KCNET NEWSLETTER 08/24/03 TECHNICAL PAGE
VIRUS AND OTHER STINKY STUFF TECHNICALLY SPEAKING INTERESTING SITES
VIRUS AND OTHER STINKY STUFF: This is for Windows XP, 2000, and NT users only. KCnet has, on disk, the removal tool and the executable file (MS03-026 security fix) that installs the windows patch for the MSBlast worm also referred to as the LovSan virus. KCnet also has this link for the Security Patch:
Hey! A little grin in times of turbulence can't hurt. Thanks Gary n' Patti! Thought you would want to know about this email virus. Even the most advanced programs from Norton or McAfee virus protection programs cannot take care of this one. It appears to mostly affect those of us who were born prior to 1960. Symptoms: 1. Causes you to send the same e-mail twice. 2. Causes you to send a blank e-mail. 3. Causes you to send e-mail to the wrong person. 4. Causes you to send it back to the person who sent it to you. 5. Causes you to forget to attach the attachment. 6. Causes you to hit "SEND" before you've finished. 7. Causes you to hit "DELETE" instead of "SEND." It is called the "C-Nile Virus."
'Good' worm, new bug mean double trouble By Robert Lemos Staff Writer, CNET News.com August 19, 2003 A "good" Internet worm and a new malicious mass-mailing computer virus are creating an enormous amount of network traffic, slowing some corporate systems, security experts said Tuesday. The Internet worm--called MSBlast.D, W32.Welchia or W32/Nachi--started compromising computers Monday and has overwhelmed some corporate networks with its aggressive scans for vulnerable hosts. Meanwhile, a new variant of the mass-mailing Sobig virus, called W32/SoBig.F, took off on Tuesday, swamping many companies' mail servers. The double whammy caused problems on some corporate networks but not for the Internet at large. SoBig.F disrupted e-mail systems at the Massachusetts Institute of Technology, while the MSBlast variant, Nachi, disrupted the ticketing systems of Air Canada and the corporate networks at Lockheed Martin. "This is local clogging as opposed to worldwide Internet clogging," said Jimmy Kuo, a research fellow at security software company Network Associates. "There are many areas of local pain." The MSBlast variant, Nachi, infects computers using the same widespread vulnerability in Microsoft Windows that previous versions of the worm exploited. The program then downloads a patch to protect systems against future infections of the MSBlast worm. The worm's goal of patching systems resulted in some pundits labeling it a "good" worm. While the intentions of the unknown worm writer seem to have been good, its aggressive spread has clogged many networks. "It's faster," Kuo said. Previous versions of MSBlast tried to spread to 20 different network addresses at a time but had to wait for each attempt to fail, if no computer was at that address. The Nachi variant tries to spread to 300 different addresses at a time and doesn't wait, letting it spread very fast. Lockheed Martin and Air Canada were among the many companies that suddenly found their networks inundated with data, as the Nachi worm searched for vulnerable hosts to infect. Although the worm infected less than one percent of the company's 110,000 desktops, Lockheed Martin had some disruptions, said Elaine Hinsdale, director of communications for the company. "Lockheed Martin, like many others around, has had to deal with this worm," she said. Air Canada had more serious issues. The Nachi virus disrupted the airline's reservation center, forcing the carrier to delay and cancel flights. "As a result of the virus, the impact of which is not limited to Air Canada, a number of the airline's computer systems are affected, including its reservations and airport check-in systems," the company said in a statement it released Tuesday. "While the airline's on-time performance has been good up to (11 a.m. PDT), in addition to longer wait times customers should expect some flight delays and cancellations for the remainder of the day." SoBig, so far The latest version of the SoBig mass-mailing computer virus also caused headaches for network administrators. E-mail service provider MessageLabs stopped more than 100,000 messages carrying the latest virus in the first few hours of the attack. "It is definitely a quick spread," said Brian Czarny, marketing director of MessageLabs. Administrators at MIT had to deal with blocking the avalanche of copies of the SoBig.F worm. "It is just causing long delays," said Jeffrey Schiller, manager of the university's network. Because so many messages had hit MIT's e-mail gateways, the computers had long queues of messages waiting to be processed by the antivirus filters. Combined with the effort of stomping out Nachi, the administrators had their hands full, Schiller said. "There is a special section of hell reserved for the guys that write these things," Schiller said. Rick Stratton, president of Web software company 1871 Media, said the virus hit his business and his clients' Web sites hard, because many sites had public e-mail addresses posted on their pages. "Before I turned (the transmission of those e-mails) off, I probably got about 200 in an hour," he said. "The Web mail interface can't even process the volume." The SoBig.F virus spreads by harvesting e-mails from Web pages and from the address book of an infected computer. It sends a copy of itself to the addresses in an e-mail message with a subject lines such as "Your Details" "Re: Approved," and "Thank you!" The virus also spreads by copying itself to shared network hard drives that are accessible to the infected computer. Stratton said he doesn't think his company nor his clients were infected with the virus, but the amount of e-mail generated by SoBig.F caused enough of a headache. "Once I figured it out, I was fine. But I found our customers were getting killed with the number of e-mails created," he said. The SoBig variant isn't all that different from previous versions of the worm. The family of viruses is thought to have been created so that spammers can use victims' computers to send bulk e-mails anonymously. Compromised systems connect to an Internet server specified by the virus and download a Trojan horse, Kuo said. While the mass-mailing virus hasn't changed much, people still open the attachment and infect their computers, he said. "The education is slow," Kuo said. "We would have figured that this mechanism should have died out a year ago, but people still do click on e-mail attachments."
This e-mail message is being sent to you by Microsoft Corporation. To verify the authenticity of this e-mail message, please visit: http://go.microsoft.com/?linkid=222103 (this was an email I received on August 16, 2003. From Microsoft. It identifies the new download pages for upgrades and patches. Dear Microsoft Customer, On August 11, 2003, Microsoft began investigating a report of a worm, known as W32.Blaster.Worm, that exploits the vulnerability addressed by Microsoft Security Bulletin MS03-026. Microsoft released this critical security bulletin and corresponding patch for Windows operating systems on July 16, 2003. While some customers may not notice the presence of the worm infection at all on their computer systems, typical symptoms may include Windows XP and Windows Server 2003 systems rebooting every few minutes without user input or Windows NT4 and Windows 2000 systems becoming unresponsive. If you applied security patch MS03-026 prior to the discovery of the Blaster worm, your system is secure from the vulnerability that W32.Blaster is using. For the most current information on determining if your systems are infected and how to recover from the infection, please go to the following Web site and perform the prescribed steps: http://go.microsoft.com/?linkid=222104. This site will be updated as more information regarding the W32.blaster worm becomes available. Our goal is to provide you with the information and tools you need to help run your company safely and reliably. When we become aware of these types of vulnerabilities, it is our goal to share protection and remediation information with you as quickly as is possible. In order to help protect your computing environment from security vulnerabilities, we encourage you to use the Windows Update service by going to http://go.microsoft.com/?linkid=222105 and also subscribe to Microsoft's security notification service at http://go.microsoft.com/?linkid=222106. By using these two services you will automatically receive information on the latest software updates and the latest security notifications, thereby improving the likelihood that your computing environment will be safe from the worms and viruses that occur. Thank you, Microsoft Corporation
New MSBlast variant plugs hole By Robert Lemos Staff Writer, CNET News.com August 18, 2003 A variant of MSBlast spread on Monday August 18, but the new worm has an odd twist: It applies a patch for the vulnerability that it and other MSBlast worms use to infect Windows systems. The new worm, dubbed W32.Welchia, W32/Nachi and Worm_MSBlast.D, appears to properly download the patch for both Windows 2000 and Windows XP from Microsoft's Web site. Moreover, the variant will delete itself the first time an infected computer starts up in 2004. That doesn't mean that such worms are a good idea, said Joe Hartmann, North American director for antivirus research at security software firm Trend Micro. "This is just a regular worm like anything else," he said. "In the end, they are going to cause more trouble than they help." Despite the apparent lack of malicious intent, the worm still sends a great deal of unwanted traffic, as it tries to spread to other computers. In addition, if several computers download the patch from Microsoft at the same time, it could slow network performance, Hartmann said. "That's the way we found out about this--when our clients came to us complaining of slow network performance," he said. The original variant of the MSBlast worm continued to spread over the weekend and has likely infected more than 570,000 computers, according to security firm Symantec. The company's data measures the number of Internet addresses that show signs of a worm infection. Because Internet addresses don't correspond to single computers, the number is a rough estimate of total infections. Moreover, it is uncertain what fraction of those compromised computers has been cleaned of the infection. Oliver Friedrichs, senior manager for Symantec's security response center, agreed that worms aren't a good way to distribute patches. "I don't necessarily think whenever you infect someone's systems, install software and reboot the computer that that is a good thing," he said. "It still tries to propagate; it is still attacking people over the Internet." The patching worm doesn't install software on all computers. The latest variant of MSBlast only plugs the security holes on the English, Korean and Chinese versions of Windows XP and Windows 2000. And it doesn't remove infections that have already compromised a computer. The latest variant of the worm comes three days after Microsoft managed to dodge a denial-of-service attack promised by the original worm. The attack, which would have leveled a flood of data at Microsoft's Windows Update site, was foiled when the software giant deleted the address the worm was targeting. The worm is expected to continue to spread despite the aborted attack. Microsoft also announced on Friday that an e-mail hoax is circulating. The subject line of the e-mail is "updated," and the message appears to contain a critical update to patch systems against the MSBlast worm. In reality, clicking on the attached file will infect the recipient's computer with a Trojan horse program. Antivirus company Sophos dubbed the new program Graybird. Microsoft warned consumers that it never uses e-mail to distribute patches.
IF YOU SUSPECT THAT YOU HAVE A VIRUS OR IF YOU HAVE NOT SUCCESSFULLY SCANNED YOUR DRIVES FOR VIRUSES LATELY... THEN THE NEXT SUGGESTION IS FOR YOU. Free Virus scan. Trend Micro, more commonly referred to as Housecall, offers free virus scans and in most cases can fix damage down by a virus or worm that your computer may have contacted. The program works well. The first time one uses the free program it is necessary to download a small program. Trend Micro walks you through the process. Then the virus scans are quite simple for each return. You should disable any anti virus program that you have running. If you do not have a virus program I recommend that you use this program first and then download one of the free programs listed above of install any anti virus program you have purchased. Go to http://housecall.antivirus.com/ then choose the link "Scan without registering". Follow the directions.
Free Virus programs to download Quite a few KCnet members use these programs and like them. Be careful if you download a virus program and you already have one installed on your computer. You need to at least disable the program already installed. http://www.grisoft.com/us/us_dwnl_free.php Another good free program to take a look at is: http://www.free-av.com/
10 Most Prevalent Viruses Surveyed by Trend Micro US (week of: August 04 to August 10, 2003) note: 1. JAVA_BYTVERIFY.A 2. ADW_TENGET.A 3. JAVA_NEEDY.A 4. WORM_KLEZ.H 5. VBS_HAPTIME.A-1 6. JS_EXCEPTION.GEN 7. WORM_MAPSON.A 8. VBS_REDLOF.A 9. JAVA_NOCHEAT.A 10. WORM_SPYBOT.GEN
Tried and Untrue Viruses Believe it or not, the amount of harm done by sending false computer virus alarms to your thousand closest friends can be just as damaging as the alleged virus (if it even exists!); if you remember the story of the boy who cried wolf, you understand why. If you think you've got the scoop on the latest new devastating virus, check it out at the Web sites below before taking it on yourself to alert the world. If the virus is as terrible as you think it is, odds are the virus fighters already know about it and -- good news here! -- your antivirus software provider probably knows about it too and already has an update for it. Here are a few sites of many that can help you determine if an email is a hoax or real. http://www.snopes.com/ http://www.urbanlegends.com/ulz/ http://www.snopes.com/ http://hoaxbusters.ciac.org/HBHoaxIndex.html http://vil.nai.com/VIL/hoaxes.asp http://kumite.com/myths/ http://www.symantec.com/avcenter/hoax.html http://www.scambusters.org/VirusHoaxes.html
Microsoft announced on Friday August 15, that an e-mail hoax is circulating. The subject line of the e-mail is "updated," and the message appears to contain a critical update to patch systems against the MSBlast worm. In reality, clicking on the attached file will infect the recipient's computer with a Trojan horse program. Antivirus company Sophos dubbed the new program Graybird. Microsoft warned consumers that it never uses e-mail to distribute patches.
TECHNICALLY SPEAKING: This is for Windows XP, 2000, and NT users only. KCnet has on disk the removal tool and the executable file (MS03-026 security fix) that installs the windows patch for the MSBlast worm also referred to as the LovSan virus. KCnet also has this link for the Security Patch:
This is for Windows XP, 2000, and NT users only. Other Operating Systems will not be affected. This will be the third week I have written about this issue. It involves the Microsoft MS03-026 security fix released June 16. Affected Products: All computers that are using Microsoft® Windows® XP ISSUE: When starting your computer, you may see the following error message: This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM Time before shutdown: 00:00:59 Message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly
The most "wired" nation in the world (on a per-capita basis) is Finland, with 244.5 Internet users per 1000 persons. (Source: Guinness World Records 2000)
News: Rough Waters Ahead for Music Swappers and the RIAA The RIAA has begun to carry through on its promise to go after individuals and has delivered over a thousand requests to ISPs for the names of alleged Jack and Jill music pirates. But a group representing ISPs wonders about the RIAA's methods and the potential for abuse. Others maintain the RIAA's actions will damage the recording industry's image (is that possible?). Read about the controversy in our latest news story. http://www.pcmag.com/article2/0,4149,1217245,00.asp
Opinion: Homeland, Sweet, Secure(?), Homeland Now this is a different spin on why we should want Microsoft. This guy is probably right too. (MLF) This week's Blaster worm outbreak put a whole new perspective on Senior Executive Producer Lance Ulanoff's take on Microsoft and Dell winning a major Department of Homeland Security contract. Or maybe the outbreak just solidifies his belief that the people tasked with securing America had no other choice. Read the full story http://www.pcmag.com/article2/0,4149,1218668,00.asp
Some goodies from Langalist Two Quick Reader Recommendations I am sure that you have mentioned the site before, but it may stand repeating. I am talking, of course, about http://www.driverguide.com/ an absolute haven for device drivers and updates, particularly for older devices. Also, on the subject of free anti-virus software, I recently installed AntiVir from http://www.free-av.com/ on my daughter's PC and on its first pass, it detected and cleaned a trojan that McAfee had missed, the PC ran significantly quicker afterwards. Best wishes and carry on the good work. ---Don Armour (UK) Indeed, it's been two years since we've talked about DriverGuide http://www.langa.com/newsletters/2001/2001-08-02.htm#3 But it's an excellent site when you otherwise run into dead ends trying to find drivers for various hardware devices. AntiVir has been around for a while, but doesn't seem to generate much buzz--- I don't know why, because the readers who have commented on it have all been positive. See, for example, http://www.langa.com/newsletters/2002/2002-12-19.htm#6
I've been hearing a lot about "PayPal" lately - mostly people pretending to be them for some sort of scam. However, I have no clue what the heck a "PayPal" is. Far as I know, it could be some guy that pulls my credit card out and types in the numbers for me. This one from Worldstart. PayPal is basically an online payment service. Don’t let the scams mislead you into thinking PayPal is some sort of unscrupulous service run off that back room near exit 13 of the information super-highway. They are a legitimate company that has been around a long time (OK, a long time in "internet time"). Basically, PayPal is kind of like an online bank. You put money in using your credit card or bank account, then pay people using the money you deposited. The lucky merchant pays the fees. OK, I know what you're thinking - why bother when I can just use a credit or bank card? Well, with a credit card, bankcard, or checking account transfer, you have to surrender sensitive information to the company you're dealing with. Now, if it's a good company like WorldStart, Amazon, or Best Buy, then there's no problem giving credit card numbers and such. However, what if you're dealing with some small company you've never heard of before? Like Bob's Honest Auto Parts or Franks Flashy Fishing Lures? Sure, they may be great companies, but do you know that for a fact? Would you bet your open credit card balance on it? With PayPal, you don't have to worry about those kinds of things. Money is transferred directly from your PayPal account to theirs. You have to send the money to them - they can't "pull" it from your account like they could a credit card (nor can they get your account information). Plus, PayPal will intervene if things end up on the fraudulent side. I'm constantly buying stuff online and anytime I'm dealing with a company I've not heard of I always pay with PayPal. In fact, if the company won't take PayPal, I tend to be extremely careful around them and may bypass the purchase. For more info, check out: http://www.paypal.com And no, I'm not getting paid for saying any of this. I just think they have a good system for online payments and I know I feel better using them to pay those companies I'm a little unsure of. Never can be too paranoid online.
What is the Windows Clipboard? The following from Worldstart. Good stuff to know. The Windows clipboard is used to temporarily store stuff. This "stuff" can come in the form of just about anything. Images, files, documents, etc.—they can all be placed on the clipboard. Once something has been copied to the clipboard it can be pasted into another location. The clipboard isn't a program you can actually access and play with. It's a built-in windows component that works transparently. When you copy or cut, the info is put onto this clipboard. When you paste, the information that's on the clipboard is put into whatever it is you're working on. For instance, if I have some information on a web page that I want to put into a word processing document, this is what would happen: 1. I highlight and copy (CTRL-C) the text from the web page. When I do this, the text is placed on the clipboard. 2. Now, I open my word processor (MS Word 2000 and up must be open before you copy). Right now, the info is still sitting on the clipboard and can be pasted into my word processor or any other program that can handle text. 3. OK, now I right-click a blank area of my word processing document and choose Paste from the resulting menu (or just use CTRL-V) . This will take the info that's currently sitting on the clipboard (i.e. the web page text in this case) and attempt to put it into my word processing document. I say "attempt to put the info on the clipboard into the word processor" because sometimes the info that's on your clipboard is not compatible with the program you're using. For example, if you try to paste a picture into notepad, that just isn't going to work. For example, lets say you were working on a report in MS Word and you would like to quote some information you uncovered on the web. Rather than printing out the web page and re-typing the block of text you would like to quote, you can highlight the text on the webpage and copy it to the clipboard (highlight by holding down your left mouse button and dragging it over the section of text you would like to have. Copy it by right-clicking that section of text and selecting Copy from the menu that pops up). Now, head back to MS Word and position the cursor where you would like to insert the text. Hit CRTL-V (or click the Edit menu, Paste), and presto, the web page text you copied has now been pasted into your Word doc.
Purge Your Clipboard of Large Files More clipboard stuff from Worldstart. When you use the "copy" or "cut" command, it copies information to your Windows clipboard. That information is kept in your RAM memory until it's replaced by something else. Unfortunately, if you're copying large items, this can adversely affect your computer's performance. How? Well, that large file, picture, object, or whatever it was that you copied is floating around in your RAM, regardless of whether it's been pasted or not. For example, let's say I have 32 meg of free RAM. I copy a 10 meg file to my clipboard. Now, that file will continue to occupy 10 meg of RAM until something else is placed on the clipboard, the clipboard is purged, or I restart my computer. So what can you do? The simplest thing would be to just copy something small to your clipboard. Maybe copy a blank space in a word processor to your clipboard or possibly a short sentence. Anything small is fine. Since your clipboard can only hold one item at a time, the old 10 meg file is replaced with the new small file. You could also open the Clipboard Viewer, hit the Edit menu, then Delete. This will quickly purge the clipboard contents. You can get to the clipboard viewer by clicking Start, Programs, Accessories, System Tools. It should be under there if it's installed (it's not always installed). XP users have a similar utility called the ClipBook Viewer (MS does like to change things). I shuffled through my Accessories menus but couldn't find any hint of its existence. After a little research, I discovered how to make a desktop shortcut for it. Want one too? Here's how: Right-click a blank area on the desktop, then select New, Shortcut from the resulting menu. For the command line use: C:WINDOWS\system32\clipbrd.exe Hit Next and name the shortcut: ClipBook Viewer Hit Finish. Just double-click to see what's on your clipboard. Oh, and when mine first ran, I had to "restore" the viewer window - for some reason that only makes sense to Microsoft, it was minimized in the lower left hand corner of the viewer program. A quick click on the double boxes and I was able to view my clipboard contents. To delete the contents of the clipboard using this utility, click the black "X" on the toolbar. An additional note for MS Office 2000 users: Office 2000 saves multiple items to the clipboard, so the clipboard has a button to 'Clear All', it also enables you to paste items other than the one last copied. There appears no way to clear specific items from the clipboard. When you exit the program, you should get a prompt saying that there is a large amount of data on the clipboard and asking if you wanr to save it for other applications. To view the clipboard in MS Office 2000, go to View then Toolbars and click on Clipboard. This will allow you to see the multiple clipboard entries. There is a little icon that looks like a clipboard with an X on it. Just click there and bye-bye multiple clipboard items.
INTERESTING SITES: Watch for all your Clinton County friends at the Grange Fair. There is a Web Cam focused on the midway. If you attend the fair be sure to wave to us Wednesday morning. We will have you up and running during the User Class (9:00 am and 10:00 am). http://grangefair.net/
The Phobia List From Amanda. Well do you need to know the name of the phobias you have? Or just want to know some of them for Scrabble or conversation? Well then, this is a site you need to check out. A huge listing of phobias for your browsing pleasure in alphabetical order. Browse by letter or choose the phobia list and just scroll down from A to Z. Here are a few phobias to digest. Agrizoophobia- Fear of wild animals. Agyrophobia- Fear of streets or crossing the street. Megalophobia- Fear of large things. Melissophobia- Fear of bees. Thermophobia- Fear of heat. Tocophobia- Fear of pregnancy or childbirth. Tomophobia- Fear of surgical operations Venustraphobia- Fear of beautiful women. Verbophobia- Fear of words. Verminophobia- Fear of germs. Be very afraid! http://phobialist.com/
The Word Spy Also from Amanda It is kinda like Who sed dat? (MLF) Water Cooler Moment: (WAW.tur.koo.lur MOH.munt) n. In a television show or radio program, a controversial or exciting segment designed to get people talking about the show. Dead Cat Bounce: (ded kat BOWNS) n. A temporary recovery from a major drop in a stock's price. Also: dead-cat bounce. Heroinware: (HAYR.oh.un.wayr) n. An extremely addictive online or computer game. Also: heroin-ware. You are probably wondering what I'm defining these phrases for. Well this site is all about words, new words, words found in newspapers, magazines, book, press releases, and web sites. "This Web site and its associated mailing list are devoted to recently coined words and phrases, old words that are being used in new ways, and existing words that have enjoyed a recent renaissance." As a writer I love new words and new meanings. But you have to admit "Dead Cat Bounce" is strange. I don't think I could say AT&T is dead cat bouncing with a straight face. This site also gives ways the phrases are used and where they were coined. http://www.wordspy.com/
Hey Honey! SOME CELEBRITY IS ON THE PHONE! Washed-up Hollywood Celebrities will make a short call wishing you or a loved one Happy B'day or any other sentiment. What luck! "Q" from Star Trek The Next Generation is one of the choices! http://www.hollywoodiscalling.com/
Flip a Coin You gotta have nothing else to do to get hooked on this one. It is worthn a look though. Random anything can be interesting.(MLF) This page will flip a virtual coin for you. The outcome is truly random because it is based on true random numbers rather than pseudo random numbers commonly used in computer programs. The true random numbers are generated with atmospheric noise. If you want to know more about them, read the introduction to randomness and random numbers or go to the random.org main page http://www.random.org/flip.html