
Security Alert

Eudora 3.x with PGP “Spelling”

Eudora with NAI’s
(Network Associates Inc) PGP may exhibit strange behavior when you configure the Eudora
client to perform spell-check on message send.

PGP (Pretty Good Privacy) is one of the most common ways
to protect messages on the Internet. It's effective, easy to use, and free. PGP is
based on the public-key method, which uses two keys: a public key that you
distribute to anyone from whom you want to receive a message, and a private key
that you keep and use to decrypt the messages you receive. To encrypt a message using
PGP, you need the PGP encryption package, which is available for free from a number of sources.

Due to a bug in the way Eudora 3.x orders the sign and spell-check commands,
the message is first signed/encrypted with PGP and only then spell-checked. If the user
modifies the message after it has been signed (for example, by accepting a correction
suggested by the spell checker), the text no longer matches what was signed and the PGP
signature is invalidated. The solution is to upgrade to Eudora 4.x. Eudora 3.x users can
disable spell checking upon "send" or manually spell-check the text before PGP-signing
the message.
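The ordering problem above, shown as an added example (not code from the alert or from Eudora/NAI): a signature computed over the text before the spell checker changes it cannot verify against the corrected text, while spell-checking first and signing the final text does verify. The signature here is an HMAC standing in for a PGP signature, and the spell checker is a fixed two-word correction table; both are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Stand-in for a PGP signature (assumption): an HMAC over the message body.
# Real PGP uses a public-key signature, but the ordering problem shown here
# does not depend on which scheme produces the signature.
SIGNING_KEY = b"constructed-demo-key"

# Stand-in for Eudora's spell checker (assumption): a fixed correction table.
CORRECTIONS = {"recieve": "receive", "seperate": "separate"}


def sign(body: str) -> str:
    """Return a signature over the exact bytes of `body`."""
    return hmac.new(SIGNING_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(body: str, signature: str) -> bool:
    """True only if `signature` was computed over exactly this `body`."""
    return hmac.compare_digest(sign(body), signature)


def spell_check(body: str) -> str:
    """Apply the correction table word by word, as an accepted spell-check would."""
    return " ".join(CORRECTIONS.get(word, word) for word in body.split(" "))


def send_eudora_3x(body: str):
    """Order described in the alert: sign first, then spell-check.

    If any word is corrected, the returned signature no longer covers the
    text that is actually sent.
    """
    signature = sign(body)
    corrected = spell_check(body)  # user accepts the corrections after signing
    return corrected, signature


def send_fixed(body: str):
    """Correct order: spell-check first, then sign the final text."""
    corrected = spell_check(body)
    return corrected, sign(corrected)


if __name__ == "__main__":
    draft = "Please recieve the seperate report"  # constructed sample message
    for sender in (send_eudora_3x, send_fixed):
        text, sig = sender(draft)
        print(f"{sender.__name__}: verifies={verify(text, sig)} text={text!r}")
```

Running the block shows the 3.x order failing verification as soon as a correction is applied, and passing only for a message the spell checker leaves untouched, which is why disabling spell-check-on-send (or spell-checking before signing) is a complete workaround.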

Microsoft fixes bugs in Visual Studio 97

Microsoft's fixed
another passel of bugs in Visual Studio 97, ranging from a debugger problem in Visual J++
and compiler issues in Visual Basic to a memory leak in Visual FoxPro. The fixes in VS 97
SP 3 are on a CD that Microsoft is giving away, charging $7.50 for mailing and handling.
It also includes all the fixes in the first two VS 97 service packs. The VJ++ debugger fix
addresses a situation where Developer Studio crashes when a user clicks on the close button in
IE 4. The problem with VB was that it would sometimes compile incorrect type information.
Also found were some VB compatibility issues, including one with Internet transfer. VC++
gets a few tweaks as well, as does Visual SourceSafe.

A new worm that deletes files on your PC

A new worm has been going
around that attaches itself to outgoing e-mails and deletes files after a machine has been
infected for a week. It spreads in the form of an attachment file, Suppl.doc.

When the attached Word 97 document is
opened, the macro code executes. It copies the active document to the Windows directory as
"Anthrax.ini" and decompresses a trojanized version of "wsock32.dll"
that's appended to the end of Suppl.doc.

Before the system is rebooted, there are
three visible files in the Windows directory: "dll.lzh", "dll.tmp" and
"wininit.ini". After the system has been rebooted, "dll.tmp"
replaces "Wsock32.dll" and the original "Wsock32.dll" is renamed as
"Wsock33.dll". "dll.lzh" (the compressed "dll") and
"wininit.ini" are deleted.

After this, the worm will attach itself to
every SMTP e-mail message sent from an infected user’s machine as

The worm DLL, renamed to wsock32.DLL, first
tests if it's already installed and activated. If yes, then it checks the current system
time and activates after 6 days, 18 hours, 59 minutes, 18 seconds and 964 milliseconds. The
worm gets a list of all the available drives with the GetLogicalDriveStringsA function and
then filters out only fixed disks using the GetDriveType function. It scans
all filtered drives for files having the following extensions: DOC, XLS, TXT, RTF,
DBF, ZIP, ARJ, RAR, and truncates these files like the ExploreZip worm does. The worm calls
the CreateFileA function on an existing file and then closes it immediately.

As a result, all the affected files will be
truncated to zero bytes and will be unrecoverable.
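A defender-side check for the indicators described above, added here as an example (not code from the alert or from any vendor): one function looks for the file names the worm leaves in the Windows directory, the other walks a drive for zero-byte files with the eight targeted extensions, which is the visible trace of the CreateFileA truncation. The directory layout and file contents in `build_constructed_tree` are constructed sample data.

```python
import os
import tempfile
from pathlib import Path

# Extensions the alert says the worm truncates to zero bytes.
TRUNCATED_EXTENSIONS = {".doc", ".xls", ".txt", ".rtf", ".dbf", ".zip", ".arj", ".rar"}

# File names the alert associates with an infected Windows directory:
# the dropped copy of the document, the renamed original Winsock library,
# and the dropper's working files (the last three disappear after reboot).
WINDIR_INDICATORS = ("anthrax.ini", "wsock33.dll", "dll.lzh", "dll.tmp", "wininit.ini")


def find_windows_indicators(windows_dir):
    """Return the indicator names present in windows_dir (case-insensitive)."""
    present = {name.lower() for name in os.listdir(windows_dir)}
    return sorted(n for n in WINDIR_INDICATORS if n in present)


def find_truncated_files(scan_root):
    """Return relative paths of zero-byte files with targeted extensions under scan_root.

    A zero-byte DOC/XLS/... is not proof of infection on its own, but a burst
    of them across a fixed disk matches the payload the alert describes.
    """
    scan_root = Path(scan_root)
    hits = []
    for dirpath, _dirs, files in os.walk(scan_root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in TRUNCATED_EXTENSIONS and path.stat().st_size == 0:
                hits.append(path.relative_to(scan_root).as_posix())
    return sorted(hits)


def build_constructed_tree(root):
    """Constructed sample layout: a fake Windows directory and a fake data drive."""
    root = Path(root)
    windir = root / "WINDOWS"
    data = root / "DATA"
    windir.mkdir()
    (data / "reports").mkdir(parents=True)
    (windir / "Anthrax.ini").write_bytes(b"[constructed sample]\n")
    (windir / "Wsock33.dll").write_bytes(b"MZ constructed original winsock stub")
    (windir / "wsock32.dll").write_bytes(b"MZ constructed trojanized stub")
    (data / "reports" / "Q3.DOC").write_bytes(b"")        # truncated by the worm
    (data / "reports" / "budget.xls").write_bytes(b"")    # truncated by the worm
    (data / "notes.txt").write_bytes(b"still intact\n")   # untouched
    (data / "readme.html").write_bytes(b"")               # zero bytes, but not a targeted type
    return windir, data


def demo():
    """Build the sample tree in a temp directory and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        windir, data = build_constructed_tree(tmp)
        return find_windows_indicators(windir), find_truncated_files(data)


if __name__ == "__main__":
    indicators, truncated = demo()
    print("Windows directory indicators:", indicators)
    print("Truncated files:", truncated)
```

The indicator check deliberately ignores "wsock32.dll" itself, since that name is present on every healthy system; "wsock33.dll" is the telling one, because the worm creates it by renaming the original library.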

An Internet, password-stealing trojan

According to Microworld (www.microworldsystems.com),
a new Trojan is being distributed to Microsoft customers. It comes as a Y2kCount.EXE file
attached to a message supposedly sent from Microsoft.

The message looks like this:

From: support@microsoft.com

Sender: support@microsoft.com

Subject: Microsoft Announcement

Date: Wed, 15 Sep 1999

To All Microsoft Users,

We are excited to announce Microsoft Year
2000 Counter. Start the countdown NOW. Let's all get in the 21st century.
Let's lead the way to the future and we'll get YOU there FASTER and SAFER.

Thank you,

Microsoft Corporation

The attachment, Y2KCount.EXE, is a
self-extracting ZIP archive that contains the installation pack for the new Internet trojan.
The archive has five files (PROJECT1.EXE and four DAT files). The PROJECT1.EXE file serves
as an installer for the trojan. When run, Y2KCount.EXE shows a fake error message.

This is a disguise. At the same time, the
trojan installs itself to the system. It copies four files into \Windows\System directory: proclib.exe, proclib.dll, proclib16.dll, ntsvsrv.dll. Then the system.ini file
is modified so that the trojan could be automatically started during next Windows bootup.
The trojan adds “ntsvsrv.dll” string after the list of drivers to start (after
“drivers=” tag). During the next Windows startup, the ntsvsrv.dll gets control
and renames wsock32.dll to nlhvld.dll and copies proclib16.dll as wsock32.dll. This allows
the trojan to monitor Internet activities on the infected system.

Being active, the trojan checks Internet
traffic for text strings—login, password, and username. This is done to get the
user’s dial-up and network passwords. This action is typical for password stealing
trojans, but the Y2KCount trojan might also function as a backdoor. The trojan works only
under Win 95 and 98.

If you’re infected, you can manually
remove the trojan from your system. This should be done only from DOS. Delete the
following four trojan files from \Windows\System folder: proclib.exe, proclib.dll,
proclib16.dll, ntsvsrv.dll.

The "ntsvsrv.dll" string should
be removed from system.ini file. You can edit this file using "edit" command at
the DOS prompt. The trojan execution string follows other drivers to be started after
"drivers=" tag (it should be the last in the list in case of recent infection).
Finally, the nlhvld.dll should be renamed to wsock32.dll. This will restore the Windows
sockets library renamed by the trojan. After this, you’ll need to restart your PC for
the changes to take effect.
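The manual removal steps above (delete the four files, strip "ntsvsrv.dll" from the drivers= line of system.ini, rename nlhvld.dll back to wsock32.dll) as an added example that is not code from the alert or from Microworld. It is written for a modern Python rather than DOS, so it serves to show the logic, and it is exercised only against a constructed system.ini text and a temporary directory; the layout of `CONSTRUCTED_SYSTEM_INI` is an assumption.

```python
import os
import tempfile
from pathlib import Path

# The four files the alert says the trojan copies into \Windows\System.
TROJAN_FILES = ("proclib.exe", "proclib.dll", "proclib16.dll", "ntsvsrv.dll")
# The name the trojan gives the original Winsock library.
RENAMED_WINSOCK = "nlhvld.dll"

# Constructed sample system.ini (assumed layout) after infection: the trojan's
# DLL has been appended to the drivers= list.
CONSTRUCTED_SYSTEM_INI = """[boot]
shell=Explorer.exe
drivers=mmsystem.dll ntsvsrv.dll

[386Enh]
device=*vmm
"""


def remove_drivers_entry(ini_text, entry="ntsvsrv.dll"):
    """Strip `entry` from every drivers= line of a system.ini text.

    Returns (cleaned_text, removed) where `removed` is True if anything changed.
    Only the drivers= value is touched; every other line is passed through.
    """
    out, removed = [], False
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "drivers":
            tokens = value.split()
            kept = [t for t in tokens if t.lower() != entry.lower()]
            if len(kept) != len(tokens):
                removed = True
                line = key.strip() + "=" + " ".join(kept)
        out.append(line)
    return "\n".join(out) + "\n", removed


def clean_system_dir(system_dir):
    """Delete the trojan files and restore the renamed Winsock library.

    Returns a list of the actions taken so the caller can log them.
    """
    system_dir = Path(system_dir)
    actions = []
    for name in TROJAN_FILES:
        path = system_dir / name
        if path.exists():
            path.unlink()
            actions.append(f"deleted {name}")
    renamed = system_dir / RENAMED_WINSOCK
    if renamed.exists():
        # os.replace overwrites the trojan's copy of wsock32.dll with the original.
        os.replace(renamed, system_dir / "wsock32.dll")
        actions.append(f"renamed {RENAMED_WINSOCK} -> wsock32.dll")
    return actions


def demo():
    """Run both steps against constructed data in a temporary directory."""
    cleaned, removed = remove_drivers_entry(CONSTRUCTED_SYSTEM_INI)
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp)
        for name in TROJAN_FILES + ("wsock32.dll", RENAMED_WINSOCK):
            (sysdir / name).write_bytes(b"MZ constructed stub " + name.encode())
        actions = clean_system_dir(sysdir)
        restored = (sysdir / "wsock32.dll").read_bytes()
        remaining = sorted(os.listdir(sysdir))
    return cleaned, removed, actions, restored, remaining


if __name__ == "__main__":
    cleaned, removed, actions, restored, remaining = demo()
    print(cleaned)
    print(actions, remaining)
```

The alert notes the trojan's entry should be the last on the drivers= line in a fresh infection; the parser above removes it wherever it appears so the result is the same if something else was added later, and running it a second time is a no-op.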

PCQ Bureau: