Computer Knowledge Newsletter – November 2001 Issue

In This Issue:

General Security

Simple Security. The FBI (National Infrastructure Protection Center) has settled on seven simple measures to help secure your computer in today’s environment. They are listed here:

  • Use strong passwords. A good password is difficult to guess and, if the system allows, typically includes both upper and lower case letters plus one or more numbers or characters. Much as it’s a PITA to maintain, also try to use a different password for every account where one is needed. If you don’t then once someone has one they have them all.
  • Make regular backups of critical data. Plan on an incremental backup each day with a weekly full backup. And, don’t forget to verify the backup monthly. Further, make certain you have the restore software stored in a form it can be used to restore the backup if needed. And, for really critical data, consider storing some of your backups off-site (e.g., safe-deposit box).
  • Use virus protection software. “Use” means having the software running all the time, checking regularly (daily if possible but no longer than weekly) for updates and installing them. Finally, monthly scan all files on your computer with the latest version just to make certain something did not slip through.
  • Use a firewall as a gatekeeper between your computer and the Internet. Your firewall can be either hardware or software and should be considered mandatory even if you only dial into the Internet for access. Zone Alarm makes a useful individual firewall.
  • Do not keep computers on-line when not in use. Physically disconnect the Internet connection when your computer is unattended.
  • Do not open E-mail attachments from strangers, regardless of how enticing the Subject Line or attachment may be. Be suspicious of any unexpected E-mail attachment from someone you do know because it may have been sent without that person’s knowledge from an infected machine.
  • Regularly download security patches from your software and operating system vendors.

Moving to Apache? After Nimda struck a number of groups recommended that companies move away from Microsoft’s Internet server and adopt the Apache server running under a version of UNIX. It just might be happening. Netcraft does a survey of 33 million Web servers and their September survey showed that the number of IIS servers decreased by 300,000 between August and September. In that same time 130,000 of these sites moved to Apache. Additionally, the survey found that about 11% of the IIS servers visited were either infected or unprotected from infection and exploitation. Bottom line: If you are running a Web server (or associated with a provider who runs one for you) then make certain you or your provider have all the latest security patches in place. It is important to keep up to date.

Powerpuff With FunLove. The Powerpuff Girls disc “Meet the Beat Alls” was accidentally released with three files (one being the installer) infected with the FunLove virus. The disc has been recalled and Warner Home Video believes all infected discs were found and have been destroyed. But, other companies have released software with FunLove on the discs. So, make certain your anti-virus software is running when you get new software (FunLove is a 1999 virus so all anti-virus software should detect it).

MS Security. Microsoft has issued a a number of new security bulletins this past month. Please see all current alerts at: Link

  • Cookie Data in IE Can Be Exposed or Altered Through Script Injection. A vulnerability exists in IE that would allow a malicious user to build a URL that would allow a site to gain unauthorized access to cookies and maybe even modify them. Cookies can contain personal information so this vulnerability can potentially expose that information to capture. There is no present patch but one is being developed. In the meantime if you want to avoid this potential problem you’ll have to disable active scripting. For more info: Link
  • Downloaded Applications Can Execute on Mac IE 5.1 for OS X. An error in the automatic downloading and decoding of BinHex and MacBinary files. The error would allow encoded programs to automatically run after download and decoding. A temporary fix would be to turn off automatic decoding. A patch is available. For more info: Link

General Interest

RIAA Tries End Run. After 11 Sept. Congress went sort of wild with various legislation. That’s to be expected given the circumstances. But, sadly, organizations like the RIAA tried to piggyback onto anti-terrorism legislation to press their own agenda. In this case, they attempted to attach amendments that would actually allow them to hack into anyone’s computers, without any penalty, and delete “illegally copied” files. Only when called on it by privacy and consumer groups did they back off of their original request. But, be assured, they will try again. The organization has proven that it wants to do by legislation what it should be doing (and doing better!) by coming up with innovative marketing techniques.

Anti-spam State Problem. For now, with no federal anti-spam laws, states have free rein to fight spam with laws of their own. This past month the U.S. Supreme Court declared that a tough Washington state anti-spam law can stand. This law was enacted in 1998 and sets standards and levies stiff fines. A trial in Washington has been on hold pending an appeal to the Supreme Court on grounds that the law violates the interstate commerce clause and, also, violates free speech. The Supreme Court refused to hear the appeal. This basically allows the Washington law to stand and the trial to go forward. Other states will certainly take note. Basically, the Washington law bans transmission of E-mail that includes a false header, misleading subject line or a fraudulent originating address.

Upgrade? Windows XP is out now; should you upgrade? You’ll have to decide, but here are three rules I’ve tried to follow over the years when it comes to upgrades. I’ll present them here for your consideration:

  • Rule one. NEVER upgrade an operating system until it’s absolutely necessary.
  • Rule two. NEVER upgrade unless you get new hardware as well.
  • Rule three. NEVER be among the first to upgrade if you ignore rules one and two!

One of the things that makes me bring this up is that XP has a feature that defaults to a search of several Web sites when a user clicks on a file that has no association with a program. One of the sites presented is my site. This has, as you might expect, led to a fairly large increase in traffic at that site (I even had to move it to a provider with better bandwidth limits) and, as a side effect, a fair number of “clueless” questions about problems during the XP upgrade. Since I follow the above rules I’ve not upgraded to XP and so I’ll just quote here what I have to send back in response: “I’ve gotten a number of inquiries like yours and the best I can say is to contact the maker of the application that created the file(s) and/or Microsoft since one or both of those folks are to blame for your problem.”

Presented for your consideration…

Virus News

There are a number of new viruses described this month. They are listed below.

Don’t forget our virus tutorial site.

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites: Link Link

Trojans. These important new Trojans appeared recently:

  • Troj/Septer. A credit card number harvesting Trojan. Septer shows a realistic-looking form pretending to be an American Red Cross donation program; hoping to prey off the generosity shown after 9/11. Information requested includes your name/full address, credit card info, phone number, and E-mail address. Any information collected is sent via E-mail to a site that has nothing to do with the Red Cross.
  • Troj/JS_Seeker-W. A JS_Seeker variant that changes the IE startup page to a porno site. It has no other payload.

File Infectors. These important new file infectors have been reported recently:

  • W98/Elkern. A cavity virus that only works under Win98/Me. It establishes itself as the hidden file WQK.EXE in the Windows System folder and sets the registry so that file runs at system start. The virus is dropped by the W32/Klez worm.
    For info about cavity viruses see the Computer Knowledge Virus Tutorial.

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • Variants. The following variants have been observed but generally carry no payload: WM97/Ded-K; WM97/Myna-AY; WM97/Myna-AZ; WM97/Myna-BA; WM97/Goodday-C
  • WM97/Footer-AB. Basically, this Word macro virus creates two files in the root directory; each is a copy of the virus: FOOTER.$$$ and FOOTER.$$1.
  • WM97/Marker-FP. A Marker variant that changes username to “JonMMx2000”, user initials to “MeMeX” and user address to “”. Each Monday the virus will create the harmless poetry file JOH.HTML in the Windows directory.
  • WM97/Marker-JP. A Marker variant with bugs in the code. 33% of the time the document title could be changed to “Ethan Frome.”
  • WM97/Marker-JQ. A Marker variant with bugs in the code. 33% of the time the document title could be changed to “Ethan Frome.”
  • WM97/Marker-JT. A Marker variant with bugs in the code. 33% of the time the document title could be changed to “Ethan Frome.”
  • WM97/Thus-FB. A Thus variant that displays a message on the 12th of any month: “It’s TOO much violence in this world! Have MOT to stop it!”.
  • WM97/Wrench-Q and WM97/Wrench-T. A Wrench variant which drops the virus code ASCII.VXD in the root directory. When run, if you attempt to open the VB Editor, change the document font, or print the document the Office Assistant will pop up.
  • XM97/Divi-AN. A Divi variant that uses BOOK1.XLS in XLSTART to spread.
  • XM97/Divi-R. A Divi variant that uses BOOK1.XLS in XLSTART to spread.
  • XM97/Laroux-OH. A Laroux variant. The viral macros are AUTO_OPEN and CK_FILES (I object strongly to the latter!). These macros are inserted into RESULTS.XLS in the XLSTART folder.
  • XM97/Slacker-E. A defective Excel macro virus whose payload would create .DLL files with random names in various locations. The payload is never called, however so all the virus does is replicate.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • W32/Anset. A worm that says it’s a German Trojan scanner. It comes in the file ANTS3SET.EXE in a message with the subject “ANTS Version 3.0”. A several-paragraph message text explains how the attached program scans for Trojans. The message is in both German and English. If you run the attachment the worm will copy itself into the Windows folder with a random name which name is then added to the registry so the worm starts when the system starts. The worm finds addresses to send itself to by looking in your address book as well as searching for files with the extensions .CGI, .HTM, .SHTM, .PHP and .PL. There are “B” and “C” variants with changes in the message text.
  • W32/Finaldo-B. Like Nimda, Finaldo spreads via infected files, web pages, and via E-mail as an attachment. An infected file, when run, will drop the hidden library FINALDOOM.DLL into the temporary folder. This is then run and infects .EXE, .SCR, and .OCX files found. Malicious JavaScript is added to all .HTM, .HTML, and .ASP files found. If a Web page with attached Finaldo JavaScript in it is viewed, the script will automatically download the file FINALDOOM.EML and, via a MIME header vulnerability that Microsoft has a patch to fix, that is run to infect the computer. The worm searches for E-mail addresses on the system and mails itself to those addresses using the same MIME exploit so on unpatched systems it will run without you having to click on the attachment. Get the Microsoft patch at: Link.
  • W32/Hai. A worm that spreads across shared network drives. It copies itself as a random name into any \WINDOWS folder and edits the WIN.INI file so that file is run each time Windows starts.
  • W32/Klez. A worm which also contains a copy of the W98/Elkern virus which is dropped and executed by the worm. It uses the address book to find addresses to send itself to and picks one of 15 different subjects for the message. The worm itself is given a random filename for the attachment and the “from:” header is a random name made to look like one of the free mail services:,, or The body of the message asks for help as the sender has to “support my parents.” The worm further attempts to exploit a MIME setting vulnerability that Microsoft has issued a patch for in order to run automatically when the message is viewed or previewed. If run, the worm also copies itself to other machines via open shares (random filenames are used). It further copies itself to KRN132.EXE in the Windows System folder and sets the registry to run that file on system start. The Microsoft patch can be found at: Link
  • W32/Klez-B/C/D. Minor Klez variants.
  • W32/Nimda-D. A Nimda variant which spreads via E-mail, network shares and Web sites. All versions of Windows can be infected. E-mail versions of the worm have the attachment SAMPLE.EXE and the above-mentioned MIME vulnerability is used to try to have the file automatically run when the message is viewed. The rest of the worm operates like the original Nimda worm described as part of the Computer Knowledge Virus Tutorial. References to Microsoft fixes for various vulnerabilities are also found on this page.
  • W32/Redesi-A. An Outlook E-mail worm. A number of possible subjects are encoded into the worm and one is picked at random for each message. The body of the message always contains: “heh. I tell ya this is nuts ! You gotta check it out !”. The attachment also changes names to one of: REDO.EXE, SI.EXE, COMMON.EXE, USERCONF.EXE or DISK.EXE. When run, the worm copies itself to those filenames in the C: root directory. It then mimics an error message by showing the text “FILENAME is not a valid Win32 application” (where FILENAME is the currently running version).
  • W32/Redesi-B. A variant of the above worm. It acts in much the same way with random E-mail subjects but the message body simulates a Microsoft security alert with an attachment (which Microsoft NEVER sends out with their alerts). The random worm names are: COMMON.EXE, REDE.EXE, SI.EXE, USERCONF.EXE and DISK.EXE. The message box displayed contains: “Your Windows update has been successful”. It sets the registry so the worm runs on Windows start and, on 11 November, it changes AUTOEXEC.BAT to format the C: drive on the next system restart.
  • W32/Redesi-H. Another Redesi variant. This one uses both Outlook for E-mail and mIRC to spread via chat channels. A number of possible subjects are encoded into the worm and one is picked at random for each message. The message body also changes to various apologetic or “come on” messages. The messages have two attachments: ERICA.JPG (an image) and an infected file of varying names. When run the worm sends itself to the Outlook address book, sets the registry so the worm runs on system start, and attempts to spread via an mIRC script. On Friday the text “Erica, what sunshine is to flowers, your smiles are to happiness” is displayed.
  • W32/Toal-A. An E-mail worm in the attachment BINLADEN_BRASIL.EXE. The subject will have something to do with 9/11 events. The body is blank. The worm attempts to use the MIME exploit mentioned above and described on the referenced Nimda page. If executed, the worm drops the file INVICTUS.DLL into the Windows folder and drops itself into the Windows System folder with a random 3-character name drawn from the letters between “A” and “O”. File attributes are set to hidden and read-only. A second copy may also be dropped into the C: root directory. The worm changes the SYSTEM.INI file so the worm runs on system start. It also makes the C: drive shareable. It infects both EXPLORER.EXE and HH.EXE in the Windows directory (and possibly other files). Thus, whenever Windows Explorer is run the virus will run (a backup to the SYSTEM.INI changes). The worm further attempts to terminate various anti-virus programs as well as firewalls such as Zone Alarm. Infrequently (1:159 times) the worm will display “colorful” slogans and a message box about BinLaden and Bush. Finally, the worm, if it can, connects to an ICQ site and collects information about users there; it then E-mails itself to those users or any E-mail address found. The worm runs for up to ten minutes at a time.
  • W32/Yarik. An E-mail work with the subject “Please make peace not war” and the attached file KIRAY.EXE. That name is specific and the file must reside in the Windows TEMP directory for the worm to be attached to outgoing E-mails. The registry is changed so the worm is run when *any* other EXE file is opened (the worm runs instead of the clicked on EXE). The worm also changes registry entries in order to not show the desktop, tell the system there are no drives, and disconnect any network. It also attempts to delete files from various system and Office directories.

In closing: Watch your money when holiday shopping.