Computer Knowledge Newsletter – June 2001 Issue

In This Issue:

  • Hoaxes Dangerous
  • Remote Keyboard/Mouse Snooping
  • Maintaining Privacy
  • I Surrender
  • Social Engineering
  • MS Security (Flaws in Web Server Certificate Validation Could Enable Spoofing; HyperTerminal Buffer Overflow Vulnerability; Predictable Name Pipes Could Enable Privilege Elevation via Telnet; RTF Document Linked to Template Can Run Macros Without Warning)
  • Phone Bug
  • Trojans (SubSeven in McVeigh Video; Goga)
  • Macro Viruses (Variants; WM97/Bleck-B; WM97/Marker-HJ; WM97/Opey-AU; WM97/Thus-EN; WM97/Wrench-N; XM97/Barisada-Y; XM97/Laroux-OC)
  • Worms (AplS/Simpsons-A; Linux/Cheese; VBS/Lovelet-CE; VBS/Lovelet-CM [Jennifer Lopez]; VBS/VBSWG-Z; W32/Choke; W32/Fever; W32/Matcher-B; W32/MissWorld; W32/Weather)

General Security

Hoaxes Dangerous. It had to happen… In the past hoaxes were largely just that, meaningless pranks that clogged up the wires. Now, the latest are actually dangerous in that they are saying real system files are time-delayed viruses and that you should delete them from your system to prevent damage. The most “popular” such message references the file SULFNBK.EXE. DON’T FALL FOR IT! This file is actually a valid system file used to restore long file names. Adding to the confusion is that some people have been forwarding a copy of the file to people in case they accidentally deleted it and this copy is actually infected with the Magistr virus!

As in all cases. Keep you anti-virus software up-to-date and trust it. Generally ignore warnings that have been forwarded multiple times and are laced with all caps to draw attention to themselves. If in doubt, go to a known anti-virus site and check there for notice or the latest hoax. Or, go directly to the VMyths site at… Link

Most certainly do NOT forward the message to a bunch of other people and spread the hoax further. If you got it from a known source, consider sending a note back to them after you debunk it so they don’t spread it further. Nip these things in the bud.

If you fell for the hoax and actually deleted SULFNBK.EXE do NOT just copy the file from another user and most certainly do NOT install a copy you received from anyone via E-mail. Instructions for recovery of the file (it is an optional Windows file so it’s not absolutely necessary to recover it) are at… Link

Remote Keyboard/Mouse Snooping. Way back when I was in the military we had a program called TEMPEST which produced hardened electronic equipment. The hardening was necessary because the stray radiation from such equipment could, under the right circumstances, be picked up at some distance from the device and recorded; thus revealing, for example, what was on the computer screen. Generally, devices today are fairly low emission and with control of the physical security of the location around the device it’s not as necessary to have a TEMPEST device to process secure information as it used to be.

But, along comes the wireless keyboard and mouse…

Logitech, for example, markets a wireless keyboard and mouse that operates in a known frequency band and with a known clear-text protocol. With the right equipment, a snooper can relatively easily force a reset of the connection between a user’s keyboard and PC and then monitor and capture that connection. With the link, the snooper can either just sit and “listen” to all the keystrokes, capturing logins, passwords, etc. or, in the extreme, take over the computer.

This is not a major problem as this type of attack requires a specific one-on-one attack with directional equipment. Also the snooper has to be fairly close as the power output is low for the connection.

But, this type of attack is a real possibility. So, if you are processing sensitive data using a wireless keyboard/mouse, you might want to just consider going back to a wired configuration; at least until such connections are encrypted.

Maintaining Privacy. Identity theft continues to be a major problem so protecting those things that make identity theft easy is something to consider. Here are a few random ideas…

  • Minimize the number of credit cards you carry. This point should be fairly obvious; but many people maintain and carry large numbers of cards. This is simply foolish. Also, since the numbers for all your cards are in your credit report if that report is compromised you are giving the identity thief just that much more info.
  • Photocopy all your credit cards (front and back) and keep these copies and contact numbers for the companies in a safe place away from the cards themselves. This way, if a problem should arise where your card(s) are stolen you have all the information the credit card company will be asking for on hand. (Obviously, don’t store these copies anywhere someone can easily get to them!)
  • Check your credit reports each year for inaccurate info (there are three major credit companies to get reports from).
  • When developing a PIN or password DON’T USE SOMETHING OBVIOUS. I know they are hard to remember; but using your birthday, your name, or even consecutive numbers is really easy to guess. And, once you have them, REMEMBER THEM; don’t write them down–and particularly don’t write them down on the card they apply to!
  • Protect your Social Security Number (SSN). Don’t write it on anything not absolutely necessary (e.g., tax form). If somebody wants it, ask if you can provide an alternate number of some sort. And, if an institution is currently using it for ID on an account, badger them to change that policy. Don’t let merchants write the SSN or credit card numbers on checks. Checks pass through too many hands to be secure. (Also, in California, at least, Civil Code 1725 makes writing a credit card number on a check illegal.)
  • Don’t give out your mother’s maiden name. It’s often the key to your bank accounts. I’ve been asked at a number of internet merchants for my mother’s maiden name. She would be surprised at what it was in my answer[Smile]. On a related note, don’t post a bunch of genealogical information on your Web site or in some genealogical forum. It’s really easy to just move up the tree a branch or so to find your mother’s maiden name there.
  • Review all bills for unauthorized entries. And, I mean ALL bills; not just credit card statements.
  • Keep your canceled checks in a safe place. If you ignored some of the advise above a treasure trove of information can be found on them.

It’s a shame measures like the above have to be taken. But, if you don’t you make yourself more vulnerable. Crooks basically like to take the easiest route so if you make it easy for them you are the one they will attack instead of someone who makes it hard.

I Surrender. Recently, Steve Gibson posted the following on his site: “I surrender right now, completely and unconditionally.” This was as a result of a distributed denial of service attack against him. The story behind the attack, his initial response, and the followup attacks is riveting. It’s a long read, but well worth the time. See… Link

And, the surrender notice is at…

[Link 404]

Social Engineering. While there are still lots of viruses, the latest is the refinement of social engineering techniques that are designed to make you click on an E-mail attachment. Initially, the simplest technique was used: the message was made to come from someone the receiver knew and had corresponded with. The idea here was to make the receiver comfortable. The technique involved sending the worm/virus/Trojan to various people in the infected person’s address book. The content and format of these message was usually fairly crude.

While the same basic transmission technique continues in the latest transmissions, the message has been refined a bit. Some of the latest techniques involve:

  • An appeal to sex. A long-time favorite, an appeal to sex still seems to work. One of the latest circulating messages teases you with the thought that you can see Miss World in the attachment.
  • An appeal to the unavailable. Apple users recently got included in the worm frenzy with a message that tempted receivers with access to unshown episodes of the Simpsons.
  • An appeal to the forbidden. Similar to the above, this one was a message that touted the availability of a video of the McVeigh execution. Despite the fact that the TV link was heavily encrypted and secure, the thought of the forbidden fruit was still a strong lure.

And, it’s only going to get worse so put away your curiosity and just ignore these sorts of appeals. After all, what is the probability that your co-worker/friend is actually going to get his/her hands on one of these forbidden fruits?

MS Security. Microsoft has issued a a number of new security bulletins this past month. Here is a selection. Please see all current alerts at: Link

General Interest

Phone Bug. Some Internet-enabled phones in Japan seem to have a bug that allows a malicious user to insert code into an E-mail that, when the E-mail is opened (the bug is in the E-mail text, not an attachment), causes that code to execute and take over the phone’s “Call” and “Mail” functions. The bug affects roughly 13 and a quarter million phones (that’s right, 13,250,000). One of the malicious messages causes the phone to dial Japan’s emergency number (110). Other messages cause the phone to mass-dial randomly or freeze the phone’s functions. Users should be careful and request a software upgrade software as problems are found. No recall is planned. Affected phones are Internet-enabled (i-mode) models made by NEC, Fujitsu, Mitsubishi Electric, Sony and Matsushita.

Virus News

There are a number of new viruses described this month. They are listed below.

Don’t forget our virus tutorial site.

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites: Link Link

Trojans. These important new Trojans appeared recently:

  • SubSeven in McVeigh Video. A booby-trapped Web page showed up shortly after the McVeigh execution. The invitation to view the page indicated it contained a video of the execution. Instead of that, the page contained code that installed an executable on user systems (assuming the user allowed it). The executable contained the SubSeven Trojan. SubSeven basically allows attackers to take over a user’s computer and either monitor what’s going on or actually control the computer by remote control. Yet another case of social engineering.
  • Goga. A flaw in Word allows a Trojan distributed in a Rich Text File (RTF) format to attack a system on which the RTF file is edited. The flaw allows the RTF file to link to a template on a remote (Russian) Web site (the link is allowed because Word seems to think that because the macro is running on your computer you automatically say it’s OK to perform the link). The template contains a macro that steals and sends information about you to a different site. This beast is not widespread and does not spread on its own; however, many people believe that RTF files are completely benign and will click on one where they might not click on a DOC file. This beast just shows that no attachment can be assumed safe; they have to be examined/tested. (See the Microsoft security section above for a patch.)

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • Variants. The following variants have been observed but generally carry no payload: WM97/Marker-HL, WM97/Myna-AR
  • WM97/Bleck-B. A Bleck variant which activates on 31 August. On that date the virus inserts text at the start of a Word document: “A CURSE FROM BLACKROSE TO SOMEONE HE HATES. HIJADIPUTA KANG HAYUP KA! BURAY MO, SAKA BURAY NI INA MO! HAYUP KA! SAYANG KA, HAYUP KA! HAYUP KA TALAGA! VIRGOBLACKROSE Virus Development Libmanan Camarines Sur”
  • WM97/Marker-HJ. A Marker variant that takes the file’s summary info and tries to send it to Codebreakers via FTP. The info is added to the end of the macro as well.
  • WM97/Opey-AU. A complex macro virus that removes Macros from the Tools menu and disables the Visual Basic Editor. The Word User Information is also changed to include: “eUgEnE ” and “Ghostfighter Certified”. There are five payloads that are date sensitive. November you are questioned about what a work-avoider is called. Answer “slacker” or “slackers” and you can continue; anything else re-asks the question and closes Word after three wrong answers. On 27 February you’ll see the message: “Happy B-DAY to ROSE MOLINA and MIRSA MERZA”. A different message containing such text as “UERMMMC” and “pa-coffee naman kayo dyan” pops up 16 October. 3 October brings up a birthday greeting to the virus’ author and 27 July brings up a birthday greeting to the author’s “one and only Rica M.”.
  • WM97/Thus-EN. Pops up an Office Assistant message containing “PEPO PUNDA” and “hallo this little VIRUS is a little harmless”.
  • WM97/Wrench-N. A Wrench variant. The payload macro is defective and does not work. The code that spreads is in ASCII.VXD in the root directory.
  • XM97/Barisada-Y. A Barisada variant that spreads via KHM.XLS in the XLSTART directory. This variant does not display the common message box series usually seen with Barisada.
  • XM97/Laroux-OC. A Laroux variant that spreads via BINV.XLS in XLSTART.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • AplS/Simpsons-A. The first AppleScript worm. It uses Outlook Express or Entourage on the Macintosh to spread via E-mail to your address book entries. While sending the mails your browser is directed to display a site about the TV show “The Simpsons.” The social engineering “hook” that is used to get you to click on the attachment is the promise of seeing “Hundreds of Simpsons episodes…just secretly produced and sent out on the internet.” One of the attachments to the E-mail is the worm script which installs into the Startup Items folder and runs at system start.
  • Linux/Cheese. A worm that claims to be a “good virus” and claims to be able to remove Linux/Lion from infected systems. It doesn’t. If run, it will install to /tmp/.cheese. Lines containing /bin/sh are then removed from /etc/inetd.conf. Finally, it looks for other machines with Linux/Lion backdoors to which to spread.
  • VBS/Lovelet-CE. One of many LoveLetter variants. It arrives in the attachment NEWSMAIL.VBS to a message with the subject “News Email Beta Run1.01”. If run it copies itself to MSKERNEL32.VBS with a safety copy in NEWSMAIL.VBS, both in the Windows System directory as well as WIN32DLL.VBS in the Windows directory. These files are set to run on system start. It tries to send itself to your address book.
  • VBS/Lovelet-CM (Jennifer Lopez). An E-mail worm that spreads via the attachment JENNIFERLOPEZ_NAKED.JPG.VBS. The message indicates this is a naked picture of Jennifer Lopez on the beach (read the social engineering article above if you have not already). If run, the worm searches for and replaces files with the following extensions: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, JPG, .JPEG, .MP2 and .MP3. The registry is changed to indicate the virus is present and it is also caused to run on system start. It sends itself to all entries in your address book. It also drops and runs a W95/CIH (Chernobyl) variant. Basically, a nasty beast.
  • VBS/VBSWG-Z. An E-mail worm that spreads through the attachment MAWANELLA.VBS. The message indicates the attachment concerns a Sri Lanka Muslim Village. When run, a message box tells you to forward the message to others (a sort of “manual” worm) and then shows a burning house with a message about how portions of the village were destroyed.
  • W32/Choke. A worm that spreads via the MSN Messenger instant messaging program. When run it sets the registry to cause it to run at system start. It then displays two dialog boxes. One says “This program needs Flash 6.5 to run!” and the other “Cannot run program!, Quitting”. The worm also creates ABOUT.TXT in C:\. It contains a poem I won’t repeat here.
  • W32/Fever. A worm that installs itself as GP32.EXE in the Windows System directory and sets the registry so this file runs at system start. Once run, it attaches itself to outgoing E-mails.
  • W32/Matcher-B. An E-mail worm in the attachment MATCHER.EXE. The message prods you to run the attachment in order to find your “love mates.” If run, the program changes the registry so the attachment runs at each system start and then sends itself to your address book. The AUTOEXEC.BAT file is also changed with the added lines:


  • W32/MissWorld. An E-mail worm that spreads via the attached file MISWORLD.EXE (or some variation like MWLD.EXE or MWRLD.EXE). The message indicates the file contains Miss World pictures. If executed, a Flash program shows a birthday cake with a message about falling in love below. Pictures of “Miss World” are then displayed; however, these are cartoon figures, not real. AUTOEXEC.BAT is also changed to show “This Everything for my Girl Friend………, (CatEyes, KRSSL, SS Hostel)” on the next system start. Following this a format of the C: drive is attempted and the file C:\WINDOWS\SYSTEM.DAT is deleted.
  • W32/Weather. A worm with script and mIRC components. It spreads in a message about weather getting better with the attached file WEATHER.TXT.EXE. If executed, the worm drops C:\MIRC\SCRIPT.INI, C:\MIRC\SCRIPT.INI, and C:\MAIL.VBS. The attachment is copied as WEATHER.TXT.EXE to Windows and root directories. The MAIL.VBS script is then run and it mails the worm to everyone in your address book. Your AUTOEXEC.BAT file is also sent via E-mail to a site in the UK.

In closing: Some sources are reporting that Microsoft’s new operating system, XP, is only going to make things worse from a security standpoint, not better. Sighhh.