Note: This is only a draft. Some errors may still be in here, and this is intended only as information about firewalls themselves.
Viruses
Computer viruses are mysterious and grab our attention.
Every time a new virus hits, it makes the news if it spreads quickly.
On the one hand, viruses show us how unknowingly vulnerable we are. A properly engineered virus can have an amazing effect on the world-wide Internet. On the other hand, they show how sophisticated and interconnected human beings have become. For example, the "Melissa" virus -- which became a world-wide phenomenon in March of 1999 -- was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained.
The "ILOVEYOU" virus in 2000 had a similarly devastating effect. That's pretty impressive when you consider how simple the Melissa and ILOVEYOU viruses are!
We will discuss viruses -- both "traditional" viruses and the newer e-mail viruses -- so that you can learn how they work and also understand how to protect yourself. Viruses in general are on the wane, but occasionally a person finds a new way to create one and that's when they make the news!
Viruses -
A virus is a small piece of software that piggy-backs on real programs. For example, a virus might attach itself to a program like a spreadsheet program. Each time the spreadsheet program runs, the virus runs too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
Email viruses -
An email virus moves around in email messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's email address book.
Worms -
A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there as well.
Trojan Horses -
A Trojan horse is simply a normal computer program. The program claims to do one thing (e.g. - it claims to be a game) but instead does damage when you run it (e.g. - it erases your hard disk). Trojan horses have no way to replicate automatically.
What's a "Virus"?
Computer viruses are called viruses because they share some of the traits of biological viruses.
A computer virus passes from computer to computer like a biological virus passes from person to person.
At a deeper level there are similarities as well.
A biological virus is not a living thing. A virus is a fragment of DNA inside a protective jacket. Unlike a cell, a virus has no way to do anything or to reproduce by itself -- it is not alive. Instead, a biological virus must inject its DNA into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In some cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases the new virus particles bud off the cell one at a time and the cell remains alive.
A computer virus shares some of these traits. A computer virus must piggyback on top of some other program or document in order to get executed. Once it is running, it is then able to infect other programs or documents. Obviously the analogy between computer and biological viruses stretches things a bit, but there are enough similarities that the name sticks.
Virus History
Traditional computer viruses were first widely seen in the late 1980s and they came about because of several factors. The first factor was the spread of personal computers (PCs). Prior to the 1980s, home computers were non-existent or they were toys. Real computers were rare and "experts" locked them away for use. During the 1980s, real computers started to spread to businesses and homes because of the popularity of the IBM PC (released in 1982) and the Apple Macintosh (released in 1984). By the late 1980s, PCs were widespread in businesses, homes and college campuses.
The second factor was the use of computer "bulletin boards." People could dial up a bulletin board with a modem and download programs of all types. Games were extremely popular, and so were simple word processors, spreadsheets, etc. Bulletin boards led to the precursor of the virus known as the Trojan Horse. A Trojan horse is a program that sounds really cool when you read about it. So you download it. When you run the program, however, it does something uncool like erasing your disk. So you think you are getting a neat game but it wipes out your system. Trojan horses only hit a small number of people because they are discovered quickly. Either the bulletin board owner would erase the file from the system or people would send out messages to warn one another.
The third factor that led to the creation of viruses was the floppy disk. In the 1980s, programs were small and you could fit the operating system, a word processor (plus several other programs) and some documents onto a floppy disk or two. Many computers did not have hard disks, so you would turn on your machine and it would load the operating system and everything else off of the floppy disk.
Viruses took advantage of these three facts to create the first self-replicating programs!
Follow the Trail
Early viruses were pieces of code attached to a common program like a popular game or a popular word processor. A person might download an infected game from a bulletin board and run it. A virus like this is a small piece of code embedded in a larger, legitimate program. Any virus is designed so it runs first when the legitimate program gets executed. The virus loads itself into memory and looks around to see if it can find any other programs on the disk. If it can find one, it modifies it to add the virus's code to the unsuspecting program. Then the virus launches the "real program." The user really has no way to know that the virus ever ran. Unfortunately, the virus has now reproduced itself, so two programs are infected. The next time either of those programs gets executed, they infect other programs, and the cycle continues.
If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to a bulletin board, then other programs get infected. This is how the virus spreads.
The spreading part is the "infection" phase of the virus. Viruses wouldn't be so violently despised if all they did were replicate themselves. Unfortunately, most viruses also have some sort of destructive "attack" phase where they do some damage. Some sort of trigger will activate the attack phase, and the virus will then "do something" -- anything from printing a silly message on the screen to erasing all of your data. The trigger might be a specific date, or the number of times the virus has been replicated, or something similar.
As virus creators got more sophisticated, they learned new tricks. One important trick was the ability to load viruses into memory so they could keep running in the background as long as the computer remained on. This gave viruses a much more effective way to replicate themselves. Another trick was the ability to infect the boot sector on floppy disks and hard disks. The boot sector is a small program that is the first part of the operating system that the computer loads. The boot sector contains a tiny program that tells the computer how to load the rest of the operating system. By putting its code in the boot sector, a virus can guarantee it gets executed. It can load itself into memory immediately and it is able to run whenever the computer is on. Boot sector viruses can infect the boot sector of any floppy disk inserted in the machine, and on college campuses where lots of people share machines they spread like wildfire.
In general, both executable and boot sector viruses are not very threatening any more. The first reason for the decline has been the huge size of today's programs. Nearly every program you buy today comes on a compact disc (CD). CDs cannot be modified, and that makes viral infection of a CD impossible. The programs are so big that the only easy way to move them around is to buy the CD. People certainly can't carry applications around on a floppy disk like they did in the 1980s, when floppies full of programs were traded like baseball cards. Boot sector viruses have also declined because operating systems now protect the boot sector.
Both boot sector viruses and executable viruses are still possible, but they are a lot harder now and they don't spread nearly as fast as they once could. Call it "shrinking habitat," if you want to use a biological analogy. The environment of floppy disks, small programs and weak operating systems made viruses possible in the 1980s, but that environmental niche has been largely eliminated by huge executables, unchangeable CDs and better operating system safeguards.
E-mail Viruses
The latest thing is the e-mail virus, and the Melissa virus in March of 1999 was spectacular. Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this. Someone created the virus as a Word document uploaded to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus. The virus would then send the document (and therefore itself) in an e-mail message to the first 50 people in the person's address book. The e-mail message contained a friendly note that included the person's name, so the recipient would open the document thinking it was harmless. The virus would then create 50 new messages from the recipient's machine. As a result, the Melissa virus was the fastest-spreading virus ever seen! As mentioned earlier, it forced a number of large companies to shut down their e-mail systems.
The ILOVEYOU virus, which appeared on May 4, 2000, was even simpler. It contained a piece of code as an attachment. People who double clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the victim's address book and then started corrupting files on the victim's machine. This is as simple as a virus can get. It is really more of a trojan horse distributed by e-mail than it is a virus.
The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete programming language and it can be programmed to do things like modify files and send e-mail messages. It also has a useful but dangerous auto-execute feature. A programmer can insert a program into a document that runs instantly whenever the document is opened. This is how the Melissa virus was programmed. Anyone who opened a document infected with Melissa would immediately activate the virus. It would send the 50 e-mails, and then infect a central file called NORMAL.DOT so that any file saved later would also contain the virus! It created a huge mess.
Microsoft applications have a feature called Macro Virus Protection built in to them to prevent this sort of thing. If you turn Macro Virus Protection on, then the auto-execute feature is disabled. By default the option is ON. So when a document tries to auto-execute viral code, a dialog pops up warning the user. Unfortunately, many people don't know what macros or macro viruses are, and when they see the dialog they ignore it. So the virus runs anyway. Many other people turn off the protection mechanism. So the Melissa virus spread despite the safeguards in place to prevent it.
In the case of the ILOVEYOU virus, the whole thing was human-powered. If a person double-clicked on the program that came as an attachment, then the program ran and did its thing. What fueled this virus was the human willingness to double-click on the executable.
Origins
People create viruses. A person has to write the code, test it to make sure it spreads properly and then release the virus. A person also designs the virus's attack phase, whether it's a silly message or destruction of a hard disk. So why do people do it?
There are probably at least three reasons. The first is the same psychology that drives vandals and arsonists. Why would someone want to bust the window on someone else's car, or spray paint signs on buildings or burn down a beautiful forest? For some people that seems to be a thrill. If that sort of person happens to know computer programming, then he or she may funnel energy into the creation of destructive viruses.
The second reason has to do with the thrill of watching things blow up. Many people have a fascination with things like explosions and car wrecks. When you were a kid there was probably a boy in your neighborhood who learned how to make gunpowder and who then built bigger and bigger bombs until he either got bored or did some serious damage to himself. Creating a virus that spreads quickly is a little like that -- it creates a bomb inside a computer, and the more computers that get infected, the more "fun" the explosion.
The third reason probably involves bragging rights, or the thrill of doing it. Sort of like Mount Everest: the mountain is there and no one has climbed it, so someone is compelled to do it. If you are a certain type of programmer and you see a security hole that could be exploited, you might simply be compelled to exploit the hole yourself before someone else beats you to it. "Sure, I could TELL someone about the hole. But wouldn't it be better to SHOW them the hole???" That sort of logic leads to many viruses.
Of course, all of the virus creators miss the point that they cause real damage to real people with their creations. Destroying everything on a person's hard disk is real damage. Forcing the people inside a large company to waste thousands of hours cleaning up after a virus is real damage. Even a silly message is real damage because a person then has to waste the time getting rid of it. For this reason, the legal system is getting much harsher in punishing the people who create viruses.
An Ounce of Prevention
You can protect yourself against viruses with a few simple steps:
- If you are truly worried about traditional (as opposed to e-mail) viruses, you should be running a secure operating system like UNIX or Windows NT. You never hear about viruses on these operating systems because the security features keep viruses (and unwanted human visitors) away from your hard disk.
- If you are using an unsecured operating system, then buying virus protection software is a nice safeguard.
- If you simply avoid programs from unknown sources like the Internet, and instead stick with commercial software purchased on CDs, you eliminate almost all of the risk from traditional viruses. In addition, you should disable floppy disk booting -- most computers now allow you to do this, and that will eliminate the risk of a boot sector virus coming in from a floppy disk accidentally left in the drive.
- You should make sure that Macro Virus Protection is enabled in all Microsoft applications, and you should NEVER run macros in a document unless you know what they do. No normal person adds macros to a document, so avoiding all macros is a great policy.
- In the case of the ILOVEYOU e-mail virus, the only defense is personal discipline. You should never double-click on an executable that arrives as an e-mail attachment. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc. are data files and they can do no damage (noting the macro virus problem above in Word and Excel documents). A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants. Once you run it, you have given it permission to do anything on your machine. The only defense is to never run executables that arrive via e-mail.
By following those simple steps, you can remain virus free!
Famous viruses
Elk Cloner
The world's first computer virus, created in 1980 for the Apple II. It typed out a verse and how many times it had been copied. There have probably been viruses before this one, but none was documented.
Internet Worm
The first e-mail bombing. In 1988 the Internet Worm virus sent so many e-mails between American universities that large portions of the Internet had to be shut down. The virus used a bug in the OS and could work undetected until the hard drive filled up and the servers died.
Jerusalem
Signs tell us that the creator didn't have control over where the virus was; the virus showed signs of ongoing programming. Once released, it was detected in 1987 at the Hebrew University in Jerusalem. The virus infects on all days except Friday the 13th, when it instead deletes files. In 1989 it made big headlines in the media when a Friday the 13th was coming up.
Stoned
Every 8th time you start the computer it types out "Your PC is now Stoned" on the screen. It is very small and well made and was therefore the most common virus for a while.
Cascade
The first ciphered virus. The largest portion was encrypted so that the virus would be harder to detect. The virus was NOT supposed to infect IBM computers, but that little feature didn't work, so in 1988 an IBM office had to shut down because it was infected. After that, "Big Blue" started to take viruses seriously.
Tequila
In 1991 the first antivirus programs had been out for a couple of years and the virus creators had to hide their viruses better. One of the first polymorphic viruses was Tequila, which was not just ciphered like Cascade; polymorphic means that the virus could change its cipher at random, so the antivirus programs became useless. It took one month after it was launched before an antivirus program could detect it.
NetBus
In September 1998 the first virus spread that gave a totally different result: the virus lets someone else remotely access and control your computer. The virus was spread mostly in a program where you could throw pie at Bill Gates.
Melissa
The first macro virus that the media wrote about, in May 1999, because it spread through the world in a few days, shutting down mail servers all over the world. Melissa sends itself to the first 50 addresses in your address book in the program Outlook. Note: In the second version of Melissa it was rewritten so that Outlook Express also gets affected.
CIH-virus
Or the Chernobyl, created by Chen Ing-hau (born 1974) at Tatung technical university in Taiwan. The most common version of the virus, CIH 1.2, activates on the 26th of April. At this time, it can overwrite the hard disk and the flash BIOS of an infected computer -- causing complete loss of data, and possibly rendering the computer unusable.
It has been reported from jail that two even worse viruses were never released, among them one for Windows NT.
On IRC the most common are:
Movie.avi.pif
This is an IRC worm which relies on user assumptions of file type in order to be run. The file arrives as "movie.avi.pif"; however, due to some standard machine configurations, the file may be determined incorrectly by users to be an ".avi" file type, or movie file. This worm is currently being seen on IRC channels.
A significance of this worm is that even if "show extensions" is selected in Windows, the extension does not show for this file. As an attachment it might be seen as "movie.avi" without the .pif extension. Also in a browse of the folder where the file may be located, the .pif extension is not visible.
Judgement Day:
This is an IRC worm which relies on user assumptions of file type in order to be run. The file arrives as ".jpg.js"; however, due to some standard machine configurations, the file may be determined incorrectly by users to be a ".jpg" file type, or picture file. This worm is currently being seen on IRC channels. This JavaScript worm will look for mIRC and create the two files DEFAULT.INI and DEFAULT2.INI.
The MIRC.INI is then modified to load the two INI files. The JavaScript file then copies itself to "C:\WINDOWS\WIN.JS" and modifies the registry so that WIN.JS loads every time Windows starts. The JavaScript then displays the message "[JavaScript file name] appears to be corrupted. If this file was downloaded, try redownloading it." The DEFAULT.INI and DEFAULT2.INI contain several backdoors into mIRC, which give an attacker complete control over the computer. The mIRC scripts try to propagate the worm further by sending the JavaScript file under a semi-random file name ending with ".jpg.js". The JavaScript portion of the worm contains the following text, which is not displayed: // -------===Judgement Day===------- // -------==IGNORANCE IS THE MOST DANGEROUS THING IN SOCIETY==------- // Judgement Day .js ver 1.0
DWSetup.exe
This is another variation of DMsetup.exe, but it's nastier to get rid of. Dwsetup hides in more places than Dmsetup and also uses some little-known DOS commands to permanently delete whole directories at a time if you remove it incorrectly. Removal and prevention instructions are very similar to those for Dmsetup. It is unclear at this time if Dwsetup.exe also attacks the system registry.
Exbuz
Once run, the trojan copies itself to C:\Windows\ using a random file name from the list above. It creates a file called profiles.ini in C:\mirc\ and changes mirc.ini to load it the next time mIRC is run.
Profiles.ini replaces these default mIRC commands: /unload, /remove, /remote, /events, /sreq, making it harder to remove profiles.ini in mIRC.
When you connect to IRC, a notice is sent to #lb_world saying which server the infected person is connected to. Anyone that joins a channel that the infected person is on will automatically be sent the trojan. When the file transfer of the trojan is successfully completed, the trojan sends another notice to #lb_world, saying the file name of the trojan sent and both the nickname and address of the person who received it.
Doly
Doly is a fairly damaging trojan, which is also one of the most difficult to get rid of.
Some of the features of this trojan are:
- The trojan comes in setup.exe installer form, pretending to be a memory manager.
- Single-button 'format harddisk' command.
- FTP server of the hard drive.
- Can change the 'owner name' shown in the System control panel.
- Change window names; close, move, etc. windows.
- Change most monitor settings.
- And much more...
Pretty Park
This worm program behaves similarly to Happy99 Worm. It was originally spread by email spamming from a French email address. The original report of this worm was submitted through our exclusive Scan&Deliver system on May 28, 1999 from France. When the attached program file, PrettyPark.exe, is executed, it may display the 3D pipe screen saver.
It also creates a file called files32.vxd in the Windows\System directory and modifies the value of the following registry entry from "%1" %* to files32.vxd "%1" %* without your knowledge:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
Once the worm program is executed, it tries to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book. It also tries to connect to an IRC server and join a specific IRC channel. The worm sends information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel.
Via IRC, the author or distributor of the worm can obtain system information including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, victim's email address, and Dial Up Networking username and passwords. In addition, being connected to IRC opens a security hole in which the client can potentially be used to receive and execute files.
Dmsetup.exe
Dmsetup.exe is different to script.ini in a fundamental way. Dmsetup is an .exe file, not a script. This has good points (in that you must run the file before it can do any harm) and bad points (the range of damage that an .exe can cause is much greater). Dmsetup does the following when run :
- Re-writes your mIRC.ini to allow itself to spread by DCC.
- Enables access by others to your PC by DCC Server.
- Enables others to run any program on your PC.
- Allows others to force you to quit IRC with a keyword.
- Allows others to take control of your IRC session.
- Copies itself to several places on your hard disk.
- Appends a line to your autoexec.bat file.
- Attempts to modify the system registry.
There are several versions of Dmsetup, not all of which do all of the things listed above. The nastiest one is the largest in size - this is the one which alters the registry settings.
Buny.exe
Also known as The Mutator, this is the worst incarnation of the Dmsetup series yet seen. More than 5 different versions have already been discovered, their sole purpose being to clog hard disks with acres of garbage. The buny.exe series also makes use of the ASCII-255 character in the filenames, making those files or folders impossible to delete from within Windows and hard to remove even from the command line. Once again buny.exe re-writes the mIRC.ini file, with the following results:
If you are on any of the following channels you will automatically part from them. If you try to join, you will be unable to do so. The channels affected are #nohack, #mirchelp, #operhelp, #irchelp, #help, #helpdesk, #help-desk, and #dalnethelp
If you get sent a notice with "I hate your guts with a passion" in it, you will quit IRC with this message : Waa! Some one told me off!
Another notice (withheld) allows access via fserv to your c drive's root directory (c:\)
Another notice allows the sender to run ANY program on your computer (including format etc!)
A particular join command (which can be triggered by a notice) will produce the following MSG :
START UP ERROR: Can not find vital data! Attempting safe close down (This may take several minutes).
This is a lie. What it is actually doing is copying yet more files all over your disk!
There are loads of other triggers which mostly produce annoying notices etc.
Buny.exe has another annoying feature - while not totally name independent, it can (and does) choose one of several different file names from a list when it's run. These names are very offensive and crude.
Subseven
An email with an attachment called "server.exe" was spammed to Japanese computer users. The attachment claimed to be an antivirus program for a virus called Pinkworm, but it was actually a trojan called SubSeven 2.0 Server. The email was sent from a Japanese Hotmail account claiming to be from Microsoft Japan Service. The email requests the recipient to run the attachment called "server.exe" which will protect the computer from the Pinkworm virus. Please note that there is no virus called Pinkworm.
LIFE_STAGES.TXT.SHS
The worm sends an email to addresses listed in your Microsoft Outlook address book. The email contains the LIFE_STAGES.TXT.SHS attachment.
The subject of the email is randomly generated and can be one of twelve strings. In some, but not all, cases the subject begins with "Fw:". It will, in any case, contain one of the following:
- Life stages
- Funny
- Jokes
In some cases, this is followed by the word "text." The following are examples of possible subject headings:
- Fw: Life stages
- Jokes text
- Fw: Funny text
As soon as they are sent, the worm deletes copies of the messages so that there is no record of its presence.
Upon executing this worm, your system is modified as follows:
The following files are created in the Windows\System folder:
- Scanreg.vbs
- Vbaset.olb
- Msinfo16.tlb
- The Scanreg.vbs value is added to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
This will run the next time the computer is started.
- The Life_Stages.txt.shs file is created in the \Windows folder.
- A randomly named file is added to the following locations:
- The root directory of all mapped drives
- The \My Documents folder.
- The \Windows\Start Menu\Programs folder.
This randomly named file is created using the format Random 1 + Random 2 + Random 3.txt.shs where:
- Random 1= Important, Info, Report, Secret, or Unknown.
- Random 2 = - or _ (Hyphen or underscore)
- Random 3 = a random number between 1 and 1000
For example, Report_439.txt.shs or Important-707.txt.shs.
- The Regedit.exe file is moved into the Recycle Bin as a hidden system file named Recycled.vxd.
- The following files are added to the Recycle Bin as hidden, system files:
- Msrcycld.dat
- Rcycldbn.dat
- Dbindex.vbs
Msrcycld.dat is a copy of the original .shs file. Rcycldbn.dat is a copy of the Scanreg.vbs file. Dbindex.vbs is set to be run when ICQ is run. The script for mIRC is modified to call the Sound32b.dll file, which causes the worm to spread through mIRC and PIRCH.
Script.ini
Script.ini was created primarily to steal channel and nickname passwords on those networks which run Services. It was quickly modified by numerous people to do many other duties, including but not limited to :
- Relaying private conversations to a third party or channel.
- Providing access to your hard disk by means of a DCC server.
- Attempting (unsuccessfully) to grab your Windows password file.
- Allowing others to take control of your IRC session.
- Allowing others to force you off the network by issuing a keyword.
- Deleting key Windows system files if you attempt to remove it incorrectly.
- Forcing you to leave channels when certain words are used on the channel or are present in the channel title bar.
- Allowing others to run programmes on your computer.
A large part of the problem with script.ini is that it is so easy to modify. This has resulted in countless variations of the file being circulated, some of which are more dangerous than others. Of some consolation is that those who attempted to use this method to spy on private conversations or to steal passwords quickly found that they were banned from the network completely and their channels closed.
Popups5.exe
This is another variation of DMsetup.exe.
*.jpg.exe
This is the latest (and hopefully last) incarnation of the Dmsetup strain. It is a spacefiller virus which, posing as a screensaver/graphics display utility, writes thousands of folders to your hard disk, continuing until your system crashes due to lack of disk space.
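The Movie.avi.pif, Judgement Day (.jpg.js), LIFE_STAGES.TXT.SHS and *.jpg.exe entries above all depend on the last extension being hidden or overlooked. The following is an added example (not code from the page or from any product it mentions) that triages such names the way a mail or DCC filter would: it reconstructs what Explorer would display, flags any name whose real extension is executable, and recognises the LIFE_STAGES naming scheme. The extension sets are assumptions built from the extensions the page names plus common Windows defaults, and the sample names are constructed.

```python
"""Triage file names like those the IRC worms above use (movie.avi.pif,
*.jpg.js, *.txt.shs, *.jpg.exe): report what Windows would display, whether the
real extension is executable, and whether the visible part looks like data."""
import re

# Executable or scriptable extensions. EXE, COM, VBS, PIF, JS and SHS are named
# on the page; the rest are common additions (assumed).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js",
                   "jse", "wsf", "hta", "shs", "shb", "lnk"}

# Extensions Explorer hides even when "show extensions" is on. The page says
# this of .pif; .shs, .shb and .lnk are assumed from Windows defaults.
ALWAYS_HIDDEN_EXTS = {"pif", "shs", "shb", "lnk"}

# Data extensions users trust (from the prevention list above, plus avi/txt).
DATA_EXTS = {"doc", "xls", "gif", "jpg", "jpeg", "avi", "txt", "bmp", "mpg"}

# The LIFE_STAGES drop-file scheme: Random 1 + Random 2 + Random 3.txt.shs
LIFE_STAGES_RE = re.compile(
    r"^(Important|Info|Report|Secret|Unknown)[-_]([1-9]\d{0,2}|1000)\.txt\.shs$",
    re.IGNORECASE)


def displayed_name(name, hide_known_exts=True):
    """Name as Explorer shows it: always-hidden extensions are dropped, and with
    'hide extensions for known file types' on, the last extension is dropped too."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name
    if ext.lower() in ALWAYS_HIDDEN_EXTS or hide_known_exts:
        return stem
    return name


def classify(name):
    """Describe one file name: what is shown, what really runs, and whether the
    visible part is a data-looking decoy in front of an executable extension."""
    parts = name.lower().split(".")
    true_ext = parts[-1] if len(parts) > 1 else ""
    visible_ext = parts[-2] if len(parts) > 2 else ""
    executable = true_ext in EXECUTABLE_EXTS
    return {
        "name": name,
        "shown_as": displayed_name(name),
        "true_ext": true_ext,
        "executable": executable,
        # Deceptive: runs as code, but the part the user sees looks like data.
        "deceptive": executable and visible_ext in DATA_EXTS,
        "life_stages_name": bool(LIFE_STAGES_RE.match(name)),
    }


def triage(names):
    """Names that must never be run or accepted, whether or not they are disguised."""
    return [n for n in names if classify(n)["executable"]]


# Constructed sample names modelled on the entries above (not real captures).
SAMPLE_NAMES = ["movie.avi.pif", "beach.jpg.js", "LIFE_STAGES.TXT.SHS",
                "Report_439.txt.shs", "sunset.jpg.exe", "server.exe",
                "Links.vbs", "photo.jpg", "budget.xls", "readme"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        c = classify(n)
        print(f"{n:20} shown as {c['shown_as']:18} executable={c['executable']} "
              f"deceptive={c['deceptive']}")
```

Note that with the default Windows setting every name loses its last extension in Explorer, so "photo.jpg" and "sunset.jpg.exe" both display as a .jpg-looking file; only the real extension decides what runs.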
Links.vbs
VBS.Freelink is an encrypted worm that will work under Windows 98, Windows 2000 and all the other Windows supporting VB Scripting language. Once the worm is launched, it will use MS Outlook to automatically send an email with an attachment of itself. Similar to the Melissa virus, this worm uses MAPI calls to get user profiles from MS Outlook. The contents of the email generated by this worm are:
Subject: Check this
Have fun with these links. Bye.
When the attached file is executed, it will create the following two files:
- C:\WINDOWS\LINKS.VBS
- C:\WINDOWS\SYSTEM\RUNDLL.VBS
It will also create a file called LINKS.VBS in the root of all network drives that are currently mapped. Next, the worm will modify the following registry to execute every time the machine boots up:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rundll=RUNDLL.VBS
After infecting a system, it displays a dialog box titled "Free XXX links" with the following content:
This will add a shortcut to free XXX links on your desktop. Do you want to continue.
If the user selects yes, it will create a shortcut pointing to an adult web site.
It also searches for MIRC32.EXE and PIRCH98.EXE chat programs in C:\MIRC , C:\PIRCH98, C:\PROGRAM FILES and the sub directories of each of these directories. If it finds either of these programs, it will modify the corresponding SCRIPT.INI file or EVENTS.INI located in the same directory. These INI files will cause LINKS.VBS to be sent to other people during the IRC sessions.
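Pretty Park, LIFE_STAGES.TXT.SHS and Links.vbs above all persist through the registry: the first rewrites the exefile open command, the other two add script entries under RunServices and Run. The following is an added example (not code from the page or from any product it mentions) that parses a registry export in .reg syntax and reports those persistence points; the export text is constructed to resemble an infected machine and is not captured data, and the parser handles only the [key] / "name"="string" subset of the format.

```python
"""Audit a Windows registry export (.reg text) for the persistence tricks the
worms above use: the exefile open-command hijack (Pretty Park) and script
entries under Run / RunServices (LIFE_STAGES' Scanreg.vbs, Freelink's RUNDLL.VBS)."""
import re

EXEFILE_OPEN_CMD = r"hkey_local_machine\software\classes\exefile\shell\open\command"
CLEAN_EXEFILE_CMD = '"%1" %*'   # stock value; Pretty Park prepends files32.vxd
AUTOSTART_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".hta", ".wsf")

# One value line: @=... for the default value, or "name"=... for a named value.
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # Undo .reg string escaping: backslash-quote becomes a quote,
    # double backslash becomes a single backslash.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse [key] headers and string values into {key: {name: value}};
    keys are lower-cased so they can be compared case-insensitively."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            value = m.group(3)
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = _unescape(value[1:-1])
            keys[current][name] = value
    return keys


def audit(keys):
    """Return (finding, key, detail) tuples for the persistence points above."""
    findings = []
    # Anything other than "%1" %* means every .exe launch goes through a wrapper.
    cmd = keys.get(EXEFILE_OPEN_CMD, {}).get("")
    if cmd is not None and cmd.strip().lower() != CLEAN_EXEFILE_CMD:
        findings.append(("exefile-hijack", EXEFILE_OPEN_CMD, cmd))
    # Scripts started at boot are how LIFE_STAGES and Freelink survive a reboot.
    for key in AUTOSTART_KEYS:
        for name, value in keys.get(key, {}).items():
            if name.lower().endswith(SCRIPT_EXTS) or value.lower().endswith(SCRIPT_EXTS):
                findings.append(("script-autostart", key, f"{name}={value}"))
    return findings


# Constructed export resembling an infected Windows 9x machine (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Rundll"="RUNDLL.VBS"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Scanreg.vbs"="C:\\WINDOWS\\SYSTEM\\Scanreg.vbs"
'''

if __name__ == "__main__":
    for kind, key, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{kind:16} {key}\n    {detail}")
```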
DO NOT accept files from people you do not know. If you do accept files, even pictures always scan it first with a virus scanner. (can we stress this enough?) To learn how to get a virus scanner go to Useful Information in the Protection section.
To protect yourself from this virus, all Norton AntiVirus customers should ensure their virus definitions are up to date by using the LiveUpdate feature. In order to detect the VBS.Freelink virus, it is necessary to scan files with the VBS filename extension. It is recommended to use the options in NAV to scan "All files" rather than using the "Program Files" option. Please note that this may cause performance issues depending on the software, hardware and configuration you are using. Newer versions of Norton AntiVirus are shipped with scan "All files" as the default configuration. If you choose only to scan "Program Files", please make sure that the configuration in Norton AntiVirus includes the "VBS" file extension as well as the following file extensions in the "Scanner" and "AutoProtect" options.
Recommended Extension List as of Oct 5, 1999:
386, ADT, BIN, CBT, CLA, COM, CPL, CSC, DLL, DOC, DOT, DRV, EXE, HTM, HTT, JS, MDB, MSO, OV?, POT, PPT, RTF, SCR, SHS, SYS, VBS, XL?
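The point of the paragraph above is that extension-based scanning only catches what is on the list. As an added example (not code from the original page or from Norton AntiVirus), the Python below reads the Oct 1999 list exactly as printed, treats "?" as the single-character wildcard it is in entries like OV? and XL?, and reports whether the files named on this page would be scanned under the "Program Files" option versus "All files". Note that HTA does not appear on that list, so KAK.HTA (described further down) would be missed by extension-based scanning with this list. The filenames used are the ones this page mentions plus constructed ordinary names.

```python
import fnmatch

# Extension list copied verbatim from the page (Recommended Extension List as of Oct 5, 1999).
# "?" stands for any single character, so "OV?" covers OVL, OVR, ... and "XL?" covers XLS, XLT, ...
RECOMMENDED_EXTENSIONS = (
    "386, ADT, BIN, CBT, CLA, COM, CPL, CSC, DLL, DOC, DOT, DRV, EXE, HTM, HTT, "
    "JS, MDB, MSO, OV?, POT, PPT, RTF, SCR, SHS, SYS, VBS, XL?"
)


def parse_extension_list(text):
    """Turn the comma-separated list into upper-case glob patterns."""
    return [item.strip().upper() for item in text.split(",") if item.strip()]


def extension_of(filename):
    """Return the final extension of a Windows or POSIX path, upper-cased ('' if none)."""
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in basename:
        return ""
    return basename.rsplit(".", 1)[1].upper()


def would_be_scanned(filename, extensions, scan_all_files=False):
    """Decide whether an extension-based scanner would open this file.

    scan_all_files=True models the "All files" option, which ignores the list.
    Otherwise the file is scanned only if its extension matches one pattern.
    """
    if scan_all_files:
        return True
    ext = extension_of(filename)
    return any(fnmatch.fnmatchcase(ext, pattern) for pattern in extensions)


def coverage_report(filenames, extensions):
    """Map each filename to True/False for the 'Program Files' scanning mode."""
    return {name: would_be_scanned(name, extensions) for name in filenames}


if __name__ == "__main__":
    patterns = parse_extension_list(RECOMMENDED_EXTENSIONS)
    # Files named on this page, plus constructed ordinary document names for comparison.
    samples = [
        r"C:\WINDOWS\LINKS.VBS",
        r"C:\WINDOWS\SYSTEM\RUNDLL.VBS",
        r"C:\WINDOWS\Start Menu\Programs\StartUp\KAK.HTA",
        r"C:\My Documents\budget.xls",      # constructed
        r"C:\WINDOWS\SYSTEM\VGA.OVL",        # constructed
        r"C:\My Documents\readme",           # constructed, no extension
    ]
    for name, scanned in coverage_report(samples, patterns).items():
        print(f"{'scanned ' if scanned else 'SKIPPED '} {name}")
```

Running it shows the two Freelink scripts covered by the VBS entry while KAK.HTA is skipped unless "All files" is selected, which is the practical argument for that option that the paragraph makes.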
KAKworm
VBS.KakWorm spreads using Microsoft Outlook Express. It attaches itself to all outgoing messages via the Signature feature of Outlook Express and Internet Explorer newsgroup reader. The worm utilizes a known Microsoft Outlook Express security hole so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system. The worm appends itself to the end of legitimate outgoing messages as a signature.
When receiving the message, the worm will automatically insert a copy of itself into the appropriate StartUp directory of the Windows operating system for both English and French language versions. The file created is named KAK.HTA. The worm utilizes a known Microsoft Outlook Express security hole, Scriptlet.Typelib, so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system. Microsoft has patched this security hole. The patch is available from Microsoft's website.
If you have a patched version of Outlook Express, this worm will not work automatically. HTA files are executed by current versions of Microsoft Internet Explorer or Netscape Navigator. The system must be rebooted for this file to be executed. Once executed, the worm modifies the registry key: HKCU/Identities//Software/Microsoft/Outlook/Express/5.0/signatures in order to add its own signature file, which is the infected KAK.HTA file. This causes all outgoing mail to be appended by the worm. In addition, the registry key: HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu is added, which causes the worm to be executed each time the computer is restarted. Finally, if it is the first of the month and the hour is 17 (5:00pm), the following message is displayed: Kagou-Anti-Kro$oft says not today! and Windows is sent the message to shut down.
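Both Links.vbs and KAKworm persist the same way: a value under a Run key that launches a script, and (for KAKworm) an HTA dropped into the StartUp folder. As an added example, not part of the original page, the Python below audits a snapshot of Run-key values and a StartUp folder listing against the indicators the two descriptions give (Rundll=RUNDLL.VBS, cAgOu, KAK.HTA) and, more generally, flags any autorun entry whose command points at a .vbs, .hta or .js file. The snapshot is constructed inline so the script runs on any platform; on a real machine the same dictionaries would be filled from the registry and the StartUp directory. The command data for cAgOu is a constructed placeholder, since the page gives only the value name.

```python
import re

# Indicators taken from the page's descriptions of VBS.Freelink and VBS.KakWorm.
# Value name -> substring expected in its data; None means the name alone is the indicator.
KNOWN_RUN_VALUES = {
    "Rundll": "RUNDLL.VBS",   # Freelink: ...\CurrentVersion\Run\Rundll=RUNDLL.VBS
    "cAgOu": None,            # KakWorm: ...\CurrentVersion\Run\cAgOu (data not given on the page)
}
KNOWN_STARTUP_FILES = {"KAK.HTA"}   # KakWorm drops this into the StartUp folder

# Generic rule: a Run entry or StartUp item that hands a script to the scripting host.
SCRIPT_EXT_RE = re.compile(r"\.(vbs|hta|js)\b", re.IGNORECASE)
SCRIPT_SUFFIXES = (".VBS", ".HTA", ".JS")


def classify_run_value(name, data):
    """Return 'known-indicator', 'script-autorun' or 'ok' for one Run-key value."""
    data = data or ""
    if name in KNOWN_RUN_VALUES:
        expected = KNOWN_RUN_VALUES[name]
        if expected is None or expected in data.upper():
            return "known-indicator"
    if SCRIPT_EXT_RE.search(data):
        return "script-autorun"
    return "ok"


def classify_startup_file(path):
    """Same verdicts for a file found in a StartUp folder."""
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1].upper()
    if basename in KNOWN_STARTUP_FILES:
        return "known-indicator"
    if basename.endswith(SCRIPT_SUFFIXES):
        return "script-autorun"
    return "ok"


def audit_autoruns(run_keys, startup_files):
    """run_keys: {key path: {value name: command}}; startup_files: list of paths.

    Returns a list of (verdict, location, command) for everything not judged 'ok'.
    """
    findings = []
    for key_path, values in run_keys.items():
        for name, data in values.items():
            verdict = classify_run_value(name, data)
            if verdict != "ok":
                findings.append((verdict, f"{key_path}\\{name}", data))
    for path in startup_files:
        verdict = classify_startup_file(path)
        if verdict != "ok":
            findings.append((verdict, path, ""))
    return findings


# Constructed snapshot standing in for a registry read and a directory listing.
SAMPLE_RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SystemTray": "SysTray.Exe",                 # benign, constructed
        "Rundll": "RUNDLL.VBS",                       # exactly as described for Links.vbs
        "cAgOu": r"C:\WINDOWS\KAK.HTA",              # placeholder data; only the name is from the page
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": r"C:\Program Files\Vendor\update.exe",   # benign, constructed
        "Notes": r"wscript.exe C:\notes.vbs",               # unknown script autorun, constructed
    },
}
SAMPLE_STARTUP_FILES = [
    r"C:\WINDOWS\Start Menu\Programs\StartUp\KAK.HTA",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk",   # benign, constructed
]

if __name__ == "__main__":
    for verdict, location, command in audit_autoruns(SAMPLE_RUN_KEYS, SAMPLE_STARTUP_FILES):
        print(f"{verdict:16} {location}  {command}")
```

The generic "script-autorun" verdict is the more durable check: the specific value names belong to these two worms, but a Run entry that launches a script from the Windows directory is worth a look whatever it is called.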
Back Orifice
Back Orifice is another remote control trojan running on Windows 95. Released in mid 1998 by a hacker group called the Cult of the Dead Cow, it has become one of the most popular remote access hacks on the internet.
Back Orifice (BO) can :
Allow a hacker to access your PC via the internet (or any TCP/IP network)
Allow unauthorised copying, deletion, addition and renaming of files.
Allow a hacker to start and stop programs on your PC.
Capture and transmit all the keystrokes made at your PC to a remote location.
Allow the hacker to modify (or delete) the system registry.
Automatically alert a hacker when you go online.
Capture and transmit a screenshot from your PC.
Back Orifice 2000
Back Orifice 2000 is a new version of BackOrifice.Trojan. When installed on a Microsoft Windows system, this backdoor trojan horse program allows others to gain full access to the system through a network connection. Similar to the original BackOrifice, it consists of two pieces: a server and a client application. However, now both applications are capable of running under Windows NT. The client application, running on one machine, may be used to monitor and control a second machine running the server application. The port number through which the client controls the server is configurable. However, as long as the port is blocked by a firewall, this trojan horse will not be able to infiltrate the server.
It does not matter whether the TCP or UDP protocol is implemented. There have not been any reports of this program being able to break through a firewall.
Back Orifice 2000 (BO2K) can :
Allow a hacker to access your PC via the internet (or any TCP/IP network)
File and directory commands - list directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes
Allow a hacker to start and stop programs on your PC.
Capture and transmit all the keystrokes made at your PC to a remote location.
View and edit the registry - create a key, set a value, get a value, delete a key, delete a value, rename a key, rename a value, enumerate keys and enumerate values
Automatically alert a hacker when you go online.
Lock up the target machine
View the contents of any file on the target machine
Display the screen saver password of the current user of the target machine
Capture and transmit a screenshot from your PC.
Ping and query the server
List cached and screen saver passwords
Display a message box
Map a port to another IP address, application, HTTP file server, or filename
List ports mapped by BackOrifice 2000
Share a drive, unshare a drive, list shared drives, list shared devices on a LAN, map a shared device, unmap a shared device and list all connections
List current processes, kill a process and start a process
Server control - shutdown server, restart server, load plug-in, remove plug-in and list plug-ins
Resolve host name and address
Compress and uncompress files
Receive and send files
Sockets de Trois
Sockets de Trois is yet another backdoor. Like all the remote control trojans it allows unauthorised people to access your PC and cause damage.
Sockets de Trois can :
Access, add, remove and copy files on any hard drive in your PC.
Allow remote alterations to the registry.
Access your printer.
Reboot Windows remotely.
Access mIRC scripting.