From: Preston Hardison <prestonh@home.com>
To: indknow@u.washington.edu
Date: Thu, 29 Nov 2001 11:40:34 -0800
Subject: Virus Updates - Don't Ignore!

Thanks to Ishgooda for pointing out that this is a Badtrans problem. This virus is a pretty bad one, and has been propagating pretty quickly on the net, so I think people should spend a few minutes trying to deal with it.

Bottom line:

1. Badtrans will execute automatically on computers using unpatched versions of Outlook Express, Outlook and Microsoft Explorer 5.1-5.5. You don't need to click on the attachments for the virus to install. Others receiving the virus without this software can still activate it by clicking on the attachments.

2. The newest variant of the virus installs a Trojan Horse on your computer that sends information to the virus writer and could make your private information vulnerable.

3. Update, now (and forever):
   a. Your email software (especially if using Microsoft Outlook or Outlook Express)
   b. Your browser software (especially if running Microsoft Explorer 5.1-5.5)
   c. Your anti-virus software's virus definition files

4. Configure your browser and email programs to provide you with protection.

5. (Optional, but recommended): Get a firewall, and keep it updated.

Regards,
Preston

-----------------------------------------------------------------------

Badtrans is actually a new kind of virus, one that attacks in a new way that allows attachments to self-execute in some kinds of (read: Microsoft) browsers. There are now four major ways for viruses to enter your system:

1. Self-Inflicted wound: You grab a file from the Internet or are handed a file on floppy or CD-ROM that is a binary (non-text) file infected with the virus, and launch it without scanning it for viruses, or after the scan fails to detect the virus.

2. Attachments: You get an attachment in an email from someone, often seemingly from a close personal friend, and click on it. The older versions of this relied on clever social engineering to get you to click on the attachments (the letter was addressed from SOMEBODY who sent you a FUNNY JOKE or COOL SCREENSAVER). People started to get wary of clicking on attachments from anonymous sources, so the next generation of viruses goes into users' address books to get addresses and nicknames, and sends a personalized message from that user's mail account offering a FUNNY JOKE or COOL SCREENSAVER. Many (not all) people have started to learn it is not a good idea to click on these, no matter who they come from. The latest generation now goes to the mailbox, grabs a real message, and either replies to it, appending the virus attachment, or forwards it to addresses and nicknames it gets out of the address book.
The attachments now often have more cryptic, camouflaged names - rather than trying to appeal to your sense of humor or prurience, they try to disguise the file as a workaday transmission that appears to have been sent by a close personal friend. In all of these cases, the virus is activated by manipulating you into clicking on the attachments. So there's no confusion - most of these problems with address books - which have resulted in billions of dollars of damage - have been caused by Microsoft's Outlook and Outlook Express.

3. Embedded files: Browsers and most current email software have decided to make your Internet experience so much more fun by allowing all sorts of software programs to be installed on your computer, often without your knowledge. Much of this is quite benign. But - many web sites now secretly download "spyware" applications, or create cookies on your computer to track your activities and movements on the Internet. Much of the "freeware" you get either installs spyware or alerts you to it while requiring you to accept it as a term of use - mostly because they rely on advertising to make their product freely available. Leaving your browsers and email at their default levels so that you can see Flash animations and the like gives your software permission to install these programs without your explicit consent. Virus writers have learned to exploit this by writing virus code that they embed in web pages, so that when you simply view them, the code is automatically downloaded and executed - installing and launching the virus program. This is why it is a VERY GOOD idea (read: essential if you care about your privacy or vulnerability to viruses) to go into your browser or email program and modify the default security settings and options for downloading JavaScript, cookies and other software code.
It is also a VERY GOOD idea to regularly check for updates to your browser software, since embedded scripts often exploit particular security holes that get patched by browser makers when they are discovered. The embedded files problem is not uniquely Microsoft's, as most of the automated email vulnerability problems above are.

4. Self-Activating Attachments: The Badtrans virus is a variant on the second type of virus. It's not actually an embedded file like you might get on a web page, but comes as an attachment. But rather than requiring you to click on the attachment, the virus exploits vulnerabilities in Microsoft Outlook, Outlook Express, and Microsoft Explorer versions 5.1 - 5.5. Normally, when you click on an attachment, this sends a message to your computer using MIME (Multipurpose Internet Mail Extensions) that scans your computer for the appropriate application to manage the file, then issues commands to launch that application and feed the contents of the attachment into it so that the image can be seen, the song can be played and the electronic document can be read. This new worm is able to trick Outlook or Outlook Express and Microsoft Explorer into starting a MIME conversation automatically. Like embedded viruses, this new method is passive - it requires no behavior on the part of the user to install it. YOU DO NOT HAVE TO CLICK ON THE ATTACHMENT for this virus to work. The newest variant also installs a Trojan Horse program on your computer, which attempts to send your Internet location back to the virus programmer, who can use the information to break into your computer to steal data, passwords, credit information, etc. Take it seriously.

--------------------------------------------

W32.Badtrans.13312@mm
W32.Badtrans.B@mm

Worms: Despite patching, infection continues. Why?
By Robert Vamosi, AnchorDesk

Within the last few weeks, several worms have taken advantage of a single vulnerability in Internet Explorer to assault computers worldwide.
It's a vulnerability that allows the worm's code to execute automatically on some computers. Instead of requiring a user to open an infected e-mail in Outlook and then actually click on the attached file to launch the program, these new worms work differently. They take advantage of the so-called "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Internet Explorer 5.01 and 5.5, which allows the worms to automatically execute upon arrival - no clicking necessary.

WHAT IS ODD is that Microsoft patched this vulnerability earlier this year. Nevertheless, the Incorrect MIME vulnerability is hot, hot, hot within virus-writing circles. The vulnerability affects certain Multipurpose Internet Mail Extensions (MIME) types. For example, if someone sends a video e-mail, a viewer will open to display the video. In this case, if someone sends certain types of executable files, these also open automatically, even if they contain malicious code.

As I write this, Badtrans.B has replaced Sircam as the #1 virus on Messagelabs' Top Ten daily graph. Badtrans.B achieved this distinction because it recycles existing e-mail, sending copies to people as though you were replying.

RUNNING A CLOSE SECOND is Aliz, a pithy little file, just 4KB, that simply automatically executes copies of itself, flooding e-mail servers with excess junk mail. In recent weeks there was also the Klez worm, which appears to be nothing more than a job request, and Finaldo, short for Final Doom, which appears to be a worm in progress. The text within its code promises even greater damage from a future variation.

Fortunately, Microsoft's MS01-020 patch for the Incorrect MIME vulnerability has been available since March 29, 2001. What? Never heard of it? Well, neither had I, until Nimda came along in September.

YES, THE SAME PATCH that prevents Nimda can also prevent these new worms from spreading. So why haven't more people patched their systems?
The answer's kind of complicated, like the solution. Virus outbreaks like Badtrans.B, Sircam, and ILOVEYOU get their biggest boosts from office environments, not home users. Offices warehouse millions of e-mail addresses, so infecting one company can send copies of a virus all over the world. Also, offices are less likely to have upgraded or patched their Internet Explorer programs because IT departments first evaluate new releases of software before installing them.

Nevertheless, I think the whole Internet Explorer patch process is messed up--and the virus writers know that. In the past, I've advocated better methods of alerting users and installing patches. So far, no one method is without its own faults.

Here, the patch itself is confusing as hell to install. For example, if you are still running Internet Explorer 4 or before, you're fine but missing much of the Internet. If you are using Internet Explorer 5.01, then download the MS01-020 patch. HOWEVER, if you already loaded the Service Pack 2 for 5.01, then you don't need to run the MS01-020 patch. If you're running Internet Explorer 5.5, then download the MS01-020 patch.

Now that you have figured out whether you should or should not download the MS01-020 patch, you scroll through the lengthy digressions on the Microsoft site only to discover that MS01-027 has superseded MS01-020. What? While it is not immediately clear that these bulletins are discussing the same flaws, the patch described in "Flaws in Web Server Certificate Validation Could Enable Spoofing" also handles minor variations on the above-mentioned MIME vulnerability. So, really, you should download MS01-027, yet none of the antivirus sites says skip GO and head directly to MS01-027.

MICROSOFT EXPLAINS the MIME problem in MS01-020, and has asked that readers start with that bulletin before jumping into MS01-027. Given the whole patch morass, you might decide to chuck the whole process and simply download a new version of Internet Explorer.
But be careful: failure to choose a full or typical install with version 6.0 could mean that your machine is still vulnerable. And, as mentioned in a recent AnchorDesk column, there's virtually no way to burn a disk with all the CAB files required for Internet Explorer, so office IT departments will have to download it one machine at a time.

For the moment, while Badtrans.B and Aliz are loose, I think Microsoft should offer one clearly labeled patch and stop complicating things. In the future, perhaps Microsoft could work with the antivirus companies. One idea that's been suggested: have Microsoft patches included with any antivirus signature file. Might not be a bad idea.
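Both Preston's note and Vamosi's column come down to one mechanism: an attachment is declared under a MIME Content-Type that the mail client hands straight to a viewer, while the file itself is an executable. That mismatch can be screened for at the mail gateway before any client sees it. The scanner below is an added example and is not code from the original message or from either author. The two sample messages are constructed for illustration; the audio/x-wav type (the disguise the 2001 worms used, a fact not stated on the page), the extension list and the function names are assumptions chosen for the demo.

```python
"""Gateway-side check for the "executable disguised as media" attachment
pattern that the Incorrect MIME Header flaw (MS01-020) let Internet
Explorer 5.01/5.5 auto-execute from HTML mail.

Added example; not code from the original message, Preston Hardison or
Robert Vamosi.  The sample messages below are constructed.  The audio/x-wav
type, EXECUTABLE_EXTENSIONS and AUTO_OPEN_PREFIXES are assumptions for the
demo, not facts taken from the page.
"""

import email
import os
from email import policy
from typing import List, Optional, Tuple

# Extensions Windows will execute when the file is "opened" (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Content-Type families a 2001-era mail client would pass straight to a
# viewer/player; that automatic hand-off is what made the disguise work.
AUTO_OPEN_PREFIXES = ("audio/", "video/", "image/")


def classify_attachment(content_type: str, filename: str) -> Optional[str]:
    """Return a reason string if (declared type, filename) looks dangerous,
    else None.  A media type wrapping an executable name is the MS01-020
    shape; a plain executable attachment is flagged too."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if content_type.lower().startswith(AUTO_OPEN_PREFIXES):
        return "executable disguised as auto-opening media"
    return "executable attachment"


def find_suspicious_attachments(raw: bytes) -> List[Tuple[str, str, str]]:
    """Parse a raw RFC 2822 message and return
    (filename, declared content type, reason) for every suspicious part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= and falls back
        # to Content-Type name=, which is where the disguised parts carry it.
        filename = part.get_filename()
        if not filename:
            continue
        ctype = part.get_content_type()
        reason = classify_attachment(ctype, filename)
        if reason:
            findings.append((filename, ctype, reason))
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Gateway policy: hold any message carrying an executable attachment."""
    return bool(find_suspicious_attachments(raw))


# Constructed sample: an HTML "reply" whose executable part is declared as a
# WAV file and referenced by Content-ID, with a benign PDF alongside it.
DISGUISED_MESSAGE = b"""From: friend@example.com
To: you@example.com
Subject: Re: your message
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"

<html><body>See the attached file.</body></html>
--BOUNDARY
Content-Type: audio/x-wav; name="README.DOC.pif"
Content-Transfer-Encoding: base64
Content-ID: <part1>

bm90IGEgcmVhbCBleGVjdXRhYmxl
--BOUNDARY
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""

# Constructed sample: an ordinary message with a PDF attachment.
CLEAN_MESSAGE = b"""From: colleague@example.com
To: you@example.com
Subject: Q4 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Report attached.
--BOUNDARY
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""

if __name__ == "__main__":
    for label, raw in (("disguised", DISGUISED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, find_suspicious_attachments(raw), "quarantine:", should_quarantine(raw))
```

The check deliberately trusts neither the declared Content-Type nor the client: it keys on the filename extension, because the whole point of the flaw was that the client believed the type header and never looked at the name. A production filter would also decode the payload and check for a PE header, but the header/name mismatch alone catches the shape this message warns about.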