Computer Knowledge Newsletter – November 1999 Issue

In This Issue:

Virus News

Virus Tutorial. Well, I’ve finally done it: I’ve moved the virus tutorial onto the web. In the process it’s been updated somewhat but there are still some shortcomings I’ll be working on over time (particularly in the area of macro viruses) and some design issues I want to address. But, the bulk of the tutorial is in place along with a PDF download version.

Bubbleboy. This beast has gotten lots of press play over the last week or so. Despite this I decided not to include it on the “current” page because the beast has not yet been found in the wild and, if you’ve been following the advice here and keeping your anti-virus software up to date along with installing all the security patches for Windows and Internet Explorer you are safe from it. (There are web sites attempting to use the Bubbleboy code but there has been no Melissa-like outbreak.)

Bubbleboy is a new concept worm that basically takes advantage of a known security hole in the components of Outlook and Internet Explorer (and any other program that uses them to read mail) to spread itself to other computers without your taking any action other than viewing the E-mail message either by opening it or having it open in the mail preview window. Past E-mail worms required you to run an attached program or open an infected attached document; this is the first one that only requires you to view a message.

It’s important to note, however, that this worm takes advantage of a known security hole in the affected software and that Microsoft posted a patch to close that hole back on 31 August 1999. If you’ve kept your software up to date Bubbleboy is benign (even if you don’t have the patches all it will do is spread–but that’s not a reason to delay installing the patches as future versions may very well be malicious). The press hype typically ignores the fact that Bubbleboy needs the security hole to function.

Anti-virus software makers have updated their programs to detect this beast. The Microsoft link to all OS and component fixes is:

http://windowsupdate.microsoft.com/Web Link

Free AV Software. Microsoft has announced that it is working with a number of anti-virus vendors to produce free AV software that would work for 90 days. This would be in response to the significant worry about Y2K security problems that some people expect. The software was supposed to be available starting 1 November 1999 through 31 December 1999. To date, nobody seems to have released anything. I’ll change the “current virus”” page (see above) when I hear anything positive about this. [Update: I’ve never heard anything further about this. Apparently it was never implemented. Further (later): Microsoft is now talking about a combination adware/spyware/anti-virus program they will sell.]

WM97/Astia-Y. This is a macro virus that gets talked about a lot but has not been reported in the wild. It’s yet another example of how the media just can’t be bothered to talk to technical professionals (instead of marketing types) before reporting on virus problems. If this virus is found, however, there is a special step that must be taken to get rid of it: one must scan all files instead of just the default files most scanners typically scan. In addition to infecting NORMAL.DOT the virus inserts SNRML.DOT and SNRML.SRC into Word’s directory structure. The extension .SRC is not normally scanned but the file should be removed for disinfection.

WM97/Titch. An unspectacular macro virus; easily removed. If you want to look for it manually, it contains the text: “If you had looked you could have found and deleted it but.. You probably never knew it was here!”

P98M/W97M.Closer.A. This beast is listed largely because it is the first macro virus that not only infects Word files but also MS Project (.MPP) files. The virus spreads via Word documents but checks for the availability of Project and, if running, will also infect Project files.

WM97/Melissa-AD. Another Melissa knockoff that mails itself to the first 150 entries in your Outlook address book. As a payload, the virus places three files into your C-drive root directory: CMOS.COM, FAT32.COM, and DRIVES.BAT. The DRIVES.BAT file is run at startup by a modified AUTOEXEC.BAT file and tries to delete all data on drive letters D and above. The virus also changes your computer’s date and has a few other tricks.

W32/Flcss (FunLove). This is a file virus that infects .EXE, .SCR, and .OCX 32-bit files both on your local machine and any network machines you have write access to. On execution, the virus creates the file FCLSS.EXE in your Windows System directory and then executes it. This file performs the infection of other files on your computer. If run under Windows NT 4.0 with Service Pack 3 or 4 the virus will change NTLDR and NTOSKRNL.EXE in order to give unrestricted access to all users. Be certain to restore the original files if you get this beast.

WM97/Footer-J. As the name implies, this macro virus attacks the footers in Word documents. It also writes its source code to FOOTPRINT.$$$ and FOOTPRING.$$1 in the root directory of your C-drive.

RingZero Trojan. The name of this beast is taken from the name of the most basic level of operation for an operating system. Programs that run at ring zero generally have unrestricted access to the entire machine. The Trojan can be distributed under any executable file name. It installs a VxD file (RING0.VXD) and two executable files (ITS.EXE and PST.EXE) when run. The Trojan then sets the system up so that the executables run at system start. ITS.EXE creates the file ITS.DAT for some presently unknown purpose. PST.EXE scans IP addresses looking for ports 80, 8080, and 3128; ports used by HTTP proxy servers. If found, a CGI script at the site www.rusftpsearch.net is run and appears to record the proxy’s IP address. Collecting information appears to be the sole purpose of this Trojan. You can manually remove the Trojan by removing all the files mentioned above along with any references to ITS.EXE and PST.EXE in the registry “run” section. (Note: if the files are in use you may have to reboot into DOS mode and delete them from the system prompt.)

General Security

MS Security. Microsoft has issued a few new security bulletins this past month. Below is a summary:

  • IE IFRAME ExecCommand. If you downloaded the patch for IE 4 and 5 relating to this vulnerability, you should go back and get a revised patch. While the original patch fixed the problem it exposed a previously-patch hole. A new patch that closes both holes is now available.
  • Javascript Redirect. IE 4 and 5 have a vulnerability that would allow a web site operator to read files on your system. The vulnerability would require the Webmaster to know the name of the file s/he wanted to read; and reading is the only thing the Webmaster can do. An interim fix is to disable Active Scripting in the Internet Zone.
  • Excel SYLK. Excel symbolic link (SYLK) files can contain macros. The problem is that some of these macros can presently run without asking permission and we all know what that can bring on. Microsoft has a patch that closes this hole. If you use Excel (97 or 2000) you should really get this one. See:

[Link 404]

  • Java Virtual Machine. A hole in the MS Virtual Machine that processes Java applets has been closed. The hole would have allowed unauthorized actions on your computer. The applet would have had to be built by hand (current compilers would not have generated the necessary code), but even this small possibility should be patched.
  • Active Setup Control. A patch for a fairly complicated security hole where an attacker would have to plant a malicious file that appears to be secure on your system and then come back later to execute it.
  • File Access URL. This is a correction to a buffer overflow problem in Windows 95 and 98 regarding filename string processing. Buffer overflow problems need to be corrected as they can result in system crashes or malicious code running.

For all of these items and more please take a look at:

http://www.microsoft.com/security/default.aspWeb Link

BlackICE Defender. Based on the information I posted in my last newsletter I decided to add a bit of protection to my computer. After reading some reviews and talking with others I selected BlackICE Defender (http://www.networkice.com/Web Link). This program sits in the background and monitors all activity coming from networks into your computer. When it sees something its been programmed to recognize as a threat it alerts you (small flashing icon not some big dialog), logs the threat, and attempts to backtrace where the threat is coming from and logs that information as well. For serious threats the program will automatically shut out sites. It’s not foolproof, but it seems to err on the side of blocking attacks instead of allowing attacks (you may have to unblock an FTP site you use, for example). [Update: I now use a hardware firewall as well as the Windows XP firewall.]

I have no financial interest in NetworkICE and suggest that you perform your own review before jumping into using any such program. Steve Gibson, at the web site I gave you last month (http://grc.com/Web Link) has an excellent tutorial on this topic and reviews of several programs that serve as personal firewalls.

Items of Interest

Web Bug. First there were cookies and now there are Web bugs. A Web bug is basically something called from another site (today it’s usually a graphic image). The call, however, is specially constructed to monitor your activity on the Web. The graphic is typically a 1×1 pixel GIF file (or is sized to 1×1) so it is not obvious; the call to the graphic is the important part of the code. An example of a Web bug found on one site known for the practice I visited is shown here (this should be all one line; I’ve broken it up here for display purposes):

document.write(‘<IMG WIDTH=1 HEIGHT=1
SRC=”http://media.preferences.com/ping?
ML_SD=MetamucilDM_Metamucil_1x1_RunOfSite_Any&
db_afcr=6539-F0F6-1562F&event=MainPage&group=MainPage
‘, time(), ‘”>’);

This particular call was part of a script and basically sent info to media.preferences.com that would identify me and my future moves whenever media.preferences.com retrieved the cookie. What a Web bug can reveal is interesting. It can include your IP address, the URL of the page, time of viewing, your browser type, and previously-set cookie information (not a great deal more than a cookie alone; just a different technique). Look at the example above and you can see most of that. Interestingly, I’m starting to see some of these values in my BlackICE Defender log files so Web bugs are not isolated things.

Turning cookies off will generally defeat Web bugs (if you want to do that) but then you don’t have all the conveniences cookies offer. And, Web bugs are not limited to just Web pages; any system that displays HTML code can be used. That includes, but is not limited to E-mail and news postings.

Should you worry? If you don’t worry about cookies then you probably should not worry about Web bugs. Just be aware there is another thing gathering marketing information.

In closing: Everyone have a wonderful holiday season coming up. Be safe.