In This Issue:
- CueCat Problems
- MS Security (Cached Web Credentials Vulnerability; Malformed IPX NMPI Packet Vulnerability; Multiple LPC and LPC Ports Vulnerabilities; NetMeeting Desktop Sharing Vulnerability; OCX Attachment Vulnerability; Share Level Password Vulnerability; Simplified Chinese IME State Recognition Vulnerability; VM ActiveX Component Vulnerability; Windows 2000 Telnet Client NTLM Authentication Vulnerability; Word Mail Merge Vulnerability)
- File Infectors (Palm/Phage-963)
- Macro Viruses (WM97/Crono-A; WM97/Marker-FP; WM97/Metys-I; WM97/Plant-A; WM97/Shore-D; WM97/Thus-AM; WM97/Titch-G; WM97/Title-A; XM97/Barisada-J; XM97/Divi-T; XM97/Ready-A)
CueCat Problems. If you are a Forbes subscriber you recently received a CueCat “Capitalist Tool” in the mail. The CueCat can also be obtained free at Radio Shack stores. It’s basically a barcode scanner that attaches between your PC and your keyboard. The CueCat is designed to scan barcodes printed in magazines, transmit that scan to DigitalConvergence over the web and receive, in return, a direct browser link to more information about the product/service associated with the barcode. As part of the installation and setup routines you had to register with DigitalConvergence before the CueCat would scan. DigitalConvergence, unfortunately, stored the registration information in an insecure location and it became available to hackers. Registered users’ names, E-mail addresses, age ranges, genders and zip codes became available. DigitalConvergence has since closed that security hole and has offered everyone whose information was potentially exposed a $10 gift certificate to Radio Shack. Shortly after that was made public, the CueCat was further accused of sending a unique identification number with each barcode scanning request, which would allow DigitalConvergence to track individuals. The company claims it does not use that information to track individuals.
MS Security. Microsoft has issued a few new security bulletins this past month. Below is a summary (this is only a summary for Windows 95/98/2000; it does not always include NT; see the Microsoft web site for a complete listing):
- Cached Web Credentials Vulnerability. Rarely, and under very specific circumstances, a malicious user might be able to obtain another user’s ID and password to a web site from IE 4.x and 5.x (prior to 5.5). A patch is available.
- Malformed IPX NMPI Packet Vulnerability. A fault in the Microsoft IPX/SPX protocol for Windows 95, 98, 98SE, and Me could cause a broadcast storm that would have the effect of shutting down affected computers. This only happens if IPX is installed (it’s not by default) and a malicious user is able to deliver a malformed Name Management Protocol in IPX (NMPI) packet to an affected machine. A patch is available.
- Multiple LPC and LPC Ports Vulnerabilities. Multiple Windows 2000 vulnerabilities with a wide range of effects are fixed by a patch. Without the patch, Windows 2000 is vulnerable to denial of service attacks and, possibly, privilege elevation at the local machine level.
- NetMeeting Desktop Sharing Vulnerability. NetMeeting (ships with Windows 2000 and available for NT) has a vulnerability that could shut down an attacked computer. A patch is available.
- OCX Attachment Vulnerability. A Windows Media Player 7 vulnerability could enable a malicious user to send an E-mail that, once read, causes the E-mail program to fail (all RTF-enabled E-mail programs could be affected). Restarting the E-mail program and deleting the E-mail clears the problem, and a patch is available.
- Share Level Password Vulnerability. It’s possible, through a specially-written utility, for a malicious user to access shared files without knowing the entire password needed to access those files. Windows 95, 98, 98SE, and Me are affected. A patch is available.
- Simplified Chinese IME State Recognition Vulnerability. A patch is available to fix a problem that allows a malicious user to control your computer through a flaw in the Simplified Chinese language (IME) support in Windows 2000.
- VM ActiveX Component Vulnerability. The VM (Virtual Machine) allows ActiveX controls to be created and manipulated by Java applets. Normally, these would only be available through the Java sandbox but the vulnerability allows them to be available through a web page or through HTML-based E-mail. Thus, Java on a web site could access an ActiveX control that normally should not be available to it and a malicious user could take virtually any action on your computer. A patch is available and should be applied by all.
- Windows 2000 Telnet Client NTLM Authentication Vulnerability. The telnet client in Windows 2000 could allow one user to obtain the protected logon credentials of another user without their knowledge. A patch is available.
- Word Mail Merge Vulnerability. If remote security is set improperly and a coded Word mail merge document is opened, it is possible that a remote Access database could be requested for the mail merge and bring with it code that could allow arbitrary (malicious, perhaps) code to run on your computer. A patch is available to fix this in Word 97 and 2000.
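The share level password item above is a good illustration of a general password-checking mistake. The bulletin summary on this page does not say how the check fails; the example below, which is added here and is not from the newsletter or from Microsoft, models it on the assumption that the server compared only as many characters as the client supplied, so a partial password was accepted. The `SHARE_PASSWORD` value is constructed for the demonstration. The hardened form compares the full length in constant time, so a partial password is rejected.

```python
import hmac

# Constructed sample password for the demonstration (not from the page).
SHARE_PASSWORD = "secret"


def vulnerable_check(supplied: str, actual: str) -> bool:
    """Models the defect (an assumption about the mechanism, for illustration):
    only as many characters as the client sent are compared, so any correct
    prefix of the real password is accepted."""
    if not supplied:
        return False
    return actual[:len(supplied)] == supplied


def fixed_check(supplied: str, actual: str) -> bool:
    """Hardened check: the whole password must match, and the comparison is
    done in constant time so that no per-character timing leaks either."""
    return hmac.compare_digest(supplied.encode("utf-8"), actual.encode("utf-8"))


def compare_checks(supplied: str) -> dict:
    """Return both verdicts for one candidate so the difference is visible."""
    return {
        "vulnerable": vulnerable_check(supplied, SHARE_PASSWORD),
        "fixed": fixed_check(supplied, SHARE_PASSWORD),
    }


if __name__ == "__main__":
    for candidate in ("s", "sec", "secret", "wrong"):
        print(candidate, compare_checks(candidate))
```

The fixed version also rejects a candidate longer than the real password, which the truncating comparison in some implementations would not; the point is that the number of characters compared must be fixed by the stored secret, never by the client.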
For all of these items and more please take a look at:
Don’t forget our virus tutorial site.
More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites:
Removal. I’ve received a few E-mails requesting that I address removal of the various viruses described each month. I’m sorry, but I really can’t do that. It would be a rare circumstance where I would recommend anyone try to manually remove any virus. Each virus is different and many have variants that differ in how they infect even though the basic name is the same. For this reason, always obtain the latest update to whatever anti-virus software you are using and then allow that software to repair your system according to the directions in the AV software. This is the only safe way to contain and reverse an infection.
- Palm/Phage-963. The first virus written for the Palm handheld operating system. When the virus executes (you run an infected program), it finds the resource section of another application and overwrites it with the virus. You will just see a blank screen. Since a critical section of the targeted code is overwritten, the infected program can no longer be run. The only way to recover from this beast is to restore from backups.
- WM97/Crono-A. A Word macro virus that, at midnight on the last day of the month, displays “Message by Crono:” followed by a random selection from a variety of messages in the virus. With the message about date changing, the virus also tries to change your computer’s date.
- WM97/Marker-FP. Yet another Marker variant. It changes Username in Word to “JonMMx2000”, initials to “MeMeX”, and address to “JonMMx2000@yahoo.com”. On Mondays it creates JON.HTML, a harmless attempt at poetry.
- WM97/Metys-I. A Word macro virus in the form of a game that plays out on the 18th of September. A message box pops up with a message about a number game where you match numbers with the dealer. Winning displays one message; a loss displays another. No other payload is present.
- WM97/Plant-A. A Word macro virus that displays a message on the first of January: “Happy NewYear ! You are infected by Plant.Virus. Don’t panic, i’m KILL you.”
- WM97/Shore-D. A Word macro virus that infects the Normal Template. Besides installing itself into NORMAL.DOT it deletes user macros as well. Document properties will also be deleted and replaced with a serial number. This serial number is used as part of the name of another file dropped into the Clipart directory (OFFEE ####.DOT), which will run when Word opens and reinfect the system if the NORMAL.DOT copy is deleted from the system. While active, the virus animates the document window caption.
- WM97/Thus-AM. A Thus variant that tries to erase the C: drive on 13 December.
- WM97/Titch-G. A Titch variant that includes text taunting you to find the virus, but the virus is otherwise inoperative.
- WM97/Title-A. A Word macro virus that on three dates (3 May, 20 June, and 30 July) password-protects the document with a random integer between -1 and 9.
- XM97/Barisada-J. A Barisada Excel macro virus variant with viral macros in HJB.XLS. This one also plays a game between 2pm and 3pm on 24 April. The game is a series of questions relating to a fantasy role-playing game. If you don’t play correctly the virus clears all cells in all open worksheets. (Hint: Answer “no” to the first question.)
- XM97/Divi-T. A Divi variant that infects worksheets as they are opened or closed, using the viral sheet BOOK1.XLS that the virus writes to the template directory. A variable flag (IVID) is added to indicate a sheet is infected. There is no payload for this variant.
- XM97/Ready-A. An Excel macro virus that drops PERSONAL.XLS into XLSTART to get the virus to run each time Excel is started. The virus changes the status bar to XM97.ReadyZ and tries to erase files associated with some anti-virus products.
- VBS/Funny-A and Troj/Hooker-E. The worm portion sends itself as an attachment to an Outlook message. The message subject is “Funny Story” and the attached file is named “FUNNY_STORY.HTM.VBS”. The second time the worm runs it drops the Trojan (Hooker-E), which copies itself into the Windows\System subdirectory as MSTK32.EXE. It also sets the registry so that this file is run on each system restart. The Trojan is a password and keystroke thief.
- VBS/Funny-B and Troj/Hooker-E. The worm portion sends itself as an attachment to an Outlook message. The message subject is “When did you die?” and the attached file is named “LIFE_ASSURANCE.HTM.VBS”. The second time the worm runs it drops the Trojan (Hooker-E), which copies itself into the Windows\System subdirectory as MSTK32.EXE. It also sets the registry so that this file is run on each system restart. The Trojan is a password and keystroke thief.
- VBS/Funny-C and Troj/Hooker-E. The worm portion sends itself as an attachment to an Outlook message. The message subject is “Rechnungsabschrift” and the attached file is named “RECHNUNGSABSCHRIFT.DOC.VBS”. When run, the worm first drops a text file named “RECHNUNGSABSCHRIFT.DOC”. This file is a fake invoice. The second time the worm runs it drops the Trojan (Hooker-E), which copies itself into the Windows\System subdirectory as MSTK32.EXE. It also sets the registry so that this file is run on each system restart. The Trojan is a password and keystroke thief.
- VBS/Kakworm-D. Another Kakworm variant. This one only works if Outlook Express 5 is running under Windows using the French language. The file TAM.HTA is dropped in the Windows Startup folder. OUT.HTML is dropped into the Windows folder and is set as the default signature. This file spreads the worm.
- VBS/LoveLet-BI. Another LoveLetter variant that sends itself to your Outlook address book. This variant has Subject: Gotov je! 24.09.2000!; Text: Ej! Pogledaj ovo u prilogu!!!; and Attachment: GOTOVJE.VBS. When executed the worm writes itself to two directories, sends itself out, and displays an HTML file that starts with “KOMSIJA,…”.
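The VBS/Funny, Kakworm and LoveLetter items above share two traits a defender can check for without knowing the particular variant: a script attachment hiding behind a second, harmless-looking extension (.HTM.VBS, .DOC.VBS), and a dropped file registered to run at every restart. The example below is added here and is not from the newsletter or from any anti-virus vendor. The message list and the registry export are constructed samples built from the names on this page; the Run key path is the standard Windows location, the value name “MSTK32” and the C:\WINDOWS prefix are assumptions, and the extension list beyond .VBS and .HTA is an added generalisation.

```python
import re
import ntpath

# Extensions treated as executable script. .VBS and .HTA are named in the
# items above; the rest are an added assumption for a more general filter.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "hta", "wsf"}

# Constructed sample messages (not captured mail) using the subjects and
# attachment names from the items above, plus one benign message.
SAMPLE_MESSAGES = [
    {"subject": "Funny Story", "attachment": "FUNNY_STORY.HTM.VBS"},
    {"subject": "When did you die?", "attachment": "LIFE_ASSURANCE.HTM.VBS"},
    {"subject": "Rechnungsabschrift", "attachment": "RECHNUNGSABSCHRIFT.DOC.VBS"},
    {"subject": "Gotov je! 24.09.2000!", "attachment": "GOTOVJE.VBS"},
    {"subject": "Q3 report", "attachment": "report.doc"},
]

# Constructed .reg-style export of the Run key. The "MSTK32" value name and
# C:\WINDOWS prefix are assumptions; MSTK32.EXE in Windows\System is from the page.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSTK32"="C:\\WINDOWS\\SYSTEM\\MSTK32.EXE"
'''

# Dropped file name taken from the Hooker-E items above.
INDICATOR_FILES = {"mstk32.exe"}


def attachment_verdict(filename: str) -> str:
    """Classify an attachment by its final extension; flag separately when a
    disguising extension such as .HTM or .DOC precedes the script extension."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTENSIONS:
        return "ok"
    if len(parts) >= 3 and parts[-2]:
        return "block: double extension"
    return "block: script attachment"


def scan_messages(messages):
    """Return (subject, attachment, verdict) for every message that should be held."""
    held = []
    for msg in messages:
        verdict = attachment_verdict(msg["attachment"])
        if verdict != "ok":
            held.append((msg["subject"], msg["attachment"], verdict))
    return held


def suspicious_run_entries(reg_export: str):
    """Parse a .reg-style export and return (value name, command) pairs under a
    ...\\CurrentVersion\\Run key whose command launches an indicator file."""
    hits = []
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower().endswith("\\currentversion\\run")
            continue
        if not in_run_key:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        # .reg exports double the backslashes; undo that before taking the basename.
        name, command = m.group(1), m.group(2).replace("\\\\", "\\")
        exe = ntpath.basename(command.split()[0]).lower() if command.split() else ""
        if exe in INDICATOR_FILES:
            hits.append((name, command))
    return hits


if __name__ == "__main__":
    for entry in scan_messages(SAMPLE_MESSAGES):
        print("hold:", entry)
    for entry in suspicious_run_entries(SAMPLE_REG_EXPORT):
        print("persistence:", entry)
```

On a real system the second check would be fed the output of a registry export of both the HKLM and HKCU Run keys; the parser scopes itself to keys ending in \CurrentVersion\Run, so both hives are handled by the same function. Blocking on the final extension rather than on a list of known attachment names is what makes the first check useful against the next variant as well.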
In closing: Keep security in mind when preparing for the holiday season!