TUCoPS :: Malware :: ciack031.htm

Mobile Malicious Code
Mobile Malicious Code Privacy and Legal Notice


K-031: Mobile Malicious Code

March 30, 2000 19:00 GMT
Updated April 3, 2000 15:00 GMT to include 911 Worm
*** Notes updates

PROBLEM:       Malicious codes have become more mobile using e-mail to
               automatically distribute themselves to people in your e-mail
               address books. The first major outbreak of these was the
               W97M.Melissa Word macro virus.

***            A recent worm, the 911 Worm, has been listed that scans
               Windows systems for shared drives and attempts to install
               itself in those shares.  The current version only looks for
               shared C: drives.

PLATFORM:      Any system receiving e-mail with attachments. The most common
               of theses viruses and worms use Microsoft Outlook, Outlook
               Express, or Exchange to spread.

***            Windows 95/98 if file sharing is turned on.

DAMAGE:        Damage ranges anywhere from simply re-mailing itself to
               destroying data on infected systems. Special scripted commands
               could send personal information about you to an unknown

SOLUTION:      Do not open attachments to e-mail messages that you are not
               expecting, especially if they are executable files. If they are
               Word documents, be sure to have macro protection turned on and
               pay attention to it when the Macro Detected dialog box pops up.
               Do not allow unexpected macros to run. Infection from
               attachments can be avoided by not double-clicking on the
               document or .exe file even if sent by a trusted source. Check
               your mail program and web browser security setting to be sure
               that hidden scripts or applets are not allowed to run
               unnoticed. Keep patches up to date.

***            Share only individual folders.  Never share the root system
               directory (C:\ on most systems), or the system directory
               (C:\WINDOWS on most systems).

VULNERABILITY Risk of infection is high. If you receive attachments by e-mail ASSESSMENT: you have a good chance of receiving an infected document. The code's use of 'Social Engineering' tricks to lead you to believe that the infected document was sent from a trusted/known source are very effective in getting a user to open or execute the attached malicious code.
Introduction: An unwelcome development in malicious code is the addition of self propagation to computer viruses. These new viruses straddle the line between viruses and worms. While all viruses propagate themselves by infecting new files, these new viruses not only infect new files, they also transfer the newly infected files to other systems. Because of this ability, they no longer have to wait for a user to transfer the infected file for them. They still depend on a user at the attacked system to run the infected file but use various forms of social engineering and the user's lack of knowledge to get the user to do so. The most well known of these mobile malicious codes is the Melissa virus that appeared in March of 1999 (see CIAC Bulletin: J-037A: W97M.Melissa Word Macro Virus). The Melissa virus is a standard Word macro virus (See CIAC bulletins: G-10a: Winword Macro Viruses and I-023: Macro Virus Update) that runs when the infected Word document is opened and infects all Word documents that are subsequently edited on the infected system. In addition to the standard file infection mechanism, the Melissa virus opens a connection to the Outlook 98 e-mail program and begins sending e-mail messages in your name to people in your address books. Attached to each e- mail message is an infected Word document with the note: "Here is that document you asked for ... don't show anyone else ;-)". Here it is using social engineering by masquerading as you to get individuals in your address book to execute the infected document. These codes typically use social engineering to trick you into believing that the document or executable was sent to you by a known or trusted source. Many people will execute files sent by someone they know before checking to see if the files may be infected with a virus or have malicious intent. A second development in this arena is the inclusion of backdoor programs along with the virus or worm code (see CIAC bulletin: J-032: Windows Backdoors Update II). The backdoor programs are installed in a system by the virus or worm and opens your system to hidden, remote logins by the intruder and his friends. Since the outbreak of the 'Melissa' virus in March of 1999, many variants or copy-cat viruses have surfaced. Several have been classified as computer worms because the code sends itself to other systems though most still require a user's intervention to allow them to propagate. These files are being distributed as attachments to e-mail messages with most designed to work with different versions of Microsoft Outlook. Other e-mail programs, such as Eudora, could also be used but the virus writers prefer Outlook because it is usually automatically installed along with Microsoft Word. The attached files include not only infected Microsoft Word documents but also executable (.exe) variants of the viruses. *** In April of 2000 a new worm, the 911 Worm, has surfaced that is capable of scanning IP ranges in search of non-passworded, shared C drives on Windows 95 and 98 systems. If the shares on the target computer are writable, it will proceed to copy files on the system that will be executed the next time Windows starts up. Damage: The extent of the damage that these mobile malicious codes cause vary. Most over utilize your mail server, causing it to freeze or crash. Others load Trojan or backdoor programs that open your system to outside access without your knowledge or control. Damage includes destroyed data, loss of e-mail service, loss of e-mail messages, denial of service, or unauthorized access to your system. The damage done depends on the particular virus or worm. Solutions: Check to see that your system is secure and that you don't allow attachments to auto-execute. Never allow code to run on your computer that you have not authorized. Be sure that your anti-virus software is updated frequently so that it has the latest virus definitions. As of this writing, Network Associates states that there are currently over 50,000 malicious codes known. If you receive an unexpected attachment from a known source, check with the sender to insure that the attachment is OK. Attackers utilize known vulnerabilities in Internet Explorer for activating malicious codes or gain unauthorized access. Microsoft has released patches to eliminate the problems that Active-X controls can cause. J-018: HTML Viruses http://www.ciac.org/ciac/bulletins/j-018.shtml J-064: ActiveX Controls, Scriptlet.typlib & Eyedog, Vulnerabilities http://www.ciac.org/ciac/bulletins/j-064.shtml J-011: Microsoft IE 4.01 Untrusted Scripted Paste http://www.ciac.org/ciac/bulletins/j-011.shtml There have been a number of advisories and bulletins on protections against Macro Viruses. Note that Word 2000 has changed the mechanism for turning on the macro protection. Instead of using the options dialog box as specified in CIAC Bulleten J-037A "Melissa" Word 2000 uses security levels. Choose the Tools, Macro, Security command to view the security dialog box. The setting should be medium or high, never low. CIAC Bulletin J-037A included an auto execute macro to insure that all the macro protections are in place. The revised version of that macro is shown below. Install it as indicated in J-037A on the "normal" template in a module named AutoExe. Note that in Word 2000 the Macro Security setting must be done by hand. It cannot be set with code. Protection Macro Code Sub Main() ' ' AutoExec.Main Macro ' Macro created 03/30/99 by William J. Orvis ' If Val(Application.Version) >= 9 Then 'This is Word 2000 or later. 'Macro protection cannot be read or changed with code. Else 'Word 95, 97 If Options.VirusProtection = False Then MsgBox "Warning! Virus protection was turned off. I will turn it back on again.", , "WARNING!!" End If Options.VirusProtection = True End If If Options.ConfirmConversions = False Then MsgBox "Warning! Confirm Conversions was turned off. I will turn it back on again.", , "WARNING!!" End If If Options.SaveNormalPrompt = False Then MsgBox "Warning! Save Normal Prompt was turned off. I will turn it back on again.", , "WARNING!!" End If Options.ConfirmConversions = True Options.SaveNormalPrompt = True MsgBox "Security Options Set" End Sub J-037A: W97M.Melissa Word Macro Virus http://www.ciac.org/ciac/bulletins/j-037.shtml K-004: Microsoft "Excel SYLK" Vulnerability http://www.ciac.org/ciac/bulletins/k-004.shtml J-025: W97M.Footprint Macro Virus Detected http://www.ciac.org/ciac/bulletins/j-025.shtml I-023: Macro Virus Update http://www.ciac.org/ciac/bulletins/i-023.shtml G-10a: Winword Macro Viruses http://www.ciac.org/ciac/bulletins/g-10a.shtml Mobile Code Examples: The following mobile code examples were chosen to give you an overview of the operations and capabilities of mobile malicious codes and to not be an inclusive list of these codes. Mobile Codes using MS Outlook or Exchange The following mobile codes are patterned after the W97M.Melissa Word macro virus. 'Melissa' used the address books in Microsoft Outlook for distributing infected documents. ExploreZip Worm J-047: The ExploreZip Worm http://ciac.llnl.gov/ciac/bulletins/j-047.shtml ExploreZip (packed) Worm K-008: ExploreZip (packed) Worm http://ciac.llnl.gov/ciac/bulletins/k-008.shtml Papa Virus X97M/Papa is an Excel 97 macro worm. It's quite similar to the widespread W97M/Melissa virus. This one is listed by Datafellows at: http://www.datafellows.com/v-descs/papa.htm Melting Worm This worm is an executable Visual Basic program that comes in an e-mail message with the subject: 'Fantastic Screensaver'. The attachment to the e- mail message is a copy of the virus named: 'MeltingScreen.exe'. When the virus runs, it attempts to use Microsoft Outlook to send copies of itself to all your friends. This particular worm has bugs and often freezes the computer when run. It doesn't work if the Visual Basic run-time libraries are not installed on the attacked system. This worm is listed on the DataFellows website. http://www.datafellows.com/v-descs/melting.htm PrettyPark.Worm The original version of 'PrettyPark', also known as 'Trojan.PSW.CHV', is an Internet worm, a password stealing Trojan and a backdoor all in one. The file has an icon showing a cartoon character from South Park. Recently several facilities in the DOE complex have received copies of variant D of the PrettyPark.Worm. Variant D of the worm creates a file called files32.vxd in the Windows\System directory and modifies the following registry entry value from "%1%* to files32.vxd "%1%* without your knowledge: HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command The file contains a copy of the worm and the registry change causes that file to be run every time you run an executable program on your system. After infecting your system, it uses the addresses in your Internet address book, and tries to e-mail itself to all your addresses every 30 minutes. This worm also tries to connect to a IRC server where it can retrieve other commands to be run from a specific IRC channel. The PrettyPark.Worm is listed by most anti-virus vendors. Wscript.KakWorm The Wscript.KakWorm utilizes a known vulnerability in older versions of Microsoft Internet Explore (used to display mail in Outlook Express). This vulnerability allows embedded code to run just by viewing the e-mail message. The script is in a html scripted e-mail message itself, you don't need an attachment to transmit the infection. Patches for this vulnerability have been available for more than a year. See the following CIAC Bulletin for more information about this vulnerability and the location of patches. J-064: ActiveX Controls, Scriptlet.typlib & Eyedog, Vulnerabilities http://www.ciac.org/ciac/bulletins/j-064.shtml photos17.exe This e-mail message is an example of Social Engineering to trick the recipient into executing the malicious code. This appears to be a renamed version of the program "ie0199.exe". It is similar to the Trojan Horse described in CIAC Bulletin I-085. I-085: Microsoft IE Upgrade Trojan Horse Program http://ciac.llnl.gov/ciac/bulletins/i-085.shtml This Trojan appeared in the United States after the mail server at a major university was spammed with messages containing the trojaned program. The program was sent as an attachment to a message that read: ***** Subject: photos Hi, I'm sending you the photos that we have told you about! many kisses, Viki! ***** There is no physical damage or lost data. The damage here is to the reputation of the victim due to spam mail sent from users machine and clogged e-mail servers. When the user restarts the computer with the Trojaned program installed an Internet connection is made to multiple remote locations and Spam e-mail is sent. When the e-mail attachment is executed it installs shell32.exe into the Windows %system root% directory (usually c:\winnt for Windows NT and c:\windows for Windows 95/98) and adds a reference to that program to the following Window's registry key (hkey_local_machine/software/microsoft/windows/currentversion/run/default). The modification causes the Trojaned shell32.exe to execute each time the machine is restarted. BubbleBoy worm BubbleBoy is a worm that spreads using email by implementing the same old Internet Explore hole as the Kak worm. It is able to replicate without the user being required to open/run any mail attachments. In case of BubbleBoy, the worm activates the moment the email is opened in Outlook. BubbleBoy infects Windows 98 and Windows 2000 computers. It will also work under Windows 95 if Windows Scripting Host is installed. On all these platforms, BubbleBoy will function only if an unprotected version of Internet Explorer 5.0 is installed. BubbleBoy does not run under Windows NT. The worm does not work when the Internet Zone security settings of IE 5 are set to "High" level. The worm comes as an email. The subject of the email is "BubbleBoy is back". The worm code is in the message itself and not as an attachment. When the email message is opened, the worm using a security loophole creates a file called "UPDATE.HTA". The worm tries to put this files in the "C:\WINDOWS\START MENU\PROGRAMS\STARTUP" and "C:\WINDOWS\MENU INICIO\PROGRAMAS\INICIO" directories. The presence of the UPDATE.HTA file in the startup directory causes the file to be executed without any security controls the next time the computer is re-started. As the startup directory names are hardcoded, the worm infects only the English and Spanish versions of Windows. J-064: ActiveX Controls, Scriptlet.typlib & Eyedog, Vulnerabilities http://www.ciac.org/ciac/bulletins/j-064.shtml *** BAT.Chode.Worm Aliases: Chode, Foreskin, BAT911 In April of 2000, a new worm has surfaced that is capable of scanning IP ranges in search of shared C drives that are not password protected. If the target computer is non-passworded and writable, it will proceed to copy multiple BAT files that will be executed the next time Windows starts up. This worm is only able to spread itself if the target computer has the directory C:\WINDOWS\ non-passworded, writable. The main startup component (a PIF, Program Information File) is installed in the Windows startup folder. The current variants of this worm are programmed to scan for specific subnets. Verify that file sharing is turned off. Windows 95/98 - select My Computer, Control Panel, Networks, and click on the File and Print Sharing button. Windows NT - check Control Panel, Server, Shares. Share only those directories or files that are needed by others and require good passwords. This does not require making the entire drive sharable. Alert: 911 Worm (Alias: bat.chode) http://www.sans.org/newlook/alerts/911worm.htm NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM ADVISORY (NIPC ADVISORY 00-038); SELF-PROPAGATING 911 SCRIPT http://www.nipc.gov/nipc/advis00-038.htm
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH