Computer Knowledge Newsletter – May 2000 Issue

In This Issue:

General Interest

New Privacy Concern. Tracking individual behavior on the web is becoming fairly common and, at the same time, is of greater concern to some. A new free ISP,, is the latest to come under fire with their adoption of a Predictive Networks product that tracks web use for the purpose of targeting ads. FreeAtLast promises that even though names will be collected they will not be associated with behavior (presumably users will be assigned a tracking number of some sort not associated with their name and it’s the tracking number that will be traced for ad targeting).

Why is this high on the agenda of web marketers? Customer draw is the simple answer. With so many web sites around, getting people to come to your site to buy things is worth money and commercial sites are willing to pay good money to snag new customers since it’s much easier to sell more things to a satisfied customer than it is to get a new customer.

Is this sort of tracking the end? Probably not. Predictive also has software that can track your keystrokes. So, when it senses you are on a search engine page it can monitor what you type for the question and serve up ads based on that! So far, we know of no actual implementation of this technology; but it, or other things like it, can’t be far away.

Should you worry? Only you can decide that. I, for example, use and recommend the AllAdvantage viewbar when I’m surfing the web. By its nature it tracks my use but, unlike some other solutions, I have the option of turning it off when I might not want it to be “watching.” So, since I have complete control, I’m not worried (your tolerance level may vary) and am free to make a few cents on the side :-). Interested? Please use the following URL:

[This program has been discontinued.]

General Security

Mstream. A new tool named “Mstream” has joined Trinoo, TFN3K, Stacheldraht, Shaft and others for new distributed denial of service (DDoS) attacks. And, unfortunately, this new tool is a refinement of and more powerful than those that go before it. So, once this new tool is fully developed, you can expect to see more powerful attacks similar to those that took down Yahoo (and others) in February. Sadly, the new tool allows these attacks to be performed by fewer computers so it does not have to spread so widely before becoming effective. Mstream not only hurts the target computer but also the network it’s attached to. It will be awhile before we see a fully-developed Mstream; but it won’t be much fun when we do.

Cookie Hole. There is a newly-discovered problem with Microsoft’s Internet Explorer browser which allows a web site to look into any visitor’s cookie files. The hole does not allow a site to browse your cookie files, just access a particular file if it exists. But, even so, since cookies can authenticate your identity and store data about your activities and purchases, giving others access to even one cookie might reveal more than you want known. Not only does the hole allow access to read a cookie, it would allow (re)writing the cookie. To be fair, you would have to actually visit a malicious web site to have this exploit work against you so if you are not exploring the “dark side” of the web it’s unlikely you will be affected by it. And, a patch is under development. To be absolutely safe until the patch is developed you can disable JavaScript as the exploit requires JavaScript to be active. Apparently only IE is affected.

UCITA Risk. The Uniform Computer Information Transactions Act (UCITA) which just passed in Virginia and is about to be signed into law in Maryland has the potential to be a serious security risk. UCITA is a law that the software makers have been pushing in order to give them significant rights. When they could not put it into the commercial code in the United States they decided to push it state by state (which they are doing now, starting on the East coast). Part of UCITA would allow software makers to have the right to remotely disable software if users violate a license agreement. The implication is that software makers will be allowed to legally put a back door into any product which could be remotely activated by some sort of code over the internet. Anyone who thinks that software makers can make a back door that hackers can’t find please stand up now. Nobody standing? I thought not.

Only two states have passed UCITA so far. Maybe you can help stop it in your state!

MS Security. Microsoft has issued a few new security bulletins this past month. Below is a summary (this is only a summary for Windows 95/98; it does not include NT–see the Microsoft web site for a complete listing):

  • Office 2000 UA Control Vulnerability. An Office 2000 ActiveX control is incorrectly marked “safe for scripting” and, if remotely activated, could allow a remote user to carry out Office functions on your computer through the “Show Me” function. Only Office 2000 products are affected.

For all of these items and more please take a look at: Link

Virus News

There are a number of new viruses described this month; The ILOVEYOU worm and its variants rose to the level needed to place it on the alerts page:

[Page taken down]

Don’t forget our virus tutorial site.

File Infectors. These important new file infectors have been reported recently:

  • JS/Unicle-A (or W32/RUNFTP.WORM.SCRIPT). A JavaScript virus that exploits security holes in the implementation of “Scriptlet.typelib”; primarily on systems using the Chinese version of Win95/98, IE5, and Windows Scripting Host. There is a Microsoft patch. See Microsoft Security Bulletin (MS99-032).
  • W32/Santa.1104. This virus hooks the “Change directory” system call. It has been reported in the wild in a file distributed as a cure for the W95/CIH-10xx virus.

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • WM97/Bablas-S. A Word macro virus in the wild. The virus module name could be considered obscene; it displays a message telling you to remove modules in the current document that are not part of the virus.
  • WM97/Class-EQ. An in-the-wild variant of the WM97/Class macro virus that displays a message box: “lA-cOsA tE eSPiA!”.
  • WM97/Claud-A. A simple macro virus reported in the wild.
  • WM97/Coldape-V. A variant of Coldape-A which drops and attempts to run a Visual Basic script which sends a sexy note from you to a former editor of the Virus Bulletin.
  • WM97/Ethan-BD. A simple macro virus that displays a File|Properties|Summary box titles Ethan Frome about a third of the time when a document closes. This virus can coexist with others to produce multiple infections of the same file.
  • WM97/Iseng-B. A variant that displays a message box telling you to reinstall Office and a nonsense message if you choose Help|About.
  • WM97/Marker-DU. Appends user information to documents on the 1st of the month and also attempts to transfer user details to an FTP site.
  • WM97/Melissa-AS. Yet another Melissa variant that sends yet another infected document to the first 100 addresses in your Outlook address book. Also, if the minute plus 2 equals the day of the month plus one your document will have spaces added to it.
  • WM97/Michael-C. A Word macro virus in the wild. It uses Office Assistant to display one of 21 messages at random. On Friday after the 23rd the virus will try to print a different document than you are working on.
  • WM97/Myna-N. A simple replicating virus reported in the wild.
  • WM97/Pathetic-B. A “pathetic” virus that simply closes Word as soon as it is opened any day in May.
  • WM97/Replog-A. This virus attempts to run I:\Eudora\Sys\Server.exe and appends the text “Active on” and date to the file I:\Rep.log.
  • WM97/Thursday-T. A simple macro variant of WM97/Thursday that has been found in the wild.
  • XM97/Divi-J. An Excel macro virus that creates BASE5874.XLS in the Excel template directory. It also adds a flag to each file opened so it knows if it already infected that file.
  • XM97/Laroux-MP. An Excel macro virus in the wild. Yet another variant of the original XM/Laroux virus.
  • XM97/Laroux-MV. Yet another of the original Laroux knockoffs.
  • XM97/Vcx-J. An Excel macro virus in the wild. It basically writes an infected XLSCAN.XLX into the startup folder and xxxxxx.vcx in the Windows System directory (xxxxxx = month, day, hour, minute, and second).

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • ILOVEYOU. May 4th of this year a fast-spreading worm attacked computers around the world. It’s spread was fast, largely because many people simply ignored what they’ve been told over and over again: DO NOT OPEN ATTACHMENTS TO E-MAIL UNLESS YOU ARE CERTAIN OF WHAT’S IN THEM!!!

Basically, ILOVEYOU is like most of the Melissa-type worms. You are sent a message with an attachment that is, in one form or another, an executable file (in this case a Visual Basic Script file). The message may be from someone you know and the text and/or subject tries to entice you to click on and open the attachment. Once you do that it’s all over: the attachment runs and whatever it was programmed to do takes place.

In the case of ILOVEYOU the script sends itself to others in your Outlook address book then goes about its business on your system. The original worm’s main effect was to overwrite JPG image files with the virus (thus effectively erasing them from your system) and hiding MP2 and MP3 files, substituting the virus for visible copies. It did some other things but those were the most complained about. The only recovery for JPG files would be restore from backups. The worm also attempted to spread itself via chat but E-mail appeared to be the more common spreading method.

And, as you might expect with a worm that was so successful, it was followed quickly by a number of variants. Most had similar payloads, they varied in the “enticement” used to try to get you to execute the attachment. Probably the most opportunistic of the bunch was the “Mothers Day Order Confirmation” version where the message text said:

We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day!

and the attachment with the worm inside was called: mothersday.vbs.

Probably the “funniest” side-effect of the ILOVEYOU worm was that in addition to E-mail systems, it “attacked” fax machines. Since the Outlook address book can store fax numbers as well as E-mail addresses the worm blindly sent itself out to these as well as the E-mail addresses. So, some computer users came to their fax machines and found page after page of VBScript waiting for them :-). Too bad there was no author’s signature.

What can you do? The best thing you can do is to use a pure-text E-mail program. No HTML, no scripts, just simple ASCII text. Attachments will be obvious and you can easily decide what to do with them. Lacking that, be certain to set your E-mail program to NOT automatically open attachments. Also, set it so that the entire file name of an attachment is shown (ILOVEYOU had an attachment that was named with a double extension that showed up as a text file in some programs; e.g., name.txt.vbs is an executable that will often show as name.txt if the full name is not displayed). If the VBScripting program is active on your computer you could disable it for further safety (although this may affect your web browsing for some sites). Of course, keep your anti-virus program up to date (check for updates at least weekly). And, most importantly, DO NOT OPEN ATTACHMENTS TO E-MAIL UNLESS YOU ARE CERTAIN OF WHAT’S IN THEM!!!

  • W32/SouthPark. A worm unrelated to the ILOVEYOU family. In this case the attachment to the E-mail is an EXE file and so does not require the Scripting Host to be installed or active. The message (in German) tells you the attached file (South Park.exe) is the game you were looking for. If run, the program will E-mail itself to your Outlook address book and copies itself to the root directory of every drive. It also copies itself to C:\WinGuard.exe and registers itself to start on each system boot. It isn’t sophisticated as it reruns the E-mail routine every time it runs. It also logs its activity into the two files: C:\Windowsstart.dll and C:\Windowssystem.dll. Additionally, the file C:\Windows\Swapfile.vxd is created and gradually fills with junk until the drive runs out of space.

For details on most of these viruses and worms please consult the Sophos information pages: Link

Oh yes, did we mention: Update your anti-virus software!!!