I got an e-mail newsletter today that questioned where the high-profile viruses and worms had gone. They are not actually gone (there are still reports of the worst of them each month) but they are certainly less active than they were last month. This month it looks like the virus writers are going for quantity rather than quality. There are lots of viruses and worms and other nasty things to report this month.
Glib Worm
The Glib worm is making its rounds. This one comes in an e-mail that says it is from Microsoft with a subject of "Internet Security Update Attachment: q216309.exe." It claims to be a security patch that will fix all kinds of security holes. The e-mail is quite convincing and looks like a patch that would be good to have, but it is a worm instead. Microsoft does not send out patches as attachments. This one does not do too much damage because they made an error in the script; expect a variant to appear with the script fixed. Apparently firewalls and virus detectors saved the day here because this one looked very tempting. Do not trust an address; it is too easy to make a message look like it came from a legitimate account.
MyLife Worm
The MyLife worm comes with a subject line that reads "my life ohhhhhhhhhhhhh." The message says:
:Hiiiii
How are youuuuuuuu?
look to the digital picture
it's my love
vvvery verrrry
ffffunny :-)
my life = my car
my car = my house
It includes an attachment called "My Life.scr". If you open the file, the worm displays a picture of a young girl sniffing a flower. The active worm appears as the item My Life in the Windows Task Bar. MyLife copies itself to the Windows System directory and adds itself to the following Registry key. The worm attempts to delete SYS and COM files from the root directory; COM, SYS, INI, and EXE files from the Windows directory; and SYS, VXD, EXE, and DLL files from the Windows System directory. This one also had an error in the script, so it did not deliver the intended payload.
Sharpei
The Sharpei virus, designed to attack the Microsoft .NET Framework, has been circulated, but I get the impression that it was developed just to show that it could be done, since no users have been infected. The virus was written in Microsoft's newest computer language, C#. The worm has mass-mailing capabilities but no damaging payload.
Klez.e
The Klez.e virus I reported last month activated itself on the 6th (of March) without affecting too many computers. It will not do its damage again until May 6th.
Viruses Made To Order
A Web site that creates custom viruses has been found by experts (they do not say where for obvious reasons). The Instant Macro Virus Maker V1.2 is capable of generating Microsoft Word macro viruses that enable a user to name their virus, create text to display as a payload, and tell it what day of the month to activate. The Web form then generates a simple virus the user copies and pastes into a Word document and attaches to e-mail for distribution.
It is believed that kids who find out how to build viruses on the Web create many of the viruses that make the rounds. That is why there are duds like Glib and MyLife whose coding errors keep them from delivering their payloads. This is scary stuff because they do not have to learn anything to do it.
Java Hole
Microsoft discovered a hole in its Java virtual machine that could expose some information from your computer. If you have kept up to date with your Windows updates, this will not be a problem. If you have not, do it now.
Note that this hole affected all Java virtual machines, not just the Microsoft one. Even you Linux users can be affected. It has been fixed but you need to download the latest version to fix it on your machine.
PHP Hole
A hole has been discovered in the Personal Homepage scripting language, more commonly known as PHP. The language is widely used among sites built on open-source software and allows such sites to create Web pages on the fly. It is estimated that over a million Web sites can be affected by this hole. It is just a matter of time before a worm is written to take advantage of this hole.
If you host a web site using PHP, please update it when it is fixed. The rest of us just have to expect the next denial of service attack to use this hole.
Security Hocus Pocus
I read two articles last week about people who claim they can determine what you are doing on your computer through lights. I find both of them to be ridiculous but worth mentioning anyway.
The first reports that someone with a telescope and appropriate connection could record the blinking lights on your modem and determine what was being received and sent. This may have been possible when modem speeds were slower, but I do not think that the LEDs vary enough at the 115,000 bits per second being sent between your computer and the modem. If you are concerned, put a piece of tape over the LEDs.
The second claims they can reconstruct a screen from the light reflected off your face and the wall behind you. I do not think there is even a remote chance of this working. It will be interesting to see what the security experts say after they test it. I guess you lose that window in your office.
Nigerian Scam
In the past month I have received many versions of an old e-mail scam, the Nigerian scam. The quality of the messages varied, but they were just variations of the same message. The e-mail is a plea for help recovering millions of dollars that they cannot get out of Nigeria because they are not allowed to open foreign bank accounts. But they can transfer to existing accounts, and they want to put the money in your account until they can recover it. In return, you get to keep a nice percentage. What they want is your account number and an access code so they can make the deposit. They can then empty your account and disappear.
I do not expect any of our members to fall for this scam but you may know some that will. Please warn them that this scam is making the rounds.
Protecting Your System
As viruses become even more powerful, you must make your defenses even more powerful.
- The first level of protection depends upon you. NEVER open an attachment that you get in your e-mail unless you know what it is. Often these attachments will insert a virus onto your system. It may not be apparent that it is doing harm at this point; it may do its harm much later (when you least expect it). The attachment may even be useful.
- Be aware that viruses will probably come from someone you know who let their system become infected. Many of these viruses spread themselves by sending new messages to everyone in your address book.
- Update your Windows system. There have been lots of security holes found in the various versions of Windows that are possible entry points into your system. Keep your system up to date by running Windows Update. If you deleted the icon, you can just go to the Web site at Windows Update and click the link to get you the product update. It will check your system and tell you which updates are available. Be sure to get at least the security updates.
- Turn off the preview pane in Outlook Express. Most of the viruses require you to do something, but at least one virus has been launched automatically when the message was viewed. Just pointing to the message and previewing the message also launched the virus.
- Delete strange messages. If you suspect a message, delete it before reading it. Spam is pretty easy to detect from the subject and the from: and to: addresses. I do not know how many viruses come in on spam, but why take chances?
- Increase your security settings. If you are using Outlook Express, go to Tools/Options and select the security tab. Set the Internet Explorer security zone to Restricted sites zone. This will protect you from ActiveX functions running from the e-mail. You will get a warning each time an e-mail tries to get through. There is no good reason to allow ActiveX in e-mail. If you use a different e-mail client, search for an equivalent setting.
- Run a firewall. A firewall can hide your system from many intruders. This is even more important if you have a high-speed link, but it is valuable for any system. I recommend the free ZoneAlarm program, although there are lots to choose from. Keep this program up to date for better protection; a flaw was recently found in a different firewall and you need to download the patch to complete your protection.
- Use an anti-virus program. I am not as hardcore about anti-virus programs as others are. I think the above precautions will protect you pretty well. I do not run all the automatic checks that these programs wish to enable. I do a periodic manual check of my systems and always come up clean. I often run a check after something strange happens just to eliminate viruses as a possible cause.
- In case you missed it the first time, DO NOT OPEN ATTACHMENTS. Opening attachments is how most of these viruses get into systems.
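One way to automate the first and last rules above, as an added example that is not from the column: a Python check that flags messages carrying the attachment types Glib and MyLife used, with an extra flag for a vendor-branded sender shipping an executable. The sample messages and addresses are constructed, not captured worm mail.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs directly when double-clicked. Both worms in this
# column arrived as one of these: q216309.exe (Glib) and "My Life.scr" (MyLife).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}


def build_sample(sender, subject, filename, body):
    """Construct a MIME message with one attachment (sample data, not a real worm)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "member@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    # The payload is harmless filler; only the attachment's name matters here.
    msg.add_attachment(b"not a program", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def flag_message(raw):
    """Return the reasons a message should be quarantined; an empty list means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    claims_microsoft = "microsoft" in str(msg.get("From", "")).lower()
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # splitext keeps only the last extension, so "photo.jpg.exe" is caught too.
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment: {name}")
            if claims_microsoft:
                # Microsoft does not mail patches as attachments, so a vendor-branded
                # sender plus an executable is exactly the Glib pattern.
                reasons.append("vendor-branded sender with an executable attachment")
    return reasons


# Constructed samples modelled on the two worms; the addresses are placeholders.
GLIB_LIKE = build_sample("Microsoft Security <patches@microsoft.example>",
                         "Internet Security Update Attachment: q216309.exe",
                         "q216309.exe", "Please install this security patch.")
MYLIFE_LIKE = build_sample("friend@example.net", "my life ohhhhhhhhhhhhh",
                           "My Life.scr", "look to the digital picture")
CLEAN = build_sample("friend@example.net", "Meeting minutes", "minutes.txt", "Attached.")

if __name__ == "__main__":
    for label, raw in (("glib", GLIB_LIKE), ("mylife", MYLIFE_LIKE), ("clean", CLEAN)):
        print(label, flag_message(raw) or ["no issues found"])
```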
That is all I can think of now. I will continue to add tips as the months go on.
Virus writers are very busy these days. The best protection is knowledge. If you know what is happening you can adapt accordingly. This column highlights the new viruses and tells you how to avoid being infected.
Ken Hopkins is a software developer who writes mission critical applications, including security products. If you have comments or suggestions please send them to him at virus@hopkinscomputing.com. If you would like to write this column, let him know and he will help you learn enough to take over.