Computer Knowledge Newsletter – September 2001 Issue

In This Issue:


Everything associated with the Computer Knowledge Web site and newsletter is free for your education; but bandwidth costs money. As one way to help, I’ve set up a link for voluntary payments through If you feel inclined to participate by making a payment toward CKNOW.COM upkeep please use this URL…

[Thank you. Ads now take care of the site.]

Thank you; particularly to those who have chosen to do so (I only get notice of the payments).

General Security

Drive-by Hacking. Do you have a wireless network in your home or office? If not, you may have one in the not-so-far-distant future as they are becoming quite popular because they are so convenient. But, as always, with convenience comes increased risk. Using present implementations of wireless networks, hackers have demonstrated the ability to sit outside a building and tap into the network within the building, effectively placing an Ethernet plug to the interior network on the hacker’s machine. The latest display of how to do this was at Hal2001 (HAL=Hackers at large), Europe’s biggest open-air hacking festival. Reports are that a simple experiment with a laptop, wireless card, and antenna in a car driving around London found 60% of 200 located networks were “wide open.” A week-long cruise through San Francisco netted 2,500 access points to wireless networks. With a more sensitive directional antenna one might have access over a kilometer or more. So, if you use a wireless network, at a minimum encrypt the traffic, even if you take no other action!

Lebanese Loop. The latest ATM scam physically steals your card and tricks you into keying your PIN into the machine, usually in view of another person who “captures” it. The scam is that when you place your card into an ATM machine you see a message saying the machine is temporarily out of order. Someone will then approach you and say this happened to them but if you key in your PIN and press “Cancel” twice the machine would work. Naturally, it doesn’t. And, the card is not returned. The idea here is to make you believe the card has been “swallowed” by the ATM machine. But, when you return to the bank you’ll find it wasn’t and the charges are starting to mount. How is it done? A plastic envelope which just fits the card slot is inserted into the ATM before you arrive. What you do is push your card into this envelope. The machine can sense the card but not read it, resulting in the error message. When you leave, the plastic envelope with your card inside is recovered from the ATM. The person who came up to you likely observed your PIN as you entered it (but, even if not, the card itself is valuable merchandise). Your next statement will carry a big surprise!

What’s Next? We’ve seen E-mail worms; we’ve seen Code Red for servers; what’s next? Just look to virus development. We started out with regular viruses that spread via various means. Then, when anti-virus techniques became able to easily detect the viruses the virus writers began to fight back by developing viruses that had polymorphic characteristics (polymorphic means they could change their structure in order to try to bypass scanners). As with viruses, the next worms will likely be polymorphic. The “technology” to do this was demonstrated by hacker K2 at the Las Vegas DefCon conference this year. According to experts, K2 is skilled enough to make polymorphic worms work. What does that mean for you? Simply that you will have even more incentive to practice safe hex. And, it’s just another step in the attack and countermeasure strategy relating to security.

Passport Can Be Cracked. Would you hand your credit card numbers to a stranger who “promises” to protect them? I hope not. But, that’s what many people have already done by storing their credit card numbers with the Microsoft Passport central server. This is done under the rubric of convenience. But, guess what–Passport has been cracked. It is fairly easy to break into the Passport file on the local machine (a worm could be created to do it with little effort). Once you have this information you have everything you need to access the Passport info on the central computer. Once there, all your personal information would be available. This is made worse by Microsoft’s decision to enforce what in the security world is a really bad habit: using the same login information for multiple accounts. While this is a known bad habit, Windows XP will enforce a single user name and password for all Passport-participating Web sites! While Windows XP (and NT and 2000) close a hole in Windows 9x that exposes the user name and password in memory for a period, it’s still a bad idea to have everything available under a single login and password (plus existing Win 9x systems remain vulnerable). Passport has other problems as well. See the page at Link for more information.

XP Security. Windows XP is only just now close to release but already pirated versions are being used to develop cracks. In particular, the operating system’s Activation anti-piracy protection has been the first target. Expect to see a number of updates shortly after the operating system is released.

MS Security. Microsoft has issued a number of new security bulletins this past month. Please see all current alerts at: Link

  • Access Violation in Windows 2000 IRDA Driver Can Cause System to Restart. A buffer overrun fault exists in the Windows 2000 code that interprets Infrared Data Association (IRDA) formatted commands. This could allow an attacker to “beam” a command to your computer that could exploit this fault. This could cause the computer to restart. A patch is available. For more info and the patch see: Link
  • Outlook View Control Exposes Unsafe Functionality. A previously-described vulnerability in Microsoft Outlook ActiveX View Control had an administrative workaround but no patch. A patch is now available. For more info and the patch see: Link

General Interest

Viruses/Worms Costly. It’s reported the research firm Computer Economics has come up with dollar estimates for fighting viruses and worms over the past three years. By their figures this fight cost $12.1 billion in 1999, $17.1 billion in 2000 and in the first eight months of 2001 the total is up to $10.7 billion. Included in the estimates are costs to clean infected systems, inspect equipment to determine if patches or other security fixes need to be made, plus the cost of protecting those inspected systems. Also included are moneys for “negative impact on productivity of system users, support staff, helpdesk staff, and other staff responsible for assisting internal end users, IT staff, and customers worldwide.” It strikes me as a bit strange to include the costs of inspection and patching of systems when this should be a routine task built into the overhead. Also, estimating the “negative impact on…customers worldwide” seems like an impossible task for a company to undertake. Therefore, the numbers seem on the high side. But, they do point out that there is a cost to fighting viruses and worms. Keep that in mind.

Invalid Address Trick. A chain letter is going around that basically says you can protect yourself from worms by placing an invalid E-mail address into your address book (usually a “!0000” or “0000” contact). The theory is that you will be notified when this address fails. This is generally bad advice. While it might work in a very few instances it in no way will protect you. Many worms now come with their own E-mail client and so are unaffected by a bad address. Also, not all worms send to all addresses so your bogus one just might be missed. Finally, some worms harvest other files for addresses. The best protection is a good up-to-date anti-virus program and the sense to simply say no to running attachments without knowing exactly what’s in them.

Used Computers Vulnerable. With the demise of many dot COMs there is a good deal of used equipment available at low prices. If you’ve obtained some of this equipment be very careful when setting it up. First, you must make certain the computer is free of viruses, worms, or other beasts. Second, since most of these machines were networked the users likely relied on system administrators for their security over the network. Thus, the individual computer may not have been set up in a secure manner. Also, you don’t know if all the current security patches have been applied to the computer. Finally, you may not have all the original discs that were used for the operating system and software on the system in order to do this setup. It’s often best in these circumstances to start over.

Watch Your Donations. We’re all saddened by the recent events in New York and Washington, D.C. During such times hearts and wallets open wide–and they should. But, be careful. There are already reports of scams starting up to take advantage of the situation and to take your money. The Coalition Against Unsolicited Commercial E-mail and the SpamCon Foundation have warned that fraudulent E-mails requesting donations have already been sent out. Similar requests have been noted on Internet bulletin boards.

Virus News

There are a number of new viruses described this month. They are listed below.

Don’t forget our virus tutorial site.

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites: Link Link

Trojans. These important new Trojans appeared recently:

  • Troj/Offensive. A Trojan that takes advantage of a vulnerability in the Microsoft virtual machine. This problem was first pointed out in October 2000 so you should have installed the patch that fixes it. But, in case you did not, you might be vulnerable to Troj/Offensive. The Trojan only requires you to go to a Web page (or receive an E-mail) with the JavaScript in it. It attempts to change the registry (mainly file associations) and the changes effectively make Windows unusable (programs open in Notepad and text files attempt to execute). Insults about Japan are also included in the registry. For more details about the vulnerability and patch see: Link

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • Interactions. Various viruses are created by the combination of two other viruses. These are listed here: WM97/Hope-AD; WM97/Myna-AW
  • OF97/Jerk-J. A Jerk MS Office macro virus variant. It attempts to infect both Word and Excel files but its Excel code does not work properly so infected Excel files don’t spread the virus.
  • WM97/CopyMe-A. A Word macro virus. It infects by either inserting itself into an existing ‘Document_Open’ routine or, if not found, creating its own infecting routine. The virus basically infects and spreads.
  • WM97/Ethan-EJ. An Ethan variant that uses the file C:\ETHA.___ to replicate. The virus activates on document close when there is a 30% chance the file summary information will be changed.
  • WM97/Hope-AG. A Hope variant. It hides by removing the Tools|Macro and Tools|Options items from the menu system.
  • WM97/Hope-P. A variant of the Word macro virus Hope. It activates when the numerical day of the month equals the number of the month (e.g., the 12th of December). When activated it uses the Office Assistant to show a message containing “CheeChoong.”
  • WM97/Marker-EW/GG/GP/JG. These Marker-C variants all attempt to FTP information about you to a Codebreakers Web site. This information is also added as a comment to the end of the macro, so others who become infected from you may very well also get information about you that you may not want them to have.
  • WM97/Metys-L. A Metys variant that celebrates the birthday of someone named “Jess” on 18 December. When you click OK on the birthday message there is a chance the working document will be password protected with a random password.
  • WM97/Titch-K. A Titch variant with no payload. It uses the file C:\ARBIND2000.TMP during infection.
  • XM97/Laroux-OE. An Excel Laroux variant. There is no payload and the virus resides in NEGS.XLS in the XLSTART directory.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • VBS/Cuerpo-A. An E-mail worm with polymorphic characteristics. The arriving message either has no subject or a subject made from other messages on the sender’s computer. The attached file has a random name and a double extension with 16 spaces and the phrase “(9 Kbytes)” in it (an attempt to fool users into thinking this is the file size?). When run, the worm creates a number of .VBS and .HTML files in the System folder. It changes the IE start page to the dropped file BLANK.HTM and this points to “” It hides in the C:\Recycled folder as the file RNDMEIN.VBS and the registry is changed to run that file on system start. The worm harvests addresses from the Outlook address book as well as from any files found on local or network drives with the extensions .TXT, .NA2, .WAB, .MBX, .DBX and .DAT. While it spreads via E-mail, the worm can also be found on some Web sites. When present, IE will display a message: “Some software (ActiveX controls) on this page might be unsafe. It is recommended that you do not run it. Do you want to allow it to run?”. If allowed to run, the control will create WINSTART.BAT which, on the next system start, will drop the RNDMEIN.VBS file to start the worm. Bottom line: Don’t be too quick to click on those OK buttons!
  • W32/Allgro-A. An E-mail worm that masquerades as a “New antivirus tool.” The attached file is usually named antivirus.exe. When run it resides in the System directory as the file SETUP30.EXE. This file runs on system start. On different days of the week the beast attempts to remove either Sircam, Pretty, or Badtrans from an infected system (but may do more damage instead). It displays a message box containing: “System protected by I-Worm.Antivirus Copyright [c] 2001 by aLL3gRo” on 16 September.
  • W32/Apost-A. An E-mail worm that uses Outlook. The message implies that the attached file is being forwarded to you “As per your request!”. If run, the worm resides in the file README.EXE in the Windows directory and this file is set to run on system start. Outlook is used to mail the worm to your address book. Strangely, since most people don’t use floppy disks today, the worm also attempts to copy itself to the floppy drive (thus, announcing itself with a loud grinding noise if there is no disk in the drive). It does this on running and also after displaying a dialog box titled “Urgent!” and a large button with an “Open” label.
  • W32/CodeBlue. Another incarnation of CodeRed. Like CodeRed it uses a vulnerability in the Microsoft Internet Information Server (IIS) software. This is a known problem and a patch has been available for some time now. If you are running IIS and have not applied the patch, shame on you! It’s available at: Link and should be installed ASAP. With all the publicity this beast and all its derivatives should be dead by now [sighhh]. If you have the worm it copies its files to new hosts using TFTP. The files SVCHOST.EXE, HTTPEXT.DLL, and D.VB are copied to the C:\ directory. After infecting it sets about searching for new hosts to infect by scanning IP addresses at random (starting at the local subnet with the idea that if one machine in a subnet can be attacked because of lax management then others there might also be available for attack). This scanning process may be so intense that the machine crashes. The registry is set so SVCHOST.EXE runs at system start. The INETINSO.EXE process is also killed. A denial of service attack is executed against between 10am and 11am universal time.
  • W32/InvalidSSL. An E-mail worm that takes advantage of a news story about an invalid SSL certificate issued to people who said they were Microsoft employees but who were not. This worm warns you of the possibility of an invalid SSL certificate and says you should run the attachment to correct things. The message is said to come from [email protected]. If you run it, the worm will encrypt .EXE files in the default directory and then search for *.HT* files in your My Documents folder. It will search these for E-mail addresses and send itself out to those addresses.
  • W32/Jerrym. A worm that uses MSN Messenger to spread. It is found in the file PIC1324.EXE. It sets the registry so the worm executes on system start. It’s fairly polite in that it creates the folder C:\MESSENGER1234\BRAIN and places the file 1README.TXT into that folder. The text file contains removal instructions.
  • W32/Magistr-B. A Magistr variant that spreads via E-mail and file infections. In addition to the dual spreading mechanism it is polymorphic as well. It contains its own mail client and sends itself to others found in your address book, mailboxes, and other files on your system. The subject, body and attached filename are all random but the attached file will always have an extension of .COM, .BAT, .PIF, or .EXE.
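
Several of the worms above arrive with a random subject and body, so the attachment name is the most stable thing a mail filter can check. The following is an added example, not part of the original newsletter: a Python screen that flags the executable extensions named for Magistr-B and the space-padded double extension described for VBS/Cuerpo-A. It generalizes beyond those two entries; the extension set, the padding threshold, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

# Final extensions the worm entries name for attachments (.COM/.BAT/.PIF/.EXE),
# plus .VBS for script worms. The exact set is an assumption; tune per gateway.
RISKY_EXT = {"com", "bat", "pif", "exe", "vbs"}
PADDING = re.compile(r"\s{4,}")          # run-length threshold is an assumption
DECOY = re.compile(r"\([^)]*\)")         # e.g. a fake "(9 Kbytes)" size tag
INNER_EXT = re.compile(r"\.[A-Za-z0-9]{1,4}$")

def screen_filename(name):
    """Return the sorted reasons an attachment name looks like a worm lure."""
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.strip().lower() not in RISKY_EXT:
        return []                        # final extension is not executable
    reasons = {"executable-extension"}
    if PADDING.search(stem):
        reasons.add("whitespace-padding")    # pushes the real extension off-screen
    visible = DECOY.sub("", stem).strip()    # the part of the name the user reads
    if INNER_EXT.search(visible):
        reasons.add("double-extension")      # ".txt" is shown, ".vbs" is what runs
    return sorted(reasons)

def screen_message(raw):
    """Map each flagged attachment filename in a raw MIME message to its reasons."""
    flagged = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and screen_filename(name):
            flagged[name] = screen_filename(name)
    return flagged

# Constructed sample: the padded name follows the Cuerpo-A description; its exact
# layout, the addresses and the boundary are invented for this example.
LURE = "notes.txt" + " " * 16 + "(9 Kbytes).vbs"
SAMPLE = (
    "From: sender@example.com\nTo: user@example.com\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nsee attached\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="' + LURE + '"\n\nx\n'
    "--b1\nContent-Type: application/pdf\n"
    'Content-Disposition: attachment; filename="minutes.v2.pdf"\n\nx\n'
    "--b1--\n"
)

if __name__ == "__main__":
    for fname, why in screen_message(SAMPLE).items():
        print(repr(fname), why)
```

A name check like this only narrows what reaches the user; it complements, and does not replace, an up-to-date anti-virus scanner.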

In closing: Contact your local Red Cross if you wish to help New York and Washington recover from the recent attacks. Pray for peace.