This month, we cover two worms that have spread rapidly
through e-mail, and vulnerabilities and incompatibilities in Windows Me and
Windows 2000.
Widespread worms
W32.Prolin.Worm
Also known as Troj_Shockwave.A, Creative, and Troj_Prolin.A, this worm spreads
through Microsoft Outlook and affects Win 9x and NT systems. It e-mails itself
to everyone in the Outlook address book. The subject of the e-mail is "A
great Shockwave Flash movie", and the worm travels as an attachment called
Creative.exe. The message body says, "Check out this new Flash movie that I
downloaded just now…It's great Bye."
After this, the worm sends an e-mail to a Yahoo! mail
account. The subject line is "Job complete", and the message says,
"Got yet another idiot".
The worm runs only when you double-click the attachment.
After e-mailing itself and sending the notification above, it copies itself,
as Creative.exe, into C:\Windows\Start Menu\Programs\Startup (if C:\Windows is
your Windows directory), so it is run again every time Windows starts.
It then moves all your JPG, MP3 and ZIP files to the root directory and
renames them by appending "change at least now to Linux" to their file
extension. It also drops a file called messageforu.txt in the root directory,
containing a message signed by "The Penguin" followed by a list of every file
the worm moved, each with its complete pathname from before the move.
To remove the worm, scan your system with an updated version of your
anti-virus software and delete every file it identifies as the worm, including
the copy in the Startup folder. Then use the list in messageforu.txt to move the
affected files back and restore their original extensions: the worm only moves
and renames them, so their contents are untouched.
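The restore step above can be scripted. The following is an added example, not code from the page or from any vendor: it reads the list from messageforu.txt, works out where the worm left each file (root directory, original name with the suffix appended) and moves it back. It assumes the list section gives one absolute Windows path per line; the suffix string is the one quoted above and is a parameter, since variants may differ in spacing or case. The scenario in demo() is constructed for illustration.

```python
"""Undo the file moves made by W32.Prolin.Worm (added example, not from the page)."""
from pathlib import Path, PureWindowsPath
import tempfile

# Suffix as quoted on this page; variants may differ in spacing and case, so it is a parameter.
PROLIN_SUFFIX = "change at least now to Linux"

def original_paths(listing):
    r"""Extract the full original pathnames from messageforu.txt, skipping the message text.
    Assumption: the list part gives one absolute Windows path per line (C:\dir\file.ext)."""
    paths = []
    for raw in listing.splitlines():
        line = raw.strip()
        if len(line) > 3 and line[0].isalpha() and line[1:3] == ":\\":
            paths.append(PureWindowsPath(line))
    return paths

def restore(root, listing, suffix=PROLIN_SUFFIX, dry_run=False):
    """Move every listed file from the root directory (where the worm left it, suffix
    appended) back to its original location. Returns (restored, missing, skipped)."""
    restored, missing, skipped = [], [], []
    for orig in original_paths(listing):
        moved = root / (orig.name + suffix)       # pic.jpg became pic.jpgchange at least now to Linux
        dest = root.joinpath(*orig.parts[1:])     # same drive as root; drop the C:\ part
        if not moved.is_file():
            missing.append(str(orig))             # not where the worm said it put it
        elif dest.exists():
            skipped.append(str(orig))             # never overwrite a file that is already back
        else:
            if not dry_run:
                dest.parent.mkdir(parents=True, exist_ok=True)
                moved.rename(dest)
            restored.append(dest)
    return restored, missing, skipped

def demo():
    """Constructed scenario: a root with two renamed files and a listing naming three."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ("pic.jpg" + PROLIN_SUFFIX)).write_bytes(b"jpeg data")
        (root / ("song.mp3" + PROLIN_SUFFIX)).write_bytes(b"mp3 data")
        listing = ("(message text goes here)\n- The Penguin\n"
                   "C:\\My Documents\\pic.jpg\nC:\\Music\\song.mp3\nC:\\Temp\\gone.zip\n")
        restored, missing, skipped = restore(root, listing)
        back = (root / "My Documents" / "pic.jpg").read_bytes()
        return len(restored), missing, skipped, back

if __name__ == "__main__":
    print(demo())
```

Run it with dry_run=True first against the real root to see what would move; a file listed but not found in the root (the "missing" list) is one you should look for by hand before trusting the result.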
W32.Navidad
This worm spreads using any MAPI-compliant e-mail client, including Microsoft
Outlook, though the messages it sends can be received by any client. Navidad
makes your system unusable by changing registry keys. Systems at risk are Win
9x/NT/2000.
The worm arrives as an e-mail attachment called Navidad.exe.
When you execute the attachment, a dialog box titled 'Error' appears with the
message "UI". When you click OK, a blue eye icon appears in your system tray
and a copy of the worm is saved as winsvrc.vxd in the Windows System
directory.
When your mouse pointer rests on the icon, it displays the message "We're
watching it". Clicking the icon opens a dialog box with a single button labelled
"Never press this button". If you press it, an error box titled "Merry
Christmas" appears with a message telling you that you've lost your computer.
This is only a hoax. To stop the running copy of the worm, close that dialog
box with the 'X' instead of clicking the button. The message "Good selection"
will appear; click OK and the worm exits: the eye icon disappears and the
process terminates. Note that this only ends the process; the registry changes
described below remain until you undo them.
The worm also creates the following registry keys.
If you're running Win 9x (and your Windows directory is C:\Windows):
HKEY_USERS\.DEFAULT\Software\Navidad
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Win32BaseServiceMOD = C:\WINDOWS\SYSTEM\winsvrc.exe
It also changes the value of two other registry keys.
If you're running Win NT/2000 (and your Windows directory is C:\WINNT):
HKEY_CURRENT_USER\Software\Navidad
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Win32BaseServiceMOD = C:\WINNT\System32\winsvrc.exe
Again, it changes the value of two other registry keys.
Note that in both cases the Run entry refers to winsvrc.exe, although the file
the worm actually wrote is winsvrc.vxd.
After this, it begins mailing itself to other people through your
MAPI-compliant mail client. It goes through every message in your inbox and
replies to each one that has an attachment. The reply keeps the original
subject and body text but carries Navidad.exe, the worm, as its attachment, so
it arrives from a known correspondent under a familiar subject line. While the
worm is running you won't be able to exit your mail client or shut down the
computer, except by switching it off.
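Both worms are recognisable at the mail gateway by the attachment name, and Prolin also by its fixed subject line (the Navidad reply re-uses a real subject and body, so only the attachment is stable). The following is an added example of such a check, not code from the page or from any mail product; it uses Python's standard email module, and the three messages it builds are constructed samples in the shape described above, not real captures.

```python
"""Gateway check for the worm mails described above (added example, not from the page)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the descriptions on this page.
PROLIN_SUBJECT = "A great Shockwave Flash movie"
WORM_ATTACHMENTS = {"creative.exe": "W32.Prolin.Worm", "navidad.exe": "W32.Navidad"}

def attachment_names(msg):
    """Lower-cased filenames of every attachment part, however deeply nested."""
    return [p.get_filename().lower() for p in msg.walk()
            if p.get_content_disposition() == "attachment" and p.get_filename()]

def classify(raw):
    """Return (family, reasons) for a known worm mail, or None for anything else.
    Navidad replies re-use a real subject and body, so only the attachment name is
    stable; for Prolin the fixed subject line is a second, corroborating indicator."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    for name in attachment_names(msg):
        family = WORM_ATTACHMENTS.get(name)
        if family:
            reasons = ["attachment " + name]
            if family == "W32.Prolin.Worm" and subject == PROLIN_SUBJECT:
                reasons.append("Prolin subject line")
            return family, reasons
    return None

def build_sample(subject, body, attachment=None):
    """Constructed test message in the shape described above (not a real capture)."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        # A few bytes stand in for the executable; the check never looks at the content.
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

PROLIN_MAIL = build_sample(PROLIN_SUBJECT,
                           "Check out this new Flash movie that I downloaded just now...It's great Bye.",
                           "Creative.exe")
NAVIDAD_MAIL = build_sample("Re: photos from Saturday", "Here they are.", "NAVIDAD.EXE")
CLEAN_MAIL = build_sample("Monthly figures", "See attached.", "figures.zip")

if __name__ == "__main__":
    for sample in (PROLIN_MAIL, NAVIDAD_MAIL, CLEAN_MAIL):
        print(classify(sample))
```

The filename comparison is case-insensitive on purpose: the worm's own copy is written as Navidad.exe, but nothing stops a relay or a client from changing the case, and an exact-case match would miss it.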
Because of the registry keys created and modified, you'll see an error message
whenever you try to launch an EXE file: Windows prompts you to locate a file
called winsvrc.exe, and no program will start. The keys the worm modified are
the ones that define how EXE files are opened, and it has pointed them at
winsvrc.exe, which does not exist.
If you've been infected, you can recover by opening an MS-DOS Prompt, changing
to the Windows directory and copying regedit.exe to regedit.com; the .com
association is untouched, so the renamed copy still runs. You can then run
regedit from the Start menu and undo the registry changes. More details on
this procedure are available at:
www.symantec.com/avcenter/venc/data/w32.navidad.html
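Rather than editing by hand, you can export the relevant keys with regedit, check the export for the worm's entries and generate a repair file. The following is an added example of that, not code from the page or from Symantec. The Run value and the Navidad keys are the ones listed above; the EXE association key (HKEY_CLASSES_ROOT\exefile\shell\open\command, with a mirror under HKEY_LOCAL_MACHINE\Software\CLASSES) is not spelled out on this page and is assumed here as the key whose change produces the "locate winsvrc.exe" prompt; the stock value for it is "%1" %*. The export in SAMPLE_EXPORT is constructed for illustration, in the NT/2000 layout.

```python
"""Detect and undo W32.Navidad's registry changes from a regedit export (added example)."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Win32BaseServiceMOD"          # autostart value listed on this page
WORM_EXE = "winsvrc.exe"                   # the file the broken EXE launches ask for
NAVIDAD_KEYS = (r"HKEY_USERS\.DEFAULT\Software\Navidad",
                r"HKEY_CURRENT_USER\Software\Navidad")
# The EXE file association. Assumed (not named on this page): it is the key whose
# change produces the "locate winsvrc.exe" prompt described above.
EXEFILE_KEYS = (r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
                r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command")
CLEAN_EXE_COMMAND = '"%1" %*'              # stock Windows value for that key

def _unescape(s):
    """Undo .reg string escaping (\\ for a backslash, \" for a quote)."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse the string values of a .reg export into {key: {value_name: data}}.
    Only "name"="data" and @="data" lines are read; hex/dword values are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name = "" if m.group(1) == "@" else _unescape(m.group(2))
                keys[current][name] = _unescape(m.group(3))
    return keys

def find_navidad(keys):
    """Return (key, value_name, data) triples matching the worm's changes.
    value_name None means the whole key is the worm's; "" is the (Default) value."""
    found = []
    for key, values in keys.items():
        k = key.lower()
        if k in (n.lower() for n in NAVIDAD_KEYS):
            found.append((key, None, None))
        if k == RUN_KEY.lower() and RUN_VALUE in values:
            found.append((key, RUN_VALUE, values[RUN_VALUE]))
        if k in (e.lower() for e in EXEFILE_KEYS) and WORM_EXE in values.get("", "").lower():
            found.append((key, "", values[""]))
    return found

def repair_reg(found, header="REGEDIT4"):
    """Build a .reg file that deletes the worm's entries and restores the EXE association."""
    lines = [header, ""]
    for key, name, _data in found:
        if name is None:                       # the worm's own key: delete it
            lines += ["[-" + key + "]", ""]
        elif name == RUN_VALUE:                # drop the autostart value
            lines += ["[" + key + "]", '"' + RUN_VALUE + '"=-', ""]
        else:                                  # put the stock association back
            esc = CLEAN_EXE_COMMAND.replace("\\", "\\\\").replace('"', '\\"')
            lines += ["[" + key + "]", '@="' + esc + '"', ""]
    return "\n".join(lines)

# Constructed export of an infected NT/2000 system (illustration, not a real capture).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Navidad]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINNT\\System32\\winsvrc.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\System32\\winsvrc.exe \"%1\" %*"
"""

if __name__ == "__main__":
    hits = find_navidad(parse_reg(SAMPLE_EXPORT))
    print(repair_reg(hits))
```

Import the generated file with the copied regedit.com from the DOS prompt (regedit.com repair.reg) or through regedit once it runs again; then delete winsvrc.vxd from the System directory.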
Incompatibility between Windows Me and NAV 2001
Windows Me has a directory that anti-virus software does not scan, and which
can therefore harbour viruses. This has been observed when Norton AntiVirus
2001 is used with Windows Me.
This directory is created by the rollback facility of the System Restore
feature of Windows Me. Rollback lets you restore your system to the state it
was in at an earlier point in time, which comes in handy, for example, when an
application you've installed makes the system unstable. To make this possible,
Windows Me takes snapshots of your system at regular intervals and stores them
in a directory called C:\_RESTORE. The OS doesn't allow anything outside the
restore facility to change this data, because any such change would mean that
it is no longer an exact snapshot of the system as it was; restoring to an
altered state might not solve your problem and might even make it worse. The
downside is that if your system was infected by a virus when a snapshot was
taken, you run the risk of being re-infected by a rollback, even though you
removed the virus afterwards.
Because of this, NAV 2001 leaves this directory alone even when asked to scan
the whole hard drive. If you want to scan the folder, you have to do so
manually by pointing the anti-virus utility at C:\_RESTORE. The scanner itself
gives no guidance on what to do if it does find a virus there. For Microsoft's
advice on removing viruses from this folder, refer to
http://support.microsoft.com/support/kb/articles/Q263/4/55.asp
Incompatibilities between Win Me and some display adapters
Windows Me doesn't ship with up-to-date drivers for some video cards, and this
can make your system malfunction. Cards for which problems have been reported
include the Graphics Blaster Riva TNT, Diamond Speed Star PCI Video Adapter with
BIOS version 1.01, Diamond Viper PCI VGA Video Adapter, Diamond Stealth Video
Adapter with BIOS version 1.03, and some older Trident cards. If the OS is
incompatible with your video card's driver, the system may hang, especially
while you're browsing, or you may get a DirectX-related error message.
To check the drivers of your video card, go to Start > Settings > Control
Panel and double-click the System icon. On the Device Manager tab, click
Display adapters to expand it, right-click your adapter, choose Properties and
open the Driver tab. Click Driver Details to see the driver files and their
versions. If you suspect a video card problem after installing Windows Me,
note the exact model of your card, go to the technical support site of the
card's manufacturer and check the latest driver version for your card on its
driver updates page. If this differs from what you found on your system, or if
a Windows Me-specific version is available, download it and follow the
instructions to update your driver.
Win 2k ActiveX vulnerability can cause IE and Outlook to crash
An unchecked buffer in an ActiveX control that ships with Windows 2000 can
cause IE, Outlook or Outlook Express to crash and, in some cases, could let an
attacker run code of his choosing on your machine. Platforms affected are
Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server,
and Windows 2000 Datacenter Server.
To exploit the vulnerability, the ActiveX control has to be invoked from a Web
page or an HTML mail with a specially malformed parameter that overruns the
buffer. In a buffer overrun, the attacker supplies more data than the program
has set aside for it; the excess spills into adjacent memory, such as the saved
return address of the function, rather than into the program's code itself. If
that memory is overwritten with carefully chosen values, execution can be
redirected to code the attacker supplied, and the program is then under his
control. If it is overwritten with arbitrary data, the program simply crashes.
The latter is the more likely outcome here: IE, Outlook Express or Outlook
crashes while the OS continues to run.
Microsoft has issued a patch for this, which is available at:
www.microsoft.com/Downloads/Release.asp?ReleaseID=25532.
Compiled by Pragya Madan