July 7, 2000

Patch for vulnerability in Office 2000
Microsoft has released a patch for a vulnerability in Office 2000, which could
potentially allow a malicious Website operator to carry out Office functions on
the machine of a visitor to his site. This vulnerability stems from an ActiveX
control–Office 2000 UA Control–that ships with Office 2000, and is used by
the "Show Me" function in Office Help files. When clicked, the
"Show Me" hyperlink demonstrates how you can perform a particular

The Office 2000 UA Control has incorrectly been marked as
"safe for scripting". The "safe for scripting" assertion
means that the control can’t cause harm to a machine that it runs on. However,
this is not the case here, because this control allows any Office function to be
executed. So, for example, if you’re visiting a Website, the control allows
the Website operator to open Word on your PC, change the macro security
settings, and then open a Word document on his site that contains malicious

The patch for this vulnerability is available at It provides a new version of the ActiveX control, with reduced
functionality, so that it’s actually safe for scripting. However, after
installing the patch, your Office Help will also have reduced functionality. The
"Show Me" function will be disabled, and you won’t see
pop-ups–text boxes that appear when you run your cursor over specially-marked

Security hole in shopping cart program
Cart32–a program to create a shopping cart for your e-com store–has a
"backdoor" password that could allow any cracker with the password to
administer your system. The backdoor was created to allow the company’s
technical support system to gain access to your shopping cart and administer
your system, in case you forgot your administration password. But an attacker
can use this password to run arbitrary commands on the server, and gain access
to all your information including customers’ credit card details, shipping
addresses, etc.

A patch for this has now been posted by the company at

Backdoor access for technical support is a common feature in
many shopping cart programs. So, if you use another shopping cart program,
it’s a good idea to check with the vendor if the program has backdoor
access.

Viruses in your mail…

Also known as ResuméWorm, or W97M.Resumé, this is a Word 97 macro virus
that deletes necessary system files. It’s a variant of the W97M/Melissa
family. It arrives by Outlook e-mail, with the following subject and body text,
and an attachment called "Explorer.doc":

Subject: Resumé–Janet Simons

To: Director of Sales/Marketing

Attached is my resumé with a list of references contained

Please feel free to call me or e-mail me if you have any
further questions regarding my experience. I am looking forward to hearing from


Janet Simons


If the attached file Explorer.doc is opened, the virus will
e-mail a copy of this document to everyone in your address book, using Microsoft
Outlook. When you close the document, it’ll try to drop two copies of
itself–one in C:\data\, and the other in
C:\Windows\StartMenu\Programs\StartUp\Explorer.doc. It will then delete all
files in the different directories on your hard drive, in the following
order–C:\*.*, C:\My Documents\*.*, C:\Windows\System\*.*,
C:\Winnt\System32\*.*. It will also delete files from A:\*.* (this
may cause an error message), B:\*.* (this may cause an error message), and *.*
in the root of drives from D: through Z:.

To protect yourself from the virus, don’t open the above
attachment if you receive it, and update your anti-virus software.

This is a macro virus that infects Word and Excel files. It spreads via e-mail.

From an infected Word document, it disables the Word 97 macro warning, or
sets the Word 2000 security setting to low. It infects the Word global template,
deletes all *.XL? files from the Excel startup directory, and drops a read-only
CyberNet.XLS file into the Excel startup directory. From an infected Excel
spreadsheet, it disables the Excel 97 macro warning or sets the Excel 2000
security setting to low, deletes the global template, drops a
read-only CyberNet.XLS file into the Excel startup directory, deletes all *.DO?
files from the Word startup directory, and drops an infected Word global

It also e-mails a copy of the infected document or
spreadsheet to the first 50 addresses in your address book. The subject and body
of the e-mail are as follows:

Subject: You’ve got mail!!!

Message: Please, save the document after you read and don’t
show to anyone else. The document is also VIRUS FREE…so DISREGARD the virus
protection warning!!!


The virus also has a malicious payload that gets triggered on
August 17 or December 25. The virus adds randomly shaped objects to the infected
document or spreadsheet, and then modifies the files autoexec.bat and
config.sys. The virus replaces the autoexec.bat with commands to format your C:
drive. It then displays a message box, clicking OK to which will shut down

To prevent your system from getting infected, don’t open
the above e-mail if you receive it. If you happen to get infected, delete the to replace the Word setting. If the virus has already replaced
autoexec.bat and config.sys, you’ll need to replace these from a backup copy.

This worm uses Outlook and mIRC to spread itself. In Outlook, it mails
itself to all the addresses in the address book. It drops the file rundll32.vbs
in the Windows directory by modifying the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSrundll32 = "rundll32.vbs".
It also modifies the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = "FireburN".

The e-mail message could be in German–if the infected
machine has a German version of Windows–or English:

Subject: Hi, how are you?

Message: Look at that nice Pic attached! Watching it is a
must 😉 cu later…

The attachment is a GIF or JPG file, and its name suggests
pornographic material.

If mIRC is installed, the worm drops the file script.ini in
the mIRC program folder, and spreads through mIRC when you connect to IRC

On June 20, the worm disables your mouse and keyboard by
modifying the registry keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shut_Up = "rundll32 mouse,disable" and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shut_Up2=

It then displays a message box with the following text:

"I’m proud to say that you are infected by FireburN

To remove the worm, delete the file script.ini. Then, remove
the following entries from your registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Msrundll32 = "rundll32.vbs"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shut_Up = "rundll32 mouse, disable"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shut_Up2 = "rundll32 keyboard, disable"

Then restore the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner
to its original value.
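
The Run entries and the RegisteredOwner change listed above can be checked offline against a text export of the registry. The Python sketch below is an added example, not part of the original article; the sample export, its benign entries and the function names are constructed for illustration, and the check is slightly more general than the article's list (any script file or rundll32 input-disable command under Run).

```python
import re

# Key paths as given in the article, lower-cased for case-insensitive matching.
OWNER_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEY = OWNER_KEY + r"\run"
SCRIPT_EXT = re.compile(r'\.(vbs|vbe|js|jse|wsf|wsh)(?=$|[\s"])', re.I)
INPUT_OFF = re.compile(r"rundll32(\.exe)?\s+(mouse|keyboard)\s*,\s*disable", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="FireburN"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"MSrundll32"="rundll32.vbs"
"Shut_Up"="rundll32 mouse,disable"
"Shut_Up2"="rundll32 keyboard, disable"
'''

def unescape(s):
    """Undo the backslash escaping used for string data in .reg exports."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_export(text):
    """Yield (key, value_name, string_data) from a REGEDIT4-style text export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def triage(text):
    """Return (value_name, reason) findings for the indicators in the article."""
    findings = []
    for key, name, data in parse_export(text):
        k = key.lower()
        if k == RUN_KEY and INPUT_OFF.search(data):
            findings.append((name, "Run entry disables an input device"))
        elif k == RUN_KEY and SCRIPT_EXT.search(data):
            findings.append((name, "Run entry launches a script file"))
        elif k == OWNER_KEY and name.lower() == "registeredowner" and data == "FireburN":
            findings.append((name, "RegisteredOwner overwritten"))
    return findings
```

Calling `triage()` on an export of a clean machine returns an empty list; on the constructed sample it flags the four worm-related values and leaves the two benign Run entries alone.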

Compiled by Pragya Madan
