In This Issue:
It was a busy month for nasty software. Even so, I did not send out any alerts. There are two reasons: first, it’s not the purpose of this newsletter to be an alert service. That requires a higher level of involvement than I can devote. Second, all of the most current nasties used transmission techniques similar to Melissa. I would hope readers of this newsletter would, by now, be alert to E-mail transmission of attachments and check them out; even attachments from friends.
In general, all of these new attacks use Microsoft web software, although other makers’ programs are not completely immune.
BackDoor-G. This is a Trojan that, like others of its class, will allow others to gain remote access to your computer via a network. When run it starts a background task that turns your computer into a remote client. The Trojan is difficult to detect because it is able to change its name. This makes simple searches for it more difficult.
The Trojan has been reported to be distributed in the form of a screensaver and as an update to a computer game.
PrettyPark. This one is a French E-mail worm. When run the worm opens a custom IRC channel. Anyone on that channel can then obtain information from your computer and use it for whatever purpose they desire.
The worm is distributed as an E-mail attachment called PrettyPark.EXE which displays the Windows 3D pipe screen saver while it uses your E-mail address book to send itself to everyone listed there. As mentioned, it also connects to the custom IRC channel.
Fortunately, this one appears to be a bit buggy and so did not generate a world-wide problem.
Worm.ExploreZip. This one is the nastiest of the recent lot. It not only spreads but has a particularly nasty payload. As its name implies, this is yet another worm. It is spread largely by E-mail attachment (it can be spread by file transfer as well).
When run, this worm establishes itself in the system and monitors your E-mail inbox. As messages come in it forms an immediate response that uses the same subject as the incoming message and includes the text “Got your email. I’ll reply ASAP. Until then, here’s the zipped documents.” It then attaches a copy of itself as the file “zip_files.exe” to the message and sends it off. It does all this using Messaging Application Programming Interface (MAPI) commands so, in theory, it can exploit any application that uses MAPI.
If that’s all it did, the worm would be another Melissa. Unfortunately, this one also searches all hard disks (C through Z) on your system for files with the extensions .doc, .xls, .ppt, .c, .cpp, .h, or .asm (basically Word, Excel, PowerPoint, and programming source code files). When it finds one, it uses a file-create command to overlay a new file with the same name over the old one. This destroys the pointer to the old file in the directory (unlike the delete command, which simply marks the file’s space for potential reuse). Without the original pointer to the file it is extremely difficult to recover. So, while this worm spreads more slowly than Melissa did, it has the potential to do far more damage.
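The two traits the text gives for Worm.ExploreZip (the fixed reply sentence and the attachment name “zip_files.exe”) are enough for a mail gateway to hold the worm before it reaches an inbox. The following is an added example, not code from the newsletter or from any vendor: a small filter that quarantines messages showing either trait and holds any other message carrying an executable attachment for a human look, which is the newsletter’s own advice. The sample messages are constructed here; the suffix list and the “hold/quarantine/pass” verdicts are my assumptions about how a gateway would act.

```python
"""Gateway check for the Worm.ExploreZip reply pattern described above.

Added example, not the newsletter's own code. The indicators are the body
sentence and attachment name quoted in the text; everything else (the
executable-suffix list, the verdict names) is assumed for illustration.
"""
from dataclasses import dataclass, field

# Quoted from the worm description, normalized to lower case and straight quotes.
BODY_MARKER = "got your email. i'll reply asap. until then, here's the zipped documents."
WORM_ATTACHMENT = "zip_files.exe"

# Assumed list of attachment types a gateway should hold for review.
# ".scr" also covers the screensaver disguise used by BackDoor-G.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".pif")


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def normalize(text):
    """Fold curly quotes and case so the marker matches either spelling."""
    return text.replace("\u2019", "'").replace("\u2018", "'").lower().strip()


def explorezip_indicators(msg):
    """Return the worm-specific reasons that apply to this message."""
    reasons = []
    names = [a.lower() for a in msg.attachments]
    if WORM_ATTACHMENT in names:
        reasons.append("attachment named zip_files.exe")
    if BODY_MARKER in normalize(msg.body):
        reasons.append("body matches ExploreZip reply text")
    return reasons


def classify(msg):
    """Return (verdict, reasons): quarantine on worm indicators, hold on any executable."""
    reasons = explorezip_indicators(msg)
    names = [a.lower() for a in msg.attachments]
    executables = [n for n in names if n.endswith(EXECUTABLE_SUFFIXES)]
    if reasons:
        return "quarantine", reasons
    if executables:
        return "hold", ["executable attachment: " + ", ".join(executables)]
    return "pass", []


# Constructed sample traffic: a worm reply, a normal reply, and an unrelated executable.
SAMPLES = [
    Message("alice@example.com", "Q2 budget",
            "Got your email. I\u2019ll reply ASAP. Until then, here\u2019s the zipped documents.",
            ["zip_files.exe"]),
    Message("bob@example.com", "Q2 budget", "Attached is the spreadsheet.", ["budget.xls"]),
    Message("carol@example.com", "cool screensaver", "Check this out!", ["PrettyPark.EXE"]),
]


def run_samples():
    """Classify the constructed samples; returns [(sender, verdict), ...]."""
    return [(m.sender, classify(m)[0]) for m in SAMPLES]


if __name__ == "__main__":
    for sender, verdict in run_samples():
        print(f"{sender:22} {verdict}")
```

Note that the body check is deliberately exact rather than a loose keyword match: the worm sends the same sentence every time, so an exact match gives a near-zero false-positive rate, while the generic executable-attachment rule catches variants that change the text but keep the delivery method.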
The “Malformed Favorites Icon” problem relates to version 5 of Internet Explorer. In IE5 when you set a site into the Favorites list the browser searches for a “favicon.ico” file. If found, the browser reads the file and uses the graphic as part of the listing in the Favorites menu. The length of the file is not checked, however, and an unchecked buffer like that can allow arbitrary code to be loaded and run. See Microsoft Knowledge Base article Q231450 for more information.
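The defect the text describes is the classic one for any file format with length fields: the reader trusts what the file declares instead of checking it against what actually arrived. As an added example (not Microsoft’s code and not from the newsletter), here is a validating reader for the ICO directory that refuses an icon whose declared sizes or offsets run past the end of the data or past a sane cap before any image bytes are touched. The ICO layout used (a 6-byte ICONDIR followed by 16-byte ICONDIRENTRY records) is the documented format; the 256 KB cap and the builder used to forge samples are assumptions for the example.

```python
"""Bounds-checked ICO directory reader, added as an example of the missing
length check described above. Not the browser's code. The ICO structures are
the documented format; MAX_IMAGE_BYTES and build_icon() are assumptions used
to construct test files."""
import struct

ICONDIR = struct.Struct("<HHH")            # reserved (0), type (1 = icon), entry count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # width, height, colors, reserved, planes, bpp, size, offset
MAX_IMAGE_BYTES = 256 * 1024               # assumed cap; a menu icon never needs more


def parse_icon_directory(data, max_image_bytes=MAX_IMAGE_BYTES):
    """Return the directory entries of an ICO file, or raise ValueError.

    Every declared length is checked against len(data) before it is believed.
    Python ints cannot overflow, so offset + size is safe here; a C reader
    would also have to guard that addition against wrap-around.
    """
    if len(data) < ICONDIR.size:
        raise ValueError("truncated ICONDIR header")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an icon resource")
    table_end = ICONDIR.size + count * ICONDIRENTRY.size
    if table_end > len(data):
        raise ValueError(f"directory claims {count} entries but file is too short")
    entries = []
    for i in range(count):
        w, h, _colors, _res, _planes, bpp, size, offset = ICONDIRENTRY.unpack_from(
            data, ICONDIR.size + i * ICONDIRENTRY.size)
        if size > max_image_bytes:
            raise ValueError(f"entry {i} declares {size} bytes, above cap {max_image_bytes}")
        if offset < table_end or offset + size > len(data):
            raise ValueError(f"entry {i} points outside the file (offset {offset}, size {size})")
        # In ICO, a width or height byte of 0 means 256.
        entries.append({"width": w or 256, "height": h or 256, "bpp": bpp,
                        "offset": offset, "size": size})
    return entries


def build_icon(image_bytes, declared_size=None):
    """Constructed sample: a one-entry ICO. declared_size lets a test forge the length field."""
    size = len(image_bytes) if declared_size is None else declared_size
    offset = ICONDIR.size + ICONDIRENTRY.size
    header = ICONDIR.pack(0, 1, 1) + ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, size, offset)
    return header + image_bytes


def safe_to_load(data):
    """True only if the directory validates; this is the gate a viewer should pass first."""
    try:
        parse_icon_directory(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_icon(b"\x00" * 40)
    forged = build_icon(b"\x00" * 40, declared_size=0xFFFFFFFF)
    print("well-formed icon accepted:", safe_to_load(good))
    print("forged length rejected:  ", not safe_to_load(forged))
```

The point of the `offset < table_end` test is that a size field can be honest while the offset still aims the reader back into the header, so both ends of each region are checked, not just the total.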
The “Legacy ActiveX Control” problem allows an ActiveX control to be misused to read your local hard drive. This problem affects both versions 4 and 5 of the browser. See Microsoft Knowledge Base article Q231452 for more information.
The patch for these problems can be found at:
Items of Interest
Aesop. Long-term readers may remember awhile back when each newsletter ended with a section that described projects in work. One of those projects was creation of (yet another) web version of Aesop’s Fables. The project kept getting pushed back further and further and was subsequently dropped from the listing (as was the listing as it eventually smacked of vaporware). Well, for those who were wanting: rejoice. The major part of the Aesop project is complete and has been posted. You can find the collection at:
I’ve yet to do the correlation with a collection of proverbs, but eventually…. 🙂 [Note: It’s 2013 and I still have not.]
and its companion site:
At callwave.com you can sign up for a free incoming fax service. You are assigned a phone number. You use that number for incoming faxes. Any faxes received at that number are saved to a form of TIFF file and E-mailed to any E-mail address you specify when you sign up. All you need is a viewer (and there are many free viewers–you likely had one installed with Windows) to open the file, read it on screen and/or print it out. This is a great way to have a number people can send faxes to and a unique way for folks out of the US to obtain a US fax number that won’t cost them anything.
At fax4free.com you can sign up for an account that allows you to compose faxes on-line and send them to any US fax machine without cost. The catch? Along both sides of the cover sheet and all fax pages the receiver will find advertising. Maybe not something you’d want to use for business communications, but for casual communications it can’t be beat. When you sign up you will be asked a couple of questions I usually object to (e.g., how much do you make), but there is no reason to select the correct option from the menu. 🙂 [Note: These services may have changed since this was published.]
In closing: Be suspicious; be very suspicious!