AnyBackPage Article
The FrontPage E-Zine Of Choice
Current Issue 4 Vol a: 25th March 2006 Members: 2,395

Please note: AnyFrontPage Bytes only publishes the FrontPage News and FrontPage links AFP Site - The complete issue is available to subscribers only in the Yahoo! Archives.


Internet Safety by Mike Baynes

NEW: Mike's virus page is updated with information on the Blaster worm and its removal!

Have you been away?

Here is something we don't always think of: you've been away for a few days, and you return to sit down and check the mail or go surfing.

Be sure to check your anti-virus program for updates first; a lot can have happened while you were gone.

The safest form of email is plain text, as it cannot hide HTML scripts, which may contain viruses or other malicious code.

Do not open an attachment unless the sender has notified you before its arrival that they are sending you one, along with its name and size. You may be wise to set your email program to download only the e-mail headers, so that you can check that no attachment has a double extension ending in .exe, .scr, or .pif.

We all like to use JavaScript on our web pages, but not all JavaScript is safe.

Reference: "Kaspersky Labs" http://www.viruslist.com/eng/viruslist.html?id=57335

Netdex is a multi-component backdoor trojan program. It allows a remote hacker to take control of infected computers. To accomplish this, the backdoor code downloads special script files from the Web site http://www.two.com.ru, processes them and then sends the result back to that Web site.

The main backdoor component is a JavaScript program with the name "zshell.js".

Other backdoor components are:


We all like to visit web sites, but before you do, you should consider your own safety.

Make sure you are running a recently updated anti-virus program. New viruses are being developed and discovered constantly. For your own security, check for updates to your anti-virus program frequently.

"The most severe virus attack this year is currently being waged by a program called BugBear. First detected on Sep 29th in an email from Malaysia, the malware (which has both worm and virus characteristics) has infected computers in more than 180 countries and has been seen crossing the Internet more than 450,000 times as of October 10th. See the MessageLabs VirusEye link below for updated statistics.  http://www.messagelabs.com/Threat_Watch/Threat_Statistics  

The worm propagates via email and network shares, disables security software, sets up a backdoor, and logs users' keystrokes, thereby capturing passwords and credit card information. Further, the worm has caused such a panic that email hoaxsters have succeeded in tricking some people into deleting a real system file in a desperate attempt to protect themselves.

The various functions of the malware are outlined below.

Email Propagation: BugBear sends itself as an email attachment and typically requires the email recipient to open the attachment before infection occurs (virus characteristic). However, the program is careful to craft its messages to take advantage of the "Incorrect MIME Header can cause IE to Execute Email Attachment" vulnerability patched in MS01-020. This vulnerability, which was also exploited by Nimda, causes unpatched IE 5.01 and 5.5 browsers to automatically execute the email attachment when the message is viewed in Outlook (worm characteristic).

All BugBear attachment files have variable names with double extensions, where the second extension is one of .exe, .scr, or .pif. The worm obtains new victim email addresses from the Windows address book, and can create entirely new messages, or may resend previously sent messages to new recipients (thereby potentially disclosing private emails to third parties).  BugBear also uses variable subject lines and can spoof the "From" email header value, causing further confusion."
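The double-extension check from the advice on e-mail headers and from the BugBear description above, as an added Python example (not part of the original article): it parses a message and flags attachments whose name ends in .exe, .scr or .pif behind another extension. The media-type comparison is an added heuristic that goes beyond the article's text, and the sample message, addresses and file names are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Final extensions named in the BugBear description quoted above.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif"}

def attachment_findings(raw_message: bytes):
    """Return (filename, reason) pairs for attachments worth quarantining."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # message body or multipart container, not an attachment
        # Windows ignores trailing dots and spaces, so drop them before splitting.
        pieces = name.strip().rstrip(". ").lower().split(".")
        if len(pieces) < 2 or "." + pieces[-1] not in EXECUTABLE_EXTS:
            continue
        if len(pieces) >= 3 and pieces[-2]:
            findings.append((name, "double extension"))
        # Added heuristic (assumption, not from the article): an executable
        # name declared with a non-application media type is a mismatch.
        if part.get_content_maintype() != "application":
            findings.append((name, "media type does not match executable name"))
    return findings

def build_sample() -> bytes:
    """Constructed test message with two suspicious and one benign attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"x", maintype="audio", subtype="x-wav",
                       filename="setup.txt.pif")
    msg.add_attachment(b"y", maintype="application", subtype="octet-stream",
                       filename="card.jpg.scr")
    msg.add_attachment("z", filename="notes.v2.txt")  # benign: ends in .txt
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in attachment_findings(build_sample()):
        print(f"{filename}: {reason}")
```

A single-extension name such as tool.exe is deliberately not reported by the double-extension rule; a mail filter would normally block those outright.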


Another important safety feature is an active firewall to prevent applications, adware, or Trojans from accessing your computer or from reporting your actions.

These types of programs are often called spyware.

A key logger is an application that can record all keystrokes. Key loggers can be set to activate on certain key words, and are often used to track and report computer usage.

Reference:

BDS/WinSpyer could potentially allow unauthorized key strokes to be logged and used for malicious intent (i.e. containing passwords, credit card information, etc.). If executed, the keylogger copies itself to the \windows\%system% directory under the filename "Spy.exe". It also creates the file "Spy.txt" (contains the logged key strokes) in the \windows\%system% directory.

http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=021023-000017

Tr/SCKeyLog.Spy.20 could potentially allow unauthorized key strokes to be logged and used for malicious intent (i.e. containing passwords, credit card information, etc.).

http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=021023-000016

BDS/Nethief.XP.C would potentially allow someone with malicious intent backdoor access to your computer. If executed, the trojan adds the following file to the \windows\%system% directory: "IExplorer.exe". It stays resident in memory.

http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=021024-000012


Mike ~ It is a good day if I learned something new.

Mike Baynes is editor of MikesWhatsNews (see a sample on his web page) as well as a Technical Support Alliance Member.

For further information on viruses and anti-virus programs, see Mike's pages at http://virusinfo.hackfix.org or subscribe to his newsletter at: virusinfo-request@freelists.org?Subject=subscribe

 
