Strategies & Market Trends : LastShadow's Position Trading

To: LastShadow who wrote (186) 9/3/1998 9:46:00 PM
From: AlienTech  Read Replies (2) of 43080
 
Virus Info.

>>> Turn off the accept JAVA option if you surf unknown sites.

"Strange Brew" -- the first true Java environment virus

A new Java virus has been discovered which represents the first implementation of a replication mechanism written in Java and specifically targeted at Java applications. Although this virus is only capable of replicating in certain limited environments, it is the first of a new kind of malicious code.

The virus attaches itself to Java .class files in environments where Java applications have access to local resources and local files, so the Java development community is the most vulnerable. It cannot spread from an infected .class being loaded and executed in typical web browsers, indicating that Strange Brew is unlikely to spread at high speed, unlike the last major new virus type, macro viruses.

Strange Brew has no `payload' other than replication, and will not cause significant damage. The worst-case scenario is that some infected Java classes may not run properly.

There have been no reported incidents of infection from this virus to date. However, Trend Micro researchers have updated the company's malicious code pattern files to include the ability to detect Strange Brew. We recommend using Trend InterScan to protect corporate networks at the Internet gateway so that infected applets are blocked before they can spread through internal networks. Trend Micro's free on-line scanning service, HouseCall, will also detect Strange Brew in Java .class files.

>>>>

NE_IE.TROJAN - An e-mail has been circulating recently that purports to be from a Microsoft support organization and includes a program, called Ie080898.exe, which is touted as an update to Microsoft's Internet Explorer. This e-mail is a hoax, and the program attached to it is not legitimate. Microsoft does not send updates by e-mail.

The program attached to this hoax mail is actually a type of malicious program called a Trojan. The program installs itself as part of the Windows system and randomly sends e-mail messages to the Internet. These messages are sent to a list of addresses. Evidently one of the purposes was to annoy the recipients.

>>>>

What is the e-mail security flaw?

Researchers at the University of Oulu in Finland and elsewhere discovered a flaw in e-mail readers from Microsoft and Netscape that allows certain types of e-mail messages to crash the e-mail client. Worse, theoretically, an e-mail could contain a malicious program that executes automatically when the e-mail is received. There have been no reported incidents of hackers taking advantage of these flaws. Both Microsoft and Netscape have announced patches that address this problem.

The specific issue has to do with the length of MIME tags. MIME tags are used to describe the non-text data such as images, sound clips, binary files, etc. associated with an e-mail message. MIME tags beyond a certain length lead to an error condition called "buffer overflow". In most cases a buffer overflow will cause the e-mail client program to fail. By taking advantage of this error condition, hackers could embed programs in e-mail that run automatically and without user control.

Closing the loophole
The best solution is for users to download and apply fixes from Netscape and Microsoft. However, relying on users to download and install the fixes themselves may not be the best route to take.

Trend Micro's InterScan works at the Internet gateway to identify and block e-mail with excessively long MIME tags. InterScan will also block computer viruses, Trojans, malicious applets and other unwanted traffic. With Trend's solution, network administrators won't have to rely on end users to update their e-mail software or to run anti-virus products.

>>>>

The Cult of the Dead Cow's BackOrifice Trojan

A group of hackers calling themselves The Cult of the Dead Cow has recently announced a program called BackOrifice that they claim will allow a remote user to stealthily gain control over computers running Microsoft's Windows 95 and Windows 98 operating systems.

Since BackOrifice must be run on the local machine targeted for takeover, it is unlikely that it will pose a serious security threat. However, there are ways to surreptitiously distribute malicious software. BackOrifice could be distributed in the form of a "Trojan", i.e. a malicious program that poses as a benign tool or utility. More seriously, BackOrifice could be distributed as a type of mobile software called an ActiveX control. ActiveX controls can be embedded in web pages so that they run automatically when someone using Microsoft's Internet Explorer opens the web page.

Microsoft's Outlook 98 is an e-mail client that can send and receive web pages as e-mail. If an ActiveX control is embedded in an e-mail sent to someone using Outlook 98, that control may run automatically when the e-mail is opened.

>>>>

Win32/CIH/Spacefiller Alias: (PE_CIH)
Variants: 1.2-1.4
File virus.

Infects: EXE files of the PE [Portable Executable] format under Windows 95 and Windows 98.

This family of viruses, written in South-East Asia, first appeared in June 1998. Currently there are three known variants; and at least two of these have been found 'in the wild'. The viruses infect Windows 95 and Windows 98 executable files (PE format), but not Windows NT.

Win32/CIH viruses are able to split up the body of the virus code and place it within unused parts of the infected file [PE files usually contain lots of unused space].

The viruses contain a very dangerous payload, which triggers on the 26th of any month. On this date, they attempt to overwrite the flash-BIOS. If the flash-BIOS is write-enabled [and this is the case in most modern computers with a flash-BIOS] this renders the machine unusable because it will no longer boot. At the same time, they also overwrite the hard disk with garbage.

The viruses contain the following [unencrypted] strings:

CIH v1.2 TTIT, .EXE
CIH v1.3 TTIT, .EXE, zip_
CIH v1.4 TATUNG, .EXE, nZip

Dr Solomon's FindVirus 7.86 is able to detect these viruses. So too are weekly drivers dated 19 June 1998 (variants 1.2 and 1.3 are detected as 'like Win32/CIH'). Drivers dated 26 June 1998 positively identify all known variants of this virus.

Further Information on Flash BIOS
Most recent machines, from later 486's through to Pentium II's have a Flash BIOS. On most machines there is no easy way to tell other than reading the manufacturer's documentation or referring to their website or technical support service.

Some machines have hardware write protection for the BIOS (via a jumper on the motherboard) but most don't, and although there are software calls to write protect the BIOS, these are easily circumvented.

Again depending on the BIOS author and the computer or motherboard manufacturer (refer to the documentation) it may be possible to backup the BIOS, and if you know what you're doing you may be able to recover from this situation, but in most instances erasure of the BIOS is likely to be catastrophic and require the machine or motherboard being returned to the manufacturer or replaced.

>>>>>

Windows Excel Virus

XF/Paix
Excel macro virus
XF/Paix is a new macro virus which infects Excel for Windows spreadsheets. Unlike other Excel for Windows macro viruses, XF/Paix does not use VBA (Visual Basic for Applications) macros, but is programmed in the old-style Excel 4 macro language.

The virus gets control when an infected Excel file is opened. The virus then checks the path name of the current document; and creates a file named XLSHEET.XLA, in either the same directory as the document or in C:\WINDOWS, depending on whether the document's path name starts with 'C' or not. The virus is copied to the file XLSHEET.XLA and the file is registered as an Excel Add-In, so that it is automatically loaded every time Excel is started. After this, every Excel file opened is infected with the virus.

The virus triggers with a probability of about 1/50, displaying the text Enfin la paix ... (French for `Peace at last ...') in the title-bar of the application.



>>>>

It is scary to go out without protection.

drsolomon.com
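The post describes two gateway-side filters: rejecting mail whose MIME tags are excessively long (the buffer-overflow bug in the e-mail clients) and blocking attachments that carry a known virus, such as the unencrypted Win32/CIH marker strings it lists. The script below is an added example illustrating both checks in one pass; it is not code from the post, from Trend Micro or from Dr Solomon's. The length thresholds (255 characters per parameter, 1024 per header) are assumptions, since the post gives no numbers, and both sample messages, including the fake "attachment" containing a CIH marker string, are constructed here and are not real infected files.

```python
"""Gateway-style MIME checks: flag over-long MIME tags and attachments that
contain the unencrypted Win32/CIH marker strings quoted in the post.
Thresholds and sample messages are assumptions constructed for illustration."""
import base64
import email
from email.message import Message

MAX_PARAM_LEN = 255    # assumed limit for one MIME parameter value (name=, filename=)
MAX_HEADER_LEN = 1024  # assumed limit for a whole header value

# Marker strings the post lists for the three CIH variants (stored unencrypted).
CIH_MARKERS = (b"CIH v1.2 TTIT", b"CIH v1.3 TTIT", b"CIH v1.4 TATUNG")


def long_tag_findings(part: Message, index: int) -> list:
    """Return (part_index, reason) for each over-long header or parameter."""
    findings = []
    for name, value in part.items():
        if len(value) > MAX_HEADER_LEN:
            findings.append((index, f"header {name} is {len(value)} chars"))
    for header in ("content-type", "content-disposition"):
        # get_params() yields (key, value); the first pair is the media type
        # or disposition itself with an empty value, so it never trips the check.
        for key, val in part.get_params(failobj=[], header=header):
            if len(val) > MAX_PARAM_LEN:
                findings.append((index, f"{header} parameter {key!r} is {len(val)} chars"))
    return findings


def cih_findings(part: Message, index: int) -> list:
    """Decode a leaf part's payload and look for the CIH marker strings."""
    if part.is_multipart():
        return []
    payload = part.get_payload(decode=True) or b""
    return [(index, f"payload contains CIH marker {m.decode()!r}")
            for m in CIH_MARKERS if m in payload]


def scan_message(raw: bytes) -> list:
    """Walk every MIME part of a raw message and collect all findings."""
    msg = email.message_from_bytes(raw)
    findings = []
    for index, part in enumerate(msg.walk()):
        findings += long_tag_findings(part, index)
        findings += cih_findings(part, index)
    return findings


def gateway_verdict(raw: bytes) -> str:
    """Block the message if any check fires, otherwise let it pass."""
    return "block" if scan_message(raw) else "pass"


# Constructed sample: a hoax "IE update" with a 600-character filename and a
# fake attachment body that merely contains a CIH marker string (not a PE file).
LONG_NAME = "A" * 600 + ".exe"
FAKE_PAYLOAD = b"MZ" + b"\x00" * 64 + b"CIH v1.2 TTIT" + b"\x00" * 16
SAMPLE_MAIL = (
    "From: support@example.com\r\n"
    "To: user@example.org\r\n"
    "Subject: Internet Explorer update\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Please install the attached update.\r\n"
    "--b1\r\n"
    f'Content-Type: application/octet-stream; name="{LONG_NAME}"\r\n'
    f'Content-Disposition: attachment; filename="{LONG_NAME}"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(FAKE_PAYLOAD).decode() + "\r\n"
    "--b1--\r\n"
).encode()

# Constructed clean message for comparison.
CLEAN_MAIL = (
    "From: alice@example.com\r\n"
    "To: bob@example.org\r\n"
    "Subject: notes\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/plain; name="notes.txt"\r\n'
    "\r\n"
    "Nothing to see here.\r\n"
).encode()

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MAIL), ("clean", CLEAN_MAIL)):
        print(label, gateway_verdict(raw))
        for index, reason in scan_message(raw):
            print(f"  part {index}: {reason}")
```

Both the over-long `name=`/`filename=` parameters and the marker string are found in the same attachment part, so a single walk over the parsed MIME tree is enough; a real gateway would of course use full signature files rather than three fixed strings, and would tune the length limits to the actual overflow thresholds of the clients it protects.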