In This Issue:
- WebTV Infected
- Aureate Hysteria
- GoHip
- SalesGate
- New DoS Software
- Porn Filters Cracked
- MS Security (Clip Art Buffer Overrun; DOS Device in Path Name; SQL Query Abuse)
- Trojans (Troj/Mine; Troj/Trinoo)
- File Infectors (W32/Melting; W32/Shoerec)
- Macro Viruses (WM97/Bablas-K; WM97/Blaster-A; WM97/Ethan-BY; WM97/Lenni-A; WM97/Marker-BT; WM97/Marker-CQ; WM97/Marker-U; WM97/Michael-B; WM97/Seliuq-A; WM97/Temp29-A; XM97/Laroux-BK; XM97/Laroux-DZ; XM97/Laroux-MF)
- Worms (VBS/Kakworm-B; VBS/Network; W32/Funtime; WM97/Melissa-AB; WM97/Melissa-AM; WM97/Melissa-AO)
Administrivia
Electronic Books. The newest E-book released is:
The Time Machine by H.G. Wells
If interested, the E-books can be found via links from:
[Sorry, E-books have been removed.]
Enjoy!
General Security
WebTV Infected. At press time C|Net is reporting that WebTV has been infected by a self-replicating program that affects its message boards and newsgroups. The “Flood Virus,” as it’s being called, affects the E-mail system and causes extraneous messages to be sent out from an infected user’s account, making it look like the user is sending the messages, à la the Melissa virus/worm. Microsoft, owner of WebTV, is reporting the problem is more of a hack than a virus; this is disputed by others. The problem only affects WebTV equipment. So far, the code appears to come in via a change in a user’s signature file; the best way to avoid the problem is to open and examine that file, looking for items you did not put there. For more info…
[Story removed.]
Aureate Hysteria. In some Usenet newsgroups this past month we saw quite a bit of hysteria about a company named Aureate. The hysteria centered on the fact that Aureate serves advertising from the internet while certain programs are running on your system. No big deal there, except that Aureate’s implementation leaves traces of itself running even when you are not connected and, if the program using Aureate’s technology does not do a proper uninstall, that part of their software can be left running on your system even after the uninstall. Well, software that stays and runs after a presumed uninstall is a prime candidate for an attack of internet hysteria. True to form in such things, the hysteria started with postings that could not be traced back to individuals and, even so, quickly spread from there as these postings were taken as true. The theory was that since the program was running when it “should not have been” it therefore must be doing something bad; and, since it’s a program that connects to the internet, this “bad” thing was sending info about you to Aureate.
The bottom line is that while Aureate and the programs that use the latest version of their ad-serving technology (prior versions don’t have the problem) have not been particularly careful (Aureate for allowing its software to run regardless and programs for not uninstalling it when they uninstall), there is no evidence that anything unexpected is being done by the Aureate software. I expect Aureate to change its technology in the near future and, even if they don’t, there are programs to remove it already under development.
GoHip. Finjan Software, a security firm, has issued an alert regarding a video browser from GoHip.com. They say an ActiveX control that comes with the browser changes your PC, including adding their signature to all outgoing E-mail. The GoHip site is also made your home page. The changes are easy to reverse and are listed in the fine print of the agreement you click on when you install the software. While this instance of such behavior is not particularly dangerous, it demonstrates what is possible with the way Windows is set up. Other software may not tell you in advance what it is doing.
How do you avoid problems like that? The way I like to do it is to wait a while before downloading or running any new software. By waiting, two purposes are served: you let others find the major errors the maker’s testing process missed, and you let others find the odd behaviors the software may exhibit. Of course, this implies you keep up with the various information sources relating to the software.
SalesGate. The commerce site SalesGate.com is the latest to have to notify customers that their credit card database has been attacked and portions stolen. They have notified affected customers and the cards have been canceled with the credit card companies. Additionally, SalesGate has promised to refund any bogus charges.
New DoS Software. A new version of the Trinoo program, one of the programs implicated in the recent distributed denial of service attacks, has been released by a group of anonymous programmers. The new version apparently makes attacks “easier” to initiate. The new version can install itself into Windows NT, 95, and 98 systems, making it more dangerous in that people running these operating systems are even less likely to have good security than a network running UNIX with an administrator in charge of security. Anti-virus software companies are developing tools to look for this new software; be certain to keep your programs up to date.
Porn Filters Cracked. Apparently, the filter program Cyber Patrol now has a crack available that allows the filter program to be bypassed. Basically, the crack program reveals the parent’s password. For more info…
[Story removed.]
MS Security. Microsoft has issued a few new security bulletins this past month. Below is a summary (this is only a summary for Windows 95/98; it does not include NT, so see the Microsoft web site for a complete listing):
- Clip Art Buffer Overrun. Microsoft’s Clip Art Gallery has a live download function that allows users to obtain additional clip art from the web. Under certain circumstances a field in the CIL file being obtained can contain an overly long entry and overrun its buffer. This could cause the program to crash or allow execution of hostile code.
- DOS Device in Path Name. DOS device names can’t be used for folder or file names. However, DOS only checks for a single instance of such a name in a path. If the name occurs multiple times in a path and the folder or file is accessed, a crash will usually happen. Remote web sites can create links that attempt to access such names and could potentially crash the operating system.
- SQL Query Abuse. Argument validation is incomplete on some remote SQL statements. This could allow a user to obtain privileges that are not theirs, or even additional privileges on the operating system itself.
For all of these items and more please take a look at:
http://www.microsoft.com/security/default.asp
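A defensive check for the DOS device name problem described above, added here as an example and not taken from the newsletter or from Microsoft: a small Python validator that a web application or link handler could run on user-supplied paths. It goes a step further than the single-instance check the bulletin describes, rejecting a reserved device name in any path component, repeated or not, and with or without an extension (Windows treats CON.txt as the CON device).

```python
import re

# Classic reserved DOS/Windows device names (the list itself is the well-known
# set; it is assembled here for the example, not copied from the page).
DOS_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
               | {f"COM{i}" for i in range(1, 10)}
               | {f"LPT{i}" for i in range(1, 10)})


def reserved_components(path: str) -> list:
    """Return every component of `path` that names a DOS device.

    The bulletin notes the OS checks only for a single occurrence; this
    check flags every occurrence, so C:\\con\\con yields two hits.
    """
    # Accept file:// URLs and both separators; drop a leading drive letter.
    stripped = re.sub(r"^file:/*", "", path, flags=re.IGNORECASE)
    stripped = re.sub(r"^[A-Za-z]:", "", stripped)
    hits = []
    for component in re.split(r"[\\/]+", stripped):
        if not component:
            continue
        # Everything after the first dot is an extension and does not
        # change the device-name interpretation (CON.txt is still CON).
        base = component.split(".", 1)[0].strip().upper()
        if base in DOS_DEVICES:
            hits.append(component)
    return hits


def is_safe_path(path: str) -> bool:
    """True when no component of the path is a reserved device name."""
    return not reserved_components(path)


if __name__ == "__main__":
    # Constructed sample inputs, including the doubled form the bulletin describes.
    for sample in (r"C:\con\con", "file:///c:/nul/nul", r"C:\Windows\notepad.exe"):
        print(sample, "->", "rejected" if not is_safe_path(sample) else "ok")
```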
Virus News
Don’t forget our virus tutorial site.
Trojans. These important new Trojans appeared recently:
- Troj/Mine. An AOL password-stealing Trojan that also interferes with WinZip and Windows’ regedit along with the Windows shutdown process. Like most Trojans today, this one can often be found attached to an E-mail enticing you to run the program for one reason or another, usually associated with unzipping something. For more info…
http://www.sophos.com/virusinfo/analyses/trojmine.html
- Troj/Trinoo. A Trojan that allows remote users to access your computer and use it in distributed denial of service attacks. See the related story in this issue and…
http://www.sophos.com/virusinfo/analyses/trojtrinoo.html
File Infectors. These important new file infectors have been reported recently:
- W32/Melting. Basically, this virus infects by changing EXE file extensions to BIN and substituting itself for the EXE file. The payload sends the virus to others in your Outlook address book under the guise of the file being a “fantastic screensaver.” For more info…
http://www.sophos.com/virusinfo/analyses/w32melting.html
- W32/Shoerec. An infection usually spread via an animated boxing file (BOXING.EXE, FUN.EXE, and NOSTRESS.EXE are some names of infected files). The virus does its thing behind a boxing animation. Files to be infected are based on a random selection of the first character in the file name and the payload causes your desktop icons to run away from the mouse pointer. Some files are also deleted. For more info…
http://www.sophos.com/virusinfo/analyses/w32shoerec.html
Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:
- WM97/Bablas-K. The virus attempts to get you to remove macro modules not part of itself from your document. For more info…
http://www.sophos.com/virusinfo/analyses/wm97bablask.html
- WM97/Blaster-A. A macro virus that changes the computer’s AUTOEXEC.BAT file on the 17th of any month. The change attempts to delete all files on your hard drives on the next boot. For more info…
http://www.sophos.com/virusinfo/analyses/wm97blastera.html
- WM97/Ethan-BY. An Ethan variant that periodically shows a summary box with the title Ethan Frome when you close a document. For more info…
http://www.sophos.com/virusinfo/analyses/wm97ethanby.html
- WM97/Lenni-A. This virus attempts to format the C: drive if the year is 2000. On certain dates during the year it also displays a message box. For more info…
http://www.sophos.com/virusinfo/analyses/wm97lennia.html
- WM97/Marker-BT. A macro virus that drops files of the form XYZ#.txt (# is a number) into the current directory. For more info…
http://www.sophos.com/virusinfo/analyses/wm97markerbt.html
- WM97/Marker-CQ. The virus attempts to create 999999991 infected document copies in C:\WINDOWS after June 2000. For more info…
http://www.sophos.com/virusinfo/analyses/wm97markercq.html
- WM97/Marker-CU. This Marker-R variant activates between 15 and 30 September when it asks a question. If you answer “yes” it says you are sexy; if you answer “no” it attempts to disconnect you from any network. For more info…
http://www.sophos.com/virusinfo/analyses/wm97markercu.html
- WM97/Michael-B. A macro virus that hijacks the Office Assistant to display one of 21 random messages. On a Friday after the 23rd of the month the virus will also try to print a document that purports to be the resume of the virus author along with a threat. For more info…
http://www.sophos.com/virusinfo/analyses/wm97michaelb.html
- WM97/Seliuq-A. A macro virus that replicates using the Visual Basic Code Module Aquiles (note that the virus’ name is the module’s name reversed). For more info…
http://www.sophos.com/virusinfo/analyses/wm97seliuqa.html
- WM97/Temp29-A. A replicator that only works in small documents. For more info…
http://www.sophos.com/virusinfo/analyses/wm97temp29a.html
- XM97/Laroux-BK. A replicating variant of the basic Laroux Excel macro virus. Every workbook opened is infected after the virus first runs. For more info…
http://www.sophos.com/virusinfo/analyses/xm97larouxbk.html
- XM97/Laroux-DZ. A replicating variant of the basic Laroux Excel macro virus. Every workbook opened is infected after the virus first runs. For more info…
http://www.sophos.com/virusinfo/analyses/xm97larouxdz.html
- XM97/Laroux-MF. A replicating variant of the basic Laroux Excel macro virus. Every workbook opened is infected after the virus first runs. For more info…
http://www.sophos.com/virusinfo/analyses/xm97larouxmf.html
Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:
- VBS/Kakworm-B. A worm that exploits vulnerabilities in MS Internet Explorer and Outlook. The Microsoft site has full information and a patch that you should apply to your system…
[Link 404]
- VBS/Network. A worm that spreads but has no destructive payload. Its chances of even spreading are low because of the method it uses. Basically, it generates a random IP address and then attempts connections to that address and to a range of addresses around it. If a machine is found, the worm looks for a share named “C”. If found, it is mapped to drive “J” and the worm attempts to copy itself to several directories on this mapped drive. For the worm to be executed on the target machine, it must have copied itself into the correct startup directory. There is a small chance of all this happening correctly.
- W32/Funtime. A distributed denial of service program for Windows. The Trojan is installed by physically planting it on the target or through use of a backdoor Trojan. Funtime bombards specific server ports at a programmed date and time. You can find Funtime by searching for an entry in the registry that contains the text “funtimeNT.hta” or “funtime95.hta”.
- WM97/Melissa-AB. A macro virus and worm variant of the original Melissa plus several other Word macro viruses. On document close after 23 December the virus asks a question, then forwards itself in the current document to 15 addresses in your address book. On other dates, it displays other messages. It further messes with Word menus on document open. For more info…
http://www.sophos.com/virusinfo/analyses/wm97melissaab.html
- WM97/Melissa-AM. A macro virus and worm variant of the original Melissa. In addition to sending itself via an infected Word document, this variant sends info about you and your system to several E-mail addresses. For more info…
http://www.sophos.com/virusinfo/analyses/wm97melissaam.html
- WM97/Melissa-AO. Another Melissa variant that sends itself to 50 people in your address book and does other things on the 10th hour of the 10th day of each month. For more info…
http://www.sophos.com/virusinfo/analyses/wm97melissaao.html
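The registry search suggested for W32/Funtime above, written out as an added example that is not from the newsletter or from any anti-virus vendor: a small Python scanner over a regedit export (.reg) file that reports every key and value whose data contains either indicator string. The sample export embedded below is constructed for the example and is not a real capture.

```python
import re

# Indicator strings quoted in the W32/Funtime item above.
FUNTIME_INDICATORS = ("funtimeNT.hta", "funtime95.hta")

# Constructed sample of a regedit export; the Run entry is made up for the demo.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Update"="wscript.exe C:\\WINDOWS\\SYSTEM\\FunTime95.hta"

[HKEY_CURRENT_USER\Software\Example]
@="nothing to see"
"Path"=hex(2):43,00,3a,00,5c,00,00,00
'''


def parse_reg_export(text):
    """Yield (key, value_name, data) for each value line in a .reg export.

    String values ("name"="data") are unescaped; other types (hex, dword)
    are passed through as raw text so a substring match still applies.
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # section header = registry key path
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        yield key, name, data


def find_indicators(text, indicators=FUNTIME_INDICATORS):
    """Return (key, value_name, data, indicator) for every match.

    Matching is case-insensitive because Windows file names are."""
    hits = []
    for key, name, data in parse_reg_export(text):
        for ind in indicators:
            if ind.lower() in data.lower() or ind.lower() in name.lower():
                hits.append((key, name, data, ind))
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG):
        print("Suspicious entry:", hit)
```

On a real machine you would export the hives with regedit and feed the resulting file to `find_indicators`; any hit names the key and value to inspect and clean.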
In closing: More viruses than normal this period. It’s ever more important that you keep your anti-virus software up to date and make certain you have a current emergency boot disk for restarting your system should it become infected.