Viruses; Nasty Pain In the Butt! #2




This article comes from http://www.infinisource.com/
Visit the Infinisource.com website and sign up, and you will receive this weekly newsletter.
This is a special newsletter on two topics of great urgency... things we felt it was important to inform you of immediately and not wait until the regular HTML newsletter.  The first concerns a very real virus threat which is spreading throughout the Internet like wildfire. The second is about a serious security flaw in IE5.

W97M/Melissa Virus
==================
Probably most of you may have received at one time or another a warning about some sort of virus which was rapidly spreading around the Internet... something which would eat your hard drive and render your system useless. Fortunately most of those warnings have proven to be hoaxes. Hoaxes like the "Good times" virus.  In fact, if you receive such a warning, there are several good places to go to check out the validity of the warning:

http://korova.com/virus/hoax.htm
http://www.symantec.com/avcenter/hoax.html
http://www.datafellows.fi/news/hoax.htm

Bookmark those and check them next time you receive a virus warning.

Our warning to you today, however, was first brought to our attention by Datafellows, one of the sites listed above and a leader in Anti- Virus Research.  The U.S. Dept of Energy released an Information Bulletin on this on Saturday March 27 at 17:00 GMT. According to the DOE:

"A new Word 97 macro virus named W97M.Melissa has been detected at multiple DOE sites and is known to be spreading widely. The virus uses Microsoft Outlook to e-mail the infected document to the first 50 people from each of your Outlook address books. Windows 95 or Windows NT running Microsoft Word 97 (version 8) or Word 2000 (version 9) and Microsoft Outlook. Word 98 on the Macintosh is probably not vulnerable because the virus uses the Windows registry, but that has not been verified yet.  Outlook Express and other mail readers are not vulnerable.

Melissa overwrites the first macro in open documents and in the normal.dot template with the macro virus code. It turns off macro detection in Word. It sends copies of the infected document to up to 50 people from each of your Outlook address books."


What is the Mailissa Virus?
Situation:

A new macro virus known as W97M.Mailissa is sweeping the internet. You want to know what it is and how to remove it or avoid getting it.

Solution:

W97M.Mailissa is a common macro virus with a unique payload. This virus was first discovered Friday, March 26, 1999. Symantec updated Norton AntiVirus definitions to remove and repair files infected with this virus the same day. If you have not yet run LiveUpdate to add new virus definitions, we strongly recommend that you do so now. Further information about this is available later in this document.

Similar to W97M.Pri, the W97M.Mailissa virus turns off the security protection upon opening an infected document in Microsoft Word 2000. This disables the Word 2000 macro prompt the next time the original document is opened. It infects Word 97 documents by adding a new VBA5 (macro) module named Melissa. Although there is nothing unique in the way this macro virus infects Word files, it has a payload that utilizes Microsoft Outlook to send an attachment of the infected Word 97 document to multiple users.

Technical Notes

This payload fires whenever the system time matches the system date; for example, when the system time is 3:27 (a.m. or p.m.) on 3/27/1999 the payload will trigger. When opening or closing an infected document, the Mailissa virus determines whether a previous mass emailing has already taken place by checking the following Windows registry location:

the value named "Melissa?" under the key "HKEY_CURRENT_USER\Software\Microsoft\Office\".

The value data is set to "...by Kwyjibo" if the mass emailing has been performed on the current machine. If the virus does not find the previous registry entry, it will do the following:

1. Open Microsoft Outlook.
2. Use standard application calls to retrieve the user's profile so it can use Outlook.
3. Create a new email message that sends the virus to up to 50 addresses listed in the Outlook address book.
4. Give the email a subject line of "Important Message From USERNAME", where USERNAME is taken from the Microsoft Word profile.
5. Create an email message that says, "Here is that document you asked for ... don't show anyone else ;-)"
6. Attach the active document (the infected document being opened or closed) to the email message.
7. Send the email.

NOTE:
"HKEY_CURRENT_USER\Software\Microsoft\Office" is a registry key created by MS Office. The virus simply adds a new value named "Melissa?" under this key.

As stated earlier, the value is set to "...by Kwyjibo" if the virus has successfully mass emailed infected documents from the system. Once the value is set, the virus does not try another mass emailing. The second payload replaces the currently selected text of the document with this:

"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."


For more information see the full DOE report at
http://www.ciac.org/ciac/bulletins/j-037.shtml

According to Datafellows, this is a very serious concern.  In a press release on Saturday, March 27, 1999 4:42 PM, they reported that, "This virus has spread all over the globe within just hours of initial discovery, apparently spreading faster than any other virus before." "We've never seen a virus spread so rapidly," comments Mikko Hypponen, DataFellows' Manager of Anti-Virus Research. "We've seen a handful of viruses that distribute themselves automatically over e-mail, but not one of them has been as successful as Melissa in the real world."

Datafellows goes on to report that "After sending itself out, the virus continues to infect other Word documents which the user accesses, i.e. it is not restricted to the initial LIST.DOC file. Eventually, these infected files can end up being mailed to other users as well. This can be potentially disastrous, as a user might inadvertently send out confidential data to outsiders."

"The virus won't spread much during this weekend. We will see the real problem on Monday morning," continues Hypponen. "When a big company gets infected, their e-mail servers are seriously slowed down and might even crash, as computers start e-mailing large document attachments without the sender realizing it."

Datafellows also reports that, "Melissa can infect both Windows and Macintosh users. If the infected machine does not have Outlook or Internet access at all, the virus will continue to spread locally within the documents the user accesses."

Data Fellows provides a free solution to the W97M/Melissa virus problem. Evaluation copies of the F-Secure Anti-Virus toolkit as well as an update to detect and disinfect the virus are available from the company's website at http://www.DataFellows.com.  Because of the critical and virulent nature of this virus, both McAfee and Norton are expected to issue updates to include detection of Melissa early next week.

In the meantime, we would suggest you avoid opening any Word documents sent to you unless you know exactly what is contained in them.  If you don't open the infected document, it cannot attack your system.

Happy99.exe Worm
===================================
Although not related to the W97M/Melissa virus, it bears mentioning again here that another self-propagating menace, or "worm", has been rampant in recent weeks: Happy99.exe.  We have received numerous copies of it as email attachments from people who did not know they had this worm.  It is sent as an EXE attachment which, when run, shows a fireworks display on your screen while it proceeds to change system files, with the result that you pass it along to others. If you did not read this article in our regular March 6 newsletter, may I suggest you take a look at it at http://www.infinisource.com/Newsletter/06march1999.html and/or look at our page on The Cleaner, http://www.infinisource.com/cleaner.html, our software utility which detects and eliminates Happy99.

Internet Explorer 5 Security Flaw
===================================
Another startling development in the last few days is a serious security flaw in IE5 which allows any hacker or unscrupulous webmaster to log the contents of your Windows clipboard to their server! Anyone using IE5 with standard Microsoft configuration is vulnerable to this breach of security.  Juan Carlos Garcia Cuartango discovered the flaw this past week and announced his find via a mailing list.

Our good friend Scott Wainner, owner and Editor-in-chief of the System Optimization website, has posted a very informative page on this problem at http://www.sysopt.com/ie5flaw.html and has a *very* convincing demo of how it works.  Try it and you will see the exact contents of your clipboard immediately displayed in a separate window... Since most of us use cut and paste all the time without even thinking about it, it's not too difficult to imagine that some very sensitive information could very easily find its way into the wrong hands.

Fortunately Scott has posted the very simple instructions on how to disable this "feature" in IE5 which you can then test again with his very intriguing demo.  Highly recommended!



Defend Yourself Against Malicious Web Applets

by Judy Heim

Is there such a thing as a Web virus? The answer depends on whom you ask. At this writing, not one case of Web infection has been recorded, though several hackers have proved it's possible to create a "malicious" or "hostile" applet that crashes your system or causes data loss when you open it. Fortunately, Java, the most popular language for creating Web applets, is extremely secure and can't access critical system areas. ActiveX controls, on the other hand, can potentially gain access to your hard disk and wreak havoc, but they are not as widespread as Java programs.

Still, it's conceivable you might run into a malicious applet. And if you do, you probably won't know that you've been infected until it's too late, since Web applets run behind the scenes while you visit a Web site that contains them. In that respect, they're considered more dangerous than traditional viruses because you can't protect yourself against them as you can against other viruses (say, by never downloading any files). But here are some safety measures you can take.

Run the latest version of your browser and e-mail client to keep all known security holes plugged. In the past year Qualcomm released a security patch for Eudora, and Netscape released one for Messenger (http://home.netscape.com/smartupdate/su1_40.html). For its part, Microsoft has posted numerous security patches for Internet Explorer 3.x and 4.x, which are downloadable at the IE Security page. You can also subscribe to Microsoft's Product Security Advisor e-mail notification program.

Some people disable both Java and Javascript in their browsers as an additional safety precaution; but because Java is a secure environment, that isn't necessary. If you use IE, however, you should be wary when you download any ActiveX controls. You can configure IE to exercise different levels of caution when downloading these applets (when you go to sites that feature them, you'll be prompted to confirm the download): Select View, Internet Options and click the Security tab. For the Internet Zone, set the security level to medium or high. At the high setting, IE will not permit you to download any uncertified controls. Also, Microsoft's original implementation of Java in IE 4 falls short of Sun's strict specifications; a new patch makes this environment somewhat safer for IE users.



MEDIA RELEASE: 'ZippedFiles' or 'ExploreZip' spreads like Melissa

Data Fellows' mailing list policy, see end of message.

Press release

For immediate release

A new e-mail worm spreading globally

'ZippedFiles' or 'ExploreZip' spreads like Melissa

Espoo, Finland, June 10, 1999 - A new e-mail worm has been found and is spreading rapidly through the Internet. This virus works like a chain letter and carries a destructive payload. So far, it has been reported from a dozen countries, including USA, Germany, Norway, Israel and the Czech Republic. The virus is expected to spread globally within hours.

This virus is known as either 'ZippedFiles' or 'ExploreZip'. It arrives as an e-mail attachment. When the attachment is opened, the virus browses through the inbox of the Microsoft Outlook e-mail program and sends a reply to every message.

As a result, if a user called John Doe has recently received an e-mail from Jane Smith with the subject 'Please check these numbers', John's machine will automatically send a message which will look like this:

  From: John Doe
  To: Jane Smith
  Subject: RE: Please check these numbers

  Hi Jane

  I have received your email and I shall send you a reply ASAP.
  Till then take a look at the attached zipped docs.
  Sincerely
       John.

  Attachment: zipped_files.exe

The attachment looks like a WinZip archive file. When the recipient tries to unpack it by double-clicking it, they get a WinZip error message complaining about a broken archive:

  Cannot open file: it does not appear to be a valid archive.
  If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again.
  Please press F1 for help.

In addition to spreading like a chain letter, the virus will try to overwrite the user's files on any accessible drives, including all network drives. The files overwritten are those with one of these extensions:

  DOC - Microsoft Word documents
  XLS - Microsoft Excel spreadsheets
  PPT - Microsoft PowerPoint presentations
  ASM - Assembler source files
  CPP - C++ source files

If the recipient is using an e-mail system other than Microsoft Outlook, ZippedFiles will not spread further. However, it will damage the recipient's files. ZippedFiles operates under the Windows 95, 98 and NT operating systems.

"This seems to be spreading fast," Mikko Hypponen, Manager of Anti-Virus Research at Data Fellows Corporation, comments, "but not as fast as Melissa. The key issue here is that messages sent by ZippedFiles are very credible - they are normal-looking replies to messages you have sent earlier. You're quite likely to trust these messages and open the attachment."

Data Fellows has analysed ZippedFiles and has provided an update to detect and disinfect it. More technical information on the virus and the update are both available from
http://www.DataFellows.com  or
http://www.europe.datafellows.com/v-descs/zipped.htm

For more details see
http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html



What To Do If You've Been Infected

This covers the Worm.ExploreZip, a Trojan horse virus that releases destructive files into your system.

If you're an Outlook or Exchange user and you receive an e-mail that reads, "Hi [recipient's name]! I received your e-mail and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye." DON'T OPEN the attached file (zipped_files.exe), regardless of who sent you the message. Instead, delete this message (and then remove it from your Deleted Items folder, if necessary).

If it's too late and you've already received the message, Windows 95 and 98 users can prevent the virus from doing any more damage by following these steps:

1. Delete the line

run=C:\WINDOWS\SYSTEM\Explore.exe

from the WIN.INI file. (You'll find WIN.INI in your Windows folder.)

2. Delete the file C:\Windows\System\Explore.exe from your system. (Don't just send it to your Recycle Bin. Give it the ol' Shift-Delete to send it into oblivion.)

3. Restart Windows and you'll be worm-free!
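Step 1 above can be scripted rather than done by hand in an editor. The following Python is an added example, not part of the original article: it removes the run= entry from WIN.INI text only when that entry sits in the [windows] section and points at Explore.exe, preserves every other line and the original line endings, and reports what it removed. The sample WIN.INI contents are constructed, and the file path passed to clean_win_ini is an assumption.

```python
from pathlib import Path

# Name of the worm's loader as given in the cleanup steps above.
WORM_LOADER = "explore.exe"


def strip_worm_run_line(win_ini_text):
    """Return (cleaned_text, removed_lines).

    Only a run= entry inside the [windows] section that references the worm
    loader is dropped; load=, other keys, other sections and the original
    line endings are kept exactly as they were.
    """
    kept, removed = [], []
    section = None
    for line in win_ini_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        elif section == "windows" and not stripped.startswith(";"):
            key, sep, value = stripped.partition("=")
            if sep and key.strip().lower() == "run" and WORM_LOADER in value.lower():
                removed.append(stripped)
                continue  # drop this line, keep everything else
        kept.append(line)
    return "".join(kept), removed


def clean_win_ini(path):
    """Apply strip_worm_run_line to a real WIN.INI (path is an assumption),
    keeping a .bak copy of the original. Returns the removed lines."""
    ini = Path(path)
    raw = ini.read_bytes()  # bytes in/out so CRLF endings survive untouched
    cleaned, removed = strip_worm_run_line(raw.decode("latin-1"))
    if removed:
        ini.with_suffix(".bak").write_bytes(raw)
        ini.write_bytes(cleaned.encode("latin-1"))
    return removed


# Constructed sample of an infected WIN.INI (not a capture from a real machine).
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\WINDOWS\\SYSTEM\\Explore.exe\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
)

if __name__ == "__main__":
    text, gone = strip_worm_run_line(SAMPLE_WIN_INI)
    print("removed:", gone)
    print(text, end="")
```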

Finally, the best way to protect yourself against a computer virus is to never, ever, detach, open, or install a file on your PC from a source unknown to you, especially a file with the EXE extension.



The Dangers of Using FDISK/MBR to Remove Partition Sector Viruses

The partition sector [Master Boot Record or MBR] is the first sector on the hard disk. It is made up of partition executable code, error messages ['Invalid partition table Error loading operating system Missing operating system'] and the partition table.

When the PC is booted normally, and control is passed to the partition sector, the executable code in this sector is executed automatically. Its job is to check the partition table, to ensure that it is present and that it contains valid data. [The partition table contains information on the number of sectors on the disk, the number of partitions into which the disk is divided and the location of the boot sector for the active partition.] If the data in the partition table is valid, control then passes to the boot sector. If the partition table is missing, or if it contains invalid data, an error message is displayed.

FDISK /MBR [the /MBR parameter is available in MS-DOS 5.x onwards] replaces the partition executable code, without changing the partition data. Since most partition sector viruses replace [or modify] the partition executable code, leaving the partition table unchanged, FDISK /MBR is often considered to be an easy way of removing partition sector viruses. However, FDISK /MBR is not a virus removal utility and its use for this purpose may result in loss of data, as the following examples show.

1. FDISK makes no check of the partition table [to ensure that it contains valid data]; it assumes that anything in this location is a valid partition table. If any virus has overwritten the partition table, the use of FDISK /MBR will render the disk inaccessible. Empire Monkey virus encrypts the partition sector and re-locates it to cylinder 0, head 0, sector 3; it then replaces the partition sector with its own code. When the PC is booted from the hard disk, Empire Monkey loads into memory, decrypts the partition sector and the PC boots normally. However, if the PC is booted from a clean DOS system disk, the hard disk is inaccessible [the user will see the message 'Invalid drive specification' if he or she attempts to access the hard disk]. If FDISK /MBR is used, most of the virus code is replaced with good partition executable code [a 'stub' is left, which FDISK assumes to be a valid partition table]. In effect, FDISK removes the only mechanism available for decrypting the good partition sector.

2. If any disk management software, or security software, is installed on the hard disk, the partition sector may have been modified [or re-located]. If FDISK /MBR is used, in an attempt to remove a partition sector virus, the disk management software may be damaged and the drive may become inaccessible.

3. One-Half virus writes its code into the partition executable code and leaves the partition table unchanged. On the face of it, it would appear that FDISK /MBR could be used to remove the virus successfully [the virus code would be replaced with good executable code; and the partition table would be unchanged]. However, One-Half also encrypts data on the disk [every time the PC is booted, one cylinder is encrypted]. The virus decrypts this data 'on-the-fly' when the infected PC is booted. Since the virus is the only mechanism available for decrypting this data, FDISK /MBR will result in data loss.

If Dr Solomon's Anti-Virus Toolkit is unable to remove a virus [it will report 'Repair Failed'], you should contact Technical Support for further guidance.

FDISK /MBR SHOULD NEVER BE USED AS A VIRUS REMOVAL UTILITY.
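The checks the article says FDISK makes no attempt at can be stated concretely. The following Python is an added example, not code from Dr Solomon's or any other toolkit: it decodes the partition table of a 512-byte partition sector image and lists the sanity problems a repair tool should report before it ever rewrites the executable code. Both sector images are constructed samples, not data from a real disk.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446     # partition executable code occupies bytes 0..445
TABLE_OFFSET = 446       # followed by four 16-byte partition table entries
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"  # last two bytes of a valid partition sector


def parse_partition_table(sector):
    """Decode the four partition entries of a 512-byte partition sector image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector image")
    entries = []
    for i in range(4):
        # boot flag, CHS start (3 bytes, skipped), type, CHS end (skipped),
        # LBA of first sector, number of sectors; all little-endian.
        boot, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({"boot": boot, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def check_partition_table(sector):
    """Return a list of problems found; [] means the table passes the sanity
    checks that FDISK /MBR never performs before rewriting the boot code."""
    problems = []
    if sector[-2:] != SIGNATURE:
        problems.append("missing 0x55AA signature")
    entries = parse_partition_table(sector)
    used = [e for e in entries if e["type"] != 0]
    if not used:
        problems.append("no partition entries in use")
    if sum(e["boot"] == 0x80 for e in entries) > 1:
        problems.append("more than one active partition")
    for i, e in enumerate(entries):
        if e["boot"] not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid boot flag 0x{e['boot']:02x}")
        if e["type"] != 0 and (e["lba_start"] == 0 or e["sectors"] == 0):
            problems.append(f"entry {i}: zero start or length")
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            problems.append(f"partitions overlap at sector {start_b}")
    return problems


def make_sector(table):
    """Constructed sample: zeroed boot code + a 64-byte table + signature."""
    if len(table) != 4 * ENTRY_SIZE:
        raise ValueError("table must be 64 bytes")
    return bytes(BOOT_CODE_SIZE) + table + SIGNATURE


# Sample values are made up for this example, not taken from a real disk:
# one active FAT16 partition starting at LBA 63, 1,000,000 sectors long.
GOOD_SECTOR = make_sector(
    struct.pack("<B3xB3xII", 0x80, 0x06, 63, 1_000_000) + bytes(48))
# The same sector after the table area has been overwritten with 0xFF bytes;
# FDISK /MBR would leave this "table" in place and the disk inaccessible.
CLOBBERED_SECTOR = make_sector(b"\xff" * 64)

if __name__ == "__main__":
    for name, sec in (("good", GOOD_SECTOR), ("clobbered", CLOBBERED_SECTOR)):
        print(name, check_partition_table(sec) or "table looks sane")
```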



MARKER: A MACRO VIRUS THAT SHOULD BE OBVIOUS

Marker is a peculiar Word 97 macro virus, reportedly spreading, that grows in size as it spreads by collecting the user's name and other information (system time, date, address) from Word and adding that information to itself. Then it attempts to send that information via FTP over the Internet to the codebreakers.org Web site.

Like Ethan and similar macro viruses, it creates files for its use in the root of the C: drive hsfxxxx.sys (xxxx represents randomly generated characters) and netldx.vxd. Marker stores the virus code in the SYS file, and the information it sends in the VXD file.

Around July 25, Marker may display a message asking whether the user wishes someone called Shankar a happy birthday, and generates replies based on the user's response, if any. The virus may also vandalize documents the user creates at this time, inserting a birthday message for Shankar.



WATCH OUT FOR FREELINK AND OTHER VBS E-MAIL ATTACHMENTS

Freelink is a Windows 98 and 2000 worm written in Visual Basic Script. It can spread among users of Internet Relay Chat, and can also spread via e-mail. When run, it creates a script file in the Windows System folder and modifies the Registry to execute the script whenever Windows starts.

It looks for Microsoft Outlook 98 or Outlook 2000 e-mail clients, and creates its own mailing list from Outlook's address book entries. This is similar to the way Melissa spreads. Recipients receive an e-mail message from someone they know that says "Have fun with these links," along with a Links.vbs icon.

If the user clicks the icon, Freelink displays a message to the user, offering to add a shortcut to free X-rated links on the Windows desktop, and asks, "Do you want to continue?" If the user is gullible enough to give an affirmative response, Freelink creates the shortcut and starts its work behind the scenes, spreading from that user's Outlook program to other users.

To enhance its chances of spreading further, Freelink searches for the widely used IRC programs mIRC and pIRCh. If it finds them, it creates a script file for them that sends infected links.vbs scripts to other IRC users via the infected computer's IRC channel.



FIRST VIRUS TO ACTIVATE WHEN AN E-MAIL IS OPENED

Data Fellows warns the public of potential future threat

Espoo, Finland - November 10, 1999 - Data Fellows Corporation, a leading provider of Internet security solutions, today announced the first virus found which activates by opening an e-mail message. VBS/Bubbleboy is the very first worm that is able to infect without opening an attachment. The worm will execute immediately after the user has opened the message in Microsoft Outlook.

As of Tuesday afternoon, Data Fellows had received no reports of this virus being in the wild, and it is not considered a big threat. However, Data Fellows wishes to warn the public of this new infection mechanism. The worm propagates as a Microsoft Outlook message. This message does not have a separate attachment, but the worm code is included in the message itself. However, if active scripting is disabled, the worm will not work. The worm uses ActiveX features to open Microsoft Outlook and uses it to send itself to all recipients in all address books, like the Melissa virus.

The message contains the following:
  From: (name of infected user)
  Subject: BubbleBoy is back!
  Body: The BubbleBoy incident, pictures and sounds

The reference to Bubbleboy and the above link are references to a character in an episode of the TV show "Seinfeld".

The receiver of the e-mail becomes infected and spreads the worm without opening any attachment. The message does not contain any attachments. The mass mailing is executed only once per infected machine.

After the mass mailing, the worm will display a message box with the following text:

System error, delete "UPDATE.HTA" from the startup folder to solve the problem.

Bubbleboy is only able to spread under Microsoft Outlook 98, Microsoft Outlook 2000 and Microsoft Outlook Express that comes with Internet Explorer 5. It does not replicate under Windows NT. Bubbleboy uses a known security hole in Microsoft Outlook to create the local HTA file.

Microsoft has more information on this problem available at:
http://www.microsoft.com/Security/Bulletins/MS99-032faq.asp

They also have a patch to fix this problem at:
http://www.microsoft.com/security/Bulletins/ms99-032.asp

More technical information and screenshots of the virus are available at:
http://www.DataFellows.com/v-descs/bubb-boy.htm
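The message traits described above for Melissa, ExploreZip, Freelink and Bubbleboy are the kind of thing a mail filter can match before a user ever sees the attachment. The following Python is an added example, not code from Data Fellows or any product mentioned: it builds constructed sample messages with the standard library's email package and classifies each by subject, attachment name and body text. The sender and recipient addresses and the Freelink subject line are assumptions.

```python
from email.message import EmailMessage

# Attachment extensions the articles above advise never opening unverified.
RISKY_EXTENSIONS = (".exe", ".vbs")


def attachment_names(msg):
    """Lower-cased filenames of every part that carries a filename."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def body_text(msg):
    """Plain-text body (or HTML if that is all there is), lower-cased."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content().lower() if part is not None else ""


def classify(msg):
    """Return the indicators matched, in a fixed order; [] means none seen."""
    subject = str(msg.get("Subject", "")).strip()
    names = attachment_names(msg)
    body = body_text(msg)
    hits = []
    # Melissa: fixed subject prefix, the infected .doc, fixed body line.
    if (subject.startswith("Important Message From")
            and any(n.endswith(".doc") for n in names)
            and "here is that document you asked for" in body):
        hits.append("W97M/Melissa")
    # ExploreZip: a reply to one of your own messages carrying zipped_files.exe.
    if (subject.upper().startswith("RE:") and "zipped_files.exe" in names
            and "attached zipped docs" in body):
        hits.append("ExploreZip")
    # Bubbleboy: fixed subject, HTML body, no attachment at all.
    if (subject == "BubbleBoy is back!" and not names
            and msg.get_body(preferencelist=("html",)) is not None):
        hits.append("VBS/Bubbleboy")
    # Freelink: Links.vbs plus the fixed body line.
    if "links.vbs" in names and "have fun with these links" in body:
        hits.append("Freelink")
    # Generic rule from the advice above: any executable or script attachment.
    if any(n.endswith(RISKY_EXTENSIONS) for n in names):
        hits.append("executable attachment")
    return hits


def make_message(subject, body, attachment=None, html=False):
    """Build a constructed sample message; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "john.doe@example.com"
    msg["To"] = "jane.smith@example.com"
    msg["Subject"] = subject
    msg.set_content(body, subtype="html" if html else "plain")
    if attachment:  # inert placeholder bytes, not a real payload
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


# Constructed samples modelled on the message descriptions in the articles.
SAMPLES = {
    "melissa": make_message("Important Message From John Doe",
                            "Here is that document you asked for ... don't show anyone else ;-)",
                            "list.doc"),
    "explorezip": make_message("RE: Please check these numbers",
                               "Hi Jane\n\nI have received your email and I shall send you a reply ASAP.\n"
                               "Till then take a look at the attached zipped docs.\nSincerely\n     John.",
                               "zipped_files.exe"),
    "bubbleboy": make_message("BubbleBoy is back!",
                              "<html><body>The BubbleBoy incident, pictures and sounds</body></html>",
                              html=True),
    "freelink": make_message("Links", "Have fun with these links", "Links.vbs"),
    "benign": make_message("RE: Please check these numbers",
                           "Numbers attached as a spreadsheet.", "q2_numbers.xls"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:11} -> {classify(msg) or ['clean']}")
```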

