From...
InfoWorld

Viruses anew pop up post-Y2K


1/5/00
Web posted at: 10:02 AM

by Stephanie Sanborn and Michael Lattig

(IDG) -- Computer Associates this week posted three alerts about viruses and a worm, all of which are unrelated to the Y2K rollover, while Panda Software is alerting users about a virus that arrives as an HTML document.

CA released alerts about three potential threats to businesses: Feliz.Trojan, a Portuguese "Happy New Year" Trojan; a Word macro virus called "Armagidon"; and "Wscript/Kak," an e-mail worm virus that targets Microsoft Windows 98 systems running Outlook Express 5.0.

So far, only Wscript/Kak has been reported in the wild, said Simon Perry, security business manager at CA.

Wscript/Kak spreads through e-mail and does not require a user to open an attachment. Using a known Internet Explorer 5 exploit, the worm writes its code in the Windows startup directory and creates a copy of itself in the System directory. The worm then changes installed Outlook Express 5.0 "Identity" settings to default signatures and attaches its script code to every e-mail message.

"[Wscript/Kak] does require a reasonably specific environment, Windows 98 using Outlook Express," Perry explained. "However, it must be realized that [environment] is the vast majority of home users and it's a reasonable percentage of the desktop environments in businesses as well, so there is reasonably high potential that it can cause infection in the general user community and cause some kind of damage there."

Armagidon infects Word documents and is also spread through e-mail, as well as shared drives and floppy disks. Once an infected document is opened, an execution of the "FilePrint" function will trigger a payload that replaces one ASCII character with another.

The "Happy New Year" Feliz.Trojan is "a fairly specific and primitive virus in that it's hard-coded," according to Perry. The Trojan virus deletes several system files and then produces an image of a face with the message "Feliz Ano Novo!" which means "Happy New Year." Once the user hits "exit," several message boxes in Portuguese will pop up before exiting and the computer may not be able to boot up afterward.

"[Feliz.Trojan] is going for the default settings, and most systems are installed in the default manner," said Perry. "If it does delete these files, then that computer is basically going to be left in an unusable state - it will require quite a lot of work to get that system up and running again."

Although these attacks are not Y2K-related, their timing may fool those who believe any glitch in their systems is related to the date rollover.

"I personally think that people are a little bummed that not more happened [for Y2K] - it's very anticlimactic," said Abner Germanow, an analyst at International Data Corp. in Framingham, Mass. "The virus hype around Y2K was pretty intense. Because of that, because it's been so anticlimactic, I think there's a desire to attach anything to Y2K. In terms of what are we going to be seeing over the next couple of weeks, I think we'll see the Trojan horse-type viruses, the viruses that are very much network-based, e-mail-centric, and are typically focused on replicating themselves in an attempt to flood systems or create lots of unwanted mail or messages."

Perry advised companies to make sure their anti-virus solutions are up-to-date and to practice caution with their e-mail messages.

"It must be remembered that a lot of businesses haven't opened up and a lot of PCs haven't been turned on, and it is very, very important that people maintain a sense of heightened caution through the following weeks," he added. "New viruses are always coming out and I think the danger is that people will take their eye off the ball because they think everything is okay. What we're saying to people is, celebrate the fact that we've gotten this far, but realize that it's not all over yet, and it's worth keeping a focus on."

Another virus being reported by Panda Software on this first workday post-Y2K, officially called W32/HTM.H4[H04.2048, arrives as an HTML document and searches users' hard drives for directories containing documents with HTM, ASP, HTT, and HTML file extensions. Once that is done, the virus infects EXE, CPL, and SCR files in the current folder and in system directories such as C:\Windows and C:\Windows\System documents, increasing them in size by 23549 bytes.

The damaging effect of this virus, which has yet to be found in the wild and is classified by Panda as low-risk for potential infections, is the deletion of external vaccine files and the virus signature files of several anti-virus manufacturers.

The virus accomplishes this by first creating a file in the root directory called [H4[h04.DLL, then creating three new BAT files that, when executed, compile [H4[h04.DLL and convert it into a Windows virus. The virus does not infect files smaller than 10,000 bytes, and is encrypted using an XOR operator with a Dword mask.

Protection against possible infection from W32/HTM.H4[H04.2048 is already available to registered Panda Antivirus users through an upgrade at www.pandasoftware.com.

