
Absolute humbug

CIOL Bureau

Oh dear, the Internet seems to be suffering YAWA (Yet Another Worm Attack), and as a user who practices safe hex, the worms don't bother me. But the inevitable trans-web bandwidth bottleneck and slow servers do, and will. Not to forget the also inevitable "heightened" security, which mostly involves shutting off perfectly usable ports in anticipation of an attack that never materializes, or targeting legitimate mail because the message body includes text strings like 'junk', 'spam' or 'virus'. I'm not exaggerating. This has happened in the past, and it will repeat itself as time goes by.


The 2 new worms are targeted at Microsoft and the RIAA: the former because it has announced a public bounty for the MyDoom virus author, the latter because it is against the free exchange of MP3 music files. Actually the RIAA isn't as organized as its press releases would have us believe. Victims thus far include 13-year-old girls. The real networkers (ahem, culprits) are located somewhere on the Internet, often in non-US locations. And with its Army tied down in Iraq and Marines in Haiti, the US Government doesn't seem to have enough military assets to find a permanent solution for these 'Osamas Dot Em Pee Threes'!

Microsoft's woes continue with another MyDoom variant on the loose. MyDoom.F (W32/Mydoom.f@MM, I-Worm.Mydoom.e, Win32.HLLM.MyDoom.based, W32/Mydoom.F.worm, Worm/Mydoom.F) launches DDoS (Distributed Denial of Service) attacks on both Microsoft's and the RIAA's web sites, and targets Office documents and digital entertainment media files. The original MyDoom worm forced Microsoft into changing DNS routings and switching to third-party server caching. The worm includes its own mail sending engine, and scans infected systems for specific file types to extract email addresses from them. It then checks that the harvested addresses don't include text strings corresponding to security web sites before it begins sending copies of itself to them. The virus also includes a back door, granting the hacker full administrative rights on unpatched systems!

The Netsky.C worm (Win32.HLLM.Foo.41984, Worm/NetSky.C, I-Worm/Netsky.C, W32.Netsky.C@mm, W32/Netsky.c@MM, Win32/Netsky.C@mm, I-Worm.NetSky.c, W32/Netsky.C@mm!petite) is little different and also includes its own self-contained SMTP server. The worm searches local and shared network folders for the string "shar" and, if found, stores a copy of itself there, ready for the next file sharer to come along! Netsky affects all Windows variants, and while the worm executes only on (the now past) February 26 between 6 and 9 AM, expect to see cloned versions with a longer lifespan emerging. Infected computers beep incessantly, making the worm a sanity disturber as computer speakers generate truly annoying tones. The worm payload is cleverly cloaked. The worm begins by adding itself to the system startup registry keys so that every time Windows starts, the worm loads. Netsky.C then searches your drives (excluding CD-ROMs) for files with .dhtml, .cgi, .shtml, .msg, .oft, .sht, .dbx, .tbb, .adb, .doc, .wab, .asp, .uin, .rtf, .vbs, .html, .htm, .pl, .php, .txt and .eml extensions for email addresses. However, it too excludes files containing the text strings "abuse", "antivi", "aspersky", "avp", "cafee", "fbi", "f-pro", "f-secur", "icrosoft", "itdefender", "orman", "orton", "spam" or "ymantec" to avoid inadvertently letting the cat out of the bag. The worm then uses its SMTP engine to send copies of itself to the remaining (non-security) addresses. The mail's "From" address is spoofed and the subject uses text strings chosen at random. The infected file attachments are .pif, .com, .scr or .exe files cleverly cloaked with a visible .txt, .rtf, .doc or .htm extension, and in some instances they use blank (hidden) filenames!


The worm also includes a unique mail domain (MX record) scanner that attempts to match mail exchangers with the worm's SMTP preferences and then co-opts these as enslaved SMTP servers! The reason such viruses proliferate is that the default Windows file view hides part of the file name, treating any text after the first period (dot) in a file name as the extension. You need to untick Windows Explorer > Tools > Folder Options > View > "Hide file extensions for known file types" to see complete file names, so that 'somename.txt.exe' no longer appears as 'somename.txt'.
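To show how the hidden-extension trick works, and how a mail gateway or mailbox script could flag it from the defender's side, here is an added example (my own code, not from the column or any vendor). The attachment names are constructed samples; the "known" extension set is a deliberately small stand-in for Explorer's real list.

```python
# Executable types the column says Netsky.C mails out as attachments
EXECUTABLE_EXTS = {".pif", ".com", ".scr", ".exe"}
# Harmless-looking extensions the worm puts in front of them as a decoy
DECOY_EXTS = {".txt", ".rtf", ".doc", ".htm"}
# Illustrative stand-in for Explorer's "known file types" (assumption, not the real list)
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS

# Constructed sample attachment names (not taken from the column)
SAMPLE_ATTACHMENTS = [
    "report.doc", "somename.txt.exe", "notes.htm.scr", ".exe",
    "setup.exe", "photo.jpg", "archive.zip",
]

def split_extensions(name):
    """'a.txt.exe' -> ('a', ['.txt', '.exe']); '.exe' -> ('', ['.exe'])."""
    parts = name.split(".")
    return parts[0], ["." + p for p in parts[1:]]

def explorer_display_name(name):
    """Mimic Explorer with 'Hide file extensions for known file types' ON:
    the final known extension is dropped, so 'somename.txt.exe' shows as
    'somename.txt' and a bare '.exe' shows as an empty (blank) name."""
    stem, exts = split_extensions(name)
    if exts and exts[-1].lower() in KNOWN_EXTS:
        return stem + "".join(exts[:-1])
    return name

def classify_attachment(name):
    """Return a reason string if the name looks like a disguised executable, else None."""
    stem, exts = split_extensions(name)
    if not exts or exts[-1].lower() not in EXECUTABLE_EXTS:
        return None
    final = exts[-1].lower()
    if not stem.strip() and len(exts) == 1:
        return "blank filename hiding a %s executable" % final
    if len(exts) > 1 and exts[-2].lower() in DECOY_EXTS:
        return "decoy %s extension in front of %s executable" % (exts[-2].lower(), final)
    return "executable attachment (%s)" % final

def scan_attachments(names):
    """Return (name, name as Explorer would show it, reason) for every flagged attachment."""
    hits = []
    for n in names:
        reason = classify_attachment(n)
        if reason:
            hits.append((n, explorer_display_name(n), reason))
    return hits

if __name__ == "__main__":
    for real, shown, why in scan_attachments(SAMPLE_ATTACHMENTS):
        print("%-20r shown as %-16r : %s" % (real, shown, why))
```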

As part of my need for better security I'm changing over from Outlook Express to Thunderbird. Yes, I need to re-learn many simple tasks. But I can preview a message's content without inadvertently launching a malicious script or a virus, and Junk mail protection is included by default. Thunderbird 0.5 is the current production build. And for the brave there's a Thunderbird 0.6 Beta too.

The third worm of the week is another Bagle variant. Dubbed Win32.Bagle.D@mm (W32.Beagle.C@mm, W32/Bagle-C, Win32.Bagle.C, W32/Bagle.c@MM), it's a modified Bagle.C version. Changes made include renaming some key files and handlers, and extending the infection launch date from March 14 until March 24. One of the better descriptions of the worm and how to remove it can be found at BitDefender.


The good news about the new WinZip 9 is that the consumer version was released on February 25, 2004. The bad news is that this build contains a serious security-related vulnerability allowing remote attackers to execute arbitrary code. An attacker would need to construct a special MIME archive with a .mim, .uue, .uu, .b64, .bhx, .hqx or .xxe extension that would auto-open and run any code embedded in the archive. The full details are available here.

Since I began penning this column I've often bleated (for want of a better term) about the dearth of reader response. What little mail I get is often via Google-cached copies of my writings. But I'm not going to complain any more. The flood of mail generated by worms like the 3 detailed above is a back-handed success indicator. I now receive up to 20 infected messages a day in this column's catch-all account. But at another level I've definitely failed, as these are readers who didn't pay attention to the threats and are fast becoming one themselves.

So to round up, here's some absolutely free file archiving software, FreeZip 1.4.9 from Dariusz Stanislawek, with separate add-ins for encryption, making self-extracting versions and file splitting.

That wraps up this week.
