Computer Knowledge Newsletter - September 2000 Issue
In This Issue:
- Trinity DDoS
- Word Web Bugs
- Western Union Hacked
- MS Security (Java VM Applet Vulnerability, Local Security Policy Corruption Vulnerability, Malformed RPC Packet Vulnerability, Money Password Vulnerability, Still Image Service Privilege Escalation Vulnerability, Windows 2000 Telnet Client NTLM Authentication Vulnerability)
- Honor Virus
- Virus in Spam
- Trojans (Palm/Liberty-A)
- File Infectors (W32/Apology and Apology-B, W2K/Streams)
- Macro Viruses (OF97/Shiver-N, WM97/Macroble-A, WM97/Marker-C, WM97/Myna-X, WM97/Nagem-A, WM97/Piper-A, WM97/Verlor-I, WM97/Vmpck1-DV, XM97/Barisada-D, XM97/Divi-S, XM97/Laroux-ET/NL, XM97/Oblivion-A)
- Worms (VBS/Elva, W32/ExploreZipF, VBS/Lovelet-BD/BE/BF, W32/MTX, VBS/Quatro-A, W32/Scooter)
General Security
Trinity DDoS. A new distributed denial of service attack tool called Trinity v3 has been added to the arsenal of such tools now available. What distinguishes this tool from the others is that it uses Internet relay chat (IRC) as the attack mechanism and the tool is available to far more people as well.
Recall that DDoS agents sit dormant on compromised host computers until some trigger is sent. At that point all of the agents flood the target computer(s) at the same time, effectively shutting the target down for everyone else. In the case of Trinity the IRC channel is used both to distribute the tool and to control it: anyone with the proper password can access the channel and use the tool, and commands can be sent to individual agents or to the entire channel. Use of IRC makes the origin of the attack very hard to trace.
Trinity has been found on several hundred computers to date.
Word Web Bugs. Web bugs have once again raised the concern of some privacy groups; this time because of the ability to plant them in Word documents (and other Office files). In case you forgot, a web bug is nothing more than a remote reference attached to a non-visible 1-pixel image. When the web page (or, in this new flap, the Word document) is rendered, the embedded image is fetched from the referenced web server. When that happens, referrer information from your computer is sent along with the web request. This allows the remote site to track who is accessing the bugged web page or document and when. The technique is similar in effect to cookies.
There are any number of reasons someone might want to bug a document. One might be to add them to confidential documents to see if there are any leaks. Another might be to protect the copyright on a document. Sections of a document might be bugged to see if they are moved to other documents via cut/paste.
If you are worried about web bugs you can turn off the cookie feature in your browser, read suspect documents while not connected to the web, or install a personal firewall that detects outbound connections and blocks them.
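A defender's counterpart to the advice above is to look for the bugs before a document is opened online. The following scanner is an added example written for this newsletter issue, not code from the original page: it lists every externally hosted image in an HTML page and marks the 1-pixel or hidden ones as likely trackers, and it also reads a modern .docx relationships part for linked (not embedded) pictures, which goes beyond the Word 97/2000 binaries the newsletter discusses. The sample inputs and all host names are constructed placeholders.

```python
"""Scan HTML, or a .docx relationships part, for web bugs (tracking images).

Added example for this newsletter, not code from the original page.
The sample inputs below are constructed; every host name is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# OOXML relationship type for pictures (assumption: standard .docx layout).
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def _pixels(value):
    """Parse a width/height attribute such as '1' or '1px'; None if unusable."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the page."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def find_web_bugs(html_text, document_host):
    """Return every externally hosted image in the page, flagging likely web bugs.

    Any external image fetch leaks the reader's address and the referrer to the
    image host, so all of them are reported; tiny or hidden images are marked
    as likely trackers because they serve no visible purpose.
    """
    collector = _ImgCollector()
    collector.feed(html_text)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        host = urlparse(src).netloc.lower()
        if not host or host == document_host.lower():
            continue  # relative or same-origin image: not a third-party fetch
        width, height = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
        tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        findings.append({"src": src, "host": host, "likely_bug": tiny or hidden})
    return findings


def find_docx_external_images(rels_xml):
    """Return the targets of linked pictures in a .docx word/_rels/document.xml.rels part.

    A linked picture carries TargetMode="External", so Word fetches it from the
    network when the document is opened; an embedded one points into media/.
    """
    root = ET.fromstring(rels_xml)
    return [
        rel.get("Target")
        for rel in root
        if rel.get("Type") == IMAGE_REL and rel.get("TargetMode") == "External"
    ]


# Constructed sample page: one local logo, one banner, two tracking pixels.
SAMPLE_HTML = """<html><body>
<p>Quarterly report</p>
<img src="/images/logo.png" width="120" height="40">
<img src="http://tracker.example.invalid/pixel.gif?id=doc42" width="1" height="1">
<img src="https://cdn.example.org/banner.jpg" width="468" height="60">
<img src="http://tracker.example.invalid/p2.gif" style="display: none">
</body></html>"""

# Constructed sample relationships part: one embedded image, one linked one.
SAMPLE_RELS = """<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://tracker.example.invalid/pixel.gif?doc=42" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_HTML, "intranet.example.org"):
        flag = "LIKELY WEB BUG" if finding["likely_bug"] else "external image"
        print(f"{flag:15} {finding['src']}")
    for target in find_docx_external_images(SAMPLE_RELS):
        print("docx linked picture:", target)
```

Reading the output: the banner is reported too, because even a visible external image sends the referrer; only the two tracking pixels get the likely-bug flag. Reading the document offline, as the newsletter suggests, defeats all three.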
Western Union Hacked. Due to human error during an update, a hacker was able to steal credit and debit card information for about 15,700 customers of Western Union's Web site. The site was down for a few days and customers have been contacted via either telephone or E-mail. If you believe you were affected but have not been contacted you can call Western Union at 1-800-228-6530.
MS Security. Microsoft has issued a few new security bulletins this past month. Below is a summary (this is only a summary for Windows 95/98; it does not include NT--see the Microsoft web site for a complete listing):
- Java VM Applet Vulnerability. A security problem with the Microsoft Java Virtual Machine that ships with IE could allow a web site operator to masquerade as a visitor and visit other sites using the visitor's identity and relay information back to the malicious operator's site. A patch is available and if you browse with Java turned on you should apply the patch.
- Local Security Policy Corruption Vulnerability. Windows 2000 users who have not upgraded with Service Pack 1 are at risk for malicious users disrupting operation of a computer and possibly the entire network it's connected to. It's important that you apply this Service Pack update.
- Malformed RPC Packet Vulnerability. A vulnerability in the Windows 2000 Server has been found that would allow a denial of service attack when a malformed Remote Procedure Call packet is sent to the server. A patch is available.
- Money Password Vulnerability. Microsoft Money 2000/2001 has a vulnerability that could allow the password to your data file to be written in plain text. The problem only exists for local access, not through on-line services. Users should control physical access to the directory Money files are stored in.
- Still Image Service Privilege Escalation Vulnerability. An unchecked buffer in the Still Image Service of Windows 2000 could allow a local user to obtain permissions equal to the program (LocalSystem). A patch is available.
- Windows 2000 Telnet Client NTLM Authentication Vulnerability. A vulnerability in the Windows 2000 telnet client could allow a malicious user to obtain coded logon information from another user. A patch is available. It should be obtained and applied; particularly if you log in as an Administrator often.
For all of these items and more please take a look at:
Virus News
Don't forget our virus tutorial site.
More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites:
http://www.sophos.com/virusinfo/analyses/
http://www.datafellows.com/virus-info/
Honor Virus. Here's the latest that's supposed to be circulating via E-mail. It's clearly a hoax, but these days one has to wonder how many have actually erased their disks! The E-mail comes from "A Friend" with the subject "Honor Virus". The text is:
The message you are now reading contains no hidden attachments or anything other than the text you see here. It is a computer virus sent to you on the Honor System. Please delete all files on your hard drive and forward this message to everyone you know.
Virus in Spam. You need to keep your anti-virus software up to date and active. During this month the Kak Worm appeared in one of the many spam messages I get. Fortunately, Norton intercepted it and, even if it had not, it would not have worked with my Eudora mail program. But it pays to keep everything up to date. You just never know when something like this will pop up in your E-mail box. For more info on Kak see its description in the Virus Tutorial.
Trojans. These important new Trojans appeared recently:
- Palm/Liberty-A. This is the first Trojan developed for the Palm PDA. Called Liberty, it was developed by Aaron Ardiri, the co-developer of the Palm Game Boy emulator Liberty. The Trojan was written as an uninstall program and was distributed to a few people to help foil those who would steal the actual software. Ardiri has helped contain its spread.
File Infectors. These important new file infectors have been reported recently:
- W32/Apology and Apology-B. A file infector with worm and backdoor payloads. The virus replaces WSOCK32.DLL with a version that works but also monitors network traffic. When you send E-mail the virus will send a second message to the same address. Attached to that blank E-mail will be a file with one of a variety of names. The file is the virus. If you attempt to send mail to a known anti-virus company address the virus will try to block that mail. The virus' backdoor attempts to obtain new components from the web.
- W2K/Streams. A new virus type that exploits the stream file characteristics of the NT and Windows 2000 NT File System. This is a proof of concept virus that has not been seen in the wild. For a more detailed discussion of ADS-type viruses please see that page in the Virus Tutorial.
Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:
- OF97/Shiver-N. A Shiver variant that infects Word documents and Excel spreadsheets. If infected, you'll see message boxes containing "Shiver[DDE] by ALT-F11".
- WM97/Macroble-A. A Word macro virus that inserts text into documents when they are printed.
- WM97/Marker-C. A Marker variant that, on document close, collects summary info about the current document and sends it via FTP to the Codebreakers site.
- WM97/Myna-X. A Myna Word macro virus variant. The virus looks for the string "MYNAMEISVIRUS" to determine if it's already active and infects if not. It also turns off the Microsoft virus protection warning in Word (Tools|Options|General).
- WM97/Nagem-A. A Word macro virus that password protects documents with the password "password" after the 20th day of any month.
- WM97/Piper-A. A Word macro virus that animates the Office Assistant on file operations.
- WM97/Verlor-I. A Verlor variant that uses stealth to hide itself when you open the Word Visual Basic Editor. On opening the editor the virus will disinfect the Word NORMAL template and all open documents. A record of this is placed into C:\HIMEM.SYS so the virus knows what to reinfect later. The files OVERLORD.B.VBS and OVERLORD.B.DLL (actually the virus code in ASCII) are created in the Windows directory and WIN.INI is changed to run the VBS file on reboot. On reboot, the VBS reinfects all disinfected files. The virus also changes your computer's registered name to "the Overlord".
- WM97/Vmpck1-DV. A Word macro virus that tries to relabel the C: drive and 10% of the time replaces "il" with "il cazzo duro" in the document.
- XM97/Barisada-D. An Excel Barisada variant without the message box payload. Virus macros are in KHM.XLS.
- XM97/Divi-S. An Excel macro virus that infects on open or close from the file 874.XLS in the template directory. A flag called IVID plus a hex number is added as a signal variable to each worksheet infected.
- XM97/Laroux-ET. Another Laroux Excel macro virus variant. AUTO_OPEN calls CHECK_FILES, which creates the infected file PERSONAL.XLS in XLSTART. This file infects all future opened workbooks.
- XM97/Laroux-NL. A Laroux Excel variant. In this case the file created in XLSTART is RESULTS.XLS.
- XM97/Oblivion-A. An Excel macro virus. As written, the virus will not replicate in versions lower than Office 97 (version 8). It will, however, continue to be detected in downconverted files. AUTO_OPEN calls KILL. This creates the infected file ACF.XLS in XLSTART. This file infects all future opened workbooks.
Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:
- VBS/Elva. A VBS worm and Word macro virus combined. It arrives via E-mail with the subject "BIRTHDAY CARD !!!" and a body that reads "Hello Jo, Happy birthday ELVA forever. This I made birthday card for you. Please open it and I hope you like." The worm itself is in a file called "CARD.HTA". The worm copies itself to FS.VBS and FS.VBE in the System directory, then sets the system to run FS.VBS on each reboot. The registry is changed so that the "vbsfile" handler is applied to all files with the extensions ".JS, .JSE, .GIF, .JPG, .MP3, .WSH, .WSF, .WSC, .SHS and .SCT". This causes the scripting engine to run whenever any of these files is opened, and the worm does this because it also overwrites files with these extensions with copies of itself. The worm also infects NORMAL.DOT and checks every 10 days to see that the infection is still there. That infection starts the VBS component every three days. The worm is also a source code infector in that it inserts its code at the start of any files with the extensions .HT? or .ASP. This could cause clients connecting to these files to become infected.
- W32/ExploreZipF. A variant of the basic ExploreZip worm that uses Outlook (and other MAPI-compliant mail clients) to spread itself. When run, the worm looks for unread mail in the Inbox and sends a message in reply to each. The message basically tells the sender you got their mail and that they should, in the meantime, look at the attached file (ZIPPED_FILES.EXE, the worm itself). If run, the worm pretends the file cannot be executed while copying itself into the System directory as EXPLORE.EXE. WIN.INI is changed to make that file run at each system start. The payload reduces files with the extensions ASM, CPP, DOC, XLS, C, H and PPT on any accessible drive to zero length.
- VBS/Lovelet-BD. A LoveLetter variant. The worm is in the message attachment: RESUME.TXT.VBS. The message comes with the single word subject "contract" and no text in the message body. If run, the worm sends itself out (once only; a registry entry tells the worm if it's attacked a particular machine before) via the Outlook Address Book and then creates and displays (using Notepad) what appears to be a resume (so it looks like you only clicked on the RESUME.TXT portion of the name). In the background a Trojan is then downloaded and also run. The Trojan (HCHECK.EXE) collects network passwords and sends them out by E-mail.
- VBS/Lovelet-BE. Another LoveLetter variant. The worm is in the message attachment: JOKE.VBS. There is no message text and the subject is "fwd: Joke". The worm checks for WINFAT32.EXE and, if not found, sets the registry so IE attempts to download WIN-BUGSFIX.EXE on its next start. The registry is set to run this file on next system boot. The worm sends itself to all Address Book entries. It also attempts to drop an HTM file and searches for all files with the extensions JS, ZIP, CSS, DOC, XLS, or HTM. If found, the files are overwritten by the worm and extension changed to VBS. JPG (JPEG) files are also overwritten but have VBS added to their original full name. MP3 files are also affected. The worm also attempts to spread itself via mIRC.
- VBS/Lovelet-BF. Yet another LoveLetter variant. The subject with this one is "True Story...." and the message contains "My-Linong...." The worm is in the file MYLINONG.TXT.SHS, a scrap object with embedded VisualBasic script. The script first makes registry changes and displays "0" in a message box. On second execution the script tries to create 600 directories named "LINING I LOVE YOU MY FOLDER". It then tries to send itself to addresses in your Address Book but has problems doing so. A week later it tries to undo everything it did.
- W32/MTX. A combination worm, virus and Trojan. When an infected file is executed the virus portion infects other executables in the Windows directory. It then drops the worm portion twice, as IE_PACK.EXE and WIN32.DLL. The Trojan portion is also then dropped into the Windows directory as MTX_.EXE. This file is set in the registry to run on every system boot. Now the stage is set. When the Trojan runs it attempts to download and run other malicious programs. It then launches the worm portion, which creates a modified version of WSOCK32.DLL that replaces the real file on the next system restart. With that done, the modified WSOCK32.DLL monitors the network datastream. If E-mail is detected the modified driver attempts to place the virus as an attachment to a copy of the E-mail message (but fails in this version due to a bug). Further monitoring causes the driver to crash if you attempt to access (via HTTP or E-mail) a known anti-virus site.
- VBS/Quatro-A. A VBS worm that poses as an Internet Explorer 5.5 update utility. It arrives attached to an E-mail with a message in French about updating IE to version 5.5. The attached file is called UPDATE.VBS. If run it will actually try to find E-mail addresses in TXT, WAB, HTM and HTML files and use Outlook to mail itself to those addresses. The worm also looks for the file C:\13A0.txt and attempts to delete all files on the computer if not found.
- W32/Scooter. Arrives as a file attached to an E-mail with the subject "Faster.. harder.. your PC will run like a scooter!" The file will be named *.exe where the "*" is a random combination of letters from "a" to "j". If run, the worm drops an mIRC script.ini file if mIRC is detected. It also drops a VBS file which causes Outlook to send the virus to the first 90 entries in the address book; then deletes itself. Finally, the worm, if it finds a player, plays the MP3 audio file "Faster.. harder.. scooter..".
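Several of the items above persist the same way: a run= line in WIN.INI (W32/ExploreZipF, WM97/Verlor-I), a Run key in the registry pointing at a script (VBS/Elva, VBS/Lovelet-BE, W32/MTX), or a script handler bound to extensions that are not scripts at all (VBS/Elva's "vbsfile" on .GIF, .JPG, .MP3 and so on). The checker below is an added example written for this issue, not code from the newsletter or from any vendor: it parses a WIN.INI and a .reg export and reports those three indicators. The sample WIN.INI and .reg text are constructed, the file paths in them are placeholders, and the ProgID-to-extension table assumes the default Windows Script Host registrations.

```python
"""Check a WIN.INI and a .reg export for the persistence and file-association
tricks described in this issue: run=/load= lines, Run-key values that launch a
script, and script handlers bound to non-script extensions.

Added example, not code from the newsletter; the sample inputs are constructed.
"""
import re

# Windows Script Host ProgIDs and the extension each one legitimately owns
# (assumption: default Windows 98/2000 registrations).
SCRIPT_PROGIDS = {
    "vbsfile": ".vbs", "vbefile": ".vbe", "jsfile": ".js",
    "jsefile": ".jse", "wshfile": ".wsh", "wsffile": ".wsf",
}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf", ".hta")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|Services)?$", re.IGNORECASE)


def parse_ini_like(text):
    """Parse INI or .reg text into {section: {name: value}} (names lower-cased).

    Handles the .reg conventions: '@' is the default value, names and string
    values are double-quoted, and backslashes inside strings are doubled.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.strip().strip('"').lower()
        value = value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\")
        sections[current][name] = value
    return sections


def find_extension_hijacks(reg):
    """Return (extension, progid) pairs where a non-script extension is handled
    by a Windows Script Host ProgID, the trick VBS/Elva plays on .GIF and friends."""
    hits = []
    for section, values in reg.items():
        if not section.upper().startswith("HKEY_CLASSES_ROOT\\."):
            continue
        ext = section.split("\\", 1)[1].lower()
        progid = values.get("@", "").lower()
        if progid in SCRIPT_PROGIDS and SCRIPT_PROGIDS[progid] != ext:
            hits.append((ext, progid))
    return hits


def find_autostart_scripts(reg, win_ini):
    """Return autostart entries worth a look: every non-empty run=/load= line in
    [windows] of WIN.INI, plus Run/RunOnce/RunServices values that launch a script."""
    hits = []
    for key in ("run", "load"):
        cmd = win_ini.get("windows", {}).get(key, "")
        if cmd:
            hits.append(("WIN.INI " + key, cmd))
    for section, values in reg.items():
        if not RUN_KEY.search(section):
            continue
        for name, cmd in values.items():
            if cmd.lower().rstrip('"').endswith(SCRIPT_EXTENSIONS):
                hits.append((section + "\\" + name, cmd))
    return hits


# Constructed WIN.INI: run= points at a file in the System directory (placeholder path).
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\EXPLORE.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed .reg export: .gif and .mp3 rebound to vbsfile, a Run value launching a VBS.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.vbs]
@="VBSFile"

[HKEY_CLASSES_ROOT\.gif]
@="vbsfile"

[HKEY_CLASSES_ROOT\.jpg]
@="jpegfile"

[HKEY_CLASSES_ROOT\.mp3]
@="vbsfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"fs"="C:\\WINDOWS\\SYSTEM\\FS.VBS"
"""

if __name__ == "__main__":
    reg = parse_ini_like(SAMPLE_REG)
    for ext, progid in find_extension_hijacks(reg):
        print(f"extension {ext} is handled by script ProgID {progid}")
    for where, cmd in find_autostart_scripts(reg, parse_ini_like(SAMPLE_WIN_INI)):
        print(f"autostart via {where}: {cmd}")
```

The .vbs entry is not reported because vbsfile is the handler it is supposed to have; only extensions that should never reach the scripting engine are flagged. The SysTray.Exe value is left alone as well, since the Run-key check only singles out script launches; a real review would still read the whole list by hand.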
In closing: Stay healthy.
Last Changed: Tuesday, January 31, 2006
