.EXE alone and DLDER.EXE fetches it again at the next start, so both files and both registry entries have to go.
- Troj/Palukka. A backdoor Trojan that allows a remote user to control your computer over IRC channels. It uses various file names and sets the registry so the file name picked will run at system start. IRC or E-mail is used to notify the “community” that it is running.
- Troj/Sub7-21-I. See VBS/RTF-Senecs and Troj/Sub7-21-I below.
- SWF/LFM-926. Here you have the first virus that infects Shockwave Flash (.SWF) files. You see these mainly as animations on Web sites; they are fairly common. The virus takes its name from the message it displays while infecting other .SWF files it finds: “Loading.Flash.Movie…”. It is really a hybrid: script in the Flash file runs the DOS DEBUG utility with a script that writes out the file V.COM, then runs it, and it is V.COM that infects other .SWF files. This is largely a proof-of-concept virus, but it demonstrates that .SWF files can carry exploits and should be watched.
- Interactions. Various viruses are created by the combination of two other viruses. These are listed here: WM97/Ded-V (combines WM97/Ded-B and WM97/Class)
- WM97/Marker-JY. A Word macro virus that uses C:\HIMEM.SYS for its replication code (although that file itself is not infected). If you attempt to edit macros in an infected document you’ll get an error message telling you to reinstall Word.
- WM97/Opey-AX. A Word macro virus that basically plays several pranks. It changes Word’s user information and file properties. Both contain “OPEY A.” as well as other text. The Customize option for Macro and Tools is hidden. And, on 1 Jan, 9 Sept, and 1 Oct the virus will change AUTOEXEC.BAT to display a message wishing you Happy Birthday from Carlo O. You’ll need to press the space bar to clear the message.
- XM97/Bdoc2-A. An Excel macro virus that uses the file AUTORUN.XLA to spread. It has two payloads: one will display a message on 26 April, the other will end the current Windows session if the day is a multiple of five (e.g., 5th, 10th, 15th,… of the month).
- VBS/Dismissed-A. This beast spreads via mIRC and network shares. If run, you’ll find ROL.VBS on your system and your IE home page changed. The worm tries to delete anti-virus products. It also copies itself onto files with the extensions LNK, ZIP, JPG, JPEG, MPG, MPEG, DOC, XLS, MDB, TXT, PPT, PPS, RAM, RM, MP3 and SWF, appending VBS as a second extension (so PHOTO.JPG becomes PHOTO.JPG.VBS). Files with HTM, HTML and ASP extensions get code added that points to a page carrying the VBS/Dismissed-B worm, which then runs each time the page is viewed. After all this, the worm shows a message and tries to shut the system down.
- VBS/Dismissed-B. An “advanced” version of Dismissed-A that adds E-mail capability. In addition to doing all of the above when executed, this version sends E-mail using Outlook. The subject is “Very important !!!” The body points to a page infected with Dismissed-B.
- VBS/Haptime-Fam. A family of E-mail worms that use Outlook Express 5 to spread. They infect files with the extensions VBS, HTML, HTM, HTT and ASP. If the month number and the day of the month add up to 13 (e.g., 1 December), the worm tries to delete .EXE and .DLL files on the infected system.
- VBS/Grate-B. An E-mail worm with the subject “Merry Christmas!!!” and an empty body. The attachment is GREETINGS.TXT.VBS (note the double extension: Windows hides the .VBS by default, so it looks like a text file). If run, the worm installs itself in the Windows\Cursors directory and mails itself to your Outlook address book. It also sends your .PWL (Windows 9x password list) files to an address in Poland.
- VBS/RTF-Senecs and Troj/Sub7-21-I. The worm arrives as SCENES.ZIP attached to a message about a “Scene from last weekend.” Inside the zip is a Rich Text Format (RTF) document called SCENES.WRI. RTF files cannot carry macros, but they can carry embedded objects, and those can be anything; this is a case in point. The document holds two embedded objects with image-file icons that are actually Trojan executables. The first (Troj/Senecs) drops a VBS file that mails SCENES.ZIP to your Outlook address book, and it drops two further Trojans, Troj/Optix-03-C and Troj/WebDL-E. The second (Troj/Sub7-21-I) is a backdoor that, once run, opens the contents of your computer to remote attack and control. Of the dropped pair, Troj/Optix-03-C is also a backdoor that gives a remote user control of your computer; it sets a registry entry to run itself at system start. Troj/WebDL-E tries to download and run a further Trojan (again Troj/Sub7-21-I) from a Web site and, if successful, sends a notice over ICQ and deletes itself.
- W32/Donut-A. Another first: a worm that attacks .NET executables, the files used by Microsoft’s .NET initiative. Under Windows XP you may see a message upon infection. Under Windows 2000 the worm creates many copies of the attacked files, each with spaces inserted between the root name and the extension, so it is easy to spot on the system (a mistake likely to be corrected in future versions). Like most “firsts”, consider this a proof of concept.
- W32/GOP-A. An E-mail worm that arrives as an attachment with a double extension (the second, real one executable). If run, it creates two files in Windows\System, IMEKERNEL32.SYS and KERNELSYS32.EXE, and changes the registry so IMEKERNEL32.SYS runs at system start. The worm spreads itself via E-mail and tries to steal ICQ passwords.
- W32/Lohack-A. An E-mail worm that sends itself out through a MAPI client (e.g., Outlook or Outlook Express). It arrives posing as a course in computer hacking, in the file HACKING.EXE. If you run it, it searches for files with the extensions TXT, HTM, EML, MSG, DBX, MDX, NCH or IDX, pulls any mail addresses enclosed in “<>” brackets out of them and sends itself to those addresses. It does not set itself to run at start-up; it runs only when you launch the file.
- W32/Maldal-D. An E-mail worm whose subject and attachment root name are the same: the name of the computer that sent it. The message text varies, drawn from a list in the worm. If run, the worm displays an error message (Run time error ’71’); while you read it, the worm copies itself to WIN.EXE in the Windows\System folder and adds a registry entry to run that file on system start. It then attacks anti-virus and security software by searching for common product folder names and deleting the files in them. It also deletes files with these common extensions: HTM, PHP, HTML, COM, BAT, MDB, XLS, DOC, LNK, PPT, JPG, MPEG, INI, DAT, ZIP and TXT. As a final insult, the computer’s name is changed to ZaCker.
- W32/Maldal-G. See the above write-up for Maldal-D. This worm is the same except that the incoming subject and attachment are named ZaCker and ZaCker.exe.
- W32/Shatrix-A. An E-mail worm that arrives in a message with the subject “FW:Shake a little” and the attachment SHAKE.EXE. The worm copies itself to Windows\System with a random name and sets the registry to run that file on system start. It shows itself as a window moving around the screen. It also searches in \INETPUB\WWWROOT for .HTM, .HTML, and .ASP files which are changed to include messages about “MatriX.”
- W32/Sheer-A. A worm that exploits a Microsoft vulnerability described at:
- W32/Shoho-A. A worm that exploits a Microsoft vulnerability described at:
The arriving E-mail has the subject “Welcome to Yahoo! Mail” and an attachment that appears to be README.TXT but actually has a long run of spaces after the .TXT followed by .PIF, the real extension, which makes the file executable (Windows hides known extensions by default, so it may display as just README.TXT). The worm drops WIN10G0N.EXE into Windows and Windows\System and sets the registry to run these on system start. It uses various techniques to find addresses to send itself to, and it deletes random files from the directory it is running in (if that is Windows or Windows\System, your system may start to misbehave in random ways). A number of Shoho versions have appeared to form a family; all operate in a similar manner.
- W32/Zacker-C (W32/Reeezak.A@mm). A worm that uses Outlook or MS Messenger to spread. The subject is “Happy New Year” and the attachment is CHRISTMAS.EXE. The body wishes you a Happy New Year. If run, the attachment copies itself to the Windows folder and changes the registry to run that file on system start. The registry entries setting the computer’s name and browser home page are also changed and the worm tries to disable the keyboard.
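The disguised attachments in this list (W32/Shoho-A’s README.TXT followed by spaces and .PIF, VBS/Grate-B’s GREETINGS.TXT.VBS, W32/GOP-A’s double extension) all rely on the same trick: Windows acts on the last extension and, by default, hides it for known file types, so the user sees a document name. The following C program is an added example, not code from any anti-virus vendor or from this newsletter, of how a mail gateway or attachment filter can classify a file name by its real extension and flag the two disguises. The extension lists and the sample names are constructed for the example. Note that an extension check says nothing about content: SCENES.WRI from VBS/RTF-Senecs, which carries its Trojans as embedded objects, passes as plain.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Extensions Windows runs or interprets as script when the file is opened.
 * An assumed list for this example; extend it for your environment. */
static const char *const EXEC_EXTS[] = {
    "exe", "com", "pif", "scr", "bat", "cmd", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "lnk", NULL
};

/* Extensions users read as harmless documents or media (assumed list). */
static const char *const DOC_EXTS[] = {
    "txt", "doc", "xls", "ppt", "rtf", "wri", "htm", "html", "jpg", "jpeg",
    "gif", "bmp", "mpg", "mpeg", "mp3", "zip", "pdf", NULL
};

enum verdict { PLAIN = 0, EXECUTABLE = 1, DISGUISED_EXECUTABLE = 2 };

/* True if the `len` bytes at `ext` match one entry of `list`, ignoring case. */
static bool in_list(const char *ext, size_t len, const char *const *list) {
    for (; *list; list++) {
        if (strlen(*list) != len) continue;
        size_t i = 0;
        while (i < len && tolower((unsigned char)ext[i]) == tolower((unsigned char)(*list)[i])) i++;
        if (i == len) return true;
    }
    return false;
}

/* Classifies an attachment file name by its real (final) extension, then
 * looks for the two disguises described above: a document-type extension
 * immediately before the real one (GREETINGS.TXT.VBS) and whitespace
 * padding that pushes the real extension out of view (README.TXT   .PIF). */
static enum verdict classify_attachment(const char *name) {
    const char *last_dot = strrchr(name, '.');
    if (!last_dot) return PLAIN;

    /* The extension Windows acts on is whatever follows the last dot. */
    const char *ext = last_dot + 1;
    size_t ext_len = strlen(ext);
    while (ext_len > 0 && isspace((unsigned char)ext[ext_len - 1])) ext_len--;
    if (!in_list(ext, ext_len, EXEC_EXTS)) return PLAIN;

    /* Walk back over any padding before the last dot, then back to the
     * previous dot, to recover the extension the user was meant to see. */
    bool padded = false;
    const char *seg_end = last_dot;
    while (seg_end > name && isspace((unsigned char)seg_end[-1])) { seg_end--; padded = true; }
    const char *seg_start = seg_end;
    while (seg_start > name && seg_start[-1] != '.') seg_start--;
    bool inner_doc = seg_start > name &&
                     in_list(seg_start, (size_t)(seg_end - seg_start), DOC_EXTS);

    return (padded || inner_doc) ? DISGUISED_EXECUTABLE : EXECUTABLE;
}

static const char *verdict_name(enum verdict v) {
    switch (v) {
    case EXECUTABLE:           return "executable";
    case DISGUISED_EXECUTABLE: return "executable disguised as a document";
    default:                   return "not executable by extension";
    }
}

int main(void) {
    /* Constructed sample names modelled on the attachments described above. */
    const char *samples[] = {
        "README.TXT                                   .PIF",   /* W32/Shoho-A */
        "GREETINGS.TXT.VBS",                                   /* VBS/Grate-B */
        "HACKING.EXE",                                         /* W32/Lohack-A */
        "CHRISTMAS.EXE",                                       /* W32/Zacker-C */
        "holiday.jpg",
        "SCENES.WRI",                                          /* RTF: see the caveat */
        "archive.tar.gz",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-52s -> %s\n", samples[i], verdict_name(classify_attachment(samples[i])));
    return 0;
}
```

Treat DISGUISED_EXECUTABLE as a strong signal for quarantine; EXECUTABLE alone is a policy decision (many sites simply block every executable attachment). Neither verdict replaces a content scan, since a document extension can still hide a macro or, as with SCENES.WRI, an embedded executable object.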
In closing: Have a safe new year.