Computer Knowledge Newsletter – September 1999 Issue

In This Issue:

Virus News

Year End Virus Activity. Between now and the turn of 2000 expect an increased amount of virus/Trojan/worm activity. Writers of these beasts often take advantage during times of confusion. I would not believe the predictions of one of the anti-virus marketing folks (over 100,000 new viruses between now and the end of the year); but you can expect to see some increase. A few specifically keyed to the end of the year have already been found:

  • Win32.Kriz. This beast is supposed to activate on Christmas Day. It is similar to the CIH (so called Chernobyl) virus and infects Windows EXE files and screen saver (SCR) files. It also infects the main Windows system library (KERNEL32.DLL). On activation the virus will overwrite data in all files on all drives, erase the CMOS memory, and (like CIH) attempt to overwrite the Flash BIOS in the computer.
  • Polyglot. This is a Trojan distributed originally in an E-mail attachment named Y2KCOUNT.EXE. The mail message that carried the attachment appeared to come from Microsoft saying the program was a Y2K countdown program. When run, the program displays a WinZip error and then drops the files PROCLIB.DLL, PROCLIB.EXE, PROCLIB16.DLL, and SVSRV.DLL in the Windows\System directory and changes SYSTEM.INI. WSOCK32.DLL is renamed to NLHVLD.DLL and PROCLIB16.DLL copied to WSOCK32.DLL to replace it. In addition to managing your connection the new DLL looks for “password,” “login,” and “username” in all mail and sends the related info off for exploitation.
  • Thursday Virus. Keyed to activate on 13 December, this virus will delete all files on the C: drive. Thursday is a macro virus that infects computers running Office97 and Office 2000. It will spread to and then from Macintosh systems but not activate on them. This virus has not spread very far but has been found at some banks.

Cholera. This is a new virus with worm-like characteristics. It has received a lot of mention in the press but to date has not been seen in the wild. It spreads by sending itself as an E-mail attachment (a file called SETUP.EXE) to a message that contains only the text “:)” (the subject is “Ok…”). If you run the file Cholera will copy itself to the file RPCSRV.EXE in Windows and then displays an error message indicating the archive is not valid. Cholera will then become active on the next reboot and send itself to all users it can find in your address books.

Toadie. A virus that infects DOS and Windows executable files and, in a twist, uses the mIRC or Pegasus Mail programs to propagate. When you run an infected file at 17 minutes after any hour the virus will display a message in the form of one of several poems. One of them is reproduced below:

There once was a bud named B.C.
He grew on a 7 foot tree
Till one day I plucked him
Rolled him and smoked him
And now I can barely see!

Probably the most interesting thing about this virus is that its author regularly appears on alt.comp.virus and there has been much philosophical discussion with him about the virus.

This, and all viruses listed above, can be easily found using updated versions of any of the current anti-virus software programs.

General Security

More Jet. Last month I wrote about a flaw in the Jet implementation in Office97 but mentioned that the flaw did not affect Office 2000. Shortly after pressing the send button on the E-mail program I received a security notice from Microsoft saying that prior reports of the flaw not affecting Office 2000 were wrong. A similar vulnerability does exist for Office 2000 and can be used to perform malicious acts.

Full info and a download guide are at the URL listed in last month’s newsletter:

[Link 404]

NSA Windows Hole. Early in September a firestorm of discussion took place in various computer security venues when a security expert at a private North Carolina company revealed a “weakness” in Windows that would allow anyone with the correct authentication code to take over Windows on the local computer. The expert indicated the weakness could have been inserted at the request of the National Security Agency (NSA). The weakness involves the method Windows uses to authenticate software programs and drivers.

Microsoft has denied any such weakness installed at the request of the government and indicated the “NSA” designator found in the authentication key simply indicates the key complies with NSA rules.

The discussion has died down; the resolution is still in the “who do you believe” stage.

ICQ Identities Stolen. Shorter (and older) ICQ names are in demand because newer names are fairly long with 40+ million users now. So, a Trojan has been developed to target ICQ names and steal the accounts and passwords. The Trojan was originally announced as being in a JPEG image file but, as we know, that’s impossible as image files don’t execute. As you might expect, this Trojan uses a characteristic of how Windows displays file names to trick users and is really an EXE file.

In an attempt to keep the clutter down for you Windows has an option that only displays the root name of any file registered in Windows. The problem is that if you have that option set a file named TRICK.JPG.EXE will not show the EXE portion of the name and show up as TRICK.JPG instead. Now, if this were a true image file it should only show TRICK with the option set but that’s easy to forget and so when you see TRICK.JPG you think it’s a true image file and can safely be clicked on. It’s important that you keep the option to suppress extensions turned off so you can correctly recognize the nature of all files. (Note: I do not know the name of the sent JPEG file; TRICK, above, was an example only.)

About 200 ICQ users were affected but there may be more. Take standard precautions and you should not be affected.

Java Hole in IE. Java is supposed to create a “sandbox” when run from the Internet. This prevents Java applets from doing anything malicious on your computer. A hole has been found in the Microsoft implementation of Java and an “attack applet” could be written to do pretty much whatever it wanted on your system through the hole. The problem was discovered at Princeton University and affects Microsoft’s Java software running on Windows 95, 98 and NT. A patch is available to close the hole and there are no known exploits of it.

Telnet Vulnerability. There is an overrun vulnerability in the telnet client that ships with Windows 95 and 98. An unchecked buffer could allow arbitrary code to run. A patch is available.

ActiveX IE Hole. Yet another security hole has been found in IE5, Microsoft’s flagship browser. If exploited, the hole will allow arbitrary programs to take full control of your computer. The exploit takes advantage of an ActiveX control that ships with IE5. In brief, the exploit could allow something from a web site to be written into the Windows StartUp directory. This “something” would then execute the next time you started Windows. There is no known instance of this exploit being used.

For all Windows updates take a trip to:

http://windowsupdate.microsoft.com/Web Link

Items of Interest

Cookies Revisited. With the privacy issue becoming more important, C|Net and others are once again revisiting the topic of cookies and what they reveal about you. As a matter of review, take a quick look at the Computer Knowledge information page about cookies if you have not already:

[Moved: Search the site]

That info page fairly well sums it up.

It’s interesting to note that some advertisers now are accused of collecting “clickstream” information about your browsing habits so they can feed you ads they advertisers think you will be more apt to click on. The advertising companies that feed the ads say they do not; but the potential is there nevertheless.

Expect to see more detailed privacy statements on web sites as a result of these concerns.

In closing: Keep your anti-virus software up to date; even more between now and the end of the year.