Computer Knowledge Newsletter – May 2001 Issue

In This Issue:

  • Don’t Click
  • ZoneAlarm Attack
  • Security News Portal
  • MS Security
  • Trojans (Troj/Unite-C)
  • Macro Viruses (Variants; Interactions; WM97/Bablas-BW; WM97/Goober-E; WM97/Hope-AC; WM97/Replog-D; WM97/Thirty4-A; WM97/Thus-EF; XM97/Divi-AB; XM97/Divi-AH; XM97/Laroux-NY; XM97/Pinkpick-A)
  • Worms (Unix/SadMind; VBS/Haptime-A; VBS/Hard-A; VBS/LoveLet-CL; VBS/San-B; VBS/VBSWG-X [HomePage]; VBS/VBSWG-Z [Mawanella]; W32/FunnyFile-A; W32/Matcher)


A short issue this month I’m afraid. A number of things happened that took up all the extra time. The long and short of it is that there is now yet another domain in the Computer Knowledge stable ( Link). This domain is basically a replacement for the single file extension page that used to be in the acronym section. If you bookmarked that page you will be automatically taken to the new domain. The need came about because the file extension page was getting to be very popular and hits to that page alone were starting to drive me over my bandwidth limit for the entire account! By splitting up the page into alphabetical sections I’m hoping that people won’t be looking at the entire list and so use less bandwidth. That transition (plus some other things) took up most of the newsletter time.

General Security

Don’t Click. Probably the single best thing you can do (besides updating your anti-virus software) to defeat the extreme number of worms going around is to THINK before clicking on any attachment. The worm writers are getting ever more clever, not in what they write, but how it’s presented. This is social engineering in practice. To borrow a phrase from the Reagan years: Just say no! (to attachments you have not double and triple checked to know they are “real”).

In the latest try for your trust, one of the recent worms even emulated a Norton anti-virus alert about a spreading worm! Another, fast spreading worm, looked like someone’s attached home page.

Think before you click and you’ll miss all the current beasts!

ZoneAlarm Attack. Malicious code designed to detect and shut down ZoneAlarm, the most popular software firewall in use today, has been found. The code would only work under Windows 9x, but that’s still a significant number of users. The code not only deactivates ZA but replaces the visible icon so you think the program is still active. Called ZA Killer, the code is not presently known to be circulating but it could easily be attached to a Trojan. Use care and maybe periodically (especially after running new software) bring up the full ZA interface (if you use the program) to make certain it’s still active.

Security News Portal. If you like to follow computer security in a more real-time manner, here is another link you can use:

[Link 404]

MS Security. Microsoft has issued a a number of new security bulletins this past month. Please see all current alerts at: Link

Virus News

There are a number of new viruses described this month. They are listed below.

Don’t forget our virus tutorial site.

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites: Link Link

Trojans. These important new Trojans appeared recently:

  • Troj/Unite-C. A password-stealing Trojan from Russia. Various features of this Trojan can be reconfigured, including the name of the file. It will either run constantly in memory or just run once on each boot. The Trojan will try to send stolen passwords out via a TCP port.

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • Variants. The following variants have been observed but generally carry no payload: WM97/Metys-F; WM97/Myna-AB; WM97/Myna-AP; WM97/Thus-DB
  • WM97/Bablas-BW. A Bablas variant. During infection the application caption in Word is changed to some variant of “Selamat datang di GRATIA COMPUTER”. Attempting to use Tools|Macro or File|Templates results in a message from the virus; as does exiting Word.
  • WM97/Goober-E. A Goober variant that replaces “ShiThe!” or “shithe” with “The” and “the” as appropriate. The file C:\G00BER.SYS is created during replication.
  • WM97/Hope-AC. A basic Word macro virus that removes the options “Macros” and “Options” from the Tools menu.
  • WM97/Replog-D. A Word macro virus that tries to run I:\EUDORA\SYS\SERVER.EXE and adds the text “Active on” to the log file I:\REP.LOG.
  • WM97/Thirty4-A. A polymorphic macro virus that tries to contact Brazil on the 28th of the month and displays the message “JOSYE SUA AUTA!!!” on 5 March.
  • WM97/Thus-EF. This Thus variant displays the message “Attention! Do everything, your computer tells you!” on the 13th or 26th of each month. You are then asked for your name and told you are a “stupid lamer.” Additionally, on 13 August or during December the virus will close Windows when you close a document in Word.
  • XM97/Divi-AB. A Divi variant. The infecting file is named BASE5874.XLS and the infection flag is the variable IVID plus a hexadecimal number.
  • XM97/Divi-AH. A Divi variant. The infecting file is named BASE5874.XLS.
  • XM97/Laroux-NY. A Laroux variant that creates VERA.XLS as the viral startup worksheet. File properties may be changed to show Title=”Fraouk”, Subject=”SIMULATION GEOSTATISTIQUE”, and Author=”GEOLOGIE”.
  • XM97/Pinkpick-A. An Excel virus that creates the file B00K1.XLS to spread.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • Unix/SadMind. An Internet worm that exploits a buffer overrun on Solaris systems’ sadmind program. This is part of the Solstice AdminSuite. The worm adds “+ +” to .rhosts in the root. The worm is copied to a new machine and extracted in /dev/cuc. The file /etc/rc.d/s71rpc is altered to cause the worm to run on system start. While running, the worm searches connected networks for vulnerable machines. It also looks for Microsoft IIS servers and defaces the front page. After 2000 infections, the worm changes all INDEX.HTML files on the server to display an offensive message. Both Microsoft and Sun Microsystems have patches available: Link

[Link 404]

  • VBS/Haptime-A. A combination virus and worm that spreads via Outlook Express (5.0). The virus portion infects files with extensions VBS, HTML, HTM, HTT and ASP. The payload tries to delete EXE and DLL files when the number of the month and date added together equals 13 (e.g., 1 December).
  • VBS/Hard-A. An Outlook worm that emulates a Symantec Anti-Virus warning. It comes with the subject “FW: Symantec Anti-Virus Warning” and appears to come from The text letter is “signed” by F. Jones. There is an attachment called WWW.SYMANTEC.COM.VBS which is in immediate tipoff since Symantec never sends up warnings in this manner. If you happen to open the attachment a page formatted like a Symantec info page regarding the worm “VBS.AmericanHistoryX_II@mm” (does not actually exist) is presented. The worm then sends itself to your Outlook Express address book. On 24 November the worm also displays a box giving you a “…warning about your stupidity…”
  • VBS/LoveLet-CL. A LovLet (Love Bug) variant. It makes two copies of itself (COMMAND.VBS and WINVXD.VBS) which run on system start. The worm will send itself to your entire Outlook address book. The subject will be “!!!” and attached file ECHELON.VBS. As the name of the attachment implies, this worm is directed specifically at the Echelon Internet monitoring system. On your system and all attached network drives, files with the following extensions are overwritten with the worm and extension changed to VBS: VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA. JPG (JPEG) files are overwritten but the VBS extension is added to the name instead of replacing the original extension. MP2 or MP3 music files appear to be overwritten but are saved in original form as hidden files.
  • VBS/San-B. A San variant that spreads via LOVEDAY14-C.HTA instead of LOVEDAY14-B.HTA.
  • VBS/VBSWG-X (HomePage). An Outlook-based E-mail worm derived from the VBSWG virus writing kit. The subject is “Homepage”, the attached worm is HOMEPAGE.HTML.VBS and the message text simply tells you the page is “really cool” and you should see it (implying you should click on the attachment). The worm saves itself to your TEMP directory and sends itself to everyone in your Address Book. It then sets a flag in the registry to prevent it from sending itself out again. Finally, it opens your Web browser to one of four adult-oriented Web sites. This worm spreads very fast if the people involved actually click on the attachment.
  • VBS/VBSWG-Z (Mawanella). Another worm developed using the VBSWG virus writing kit. This one copies itself to MAWANELLA.VBS in the Windows System directory and forwards itself to everyone in your Outlook address book. The message looks like a description of an attack on “Sri Lanka’s Muslim Village.”
  • W32/FunnyFile-A. A worm based on Microsoft’s MSN Messenger. If run on a system with MSM Messenger the worm displays what appears to be an error message: Run-time Error ’91’. Object variable or With block variable not set As messages come in or new contacts entered the worm sends itself to that entry with the message body “i have a file for u. its real funny.”
  • W32/Matcher. An E-mail worm with the subject “Matcher”. The text talks about finding a love mate and the attached program, MATCHER.EXE, is supposed to help. If run, the worm copies itself to Windows system and temp and changes the registry to run the worm on system start. It then starts to send itself to others in your Outlook address book. The worm also changes the AUTOEXEC.BAT file to add the following lines:

@echo off
echo from: Bugger pause

In closing: Just say NO to attachments!