W95.Hybris.gen
This worm spreads as an attachment to outgoing e-mail. The message could include
the text ‘Snow White and the seven dwarves’ and will have an EXE or SCR
attachment with a random name.
Once you click on the attachment, the worm modifies the file wsock32.dll,
which enables it to attach itself to outgoing e-mail. If your system is using
that file, however, the worm can’t modify it. In that case, it adds a registry
key to either HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
The worm then connects to the newsgroup alt.comp.virus, and uploads its own
plug-ins in an encrypted form to this newsgroup. It goes through the subject
header of these messages to see if there are any attached plug-ins and their
version numbers. If it finds a newer version of its plug-ins, it downloads them
and updates its behavior. For example, some plug-ins make the worm infect
ZIP files.
Whenever you send out e-mail to someone, the worm will also send out another
e-mail to the same person, and attach a copy of itself with a random filename.
Removal: Use your anti-virus software to repair the infected
wsock32.dll, and delete all files that are detected as W95.Hybris.
W32.HLLW.Bymer
This is a high-level language worm, and spreads via shared network drives.
There are two versions of the worm, wininit.exe and msinit.exe, but both
affect your system in almost the same way. When it’s first executed, the worm
modifies registry keys so that it can be executed every time you start your
computer. It then tries to spread itself by checking IP addresses for shared
drives. If it finds a shared drive, it checks if the Windows folder of the drive
is also shared. If it is, it inserts itself into the Windows\System folder and
modifies the Load= line in the win.ini file. The Wininit.exe worm carries a
Dnetc client with it, while the msinit.exe doesn’t. Dnetc is a client-side
software from an organization called distributed.net, and is used for
distributed computing. The organization specializes in running projects that
require lots of computing power, by combining the idle processing cycles of
members’ computers. Wininit.exe inserts the Dnetc client in the Windows
folder, while msinit.exe copies it to this folder. However, the Dnetc client is
not viral in nature.
Removal: Scan your system and delete all files detected as W32.HLLW.Bymer.
Modify the Load= line in win.ini. You’ll also need to modify the registry keys
modified by the worm, which would be
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices, depending on the
version. To remove the Dnetc client, download a utility called Wormfree
available at www.distributed.net/trojans.html.en. One precaution you can take
is to share folders only if you have to, and provide read-only access as far as
possible. Avoid giving full-control access, especially to system folders.
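The removal steps above come down to checking the same few autostart locations the worm writes to. The following script is an added example (not from the article or from any vendor tool) that audits those locations offline: it parses the [windows] section of a win.ini file for Load= and Run= lines and a .reg export for values under the Run, RunOnce and RunServices keys, then flags any entry whose executable matches the two filenames the article gives. The sample win.ini and .reg text are constructed for the demonstration, and the watch list of worm filenames is an assumption taken from the article, not a complete signature.

```python
"""Audit legacy Windows autostart locations from exported text (added example)."""
import re

# Registry keys named in the article; matched as suffixes so HKLM and HKCU both count.
AUTOSTART_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Filenames the article gives for W32.HLLW.Bymer (assumed watch list, not a full signature).
WORM_FILENAMES = ("wininit.exe", "msinit.exe")


def win_ini_autostart(text):
    """Return (key, command) for non-empty load= and run= lines in the [windows] section."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("load", "run") and value:
                found.append((key.lower(), value))
    return found


def reg_export_autostart(text):
    """Return (key, value_name, command) for string values under the autostart keys."""
    found, current = [], None
    suffixes = tuple(k.lower() for k in AUTOSTART_KEYS)
    for raw in text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            key = key_match.group(1)
            current = key if key.lower().endswith(suffixes) else None
            continue
        value_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if current and value_match:
            # .reg exports double every backslash inside string values; undo that.
            command = value_match.group(2).replace("\\\\", "\\")
            found.append((current, value_match.group(1), command))
    return found


def command_basename(command):
    """Lower-case file name of the executable at the start of an autostart command line."""
    exe = command.strip().split()[0] if command.strip() else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(win_ini_text, reg_text):
    """Return all autostart entries and the subset whose executable is on the watch list."""
    entries = [("win.ini " + k, v) for k, v in win_ini_autostart(win_ini_text)]
    entries += [(f"{key}\\{name}", cmd) for key, name, cmd in reg_export_autostart(reg_text)]
    flagged = [(src, cmd) for src, cmd in entries if command_basename(cmd) in WORM_FILENAMES]
    return entries, flagged


# Constructed sample inputs resembling what the worm leaves behind.
SAMPLE_WIN_INI = """[windows]
load=C:\\WINDOWS\\SYSTEM\\wininit.exe
run=
[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"msinit"="C:\\WINDOWS\\SYSTEM\\msinit.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example"
"""

if __name__ == "__main__":
    all_entries, suspicious = audit(SAMPLE_WIN_INI, SAMPLE_REG)
    for source, command in all_entries:
        marker = "!!" if (source, command) in suspicious else "  "
        print(f"{marker} {source}: {command}")
```

Because wininit.exe is also a legitimate Windows filename, treat a match as a lead to verify (check the file's location and hash against a clean system) rather than as proof of infection.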
W95.MTX
This is a worm-cum-virus that spreads via e-mail as an attachment that could
have a PIF (this extension may not be visible in your e-mail client), SCR, or
EXE extension. The attachment could have one of several names, some of which are
I_wanna_see_you.txt.pif, Matrix_screen_saver.scr, Love_letter_for_you.txt.pif,
New_playboy_screen_saver.scr, Bill_gates_piece.jpg.pif, and Anti_cih.exe. When
you execute the attachment, the worm component makes a copy of
wsock32.dll and names it wsock32.mtx. It modifies the latter, to enable the
virus component to mail a copy of the worm-cum-virus to people to whom the user
sends e-mail. The worm component also creates a file called wininit.ini, which
executes every time you start the computer; it deletes wsock32.dll and renames
wsock32.mtx to wsock32.dll. After creating this file, the worm component runs
the virus component.
The virus component searches to see if any anti-virus programs are running,
and doesn’t run if it finds one. If it continues to run, it decompresses the
worm component, drops a copy of it into the user’s Windows directory, called
le_pack.exe, and runs it. After this file is executed, it’s renamed to
win32.dll. The virus also drops a downloader program called mtx_.exe and runs
it. This program goes to a specific Website where plug-ins for the virus are
downloaded and executed. It also adds a registry entry that lets the downloader
run automatically every time the system is started. The downloader won’t be
visible on your system’s task list.
The virus also searches for Win32 executables in the current directory,
Windows directory, and the Temp directory. If it finds a file whose size isn’t
divisible by 101, is greater than 8 kB in size, and has at least 20 import call
instructions, it infects the file. If it doesn’t find such a file, it doesn’t
cause any infection.
Removal: This virus modifies system files that may never get repaired
on some systems and is difficult to remove. Complete removal instructions for
this virus are available at www.symantec.com/avcenter/venc/data/w95.mtx.html.
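Both W95.Hybris and W95.MTX arrive as EXE, SCR or PIF attachments, and MTX hides the real extension behind a harmless-looking one (Love_letter_for_you.txt.pif). A mail gateway or client-side filter can catch that pattern before anyone clicks. The script below is an added example, not from the article or any vendor product: it parses a MIME message with Python’s standard email module, inspects each attachment name, and reports executable extensions and double-extension disguises. The sample message, the extension lists, and the sender and recipient addresses are all constructed for the demonstration; the executable list contains only the three extensions the article names and should be extended for real use.

```python
"""Flag executable and double-extension e-mail attachments (added example)."""
import email
from email import policy

# Extensions the article names as carriers; a real filter would add more (bat, com, vbs, ...).
EXECUTABLE_EXTS = {"exe", "scr", "pif"}
# Harmless-looking extensions the worms place in front of the real one.
DECOY_EXTS = {"txt", "jpg", "gif", "doc", "htm", "html"}


def classify_attachment(filename):
    """Return a short verdict for a risky attachment name, or None if it looks harmless."""
    parts = filename.lower().rsplit(".", 2)  # keep at most the last two extensions
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) == 3 and parts[1] in DECOY_EXTS:
        return f"executable .{ext} disguised with .{parts[1]}"
    return f"executable attachment .{ext}"


def scan_message(raw):
    """Parse a raw RFC 822 message and return (filename, verdict) for risky attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify_attachment(name)
        if verdict:
            findings.append((name, verdict))
    return findings


# Constructed sample message modelled on the attachment names in the article.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: you@example.invalid
Subject: Snow White and the seven dwarves
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Hi!
--XYZ
Content-Type: application/octet-stream; name="Love_letter_for_you.txt.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Love_letter_for_you.txt.pif"

TVoAAA==
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain notes
--XYZ--
"""

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{name}: {verdict}")
```

The check is by name only, which is exactly what a user sees in a mail client that hides known extensions; pairing it with content inspection (for example, an MZ header in a part that claims to be text) closes the gap for renamed files.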
Bug bash
Security holes in Windows Media Player
Windows Media Player 6.4 and 7 are vulnerable to two security
holes. The first one arises from a buffer overrun in the handling of ASX (Active
Stream Redirector) streaming media files, which lets users play streaming media
from Internet sites or intranet servers. The other one can happen due to script
execution in WMS files. These are ‘skins’ that let you customize the look
of the player.
In the case of the ASX vulnerability, which occurs only on Windows 2000 with
Service Pack 1 installed, the unchecked buffer can lead to a malicious user
running code of his choice on your machine. He could send you an affected media
file by mail, or host it on a Website and cause it to launch automatically when
anyone visits that site. The code will then let him control your machine, and do
anything on it that you can do.
The WMS vulnerability affects Windows Media Player 7 only, because skins were
introduced in this version, but since that version runs on all Windows platforms
(Windows 95, 98, 2000, ME, and NT), the hole affects all of them. In this case, a WMS file could include script
that will execute if Windows Media Player is run and the skin is selected. Such
a skin could be mailed to you or hosted on a Website. If it were mailed to you,
the code would be executed when you open the mail, provided you have Windows
Media Player, and HTML scripts are allowed in your mail client. The code will be
able to execute all ActiveX controls, including those not marked ‘safe for
scripting’ in your Internet Options. So, the code could take any action that’s
possible via an ActiveX control.
Patches: Microsoft has issued patches for both these vulnerabilities.
These are available at:
Windows Media Player 6.4: www.microsoft.com/Downloads/Release.asp?ReleaseID=26069
Windows Media Player 7: www.microsoft.com/Downloads/Release.asp?ReleaseID=26079
Vulnerabilities in Internet Information Server 4 and 5
Two vulnerabilities have been discovered in IIS 4 and IIS 5, which let
malicious users gain access to your server and modify the data there. Patches
were released for both vulnerabilities separately, but the patch that fixed one
on IIS 5 re-opened the security hole in the other. So, Microsoft has now
released an updated patch that fixes both holes for IIS 5.
One of these vulnerabilities lets a malicious person run programs directly on
the Web server. To do this, he has to request a CMD or BAT file that exists
on the server (the malicious user must also have execute permissions on the file)
and send certain specific operating system commands with it.
The vulnerability arises because whenever IIS receives a request for an
executable file, it passes the name of the requested file to the operating
system for processing. Due to an implementation flaw, it’s possible to create
a specific malformed request, which contains the name of a CMD or BAT file that
exists on the server and some operating system commands. When this request is sent
to IIS and it passes it on to the underlying OS, the OS processes the file and
executes the command. The ability to run operating system commands on the Web
server enables the malicious user to take any action on IIS that a user who’s
logged on to it can take. He can add, delete, or change files; run code of his
choice on the server; etc.
The other vulnerability lets a malicious visitor to your Website take
destructive actions on it. The malicious visitor can use a specific type of
malformed URL to get access to all files and folders that lie on the drive that
contains your Web folders. So, he can potentially do anything that a locally
logged-on user could do on your machine. The request would be processed under
the security context of the IUSR_machinename account, the anonymous user account
for IIS. Because it belongs to the Everyone and Users groups, this account gives
the malicious visitor limited access to Web folders, but also allows him access
to data on the drive outside these folders. So, he can execute operating system
commands on your system, unless you’ve removed the Everyone and Users groups
from permissions on your server, or have hosted the Web folders on a different
drive from the operating system.
For IIS 5, a common patch for both these vulnerabilities is available at:
www.microsoft.com/Downloads/Release.asp?ReleaseID=25547
For IIS 4 users, the two patches are available at:
www.microsoft.com/ntserver/nts/downloads/critical/q277873
www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
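Until the patches are applied, both IIS holes leave a trace in the server’s W3C extended log: a request for a batch file with shell metacharacters appended, or a URL that percent-encodes its way above the web root. The script below is an added example (not from the article or from Microsoft) that scans such log lines for those two patterns. It assumes the seven-field log layout declared in the constructed #Fields header; the log lines and IP addresses are constructed for the demonstration, and the traversal target is a harmless file chosen only to show the pattern.

```python
"""Scan IIS W3C extended log lines for the two request patterns described above (added example)."""
import re
from urllib.parse import unquote

# Field order assumed for this example; real logs declare theirs in a #Fields: line.
LOG_FIELDS = ("date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status")
BATCH_EXTS = (".bat", ".cmd")
SHELL_METACHARS = re.compile(r"[&|;]")


def parse_w3c_line(line):
    """Split one space-separated log line into a dict, or return None if the field count is off."""
    fields = line.split()
    if len(fields) != len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, fields))


def normalise_path(stem):
    """Percent-decode twice (to catch double encoding) and turn backslashes into slashes."""
    return unquote(unquote(stem)).replace("\\", "/")


def inspect_request(rec):
    """Return the list of reasons a request looks like one of the two attacks (empty if clean)."""
    reasons = []
    path = normalise_path(rec["cs-uri-stem"])
    if any(segment == ".." for segment in path.split("/")):
        reasons.append("directory traversal outside the web root")
    query = "" if rec["cs-uri-query"] == "-" else unquote(rec["cs-uri-query"])
    if path.lower().endswith(BATCH_EXTS) and SHELL_METACHARS.search(query):
        reasons.append("batch file requested with shell metacharacters in query")
    return reasons


def scan_log(text):
    """Return (client ip, raw uri stem, reasons) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        reasons = inspect_request(rec)
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


# Constructed sample log; the traversal line decodes %5c to a backslash.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-11-20 10:01:02 192.0.2.10 GET /default.htm - 200
2000-11-20 10:01:05 192.0.2.77 GET /scripts/test.bat +&+dir 200
2000-11-20 10:01:09 192.0.2.77 GET /scripts/..%5c..%5cwinnt/win.ini - 200
2000-11-20 10:02:00 192.0.2.10 GET /images/logo.gif - 304
"""

if __name__ == "__main__":
    for ip, stem, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem}: {'; '.join(reasons)}")
```

A 200 status on a traversal line means the request was served, which is the case to escalate; 404s for the same pattern still show someone probing. The article’s two structural mitigations, keeping the web folders on a different drive from the operating system and trimming the Everyone and Users groups, are what limit the damage when a log line like the third one does appear.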
Compiled by Pragya Madan