Computer Knowledge Newsletter – September 2000 Issue

In This Issue:

  • Netscape Java Problem
  • Mobile Targets
  • MS Security (Cache Bypass Vulnerability; Excel REGISTER.ID Function Vulnerability; Malformed E-mail Header Vulnerability; Malformed IPX Ping Packet Vulnerability; Microsoft Office HTML Object Tag Vulnerability; Persistent Mail-Browser Link Vulnerability; Protected Store Key Length Vulnerability; Relative Shell Path Vulnerability; Scriptlet Rendering Vulnerability; Service Control Manager Named Pipe Impersonation Vulnerability; Telnet Server Flooding Vulnerability)
  • Backup
  • Acronyms
  • Myths
  • Trojans (QAZ)
  • File Infectors (W95/Zperm)
  • Macro Viruses (WM97/Bablas-AB; WM97/Doeii-A; WM97/Eight941-J; WM97/FF-E/F; WM97/InAdd-D (Timeless); WM97/Marker-DG/ES/ET/EU; WM97/Melissa-BI; WM97/Onex-E; WM97/Panther-B; WM97/Piece-A; WM97/Thus-AW; XM97/Adn-A; XM97/Barisada-B/C; XM97/Divi-K/Q; XM97/Laroux-NK)
  • Worms (W32/Bugfix & VBS/Bugfix; VBS/Kak.B; VBS/LoveLet-BA; W32/Sysid)

General Security

Netscape Java Problem. CERT Advisory CA-2000-15, is titled “Netscape Allows Java Applets to Read Protected Resources.” Affected are systems running Netscape Communicator versions 4.04 through 4.74 (with Java enabled). Netscape 6 is not affected. Basically, these versions are shipped in a way that allows an unsigned Java applet to access local and remote resources (a no-no). Tools have been written that demonstrate this vulnerability. Turning off Java is one protection against this vulnerability. Visit Link to find out when a patch might become available.

Mobile Targets. Mobile operating systems are now starting to come under attack with the expansion of the EPOC operating system from Psion handhelds into other mobile devices. So far there is no virus-like activity but a number of Trojans exist that tend to play jokes, display warnings, change user information and do/display other unwanted things. Expect such childish behavior to continue.

MS Security. Microsoft has issued a few new security bulletins this past month. Below is a summary (this is only a summary for Windows 95/98/2000; it does not include NT–see the Microsoft web site for a complete listing):

  • Cache Bypass Vulnerability. Outlook and Outlook Express contain a vulnerability that could allow HTML mail that, when opened, could read files on the reader’s computer (read only, not write or change). A patch is available.
  • Excel REGISTER.ID Function Vulnerability. If a malicious users happens to plant a malicious DLL on your system and then a spreadsheet invokes REGISTER.ID the malicious DLL can then be accessed and the functions in it run without warning. Excel 97 and 2000 are affected. A patch is available.
  • Malformed E-mail Header Vulnerability. Outlook and Outlook Express share a component that contains an unchecked buffer when E-mail headers are being read. By overrunning the buffer in the affected header a malicious user could send a E-mail message that could crash the reader’s computer or run code on the reader’s computer. Only certain versions of Outlook and Outlook Express are affected and a patch is available. Note: A Trojan (Win32/OutlookOverflow.Trojan) is available that takes advantage of this vulnerability. OBTAINING THE PATCH SHOULD BE CONSIDERED A PRIORITY.
  • Malformed IPX Ping Packet Vulnerability. This vulnerability is most important for intranets as Internet routers generally filter out IPX packets. The problem is that an IPX ping command could be processed incorrectly on Windows 95/98 computers and cause a network storm which could require computers on the network to have to be rebooted to recover. A patch is available.
  • Microsoft Office HTML Object Tag Vulnerability. There is an Office 2000 vulnerability that would allow a malformed data object tag embedded into an Office 2000 document to either crash the application or maybe run malicious code. Outlook users should apply all security updates and in Word disable “Confirm conversion at Open” on the Tools|Options|General tab.
  • Persistent Mail-Browser Link Vulnerability. Outlook Express has a security problem that would allow the sender of one E-mail to look at subsequent messages previewed by the reader. This is accomplished via a script in the E-mail that opens a persistent browser windows that reads HTML mail as it is displayed on Outlook Express. This is a limited vulnerability and a patch is available.
  • Protected Store Key Length Vulnerability. A revised patch for this vulnerability in Windows 2000 is now available and should be applied. This will make your Protected Store (the place where private keys, etc. are stored) as well protected as the highest level of protection on your computer.
  • Relative Shell Path Vulnerability. The registry pointer to EXPLORER.EXE (the Windows Shell executable) is relative instead of absolute. It’s possible, therefore, at startup for a different (malicious) EXPLORER.EXE to be run if placed in the proper location. There is no patch; the solution is to make certain malicious users don’t log into the computer that needs to be absolutely protected.
  • Scriptlet Rendering Vulnerability. An Internet Explorer vulnerability allows a malicious site to perhaps read (read only) files on your computer. A patch is available that fixes this and all related vulnerabilities.
  • Service Control Manager Named Pipe Impersonation Vulnerability. By interacting with the Windows 2000 Service Control Manager a local user logged onto the machine from the keyboard could perform tasks only an administrator should be able to perform. A patch is available.
  • Telnet Server Flooding Vulnerability. The Telnet Server shipped with Windows 2000 could be subject to a remote denial of service attack. The vulnerability is limited to the Telnet Server and a patch is available.

For all of these items and more please take a look at: Link

General Interest

Backup. I just installed a second hard drive for data into my system. This leads me to the subject at hand. Because the drive was larger than my BIOS could handle the install software from the drive maker attempted to compensate by installing a BIOS extension program that could handle the larger drive. Since it is a BIOS extension that has to run before anything it has to be installed into the C: Master Boot Record. As it turns out, I also run a program called GoBack! which keeps track of what I am doing and allows me to revert changed files to older versions and even revert my entire system back to some point in time minutes, hours or days in the past (this has saved me several times!). The problem is that GoBack! must also run from the MBR. So, after the BIOS extension installation the first system start resulted in a completely dead system; no operating system (or anything else) could be found.

Fortunately, I also have a good set of backups and keep a set of rescue disks created by Norton SystemWorks handy. The rescue disk was able to restore the original Master Boot Record and get the C: drive working again and installation of a PCI bus hard disk controller card for the new drive allowed me to get that drive up and running without the BIOS extension software.

Bottom line: Keep a complete set of backups. Make them often. Also, keep a set of rescue disks (a number of utilities can create them and use them). Keep them up to date as your system changes. IT’S IMPORTANT!

Acronyms. The acronym section on the Computer Knowledge site has been static (except for the file extensions page) for some time now. This is because I have been having problems with the HTML editor I was using. I’ve recently started to cut/paste all that info into another editor and am down to three more letters to go. Hopefully, I should be done with that in a week or so and can then start adding entries I’ve been keeping in a text file. As with the file extension page, I’ll also be eventually adding URL references for further information on a number of the pages.

Please stay tuned and visit often [Link removed as section has been removed].

Virus News

Don’t forget our virus tutorial site.

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites: Link Link

Myths. The virus myths site has its own domain name now. Instead of going to simply call up: Link

This continues to be the best site for debunking virus myths and hoaxes. Go there first if you are investigating a possible hoax.

Trojans. These important new Trojans appeared recently:

  • QAZ. A backdoor Trojan that opens port 7597 to listen for remote commands. When run, the Trojan searches for all instances of NOTEPAD.EXE and renames them to NOTE.COM. The Trojan itself then copies itself to NOTEPAD.EXE. The registry is changed to cause NOTEPAD.EXE to be run at each system start. It spreads over a network by finding all instances of NOTEPAD.EXE on the network.

File Infectors. These important new file infectors have been reported recently:

  • W95/Zperm. A new metamorphic virus running under Windows. The virus mutates by inserting jump instructions throughout itself and the polymorphic engine that comes with it. It’s reported that the permutation engine is a knock-off of some of the old DOS permutation engines so there is little new here except that this virus operates under Win95/98 only. Since jump instructions are inserted throughout an infected program, infected files must be deleted and replaced from backup. (You do have a good, current backup don’t you?)

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • WM97/Bablas-AB. A Word macro virus that prevents files in Word from being closed and disallows access to the VB Editor.
  • WM97/Doeii-A. Word macro virus that contains extensive hidden comments and has a one percent chance of either displaying a message box with the text “w97.LAM by LiFEwiRE []” or replaces the document text with “LiFEwiRE2000 –” along with a password of “pietje” for the document.
  • WM97/Eight941-J. A Word macro virus that simply replicates.
  • WM97/FF-E. A Word macro virus that changes MSDOS.SYS. The effect of this is to stop Windows on the next system start.
  • WM97/FF-F. A Word macro virus that changes MSDOS.SYS. The effect of this is to stop Windows on the next system start.
  • WM97/InAdd-D (Timeless). A Word macro virus that changes the Username to “Timeless Phenomenon” and clears the setting for the ‘sTimeformat’ registry key.
  • WM97/Marker-DG. A Marker variant which functions after July 23rd. Message boxes relating to Shankar and Jananee are displayed along with different answers if you select the Yes or No option.
  • WM97/Marker-ES. This Word macro virus Marker variant attempts to send user and machine info to an FTP site. It also displays a message box on 15 August.
  • WM97/Marker-ET. Another Marker variant that basically just changes the Marker messages.
  • WM97/Marker-EU. In this Marker variant, on file close a File Summary box might appear with the author name set to Ethan Frome one out of every three times.
  • WM97/Melissa-BI. Yet another Melissa variant. The first 50 Outlook addresses are sent a message from you with the subject “A Piece of Information From <you>” and text saying “Here is some thing about EME College that you better know…”. As in the original Melissa virus, the infected document is attached.
  • WM97/Onex-E. A Word macro virus that tries to delete the file C:\WINNT\SYSTEM32\NTOSKRNL.EXE at random (1 in 75 chance each time the virus activates).
  • WM97/Panther-B. A Word macro virus named after one of its variables (HappyPanther). It varies variable names to try to avoid detection.
  • WM97/Piece-A. A macro virus reported in Europe and South America. It sends copies of itself to Outlook address book entries with the subject “A Piece of Information From [you]” and a body that references EME College. The virus has a payload that triggers on 28 May and deletes all .INI files in the Windows folder.
  • WM97/Thus-AW. A Thursday variant with no payload.
  • XM97/Adn-A. A simple Excel macro virus. The macro auto_open calls the macro ClassModulo. This copies the virus’ macros into PERSONAL.XLA which is run every time Excel starts. All opened workbooks are then infected.
  • XM97/Barisada-B. An Excel Barisada variant that stores its macros in RMC.XLS. Between 2pm and 3pm on 24 April the virus activates and displays a series of questions that resemble a role-playing game. If you can’t pass the test (the Sophos site has all the right answers) all cells in all open worksheets will be cleared.
  • XM97/Barisada-C. Another Barisada variant that stores its macros in KHM.XLS. The same payload and results as the “B” variant are in this one as well.
  • XM97/Divi-K. A Divi Excel macro virus variant that uses the file 874.XLS in the Excel template directory to infect as spreadsheets are opened or closed. The virus flags infected files to keep from reinfecting them.
  • XM97/Divi-Q. A Divi Excel variant that uses the file SCHEDULE.XLS in the Excel template directory to infect as spreadsheets are opened or closed. The virus flags infected files to keep from reinfecting them.
  • XM97/Laroux-NK. An Excel Laroux variant that calls auto_open when an infected worksheet is opened. That macro calls check_files which creates AGA.XLS in the XLSTART directory. This file infects every workbook used.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • W32/Bugfix & VBS/Bugfix. An executable file worm that arrives as an attachment to an E-mail with the subject “Microsoft Windows latest bugfix” and a filename of “BUGFIX.EXE”. If executed, all files in the Windows directory will be infected as well as all files in the mIRC download directory if one exists. The EXE files drops a VBS script that is used to send the executable to entries in the Outlook address book.
  • VBS/Kak.B. A minor Kak variant that spreads by exploiting a security hole in Outlook Express (for which there is a patch: Link). The worm is activated when E-mail is read; no action other than reading the infected message need be taken by the user (the worm is in the Outlook Express-generated signature). It can be found in either E-mail or newsgroup postings. This variant changes variable and function names, drops the file DAY.HTA instead of KAK.HTA, drops DAYS.HTA in the Windows help folder instead of a random name in the Windows system folder, backs up AUTOEXEC.BAT to DAYS.DAY, creates DAY.REG instead of KAK.REG, and points the signature to C:\WINDOWS\COMMAND\DEFAULT.HTM. At later than 5PM on the 11th of any month the payload triggers.
  • VBS/LoveLet-BA. A LoveLetter variant that comes across as an E-mail about a forwarded joke (subject: fwd: Joke). The attachment is VERY FUNNY.VBS. It targets the following extensions: VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP2, and MP3.
  • W32/Sysid. An E-mail worm sent as an attached executable file to a blank message. The name of the attachment is not set but can be any one of 99 names. If run, it copies itself to: C:\WINNT\SYSTEM32\SYSID.EXE; C:\WINNT\SYSID.EXE; C:\WINDOWS\SYSTEM\SYSID.EXE; and C:\WINDOWS\SYSID.EXE. It also sets the registry so that it is run at system start. To send itself out via Outlook Express, the worm creates, runs and deletes the script: C:\WINDOWS\SYSTEM\WINVER.VBS.

In closing: BACK UP!