Computer Knowledge Newsletter – April 2002 Issue

In This Issue:

Administrivia

The world of the future will revolve around software. If you’ve wanted to write software but could not get started, consider this E-book: “Software Secrets Exposed!” — “The Ultimate How-To Guide for Building Your Own Software Empire” by Ben Prater. The book does not teach you a specific programming language but it does teach you program design and subsequent marketing techniques. Take the link here to get to the book’s site (you’ll be redirected). Be advised in advance, the writing style is pure hype but the techniques outlined in the book are valid and useful.

[No longer supported]

General Security

Printer Attacks. Just when you thought everything that could be attacked was identified we now have attacks on printers! Newer LaserJet printers connect to a JetDirect card in the computer and listen for commands on port 9100. So, all one has to do is attack port 9100 with printer commands and you can intercept data coming from programs on the computer and/or send offending things to the printer. But, that’s just a single printer attached via a card. In a more general sense any network-connected device could be vulnerable. So, consider that you might need protections for your copier, fax, or that nifty all-in-one device you just bought to replace all those things. You can test all the network ports with a tool at http://www.insecure.org/nmap/Web Link. Protection may mean upgrading firmware or just limiting access (maybe with a password).

MS Security. Microsoft has issued a a number of new security bulletins this past month. Please see all current alerts at:

http://www.microsoft.com/security/default.aspWeb Link

  • 04 March 2002 Cumulative VM Update. http://www.microsoft.com/technet/security/bulletin/MS02-013.mspxWeb Link There are a couple of security vulnerabilities in the Microsoft version of their virtual machine (what they call Java). This cumulative update eliminates all past vulnerabilities and these new ones and prevent a malicious Java applet from redirecting traffic from a proxy server to a location of its choice and potentially hijack your Internet session. The other flaw is a buffer overrun problem that could allow malicious applets to run.
  • 28 March 2002 Cumulative Patch for Internet Explorer. http://www.microsoft.com/technet/security/bulletin/MS02-015.mspxWeb Link If you have not updated past vulnerabilities here is your opportunity to do it all at once. This cumulative patch includes all previous patches as well as eliminating two new vulnerabilities. These two involved the inappropriate running of scripts in cookies and the handling of object tags. A must have!

General Interest

Favors. A great many lessons were learned from the events of 11 September last year but one, reported in the Eta Kappa Nu Bridge, just has to be passed on. Since the Word Trade Center housed a number of broadcast antennas when the buildings collapsed the broadcasters had to find new locations for their antennas. One spot that WNBC found was a 425-foot tower in Alpine, N.J. The tower was originally constructed by “Major” E. Howard Armstrong. Armstrong was the inventor of FM transmission. He and RCA fought a bitter patent battle for some 20 years over the technology as RCA had invented a competing system (Armstrong committed suicide in 1954 over the fight). Do you see the irony here? NBC was RCA’s network and now NBC has to lease space on the very tower that Armstrong built for his experiments. While both NBC and the tower now have different owners you can see that you just never know who you’ll have to ask a favor of in the future. So, don’t burn all the bridges!

Report Piracy. The Federation Against Software Theft (FAST) has a new and quick way to report software piracy: a browser plug-in. The plug-in adds an icon to your IE window. While browsing, if you come upon a site that houses pirated material you press the icon. The plug-in reports the location back to FAST and takes a “snapshot” of the site for evidence. You can have the plug-in report to FAST with or without your name attached. The FAST site is [Link removed].

Yahoo! Spam. If you have a Yahoo! account they you probably know that you just “signed up” for spam (OK, not by that name, but “special offers” from business partners is the same thing). How? Yahoo! changed their privacy policy. This is becoming common; vendors will change their privacy policy and expect you to know they did so. To change your preferences in Yahoo! go to [Link removed] and login. Set you preferences and don’t forget the boxes that say “Do not contact me via postal address” and “Do not contact me via telephone.”

E-mail Cookies. Yet another reason to stay with plain ASCII text E-mail is the fact that spammers have started to place cookies into HTML E-mail. These cookies will often be set in order to track your E-mail address as it moves around the Web. This gives the marketers information about your habits you may not want them to have (or you may not care). Just be aware that it is happening and can be easily defeated if you stick to ASCII mail or E-mail readers that don’t process scripts.

Virtual Input. New technology is coming that just might replace the single hardware element that has remained relatively constant from the start of personal computing: the keyboard. A virtual keyboard (a laser-generated image of a keyboard on any surface) is about to be introduced by VKB Inc. Stay tuned as this could make the computer really portable; particularly if coupled with a virtual display that projects a large image into your eye.

Virus News

There are a number of new viruses described this month. They are listed below.

Here’s what we might learn from these various attacks:

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • No Payload. The following viruses have been observed but generally carry no payload: XM97/Tris-A, WM97/Titch-L
  • WM97/Marker-KQ. A Marker variant which triggers when a document is opened and again when the document is closed. The opening trigger activates between 23 and 31 July. It displays the question “Do you love mr occonor?”. When a document is closed between the same dates the application title is changed to “bob oconnor certainly is gay and does practice brown love” and the question “Did You shag mr occonnor?” is displayed. Different message display on either a “yes” or “no” answer. The document propertiesare also changed by the virus.
  • WM97/Marker-KS. A Marker-C variant that simply tries to FTP user information to the Codebreakers site on document close. This same information is added to the end of the document.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • W32/Aplore-A. An Outlook E-mail worm. It comes in a blank message with the attachment PSECURE20X-CGI-INSTALL.VERSION6.01.BIN.HX.COM. If run it copies itself twice to the Windows System directory, once as the above file name and a second time as EXPLORER.EXE. The registry is changed to run the worm on system start. The script EMAIL.VBS is dropped by the worm and used to send itself to the Outlook address book. Additionally, the worm contains its own HTTP server which runs in the background. The file INDEX.HTML is dropped by the worm and used as the home page for this server which listens on port 8180. An IRC client in the worm attempts to join one of several channels programmed into the worm. If successful it sends a message with a link back to its own HTTP server on your machine. Anyone trying to connect to that server receives the INDEX.HTML page mentioned above.
  • W32/Caric-A. An E-mail worm with the subject “bill caricature” a body that tells you the attached file is “vvvery verrrry ffffunny” and the attached file CARI.SCR. If run the worm will display a cartoon of a man with a “Bill” badge playing a saxophone. Meanwhile it sends itself to the Outlook address book and saves itself to the Windows System folder as CARI.SCR with the registry changed to run the file on system start.
  • W32/Cervivec-A. An E-mail worm with the Subject taken from one of: Vtip, Witz, blague, Joke, Zart, or Chiste. The message body is likewise taken from a selection encoded into the worm. The attached file is WORMS.ZIP. There is an executable file in the archive that, if run, displays a message box telling you to “Press restart button to close this application.” When OK is clicked the screen is covered with a worm pattern. Meanwhile, the worm copies itself to the Windows System32 folder as NTKRNL.EXE and the registry is set to run the file on system start. Each system start will cause the worm to mail itself to everyone in an ICQ contact list.
  • W32/MyLife-C. An E-mail worm that arrives with the subject “The List” and a body that indicates the attached “Notepad” is something “you asked for”. The message body ends with a notice that MCAFEE.COM found no viruses. The attached file is LIST.TXT.SCR. If run, the worm copies itself with that file name to the Windows System directory and sets the registry to run it on system start. When run, the worm displays a false error message about “Notepad.dll”, and sends itself to the Outlook address book.
  • W32/MyLife-D. An E-mail worm that arrives with the subject “New Screen Saver” and a body that indicates the attached “Screen Saver” is something “vvvery verrrry ffffunny”. The message body ends with a notice that MCAFEE.COM found no viruses. The attached file is SCREEN.SCR. If run, the worm copies itself with that file name to the Windows System directory and sets the registry to run it on system start. When run, the worm displays a false error message about “Error 1452544 File Not Found”, and sends itself to the Outlook address book.
  • W32/MyLife-E. An E-mail worm that arrives with the subject “sexxxyyy Screen Saver” and a body that indicates the attached “Screen Saver” is something “vvvery verrrry ffffunny”. The message body ends with a notice that MCAFEE.COM found no viruses. The attached file is SCREEN.SCR. If run, the worm copies itself with that file name to the Windows System directory and sets the registry to run it on system start. When run, the worm displays a false error message about “Error 1452544 File Not Found”, and sends itself to the Outlook address book. (Note, the message may vary for this version but the general character is the same.)
  • W32/MyLife-F. An E-mail worm that arrives with the subject “the list” and a body that indicates the attached “notepad” is something “vvvery verrrry ffffunny”. The message body ends with a notice that MCAFEE.COM found no viruses. The attached file is LIST480.TXT.SCR. If run, the worm copies itself with that file name to the Windows System directory and sets the registry to run it on system start. When run, the worm displays a false error message about “Notepad.dll”, and sends itself to the Outlook address book.
  • W32/MyLife-G. An E-mail worm that arrives with the subject “ox <–> sharon” and a body that indicates the attached “ox caricature” is “very sad”. The message body ends with a notice that “Attachments are automatically scanned for viruses using MCAFEE.COM” and that no viruses were found. The attached file is OX&WIFE.SCR. If run, the worm copies itself with that file name to the Windows System directory and sets the registry to run it on system start. When run, the worm displays mixed case messages, sends itself to the Outlook address book, and then attempts to delete everything on drives C: through I:.
  • W32/MyLife-H. A MyLife variant that arrives with the subject “peeeeeep” and a body that indicates the attached “movi peeeeeep” is “very ffffunny”. The message body ends with a notice that no viruses were found by MCAFEE.COM. The attached file is PEEEEEP.MPEG.SCR. If run, the worm copies itself with that file name to the root directory. The worm sends itself to the Outlook address book and MSN Messenger contact list.
  • W32/MyLife-J. A MyLife variant that arrives with the subject “sexyy Screen Saver” and a body that indicates the attached “screen saver” is “very funny”. The attached file is USA.SCR. If run, the worm copies itself with that file name and SH.SCR to the Windows System directory and sets the registry to run it on system start. When run, the worm displays mixed case messages, sends itself to the Outlook address book, and then attempts to delete everything on drive C:.
  • W32/Porkis-A. An E-mail worm with an Italian subject (one of three encoded into the worm) and an Italian body. The attached file is either BAR.EXE, PIPPO.EXE, or PORKIS.EXE. If run, a quiz in Italian displays. Meanwhile the work copies itself to the Windows folder as DLLMGR.EXE and the registry is changed to run that file on system start. An Italian message box will display on 6 September. The worm will generally fail on non-Italian versions of Windows.
  • W32/Yaha-B. An E-mail worm that arrives in a message with a subject that either talks about a friendship-joke screen saver or simply wishes you a nice day. The body of the message has many of the characteristics of a spam message (which is good since you’re more likely to immediately delete it :-)). It says it’s not unsolicited and has unsubscribe information. Unlike spam, this E-mail has the attachment FRIENDS.SCR. If you do run the file the worm will copy itself twice to the C:\RECYCLED directory. The first copy has a root name of five random characters with an .EXE extension. The second copy adds an “F” to the end of the root name. The registry is changed to run the worm on system start. In general, the worm appears to actually be a screen saver; it does its job in the background. The worm harvests mail addresses from the Windows Address Book and any HTML files found on your system and sends itself to these addresses. The worm additionally attempts to send SMS messages to phone numbers at BPLMOBILE.COM. The IE start page will also be changed to one of seven addresses programmed into the worm. Finally, a text file with the name of the worm file in the Recycled directory is dropped into the Windows directory.

In closing: Have I mentioned backing up lately? No? Well, then, BACKUP!