Computer Knowledge Newsletter – December 2001 Issue

In This Issue:


Computer Knowledge had a DOS tutorial and electronic books for download. Due to lack of accesses these items have been removed.

New acronyms/definitions added to CKNOW.COM this past month:

  • [Removed. CKnow no longer catalogs acronyms/definitions]

General Security

Wireless Networks. The latest and greatest thing to buy these days is a wireless network for home or office. I’m even considering one. The problem, however, is that most of these networks come with little or no hacking protection. Anyone can drive along the street with a receiver and connect directly into your network. One report indicates that a car tour of Belgium resulted in 263 wireless networks being discovered with the ability to directly log into 85% of these. The two main problems are the power of the main transmitter (it’s often far more powerful than needed) and the lack of any sort of encryption of network data. Paying attention to both of these can result in greatly enhanced security for a wireless network.

MS Security. Microsoft has issued a a number of new security bulletins this past month. Please see all current alerts at: Link

  • Windows Media Player .ASF Processor Contains Unchecked Buffer. The handler for Advanced Streaming Format has an unchecked buffer in Windows Media Player 6.4. An attack could overrun the buffer and either run adverse code or cause the system to fail. There is a patch which eliminates this and other vulnerabilities. For more info: Link
  • Cumulative Patch for IE (13 December 2001). If you have not updated your Internet Explorer 5.5 or 6 (the only versions Microsoft supports now) previously, now is the time to do so. This patch eliminates all prior security vulnerabilities plus three new ones…
    • A flaw in the handling of HTML header fields where it’s possible to make IE think an executable file is a data file and run it automatically without asking first.
    • A flaw that allows a Web site to open two browser windows (one showing your local computer’s files) and pass information between them. This allows the Web site to read (but not change) files on your computer.
    • A flaw that allows an attacker to fool you into accepting an unsafe file from what you assume is a trusted source.

    For more info: Link

General Interest

SSSCA. A proposed law in the United States is being called the Security Systems Standards and Certification Act (SSSCA). This law would basically extend the Digital Millennium Copyright Act (DMCA) to hardware devices. The new requirement would be that all future digital devices include built-in anti-piracy technology. This proposed law is being supported by a few large media organizations and few others who have looked at the initial drafts. It requires “certified security technologies” in a wide range of devices. As most who have looked at digital security know, this will basically lock most users out of the rights they now have to copy things between devices for personal use yet, as most also know, such locks will only work for average users; those who are determined to copy will quickly find a way to do so. Essentially, the proposed SSSCA is trying to do with legislation what should be done with innovative marketing; it should be fought at every turn. Sen. Fritz Hollings, D-S.C. is the reported sponsor. With everything that’s been going on lately it’s unlikely to come to the floor this year; but keep a watch. These things can sneak up to bite you.

Identity Theft. There are a number of resources you should consult if you suspect identity theft. First, place a fraud alert on your credit account at all three of the major credit reporting agencies:

Basically, what you want is to require the agencies to call you before issuing any credit information. But, you also want to get a credit report from each at least every six months since sometimes these requests fall through the cracks. Also, don’t ask for a fraud alert unless you really do suspect fraud. Calling for one with no evidence could get you into trouble instead.

Some other Web sites to look at include:

and, finally, the Federal Trade Commission has information and takes complaints at:

California Halts Info Sale. In a related story…in early December California halted the sale of birth and death records to companies who published the information on the Internet. As you might expect, this information could easily be used to obtain just tidbits as mother’s maiden name and other data that could make it relatively easy to steal identities. Unfortunately, the sale is only stopped for 45 days. Let’s hope sanity prevails and the ban continues beyond that period.

Rumor. Rumor has it that Microsoft is going to take a stab at entering the anti-virus software market with a product of their own (instead of licensing someone else’s product as they did once before). The suspicious among you must have to wonder why they would want to do that. Theories abound but the one I like best is that they are doing so in order to wrap this protection into the operating system. Once that is done they’ll begin sending updates to the protection to your computer on a regular basis–automatically. In the process, they’ll likely make it part of their .NET strategy and force a Passport account on you. Now they’re set; they have you expecting, indeed demanding, regular communications from them and have your personal information. But, that’s all rumor…

Goner Authors Caught. Four teens (age 15 and 16) were arrested in Israel for writing and spreading the Goner worm (see below). Under Israeli law the teens could be put into jail for up to five years. They were tracked down and found via network logs in Israel and it’s reported they have confessed.

Virus News

There are a number of new viruses described this month. They are listed below.

Don’t forget our virus tutorial site.

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites: Link Link

Trojans. These important new Trojans appeared recently:

  • Troj/PWS-AV. A keystroke logging Trojan that is dropped by the W32/Badtrans-B worm.

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • Variants. The following variants have been observed but generally carry no payload: WM97/Ethan-EN
  • WM97/Footer-Fam. A family of Word macro viruses that either insert or overwrite a footer in the document. The documents full path/filename is inserted. The virus resides in the files C:\FOOTPRINT.$$$ and C:\FOOTPRINT.$$1. The virus knows to infect a document only once by setting a custom property.
  • WM97/Marker-JX. A Marker variant that created JON.HTML in the Windows folder. IE is configured to use the file. All .DOC and .DOT files in the Word startup directory are deleted. Ownership of Word is changed to JonMMx 2000.
  • WM97/Marker-JZ. A corrupted Marker-C variant that attempts to FTP data from your system to the Codebreakers Web site on document close.
  • WM97/Marker-KA. A Marker family member. When activated, it places two files onto your system: \Windows\EMAILME.HTML and \Windows\System\OEMINFO.INI. Word user info is changed to a combination of letters and numbers. The Windows registered owner is also changed to: “Hi! It’s Me!” Depending on the date, one of four different messages will be shown on document open:
    • 1 to 9 Jan: “HAPPY NEW YEAR…”
    • 27 Feb: “Happy Birthday Honey…”
    • 8 Jun: “Today Is My Birthday! …”
    • 15 Dec: “Happy Birthday, Son…”.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • W32/Badtrans-B. An E-mail MAPI worm that arrives in a message with no text and an embedded file attachment. The subject is “Re:” and the return address starts with an underscore. The attachment filename varies randomly from a list in the worm. If run, it installs as the file KERNEL32.EXE and changes the registry so this file is run at system start. The file KDLL.DLL is also dropped and run at system start. This is the password-stealing Trojan Troj/PWS-AV. [Note: I *really* wish people would learn not to run attachments; I’ve gotten so many of these beasts addressed to my “webmaster@” addresses, mostly, I’ve lost count. Sighhhhhh.]
  • W32/Eira-A. A worm that spreads using Outlook and MAPI by saying it is a Quake (computer game) demo. If run it resides in C:\EIRAM\QUAKE4DEMO.EXE and, if available, F:\QUAKE4DEMO.EXE (F: is usually a network drive). The registry is changed so this file runs at system start. The worm’s E-mail has one of five programmed subjects and a body composed of combinations of programmed phrases. The worm has a destructive payload that attempts to overwrite files with the extensions OCX, EXE, XLS, DOC, MDB, HTM, HTML, and TXT with an ASCII file taunting you for not protecting your system.
  • W32/Gokar-A. An E-mail work that spreads to addresses in your Outlook address book. It has a subject and body taken randomly from programmed selections in the worm body. The attachment will also be randomly named and have either BAT, COM, EXE, SCR or PIF extension. Gokar will also try to spread via mIRC. Finally, if the infected computer is running IIS that will be infected in such a way that visitors to the site will become infected on viewing the DEFAULT.HTM file. The worm sets the registry so its files run on system start.
  • W32/Goner-A. An E-mail worm with the attachment GONE.SCR, posing as a screensaver. The message subject is “Hi” and the message tries to convince you that you should run the screensaver. Goner attacks anti-virus programs by attempting to disable their active processes or creating the instructions in WININIT.INI to delete their files at the next system start. The worm also spreads via mIRC and ICQ chat systems. Appearing to be a screensaver the worm saves itself as \WINDOWS\GONE.SCR and sets the registry to run this file on system start. A bogus screensaver graphic is shown in an attempt to make you think the file is real. [The press made a big deal out of this one; I never got one that I know of.]
  • W32/Updatr-A. An E-mail worm with a variable subject and attachment name. The body asks you to save and then run the attachment. If you do it copies itself to C:\WINDOWS\UPDATE.EXE and sets the registry to run at system start. UPDATE.VBS is also put into the Startup folder. When run, the worm appears to be a file open error. The worm copies itself to files with the extension .EXE, .DOC, and .VBS; adding the extension .VBS to the original name. A message box displays on the 12th of any month.
  • W32/Zacker-A. An E-mail worm that uses Outlook to spread itself to your address book. It arrives in the file LUCKEY.EXE in an E-mail with the subject: “Your Friend <person infected’s address>… Good Luck”. If executed, it copies itself to \WINDOWS\LUCKEY.EXE and \WINDOWS\SYSTEM\DALLAH.EXE. You might also hear your A: drive spinning as it tries to write A:\MALLAIT.EXE. Finally, it uses up much of the free space on the hard disk with numbered copies of itself in various names.

In closing: Best of the holiday season to all. Pray for peace.