Viruses anew pop up post-Y2K
by Stephanie Sanborn and Michael Lattig
(IDG) -- Computer Associates this week posted three alerts about viruses and a worm, all of which are unrelated to the Y2K rollover, while Panda Software is alerting users about a virus that arrives as an HTML document.
CA released alerts about three potential threats to businesses: Feliz.Trojan, a Portuguese "Happy New Year" Trojan; "Armagidon," a Word macro virus; and "Wscript/Kak," an e-mail worm that targets Microsoft Windows 98 systems running Outlook Express 5.0.
So far, only Wscript/Kak has been reported in the wild, said Simon Perry, security business manager at CA.
Wscript/Kak spreads through e-mail and does not require the user to open an attachment: the worm's script is embedded in the HTML body of the message itself. Using a known Internet Explorer 5 scripting vulnerability, the worm writes its code into the Windows startup directory and creates a copy of itself in the System directory. It then changes the Outlook Express 5.0 "Identity" settings so that its script becomes the default signature, which attaches the script code to every outgoing e-mail message.
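The security-relevant point above is that an HTML mail body can carry active content that runs when the message is rendered, with no attachment to open. The following is an added example, not code from the article or from CA: a small Python checker that walks the MIME parts of a raw message and flags script, object and event-handler constructs in any text/html part. The sample message is constructed for the example (the classid is a dummy value, not a real control) and is not a copy of Kak.

```python
"""Flag active content in HTML mail bodies, so a message with no attachment
but an embedded script (the Kak pattern) is caught before it is rendered."""
import email
from email import policy
from html.parser import HTMLParser

# Tags that can execute code or load ActiveX/plug-in content on render.
ACTIVE_TAGS = {"script", "object", "applet", "embed", "iframe"}


class ActiveContentFinder(HTMLParser):
    """Collects (tag, detail) pairs for every active-content construct seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # values may be None for bare attributes
        if tag in ACTIVE_TAGS:
            detail = attrs.get("classid") or attrs.get("language") or attrs.get("src") or ""
            self.findings.append((tag, detail))
        # on* event handlers and javascript: URLs also run script when rendered
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append((f"{tag}@{name}", value or ""))
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append((f"{tag}@{name}", value))


def scan_message(raw: bytes):
    """Return findings from every text/html part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())  # decoded str for text/* parts
        findings.extend(finder.findings)
    return findings


def is_suspicious(raw: bytes) -> bool:
    """True when any HTML part contains active content."""
    return bool(scan_message(raw))


# Constructed sample, not a real Kak message: a multipart/alternative mail
# whose HTML alternative carries script, a (dummy) object tag and a javascript: link.
SAMPLE_EML = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Feliz Ano Novo
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Happy New Year!
--b1
Content-Type: text/html; charset=us-ascii

<html><body>Happy New Year!
<script language="JScript">new ActiveXObject("Scripting.FileSystemObject");</script>
<object id="drop" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<a href="javascript:void(0)">x</a>
</body></html>
--b1--
"""

# Constructed benign HTML mail for comparison.
BENIGN_EML = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body><b>Happy New Year!</b></body></html>
"""

if __name__ == "__main__":
    for tag, detail in scan_message(SAMPLE_EML):
        print(f"active content: <{tag}> {detail}")
```

The check is deliberately tag-based rather than a regex over the raw bytes, because the body may be transfer-encoded (quoted-printable or base64) and the parser must see the decoded HTML; `get_content()` handles that. A mail gateway would quarantine or strip the HTML part on any finding rather than trust the user not to preview the message.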
"[Wscript/Kak] does require a reasonably specific environment, Windows 98 using Outlook Express," Perry explained. "However, it must be realized that [environment] is the vast majority of home users and it's a reasonable percentage of the desktop environments in businesses as well, so there is reasonably high potential that it can cause infection in the general user community and cause some kind of damage there."
Armagidon infects Word documents and spreads through e-mail as well as over shared drives and floppy disks. Once an infected document is opened, its macro hooks Word's "FilePrint" command, so printing the document triggers a payload that replaces one ASCII character with another.
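A macro virus of this kind announces itself by the names of its procedures: Word runs macros named after its auto-events and built-in commands (FilePrint, FileSave, Document_Open and so on) in place of the normal action. The following is an added example, not code from the article or from any vendor: a Python scanner that takes VBA source already extracted from a document (how it was extracted is outside the example) and reports which trigger hooks it defines and what replication or payload calls each hook contains. The sample module is constructed for the example and is not Armagidon's code.

```python
"""Scan extracted VBA source for procedures that hook Word's auto-macros or
built-in commands (FilePrint, FileSave, ...) and report what they do."""
import re

# Procedure names Word runs automatically or in place of a built-in command.
TRIGGER_NAMES = {
    "autoexec", "autoopen", "autoclose", "autonew", "autoexit",
    "document_open", "document_close", "document_new",
    "fileprint", "fileprintdefault", "filesave", "filesaveas", "fileopen",
    "filenew", "fileclose", "toolsmacro",
}

# Substrings typical of replication or payload stages in macro viruses.
INDICATORS = {
    "organizercopy": "copies a module into another template/document",
    "vbproject": "touches the VBA project (module export/import)",
    "normaltemplate": "references the global Normal template",
    "replace": "rewrites document text",
    "shell": "launches an external program",
    "kill": "deletes files",
    "createobject": "instantiates a COM object",
}

# One procedure: optional scope, Sub/Function, name, body, matching End Sub/Function.
PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\b(.*?)^[ \t]*End\s+(?:Sub|Function)",
    re.IGNORECASE | re.DOTALL | re.MULTILINE,
)


def strip_comments(body: str) -> str:
    """Drop VBA comments (from an apostrophe to end of line). Heuristic: an
    apostrophe inside a string literal also truncates that line."""
    return "\n".join(line.split("'", 1)[0] for line in body.splitlines())


def find_hooks(vba_source: str):
    """Return {procedure_name: [indicator descriptions]} for every trigger hook."""
    hooks = {}
    for match in PROC_RE.finditer(vba_source):
        name, body = match.group(1), strip_comments(match.group(2)).lower()
        if name.lower() not in TRIGGER_NAMES:
            continue
        hooks[name] = [desc for key, desc in INDICATORS.items() if key in body]
    return hooks


# Constructed sample module, not Armagidon's code: it copies itself into the
# Normal template when the document opens and rewrites text when it is printed.
SAMPLE_VBA = '''
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    ' replication step: copy this module into the Normal template
    Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="ThisDocument", Object:=wdOrganizerObjectProjectItems
End Sub

Sub FilePrint()
    ' payload: swap one character for another, then print as usual
    With ActiveDocument.Content.Find
        .Text = "a"
        .Replacement.Text = "e"
        .Execute Replace:=wdReplaceAll
    End With
    ActiveDocument.PrintOut
End Sub

Sub Helper()
    MsgBox "not a trigger"
End Sub
'''

if __name__ == "__main__":
    for proc, what in find_hooks(SAMPLE_VBA).items():
        print(proc, "->", "; ".join(what) or "no indicators")
```

A hooked FilePrint that also calls PrintOut is the classic shape: the user still gets a printout, so the payload goes unnoticed. The scanner only flags; a document that defines any of these hooks should be opened with macros disabled until someone has read the code.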
The "Happy New Year" Feliz.Trojan is "a fairly specific and primitive virus in that it's hard-coded," according to Perry. The Trojan deletes several system files and then displays an image of a face with the message "Feliz Ano Novo!" which means "Happy New Year" in Portuguese. Once the user hits "exit," several message boxes in Portuguese pop up before the program exits, and the computer may not be able to boot afterward.
"[Feliz.Trojan] is going for the default settings, and most systems are installed in the default manner," said Perry. "If it does delete these files, then that computer is basically going to be left in an unusable state - it will require quite a lot of work to get that system up and running again."
Although these attacks are not Y2K-related, their timing may fool those who believe any glitch in their systems is related to the date rollover.
"I personally think that people are a little bummed that not more happened [for Y2K] - it's very anticlimactic," said Abner Germanow, an analyst at International Data Corp. in Framingham, Mass. "The virus hype around Y2K was pretty intense. Because of that, because it's been so anticlimactic, I think there's a desire to attach anything to Y2K. In terms of what are we going to be seeing over the next couple of weeks, I think we'll see the Trojan horse-type viruses, the viruses that are very much network-based, e-mail-centric, and are typically focused on replicating themselves in an attempt to flood systems or create lots of unwanted mail or messages."
Perry advised companies to make sure their anti-virus solutions are up-to-date and to practice caution with their e-mail messages.
"It must be remembered that a lot of businesses haven't opened up and a lot of PCs haven't been turned on, and it is very, very important that people maintain a sense of heightened caution through the following weeks," he added. "New viruses are always coming out and I think the danger is that people will take their eye off the ball because they think everything is okay. What we're saying to people is, celebrate the fact that we've gotten this far, but realize that it's not all over yet, and it's worth keeping a focus on."
Another virus being reported by Panda Software on this first workday post-Y2K, officially called W32/HTM.H4[H04.2048, arrives as an HTML document and searches the user's hard drive for directories containing files with HTM, ASP, HTT, and HTML extensions. It then infects EXE, CPL, and SCR files in the current folder and in system directories such as C:\Windows and C:\Windows\System, increasing each infected file's size by 23,549 bytes.
The damaging effect of this virus, which has yet to be found in the wild and is classified by Panda as low risk, is the deletion of external vaccine files and the virus signature files of several anti-virus manufacturers.
The virus accomplishes this by first creating a file in the root directory called [H4[h04.DLL, then creating three new BAT files that, when executed, compile [H4[h04.DLL into a working Windows virus binary. The virus does not infect files smaller than 10,000 bytes, and its body is encrypted with an XOR operation using a 32-bit (DWORD) mask.
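A repeating DWORD XOR mask, as described above, is obfuscation rather than encryption: it stops a naive string signature but nothing else. The following is an added example, not code from the article or from Panda, showing in Python why an analyst can strip such a layer in seconds. It recovers the 4-byte mask two ways: from four bytes of known plaintext at any offset, and statistically from the fact that executable code and padding are full of zero bytes, so the most common byte in each of the four key lanes is almost certainly a masked 0x00. The "body" being masked and the mask value are constructed for the example.

```python
"""Recover a repeating 32-bit XOR mask from masked data, with or without
known plaintext. Constructed demonstration, not the virus's own routine."""
import struct
from collections import Counter


def xor_dword(data: bytes, mask: int) -> bytes:
    """Apply a little-endian 4-byte repeating XOR mask (self-inverse)."""
    key = struct.pack("<I", mask)
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def mask_from_known_plaintext(cipher: bytes, plain: bytes, offset: int = 0) -> int:
    """Four consecutive known plaintext bytes at `offset` give the whole mask;
    each byte lands in lane (offset + i) % 4 regardless of alignment."""
    key = [0] * 4
    for i in range(4):
        pos = offset + i
        key[pos % 4] = cipher[pos] ^ plain[i]
    return struct.unpack("<I", bytes(key))[0]


def mask_by_zero_frequency(cipher: bytes) -> int:
    """Assume the most common byte in each of the 4 lanes is a masked 0x00,
    which holds for typical x86 code, pointer-heavy data and padding."""
    key = bytes(Counter(cipher[lane::4]).most_common(1)[0][0] for lane in range(4))
    return struct.unpack("<I", key)[0]


# Constructed plaintext body: a function prologue, a run of zero padding,
# a recognisable string, then every byte value once as filler.
SAMPLE_BODY = (
    b"\x55\x8b\xec\x83\xec\x10"
    + b"\x00" * 40
    + b"Feliz Ano Novo!"
    + bytes(range(256))
)
MASK = 0xDEADBEEF  # arbitrary example mask


def demo():
    """Mask the body, then recover the mask both ways; returns the two guesses."""
    cipher = xor_dword(SAMPLE_BODY, MASK)
    guess_kp = mask_from_known_plaintext(cipher, b"Feliz", SAMPLE_BODY.index(b"Feliz"))
    guess_freq = mask_by_zero_frequency(cipher)
    return guess_kp, guess_freq


if __name__ == "__main__":
    kp, freq = demo()
    print(f"known-plaintext mask: {kp:#010x}, frequency mask: {freq:#010x}")
```

The frequency method needs no knowledge of the content at all, only enough data for the zero lanes to dominate; that is the usual situation with a 23 KB body. An anti-virus engine would do the same thing to reach the constant code underneath and signature that, which is why this kind of mask buys a virus nothing once it has been seen once.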
Protection against possible infection from W32/HTM.H4[H04.2048 is already available to registered Panda Antivirus users through an upgrade at www.pandasoftware.com.
© 2001 Cable News Network. All Rights Reserved.