Computer Knowledge Newsletter – December 2000 Issue

In This Issue:

  • 809
  • Attacks
  • MS Security
  • Spam
  • Nigerian Scams
  • Web Site Info
  • Macro Viruses (Variants; WM97/Afeto-A; WM97/Bobo-H; WM97/Ethan-DO; WM97/Metys-E; WM97/Shore-D; WM97/Thus-BF; XM97/Fusion-A; XM97/Slacker-B)
  • Worms (VBS/Forgotten-A; VBS/Jean-A; VBS/Kakworm-E; VBS/LoveLet-CA; VBS/Season; W32/Bymer-A; W32/Hybris-B, C, and D; W32/Music; W32/Navidad; W32/Navidad-B; W32/Prolin; W32/Verona; W32/Verona-B; Win32/Xtc)


Computer Knowledge now has a web store for T-shirts and mugs. Please take a look at our store at:

[Sorry, the store is gone for lack of interest.]

Thank you.

General Security

809. Toll free area codes are quickly expanding beyond the traditional “800” numbers. This expansion can sometimes be confusing to those not paying attention. For example, one of the scams circulating consists of an urgent message relating to clearing up a bill/account or some other urgent matter. To clear up the matter (or take advantage of the offer) one is given a phone number to call. The number might start with area code “809” and thus sound like a toll free number. In fact, 809 is the area code for the Dominican Republic and there are very few rules about pricing there. When you call one of these numbers you will be taken through an extensive phone menu recording system that keeps you on the line for several minutes or more. Then, when you get the bill you find you’ve been charged up to $25 per minute for that call.

Protect yourself. If you receive such a message and you insist on returning the call, before calling find out where the call will be going at a minimum. One good site for this is: Link

Click on the “Code Lists” link (top left as this is written) and then select the list you want to see (the “non-US” list is good for a quick check to see if you’ll be calling into an area where the rules may not be in your favor).

Attacks. Attacks against computers are fairly well endemic on the internet these days. It’s important, for that reason, that you be protected by both anti-virus software and some sort of personal firewall. I use BlackIce Defender (protects incoming only) but others are available; some free. Let’s look at my system as just one example. I’m on the internet via a dial-up link so the IP address changes each time I’m logged on. I’m connected various times that total maybe two hours on an average day (give or take a few minutes and assuming no major downloads or uploads). Looking at my BlackIce logs for the period between 1 September 2000 and 30 November 2000 (three months) I find:

36 identifiable attacks divided up as follows–

  • 19 NetBIOS probes (a well-known attack vehicle)
  • 5 SubSeven probes (looks for SubSeven Trojan)
  • 5 UDP probes (looking for a particular open port)
  • 3 TCP fingerprint probes (looking for ways in)
  • 1 IRC probe (looking for this service)
  • 1 NetBus probe (looks for NetBus Trojan)
  • 1 RPC probe (looking for this known service)
  • 1 SNMP probe (looking for this service)

And, remember, this is for a dial-up account that changes IP addresses and is only connected on average a couple of cumulative hours a day. If you have an “always on” broadband link of some kind (e.g., cable modem or DSL connection) you are considerably more at risk.

MS Security. Microsoft has issued a a number of new security bulletins this past month. Their alerts are no longer in a format convenient to summarize and so won’t be included in the newsletter any longer. Please see all current alerts at: Link

General Interest

Spam. Spam continues to be a large problem to many and, sadly, many providers have largely given up on helping users get protection from unwanted mailings. And, mailers are finding ways around spam blocks that are put up. Plus, because bandwidth is increasing, some spammers think nothing about sending much larger files. The problem is, however, that not all users have the luxury of high speed lines and unlimited connection times. Non-US users, for example, may very well have to pay for connect time by the minute. Others might use a Cybercafé and have to pay by the hour with the added complication of needing to tote files back and forth on floppy disk. One reader, for example, relates a story about signing up with [name changed to keep from being sued], receiving a 90K newsletter each week on a restricted use account, and having unsubscribe requests ignored. This reader even asked for to be blocked (the request was granted by the reader’s mailbox redirection provider). To add insult to injury, however, in this case it appears that somehow was able to bypass the original mailbox provider’s block and the reader had to set up a second block in order to keep from receiving the large and unwanted newsletters. For myself, I simply delete spam; mostly unread (and even unopened when it’s obviously spam). If, however, you have some form of restricted or pay-by-the-hour service you may have to take more aggressive actions. Some anti-spam sites that can help are: Link Link Link Link Link Link

Nigerian Scams. In case you have not gotten your copy yet, the “Nigerian scam” letters have made it to E-mail and are circulating. There are several varieties of this scam, but mainly the thrust is that there is money available in Nigeria that must be moved out of Nigeria with your help. All you have to do is provide bank account information for the transfer and the person contacting you will share the money with you (percentages vary). Don’t fall for it. There is no free money and many greedy people have fallen for this scam and lost money. A good summary of the various scams can be found at: Link

Web Site Info. Many people, for various reasons, will place personal information onto generally-available Web pages. If you do this, take care since this information can be archived (and often is) so when you remove it there is never a guarantee the information will not be floating around in cyberspace for a very long time. In particular, never post information that can aid others in identity theft. This would include your birthday, home address, and (often overlooked in family trees) your mother’s maiden name. The latter is often used as a password at banks. Indeed, I’ve seen some merchant sites insist on mother’s maiden name as part of their purchase database. What they get from me is a “web mother’s maiden name;” never the real thing. So long as I remember when to use which name, doing that has never come back to bite me.

Virus News

Don’t forget our virus tutorial site.

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites: Link Link

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • Variants. A number of minor variants of existing macro viruses were announced. These include: WM97/Marker-FX, WM97/Metys-D, WM97/Metys-F, WM/97/Metys-J, WM97/Thus-AD, XM97/Laroux-EH.
  • WM97/Afeto-A. A Word macro virus that only works in Word 2000. It spreads via Outlook mail and sends itself to most entries in the Sent box (from which it also takes its subject and message body). The virus inserts a 50K or less random JPG file it finds on your system into the E-mail before sending. Because information in your Sent box is used the worm may very well send out confidential information to others.
  • WM97/Bobo-H. A Bobo variant that removes spaces from the text of the active document.
  • WM97/Ethan-DO. An Ethan variant that can result in double infections with other viruses. When started there is a 33% chance of a summary box popping up with “Ethan Frome” as the title.
  • WM97/Metys-E. A Metys-D variant that displays a message box on 1 Sept. The message wishes “Jess” a happy birthday and says it wants to play a game.
  • WM97/Shore-D. The Word virus changes various styles and protects its code with the password “cool13”. It also displays a message in the title bar for a short time after opening or closing a document and places a template file OFFEE*.DOT in the clipart folder.
  • WM97/Thus-BF. A Thus variant the produces runtime errors when activated but none-the-less successfully spreads.
  • XM97/Fusion-A. An Excel macro virus that tries to “clean up” several other viruses by deleting HJB.XLS, 874.XLS and KHM.XLS from XLSTART (if there). It then creates its own infection file (FUSION.XLS) in that same folder.
  • XM97/Slacker-B. An Excel macro virus that tries to delete the files on the C: drive.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • VBS/Forgotten-A. A Visual Basic worm that uses Outlook. The transmitting message has no attachments and usually has the subject “RE: Financing.” A VBScript in the message performs all the actions of the worm (so you’ll see an error message about needing ActiveX enabled if your security settings won’t let scripts run automatically). If the script runs you will see the message “YOU WILL NOT FORGET THIS MOMENT, NEVER!” and have the file VB1.COM.VBS placed into the System directory, then run. This script creates worm-infected E-mails that are sent to your Outlook address book. Further, all VBS files found on all active local and network drives are overwritten with this worm. And, if PIRCH or mIRC clients are found the worm will also send itself to other users via those links.
  • VBS/Jean-A. A VB Script worm that sends itself to 50 entries in our Outlook Address Book. The subject and text of the message are in German and basically talk about shopping tips from Father Christmas. The attached file (often XMAS.VBS) is the worm.
  • VBS/Kakworm-E. A Kak variant. A Microsoft Security Bulletin (MS99-032) announced a patch for Outlook Express that prevents this worm from operating. Please download and install it if you have not as yet! (See the MS Security topic earlier in this newsletter.)
  • VBS/LoveLet-CA. A Love Letter variant. It sends itself as an attachment to addresses in your Outlook address book. The message subject either references FBI Secrets, WWW.2600.COM, or a random string of six characters.
  • VBS/Season. A VBScript worm that launches message boxes that talk about an important message from Bill Gates and indicates one should read the file IMPORTANTMESSAGE.TXT on the desktop. This file continues the illusion of a Bill Gates message. However, the following files are also dropped: C:\WINDOWS\IMPORTANT.TXT.VBS, C:\IMPORTANT.TXT.VBS, C:\WINDOWS\SYSTEM\IMPORTANT.TXT.VBS, and C:\MYDOCUMENTS\IMPORTANT.TXT.VBS (the .VBS extension may be hidden on some systems). The worm also overwrites SCRIPT.INI if mIRC is installed so that the worm also spreads via this channel. The worm also attempts to copy itself to a floppy on system boot (via the VBS file C:\WINDOWS\START MENU\PROGRAMS\STARTUP\SPREADBYADRIVE.TXT.VBS). And, the worm changes AUTOEXEC.BAT to display the Bill Gates message and then delete files with the following extensions .TXT, .MP3, .BMP, .JPG, .GIF, .ZIP, .EXE and .WAV in the C:\MYDOCU~1 folder on system start.
  • W32/Bymer-A. A worm that looks for open file shares to propagate. It looks for random IP addresses and if in finds a machine with a share named “C” (i.e., the C drive is set for file sharing) it copies files to the Windows and System folders. The worm may also change WIN.INI so that it runs on system boot.
  • W32/Hybris-B, C, and D. A worm built in component form for easy upgrading over the Internet. Components are encrypted. The worm affects WSOCK32.DLL. For each E-mail sent, the worm attempts to send itself in a second message to the same address. When sent, the worm is encrypted in different ways as an attempt to defeat scanners. The message text varies with the installed components and is controlled by the language setting in the computer. It generally refers to “Snow White” however. The original upgrade site for the worm has been shut down but the address the worm uses is in a component that could be upgraded. Further, worm plug-ins can be obtain through the worm monitoring postings to the Usenet group alt.comp.virus and can obtain these plug-ins from encrypted messages in the newsgroup [and, as an aside, is flooding that newsgroup because of postings from infected people around the world!]. For alternate spreading, the worm looks in all .ZIP and .RAR archive files. When .EXE files are found they are renamed to .EX$ and the original filename replaced with a copy of the worm. As a payload, the worm displays a large animated spiral. This happens on 24 Sept of any year or at minute 59 of any hour during 2001.
  • W32/Music. An E-mail worm that, when run, starts to play Christmas music and show a Christmas cartoon. Meanwhile, the worm is attempting to update itself over the Internet and send itself to mail addresses found in your Outlook address book. The worm can be in MUSIC.COM, MUSIC.EXE, or MUSIC.ZIP (and, of course, variants could be named anything). Variants include W32/Music-D and W32/Music-E.
  • W32/Navidad. An E-mail worm with the extension NAVIDAD.EXE. The attachment displays a dialog showing “UI” and then tries to read new E-mails and send itself to addresses found there. The worm also copies itself to WINSVRC.VXD in the System folder and causes it to run on system start. It can also be found in the system tray and displays a Spanish Christmas greeting if run.
  • W32/Navidad-B. A Navidad variant. The attachment is a file named EMANUEL.EXE. When run, the program displays a dialog box with a smiley inside. It copies itself to the System folder under the name WINTASK.EXE and makes that file execute on boot. It also installs itself into the system tray with various texts about Emmanuel and God should the icon be clicked. It spreads by reading new E-mail and sending itself to the senders.
  • W32/Prolin. A worm that uses Outlook. It says it’s “A great Shockwave flash movie” in the subject. The attached file is named CREATIVE.EXE. If run, it copies itself to the C-drive root directory and the Windows Startup directory. It then sends itself to your Outlook address book plus a message to a address. The worm finds files with .MP3, .JPG, and .ZIP extensions. It appends the text “change at least now to Linux” to the end of the extension and moves the file to the C-drive root directory (without changing the file contents). The worm is polite in that it also creates the file C:\MESSAGEFORU.TXT which has a complete list of all moved files. Reading this document allows you to rename and move the affected files back to their original locations.
  • W32/Verona. An E-mail worm with two attached files: MYJULIET.CHM and MYROMEO.EXE. Attachments are saved to the Windows temporary directory. A script in the E-mail body runs the .CHM file which, in turn through the Windows Help browser, runs the .EXE file. The .EXE file tries to forward itself to your Outlook Address Book. The subject for each message is selected from a list of 12 different subjects embedded in the file.
  • W32/Verona-B. The “B” variant of Verona uses one of 18 SMTP servers to send itself. It also copies itself to C:\WINDOWS\SYSRNJ.EXE and creates a new filetype, RNJFILE, in the registry. Various file types are then registered such that the worm runs when one of the file types is clicked on. The types are: EXE, JPG, JPEG, JPE, BMP, GIF, AVI, MPG, MPEG, WMF, WMA, WMV, MP3, MP2, VQF, DOC, XLS, ZIP, RAR, LHA, ARJ and REG. The worm uses an Outlook vulnerability that has been patched. Be certain to apply all current patches.
  • Win32/Xtc. A worm that spreads through E-mail and network drive sharing. The arriving E-mail appears to be from [email protected] and says it’s an AVX update notification. The attachment is supposed to be a small AntiVirus eXpert (AVX) program. When run, the worm copies itself to the Windows folder as SERVICES.EXE and defines that to run on system boot. The worm also connects itself to other computers via IRC (chat). The worm also replicates over a LAN if the LAN uses file shares. The infecting file is named TASKMGR.EXE and might be placed into one of the following directories: C:\WINDOWS, C:\WINNT, C:\WIN95, C:\WIN98, C:\WIN2000, C:\WIN2K, or C:\WINME.

In closing: Happy Holidays to all and the best in the New Year.