TEC Computer Virus Alerts

Email Greeting VIRUS
UPDATE:
January & February 2004
posted by: TEC WebAdmin
MY DOOM VIRUS - Feb. 2004
A new variant of the "MyDoom" worm has been released
called MyDoom.b. It looks much the same, but it will also block
access to several Web sites, including anti-virus sites. Even if
you just updated the virus definitions on your virus protection
software to handle the first MyDoom virus, you should do so again,
since the older definitions may not catch this new variant. For
more specifics on MyDoom.b, go to:
http://vil.nai.com/vil/content/v_100988.htm
Again, always be wary of email attachments that you were not expecting,
even if you know the person who sent the email. You should always
avoid opening attachments that end in .exe, .vbs, .bat, .pif, .cmd
and .scr, since these are the file types that are most commonly
used to spread viruses and worms. In addition, viruses and worms
can arrive as compressed (zipped) files with extensions of .zip.
Thank you.
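The attachment advice above can also be enforced at a mail gateway. The following is an added example, not part of the original alert: it screens a parsed message for the extensions listed above and goes one step further by looking inside .zip attachments for the same extensions. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the alert above says to avoid opening.
RISKY_EXTENSIONS = {".exe", ".vbs", ".bat", ".pif", ".cmd", ".scr"}

def risky_name(filename):
    """True if the final extension is on the list (so 'card.jpg.scr' is caught)."""
    return PurePosixPath(filename.strip().lower()).suffix in RISKY_EXTENSIONS

def screen_attachments(msg):
    """Return (attachment name, reason) findings for one parsed message."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if risky_name(name):
            findings.append((name, "risky extension"))
        elif name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    for member in archive.namelist():
                        if risky_name(member):
                            findings.append((name, f"archive contains {member}"))
            except zipfile.BadZipFile:
                # An archive that cannot be read cannot be cleared either.
                findings.append((name, "unreadable zip"))
    return findings

def build_sample():
    """Constructed message: a zip hiding a .pif name, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("document.txt.pif", b"constructed placeholder bytes")
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    msg.add_attachment(b"hello", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg

if __name__ == "__main__":
    print(screen_attachments(build_sample()))
```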
Greeting card virus licensed to spread
By Robert Lemos
Staff Writer, CNET News.com
This article can be read from CNet's
Website.
The FriendGreetings electronic greeting card has all the hallmarks
of a mass-mailing computer virus.
The e-mail misleads a victim into downloading an application--ostensibly
to view a Web card--and then sends itself to every e-mail address
in the victim's Outlook contacts file. At least a few systems administrators
have complained in Usenet postings that the mass-mailing e-card
was to blame for swamping their network.
Yet the creators--Permissioned Media, a company apparently based
in Panama--will be hard to prosecute: The viral card is protected
by a license agreement that tricks unsuspecting users into clicking
"Yes" and consenting to have the program send itself to
all their e-mail contacts.
"They are deliberately trying to hide something in a wrapping
that they know people won't read," said Vincent Gullotto, vice
president of security company Network Associates' antivirus emergency
response team.
Without the license agreement, the program would be considered
a virus, but with the code wrapped in what could be a prosecution-proof
vest, Gullotto is careful to avoid the term. "The unofficial
name we have for it is a 'fishy program,'" he said.
The power of a button-click to transform a virus into a legal--albeit
questionable--program has some attorneys worried that future Internet
attackers could get protection using one of the software industry's
best weapons: the click-wrap license.
"This is a legal hack," said Jennifer Granick, a lawyer
and clinical director for the Stanford University Center for Internet
and Society. "It really raises the problems of online licensing
and contracting. Companies haven't wanted to admit (that problems
exist), because they get to write the licenses and it benefits them."
The viral e-card is just the latest example of questionable software.
In April, Kazaa users inundated Brilliant Digital Entertainment
with complaints when they discovered that the most recent version
of the company's 3D ad technology software, which is bundled with
the Kazaa file-sharing program, contained licensing terms that allowed
the company to claim "unused computing power and space"
on a person's PC.
Another program, Gator, which tracks users and tailors ads to them,
had been roundly criticized by users and advertisers alike.
Is it illegal?
However, if protected by a properly crafted license, such applications
aren't actually doing anything that's legally considered wrong.
In the precedent-setting case Specht et al. v. Netscape Communications,
the court found that two tests must be satisfied for a license to
be binding: The user must be aware of the license, and the user
must be required to accept it in some way.
The license included in Permissioned Media's FriendGreetings e-card
passes both tests.
The viral Web greeting card attracts users with an e-mail masquerading
as a message from an acquaintance and stating that an e-card awaits
at a Web site, such as "Friendgreetings.com" or "Friend-card.com."
The e-mail contains a link that, when clicked, will begin to download
the infectious program. A dialog box says the program is necessary
to view the e-card.
The installer requires that the user accept two end-user agreements
that contain the following text, among other legalese: "As
part of the installation process, Permissioned Media will access
your MicroSoft(r) (sic) Outlook(r) Contacts list and send an e-mail
to persons on your Contacts list inviting them to download FriendGreetings
or related products."
Many companies have already blocked access to Friendgreetings.com,
but Permissioned Media has repeatedly changed the site's address
and sent out a new batch of unsolicited e-mail to users.
"It's getting sneakier," said Alex Shipp, senior antivirus
technologist for U.K.-based e-mail service provider MessageLabs.
The latest iteration of the e-mail--the fifth, said Shipp--caused
a spike in the number of messages blocked by the company's anti-spam
filter this past weekend.
Yet, the license gave Shipp pause. "It's a very difficult
call," he said. "It behaves exactly like a virus but because
it has this disclaimer, some companies think they could get sued
if they stop it like a virus."
In 1998, some antivirus companies started blocking a utility called
NetBus, which allowed an administrator to control a remote system.
Like BackOrifice, the utility soon became a favorite way for hackers
to send commands to systems over which they had gained control.
However, when the program's creator decided to start a company to
sell the product, he hired a lawyer to go after any company that
blocked the tool.
"Antivirus companies learned that they have to be careful
what they block," Shipp said.
This time the lesson may be different, however; click-wrapped viruses
may spotlight the flaws in the system.
The laws under which online vandals and cybercriminals are prosecuted
specify that intrusions into computer systems have to be unauthorized.
Yet, a Trojan horse or virus wrapped in a click-accept license could
make the access authorized, and therefore not a crime.
"The question is that, when most people admit they don't read
them, can licenses really give authorization?" said Stanford's
Granick. "If you are a prosecutor in a cybercrime case, you
argue not."
But courts may have a tough time justifying that what goes for
Microsoft and Brilliant Digital shouldn't also go for any other
programmer, including a virus writer, Granick points out.
Not everyone is so sure, however. Network Associates' Gullotto
wouldn't bet just yet that the laws are what will be altered. Users
might just have to adapt instead, he said.
"Times are changing," Gullotto said. "People have
to know what they are opening up in e-mail."
UPDATE POSTED: OCTOBER 8, 2002
posted by: TEC WebAdmin
Start of the description:
This link will give you a DESCRIPTION
of the BUGBEAR Virus.
This multithreaded worm propagates via shared network folders and
via email. It uses its own SMTP (Simple Mail Transfer Protocol)
engine to send copies of itself. It terminates antivirus processes,
acts as a backdoor server application, and sends out cached system
passwords, all of which effectively compromise the security
of the infected machine.
This worm opens port 36794 on the target system. It allows a
connected remote user to obtain information, manipulate files, and
execute programs on the compromised machine via the port.
The email that it sends out contains no message body and uses any
of the following as its subject:
- $150 FREE Bonus!
- 25 merchants and rising
- Announcement
- bad news
- CALL FOR INFORMATION!
- click on this!
- Confirmation of Recipes
- Correction of errors
'Bugbear' worms in, opens doors to hackers
By Jeordan Legon (CNN)
(CNN) -- The stealthy "Bugbear" worm continued on a ravenous
digital path this week, prompting anti-virus firms to escalate warnings
from moderate to high and leaving thousands of computers worldwide
at the mercy of hackers.
While experts hoped the bug would be contained at its source in
Malaysia on Monday, the virus rapidly made its way around the world
as users in Asia, Europe, Canada and the United States fired up
their computers to check e-mail. At least 120,000 people reported
infections to British anti-virus firm MessageLabs by Friday. Thousands
more logged attacks in Ireland, Australia, Canada and the United
States.
The number of new cases reported daily is rivaling, and even exceeding,
that of the better-known Klez virus, a similar bug that hit millions
of computers this year.
"This is a global epidemic and it's not slowing down,"
said George Stagonis, a researcher for anti-virus company Central
Command. Central Command received 5221 reports of new infections
Thursday -- evenly split between the United States and Europe. The
company booked an average of 4,000 daily Klez infections when that
virus was at its height, Stagonis said.
"We don't think it's peaked yet because it's staying way ahead
of people updating their anti-virus software," he said of the
new culprit.
How does it work?
Bugbear, also known as Tanatos, doesn't destroy files like its
viral cousins "Melissa," "Michelangelo" and
"Iloveyou." Instead, it disables popular firewall and
anti-virus protections and prepares a port that can receive instructions
from remote users.
That is what makes the virus so dangerous, experts say. Hackers
aware of this vulnerability will search for open ports on infected
computers. Once found, attackers can access passwords, view or destroy
data and get reports of keystrokes being entered, including
credit card numbers and other sensitive information. All of this
happens without the knowledge of the hacked computer owner or business.
Silent spread
When the virus first appeared, anti-virus gurus were unable to
mirror the spread of the bug in their labs. Many thought Bugbear
would remain a minor threat.
"We still haven't managed to replicate it in our labs, but
obviously it's replicating," said Alex Shipp, a tech with MessageLabs.
"One of the theories is that this requires an Internet connection
in order to spread."
The virus spreads quickly by disguising infected messages as "replies"
or "forwards" to an existing message. It targets known
vulnerabilities in Windows systems and has no trouble moving through
banks of networked office computers, said Vincent Weafer, of Symantec
Security Response.
"Once it gets into a machine it will try to replicate itself
from machine to machine," Weafer said.
Avoid infection
While the virus is difficult to spot, there are ways to avoid it.
The file can arrive in mails with varied subject headings, but
almost always it has an attachment that is 50,668 bytes, Shipp said.
Also, computer owners should make certain that Internet Explorer's
I-FRAME patch is installed, which prevents the bug from automatically
downloading itself from an infected message. And they should update
to new versions of the Microsoft Outlook message program, which are
less prone to infection.
The one bright spot in all of this, said Shipp, is that many people
are updating their anti-virus software and making sure firewalls
are up, which appears to be killing off the Klez virus.
The bad news is "this new one is just as bad, if not worse
than the Klez."
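The Bugbear traits given on this page (a subject from the listed set, no message body, and an attachment of 50,668 bytes) can be checked mechanically. The following is an added example, not code from the original alert or the CNN article: the function names and sample message are constructed, the subject list is only the portion shown on this page, and a single matching indicator such as the subject "Announcement" is weak evidence on its own.

```python
from email.message import EmailMessage

# Subjects from the Bugbear description on this page (the page's list is partial).
BUGBEAR_SUBJECTS = {
    "$150 free bonus!", "25 merchants and rising", "announcement", "bad news",
    "call for information!", "click on this!", "confirmation of recipes",
    "correction of errors",
}
BUGBEAR_ATTACHMENT_SIZE = 50_668  # bytes, the figure attributed to Shipp above

def body_is_empty(msg):
    """True when the message has no text body, or only whitespace in it."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()

def bugbear_indicators(msg):
    """Return which of the page's Bugbear indicators this message matches."""
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in BUGBEAR_SUBJECTS:
        hits.append("subject")
    if body_is_empty(msg):
        hits.append("empty body")
    sizes = [len(part.get_payload(decode=True) or b"")
             for part in msg.iter_attachments()]
    if BUGBEAR_ATTACHMENT_SIZE in sizes:
        hits.append("attachment size")
    return hits

def build_sample():
    """Constructed message matching all three indicators; payload is zero bytes."""
    msg = EmailMessage()
    msg["Subject"] = "bad news"
    msg.add_attachment(bytes(BUGBEAR_ATTACHMENT_SIZE), maintype="application",
                       subtype="octet-stream", filename="constructed.bin")
    return msg

if __name__ == "__main__":
    print(bugbear_indicators(build_sample()))
```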