Computer Knowledge Newsletter – August 2000 Issue

In This Issue:

General Security

Register.com Hole. The middle of June the second-largest domain name registrar, Register.com, reported a security problem where some people could have hijacked other people’s web sites. Hijacking sites is a common goal of hackers and is commonly attempted against high-profile sites. The security hole was discovered by analysis of standard referrer logs which contained complete authentication information for Register.com’s administration tool. The hole has since been fixed but it clearly shows how careful everyone has to be in the distributed environment of the Internet.

Excel Vulnerable. Another potential security problem has been found in the Excel spreadsheet program. This hole would allow an attacker to write and distribute a worksheet that, as soon as it is started, could access a previously loaded dynamic link library (DLL) file which might have most any kind of code in it. While this is a two step process (copy the DLL, then execute the XLS file), the DLL does not have to be on the local computer; if firewalls were set to allow it, it could be on any internet machine. Since this exploit is part of the worksheet itself, no scripts are needed or run. Microsoft is working on a patch.

IE 5.5. Just a short while after Microsoft released Internet Explorer 5.5 a security hole that would allow others to read files on your computer. Suggestion: Give upgrading a rest for a short while. Let the initial bugs get identified and fixed.

MS Security. Microsoft has issued a few new security bulletins this past month. Below is a summary (this is only a summary for Windows 95/98; it does not include NT–see the Microsoft web site for a complete listing):

  • “Active Setup Download” Vulnerability. This patch eliminates a vulnerability in an ActiveX control that works with Internet Explorer and allows a malicious site to download a Microsoft-signed .CAB file (installation archive) to a location that will overwrite system files.
  • “Office Script” and “IE Script” Vulnerabilities. The Office Script vulnerability basically allows script on a web page to save a remote hosted file to a visitor’s local hard drive. The IE Script vulnerability can let scripts reference a remote Access file which, then runs VBA macro code in that file to be executed on the local computer.

For all of these items and more please take a look at:

http://www.microsoft.com/security/default.aspWeb Link

General Interest

Scrap Files. A scrap file is a type of file used to transfer objects between programs on Windows computers. A scrap file can contain just about anything from simple data, to a document or spreadsheet, to an executable program. The scrap file can be named with most any extension to make it look like a benign file (e.g., .GIF, .JPG, .TXT, etc.) and then Windows adds the .SHS extension to that. In most cases, even if you have Windows set to show all file extensions, the .SHS extension will not show up after you’ve saved the file to disk (it should be visible as an attachment to an E-mail message). This can make scrap files more dangerous as they can easily appear to be something they are not just by giving the file a benign name.

Windows assigns “RUNDLL32.EXE SHSCRAP.DLL, OPENSCRAP_RUNDLL %1” to the .SHS extension by default and, when opened, Windows will unpack the scrap file and open or execute whatever is in the file. You will have no control over this once you attempt to open the scrap file.

There is really never any reason for anyone to send you a scrap file. If you ever receive one via E-mail you should delete it without attempting to open it. Tell the sender to send you the actual object instead if you think there was something useful involved. The main reason is that scrap files can easily hide code without any indication of what that code really represents so there is no guarantee the scrap file will be what you think it is.

Advanced note: The display of the .SHS extension is controlled by the following registry entry…

HKEY_CLASSES_ROOT\ShellScrap
“NeverShowExt”=””

If you want to experiment [Computer Knowledge takes no responsibility if you do!] you can either change “NeverShowExt” to “AlwaysShowExt” or simply delete the entry. Then, reboot and .SHS files should show their extension even when saved to disk.

See VBS/Stages-A under Worms below for added information.

Hacker Insurance. Counterpane (San Jose, CA) has teamed with Lloyds of London to offer “hacker insurance” in policy limits up to $10 million. The company provides a consulting service as well and, as part of the service/insurance both recommends protective measures and collects logs and monitors them. Reported costs are $20,000/year for $1 million coverage and $75,000/year for the full $10 million. Over time this sort of business is expected to increase and, in the future, it’s quite possible you might see your ISP and/or web hosting service offering a similar package.

Private Info Sold? Failed dot-com companies are being looked at by privacy watchers. It’s feared that one of the “assets” being sold to raise money by failed companies is their customer database. Of concern is the possible sale of data that was promised, in privacy statements, not to be transferred to others. Fashionmall.com, for example, specifically acquired data on Boo.com’s 350,000 customers. Toysmart even advertised the sale of customer data in The Wall Street Journal. Other companies are being more careful. CraftShop, for example, plans to sell their data but restrict its use so that the buyer must only use it under the CraftShop name (not that this helps calm privacy fears from some who consider that tactic a loophole). Expect, over time, more companies wanting to do this and you’ll likely see, in response, legislation attempting to either disallow or regulate these types of sales. In current cases, courts will likely have the final say.

High Hacking/Virus Cost. InformationWeek has produced a study that reports the world-wide cost of computer viruses and hacking to larger companies over the past year has been in the order of $1.6 trillion with $266 billion (2.5% of Gross Domestic Product) of that in the United States alone. (The study does not take into account medium/small companies nor individuals.) The majority of the costs are centered around lost productivity due to computer downtime. Worldwide, this downtime is estimated at 3.28% due to viruses or hacking. Now, do we all believe that all that time would have been “productive”? The numbers here seem a bit on the high side.

E-Signatures. A new law in the United States allows electronic signatures. Unfortunately, the form of those signatures is not specified in the law. Indeed, some speculate that as written if a telemarketer, for example, tells you to “press 1” to agree that this qualifies as an “electronic tone” and therefore would be your “signature” that binds you to whatever was said. The same would be true of a door-to-door salesman that hold up his laptop and asks you to “click OK” to sign some deal. But, in neither of these cases do you get a copy of the contract and, if one is sent later, you cannot be certain that some clause(s) have not been added. A real digital signature would have encryption components based on some sort of public key system. That’s not a requirement under the new law. Be aware and watch your back.

Extension List Improved. In local news, the Computer Knowledge list of file extensions is in the process of being both expanded and improved. New extensions have been found and are being added as they can be verified. Also, we are now adding links to the extension list so that not only do you get the name of the program that created or uses the file but you also get a link to a web site associated with that program or a link to a standard that describes the contents of the file. Please note that this is a time-consuming process so it will be ongoing for some time and, since I don’t want to break up the list into sections right now, the extra characters in the HTML file make the file quite large so give it time to load and get down to the extension you are interested in. Please bookmark:

[Moved to a new domain: http://filext.com/Web Link.]

for this often-used and handy page (it’s the page that often shows up as number one in my logs).

Virus News

Don’t forget our virus tutorial site.

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites:

http://www.sophos.com/virusinfo/analyses/Web Link
http://www.datafellows.com/virus-info/Web Link

Trojans. These important new Trojans appeared recently:

  • BAT/Simpsons. A simple batch file Trojan that is distributed in a self-extracting archive (SIMPSONS.EXE). The file icon will appear to be an install program. If executed two dialog boxes will display: in the background is a WinZIP self-extractor copyright screen, in the foreground a dialog that indicates the archive was created by a non-licensed version of WinZIP and that the archive can’t be distributed. DO NOT CLICK ON “OK” if you see these dialog boxes. If you do, the files SIMPSONS.BAT and SIMPSONS.BMP will be extracted and the batch file run. It uses the DELTREE command to delete all files and folders on C: and other drives (but will stop after it deletes the DELTREE.EXE file). The SIMPSONS.BMP file is a filler file that is not even an image. If you see the two dialogs, restart your computer and erase the archive to delete this Trojan.

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • OF97/VVac-A. Word and Excel macro virus (it’s designed to work with both but may not). There is no payload so this is likely a proof of concept virus.
  • WM97/Antiv-A. A Word macro virus that pretends to be disinfecting a document while actually infecting it. If macro module names other than “Hunter” or “ThisDocument” appear the virus indicates (in Portuguese) that the document is infected and offers to remove the virus. If told to, the virus then removes the existing macro and adds “Hunter” which is it’s own infection.
  • WM97/Class-EX. A Class Word macro virus that tells you that you are “a big stupid jerk” on the 14th of June through December.
  • WM97/Ethan-CZ. A Word macro virus that 50% of the time will display a Summary box titled “R’Sink – 2000” on document close. Not very widespread but can coexist with other Word viruses.
  • WM97/Fs-Q. A simple replicate-only Word macro virus. It replicates in most double-byte versions of Word (except Japanese). Not very widespread.
  • WM97/Marker-AL. A Marker variant that modifies the Word caption to “Happy Birthday Shankar-25 July. The world may Forget but not me” between 20 and 31 October. It then asks a question and displays different responses based on your answer.
  • WM97/Marker-EF. Another Marker variant. This one tries to delete all .DOC and .DOT files in the Office startup folder when a document is closed. It also changes some Word identification settings (Username, Userinitials, and Useraddress).
  • WM97/Marker-EQ. Another Marker variant. With this one there is a 33% chance of the document properties being changed to reflect Ethan Frome as the title (author and keywords are also changed).
  • WM97/Marker-ER. Another Marker variant that looks for Wednesday and, on document close, changes the case of all letters.
  • WM97/Melissa-G. Another Melissa variant that “deletes” MS Explorer drive icons by editing the registry.
  • WM97/Metys-D. A Word macro virus that plays a game about matching numbers between one and nine when activated. If you win, nothing happens; if you lose, the virus added “YOU LOSE!” to the start of the current document.
  • WM97/Opey-AE. A Word macro virus that, on 22nd of any month, changes the AUTOEXEC.BAT file to show a message on system restart. The working document will also have its properties changed to show “Young Kim” as the author and the UserName will also be changed to Young Kim. The virus also changes the menu to try to hide itself.
  • WM97/Rendra-A. French text is displayed in a message box between 3 April and 10 May with the Word macro virus.
  • WM97/Sherlock-A. A Word macro virus that changes the Word title bar to “sherl0ck on the move”, the registered user’s name to “sherl0ck”, the user’s address to “[email protected]”, and the user’s initials to “Bad”.
  • WM97/Surround-B. A Word macro virus that beeps on the 21st of any month.
  • WM97/Thursd-AB. A Thursday variant that picks a random disk file and copies itself to that file’s name but with .DOC added. It also corrupts a random file on the disk.
  • WM97/Thursd-AI. A Thursday variant that attempts to erase the C: drive on 13 December.
  • WM97/Thursd-AJ. A Thursday variant that simply replicates.
  • WM97/Touchme-A. A Word macro virus that starts Office Assistant on 5 March, 8 August, and 22 December. It displays “ReYoKh Team Labs mengucapkan Selamat Ulang Tahun !!!” while deleting all files in the Word start-up path.
  • XM/Totaler-B. An Excel macro virus that tries to delete all C-drive files on the 11th of May, September, November, and 29 October. It further displays: “The NHS Fat Cow Has Just Trashed Your Hardisk.”
  • XM97/Divi-N. An Excel macro virus that creates HR223.XLS in Excel’s template folder. It infects spreadsheets as they are opened or closed and adds the flag IVID to indicate it has already infected the file.
  • XM97/Divi-O. An Excel macro virus that creates 874.XLS in Excel’s template folder. It infects spreadsheets as they are opened or closed and adds the flag IVID to indicate it has already infected the file.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • VBS/Cod-A (Crayon of Doom). A combined Outlook and mIRC/PIRCH IRC chat client worm. Via E-mail, the worm has the subject “Hey whats up, Important!” and the body tells you to look at the attached list in the file PORNLIST.DOC, a Word document. Open the DOC file and you see a GIF file icon. Click on the icon and a VBS file is saved to your hard disk and run. The VBS file is the heart of the worm. It copies itself to all drives, checks for C:\MIRC or C:\PIRCH98 and, if found, writes an INI file into the directory that then tries to send PORNLIST.DOC to other chat users. Finally, the worm changes the registry and both WIN.INI and SYSTEM.INI to make certain it runs on each system start.
  • VBS/Jer-A. A buggy script worm that tries to use both Outlook and mIRC to spread but only the mIRC method appears to work. The script itself is in an HTML file and requires the user to run it from the web page.
  • VBS/Stages-A. An E-mail worm that spreads via Outlook and mIRC or Pirch IRC chat. E-mail copies are sent (once only) via the Outlook address book and subjects are constructed from the following list of terms: “Fw:”, “Life Stages”, “Funny”, “Jokes”, and ” text”. The message itself may contain “The male and female stages of life.” The attachment (the worm itself) is in a file named LIFE_STAGES.TXT.SHS (again, like many before it, note the double extension–the problem is that the .SHS extension may not show up even if your system is set to show all extensions). This is the first worm known to use the scrap file (SHS) file type to send its code (see “Scrap File” article elsewhere). When run, the worm creates and displays the file LIFE_STAGES.TXT containing humorous text about seduction lines used by people at various ages in their life (e.g., 17: My parents are away for the weekend and 66: My second wife is dead). The worm then creates the file SCANREG.VBS with its code and sets the registry so SCANREG.VBS runs at each startup. It also moves the program REGEDIT.EXE to the recycled directory and changes its name to RECYCLED.VXD (this is an attempt to keep you from editing the registry to remove the worm). The default icon for .SHS files will also be reset to the default icon for text files and .SHS not shown.
  • VBS/Pica. A simple worm that appears to have been created using some sort of kit that allows kit users to specify a different subject, body, and attachment name. It uses both Outlook and mIRC to spread. Because of the kit nature this worm could appear in many variants with the same structure (at least five now at the time of this writing).
  • WIN32/Pikachu. A worm with an .EXE file (PIKACHUPOKEMON.EXE) attachment. The subject is “Pikachu Pokemon”. The body of the message directs you to the official Pokemon site (http://www.pikachu.com/) and suggests the .EXE file is a program that contains a Pokemon message. If run, the .EXE file sends a message to addresses in your Outlook address book and then replaces the AUTOEXEC.BAT file with one that will delete the Windows and Windows\System directory on the next restart. A message: “Between millions of people around the world i found you. Don’t forget to remember this day every time MY FRIEND” is also displayed.

In closing: Best of the summer season to all.