KCNET NEWSLETTER 06/20/04 TECHNICAL PAGE
VIRUS AND OTHER STINKY STUFF
Friday, June 11--Friday, June 18
According to Sophos, a leader in Anti Virus Software development, 19 new/improved viruses which required Anti Virus upgrades were released into cyberspace via email. KCnet's antivirus program caught and "defanged" 2754 email viruses while 186,000+ spam messages were refused. Spam and viruses are still coming in by the big buckets.
Zafi-B
From Sophos
Widespread Zafi-B computer worm calls for death penalty, says Sophos
Experts at Sophos have warned computer users about an increase in the number of reports of the W32/Zafi-B worm. The Zafi-B worm, which first appeared on Friday 11 June, spreads itself by peer-to-peer filesharing systems and email using a wide variety of different languages.
The Zafi-B worm can display a message box on screen containing the following Hungarian text: A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen! 2004, jun, Pécs,(SNAF Team).
The English translation is: We demand that the government accommodates the homeless, tightens up the penal code and VOTES FOR THE DEATH PENALTY to cut down the increasing crime. Jun. 2004, Pécs (SNAF Team)
"The Zafi-B worm has accounted for over 60 per cent of the reports to Sophos's global network of monitoring stations over the last 24 hours, making it the most widespread email worm at the moment," said Graham Cluley, senior technology consultant for Sophos. "All computer users should ensure their defences are in place against the latest viruses. That not only includes regular anti-virus updates to protect against emerging threats, but also running a policy at your email gateway to block unwanted executable code from entering your business."
The Zafi-B worm is believed to have been written in Hungary, but can send itself via email using a variety of languages. Its predecessor, W32/Zafi-A, displayed a message calling for Hungarian patriotism.
WORM_PLEXUS.C Spreads Through Email, Network Shares, Kazaa From Trend Micro WORM_PLEXUS.C is a recently discovered worm that uses its own SMTP engine to send copies of itself via email. Emails appear with subject headers like: "Order" or "Good Offer". Messages appear to be from a familiar person. Examples of messages: "Look at my new screensaver. I hope you will enjoy" "In this archive you can find all those things, you asked me" The message comes with an .EXE attachment. Once executed, WORM_PLEXUS.C drops several copies of itself onto the infected system and creates Windows registry entries to automatically execute at each system startup. To propagate, WORM_PLEXUS.C looks for files with the following extension names to retrieve email addresses and domain names: HTM, HTML, PHP, TBB, TXT. This worm can also drop copies of itself in the Kazaa (peer-to-peer network) shared folder, and propagate through network shares with full access rights. This worm's code also contains the following text: "KAV I'm Expletus !!!, Made in China" This worm is currently in-the-wild and affects Windows 95, 98, ME, NT, 2000, and XP operating systems.
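The Sophos advice above (a gateway policy that blocks executable code) and the WORM_PLEXUS.C description (.EXE attachment) both come down to one check, sketched here as an added example; it is not code from Sophos, Trend Micro or KCnet. The block list, the attachment file names, the addresses and the sample messages are constructed for illustration.

```python
# Added example: a minimal gateway-style check that flags executable
# attachments. Block list and sample messages are assumptions, not vendor data.
import email
import os
from email import policy
from email.message import EmailMessage

# Assumption: illustrative block list; a production policy would be longer.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def inspect_message(raw: bytes) -> list:
    """Return (attachment name, reason) pairs for parts the policy would block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Windows ignores trailing dots and spaces, so "a.exe." still runs as .exe.
        name = (part.get_filename() or "").strip().rstrip(". ")
        ext = os.path.splitext(name.lower())[1]
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension " + ext))
        elif data[:2] == b"MZ":
            # DOS/Windows executables start with "MZ" whatever the file is called.
            findings.append((name or "<unnamed part>", "MZ executable header"))
    return findings


def should_quarantine(raw: bytes) -> bool:
    """True when at least one part of the message violates the policy."""
    return bool(inspect_message(raw))


def build_sample(subject, body, filename, payload) -> bytes:
    """Build a constructed test message; the addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "member@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed, harmless payload: the two header bytes plus padding, not a program.
FAKE_EXE = b"MZ" + b"\x00" * 62

# Subjects and bodies follow the wording quoted above; file names are made up.
SAMPLES = {
    "plexus-style": build_sample(
        "Good Offer", "Look at my new screensaver. I hope you will enjoy",
        "screensaver.exe", FAKE_EXE),
    "trailing-dot": build_sample(
        "Order", "In this archive you can find all those things, you asked me",
        "offer.txt.EXE.", FAKE_EXE),
    "renamed": build_sample(
        "Order", "Holiday picture attached.", "holiday.jpg", FAKE_EXE),
    "clean": build_sample(
        "Meeting notes", "Notes attached.", "minutes.txt", b"Agenda: budget\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", inspect_message(raw) or "deliver")
```

Checking the first bytes as well as the name is what catches an executable that has simply been renamed to look like a picture.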
IF YOU SUSPECT THAT YOU HAVE A VIRUS OR IF YOU HAVE NOT SUCCESSFULLY SCANNED YOUR DRIVES FOR VIRUSES LATELY... THIS NEXT SITE IS FOR YOU.
Free Virus scans. Trend Micro, more commonly referred to as Housecall, offers free virus scans and in most cases can fix damage done by a virus or worm that your computer may have contracted. The program works well. The first time one uses the free program it is necessary to download a small program. Trend Micro walks you through the process. Then the virus scans are quite simple for each return. You should disable any anti virus program that you have running. If you do not have a virus program I recommend that you use this program first and then download one of the free programs listed above or install any anti virus program you have purchased. Go to http://housecall.antivirus.com/ then choose the link "Scan without registering". Follow the directions.
Computer Associates, another reputable and reliable anti virus developer, introduced a new free program which allows anyone to do a virus scan without downloading any software or registering for an anti virus program. You must use Internet Explorer for access to Computer Associates and to perform the scan. This is a good one and very simple to operate. The address is http://www3.ca.com/threatinfo/virusinfo/scan.aspx
Free anti virus programs to download
Quite a few KCnet members use these programs and like them. Be careful if you download an anti virus program and you already have one installed on your computer. You need to at least disable the program already installed. http://www.grisoft.com/us/us_dwnl_free.php Another good free program to take a look at is: http://www.free-av.com/
This list from Trend Micro represents the top 10 reported threats (May 28, 2004 to June 03, 2004):
1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. WORM_SASSER.E
4. WORM_NETSKY.D
5. WORM_SOBER.G
6. TROJ_AGENT.AC
7. WORM_NETSKY.Z
8. WORM_NETSKY.C
9. WORM_NETSKY.Q
10. WORM_NETSKY.B
True Viruses and Warning Letters of Impending Doom. Believe it or not, the amount of harm done by sending false computer virus alarms and letters of impending doom to your thousand closest friends can be just as damaging as the alleged virus (if it even exists!); if you remember the story of the boy who cried wolf, you understand why. If you think you've got the scoop on the latest new devastating virus or latest doom warning, check it out at the Web sites below before taking it on yourself to alert the world. If the virus is as terrible as you think it is, odds are the virus fighters already know about it and -- good news here! -- your antivirus software provider probably knows about it too and already has an update for it. Sophos supplies this current information about actual hoaxes. Look at them. Read about them. If you are sent one of them, delete it.
Here are a few sites of many that can help you determine if an email is a hoax or real. http://www.quatloos.com/ http://www.snopes.com/ http://www.urbanlegends.com/ulz/ http://hoaxbusters.ciac.org/HBHoaxIndex.html http://vil.nai.com/VIL/hoaxes.asp http://kumite.com/myths/ http://www.symantec.com/avcenter/hoax.html http://www.scambusters.org/VirusHoaxes.html http://www.sophos.com/virusinfo/hoaxes/ http://www.truthorfiction.com/
TECHNICALLY SPEAKING: Pop-up toolbar spreads via IE flaws By Robert Lemos, Staff Writer, CNET News.com - June 9, 2004 An adware purveyor has apparently used two previously unknown security flaws in Microsoft's Internet Explorer browser to install a toolbar on victims' computers that triggers pop-up ads, researchers said this week. One flaw lets an attacker run a program on a victim's machine, while the other enables malicious code to "cross zones," or run with privileges higher than normal. Together, the two issues allow for the creation of a Web site that, when visited by victims, can upload and install programs to the victim's computer, according to two analyses of the security holes. The possibility that a group or company has apparently used the vulnerabilities as a way to sneak unwanted advertising software, or adware, onto a user's computer could be grounds for criminal charges, said Stephen Toulouse, security program manager for Microsoft. "We consider that any use of an exploit to run a program is a criminal use," he said. "We are going to work aggressively with law enforcement to prosecute individuals or companies that do so." Microsoft learned of the issue when a security researcher posted an analysis of the problem to the Full Disclosure security mailing list Monday. The software giant has already contacted the FBI and is in the "early stages" of building the case, Toulouse said. The company is considering creating a patch quickly and releasing it as soon as possible, rather than waiting for its usual monthly update. The flaws are apparently being used to install the I-Lookup search bar, an adware toolbar that is added to IE's other toolbars. The adware changes the Internet Explorer home page, connects to one of six advertising sites and frequently displays pop-ups--mainly pornographic ads, according to an adware advisory on antivirus company Symantec's Web site. 
On Tuesday, security information group Secunia released an advisory about the problem, rating the two flaws "extremely critical." "Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0," the group wrote. "It has been reported that the preliminary SP2 (a major security update being developed by Microsoft) prevents exploitation by denying access." The flaws could let any attacker with a Web site send an e-mail message or an instant message with a link that, when clicked on by an Internet Explorer user, would cause a program to run on that victim's computer. The original analysis, written by a Netherlands student researcher, Jelmer Kuperus, found that the type of programming needed to take advantage of at least one of the flaws required sophisticated knowledge of the Windows operating system. "While sophisticated, it's so easy to use, anyone with basic computer science can set up such a page, now that the code is out there in the open," Kuperus wrote in an e-mail interview with CNET News.com. "It's just a matter of changing two or three (Internet addresses) and uploading another" executable file. Kuperus, who used an e-mail account based in the Netherlands, wrote in a Monday e-mail that he had been tipped off to the adware Trojan horse by an unnamed individual. "Being rather skeptical, I carelessly clicked on the link only to witness how it automatically installed adware on my PC!" he wrote. The Internet address from which the adware Trojan horse was downloaded resolves to I-Lookup.com, a search engine registered in Costa Rica that antivirus firms Symantec and PestPatrol have linked to aggressive advertising software. Two of the top three searches on the site relate to removing such programs, according to I-Lookup.com's own statistics. A domain name search shows i-Lookup.com's parent company to be Aztec Marketing, but Pest Patrol links the site with iClicks Internet.
E-mails sent to both companies for comment were not immediately answered. Kuperus believes that i-Lookup.com's parent company may not be directly responsible for the adware-installing Trojan horse program, but that it could be rewarding the creator through an affiliate program. "It does pass along a referrer code when downloading," he said. "Whomever created this probably is getting money for every install, so if the folks at (i-Lookup.com) would be willing, they would be able to track down the perpetrators." Microsoft's Toulouse said Internet Explorer users could harden the software against such attacks by following instructions on the company's site. Other browsers available on Windows, such as Opera and Mozilla, do not contain the flaws. Netscape not vulnerable either!
Re: newsletter comments on connection speed. Bill Myers responds to a tip in last week's Newsletter. He sends good info and I'm passing it on to the readers.
If the "SLOWS" are giving problems, it may be the way Windows selects drivers for 56k v90 and v92 modems. This applies if you've installed or reinstalled a modem and noticed a slowdown after: Many V.92 and V.90 modems start off by using a higher speed (really a frequency not a speed) than the line supports. They then fall back to a slower supported standard. Therefore, the initial connection speed reported by Windows is not usually the speed at which the modem is receiving data. Some 56K modems, such as the ones made by US Robotics, allow the ATI11 command to be used to report the final speed of the connection session prior to a disconnection; otherwise it is very difficult to determine what the connection speed is during a session. To establish a connection in about half the usual time that is the case with V.90 and earlier standards, V.92 modems remember the connection speed used in the previous connection, and use it instead of going through the lengthy handshaking process of negotiating a connection speed with the modem at the other end of the line. In the case of your modem that would be 32Kbit/s. However, once connected, the modem tests the quality of the line, and increases the speed of the connection if the condition of the line allows it. It's possible to disable this Quick Connect feature. You can do that by adding the command +PQC=3 in the Extra settings box (under Control Panel => Modems => Properties => Connection tab => Advanced button). To get an idea of the modem's actual download speed, download a large compressed file, such as a Zip file, from a fast server, which would preferably be your own ISP's server. It has to be a compressed file or the modem will have to compress it and doing so will distort the download speed.
File download speeds are reported in bytes, which are made up of 8 bits. The transmission adds approximately 10% overhead, therefore multiplying the file transfer speed - that is given in kilobytes per second (KB/s) - by nine will give an indication of what the real download speed is in kilobits per second (Kbit/s). In your case, you can experiment by downloading the same files under Linux and Windows. That way, you'll be able to determine if there really is a different download speed between the two operating systems. Note that while its download speeds are significantly faster than a 33.6K modem, even a V.92 modem would only have a slightly faster upload speed than a 33.6K modem on the same line. Windows XP is very prone to installing its own drivers for modems with Intel chipsets in preference to the latest downloaded update. The reason for this is most probably because the downloaded Intel driver file doesn't possess a Windows Hardware Quality Labs (WHQL) digital signature. Windows will always install the qualified, signed drivers instead of a file that has no such signature. You have to follow the instructions made available on the modem manufacturer's website (Intel does not manufacture modems, only the chipsets for modems). Some modem drivers are installed via their own setup program, and others have to have the driver files unpacked to a destination folder, and then have to be installed from it. To force the issue, open the Device Manager by right-click on My Computer, click Properties and then the Hardware tab. Select the entry for the modem as shown in the image below, and click Update Driver... Thanks Bill!!!!
The next two are from Worldstart and timely too.
I lose my dial up connection each time I send an email using Outlook Express. How do I fix this?
OE can be set to hang up after it sends or receives email. This is a great feature if you have limited monthly hours online, but can be really annoying if you decide to check your mail while you're surfin' the web. Fortunately this feature can be turned on or off. Go to Tools / Options, then click the "Connections" tab. If you want Outlook Express to hang up after sending or checking mail, check the box. If you DON'T want it to hang up after, just uncheck the box. NOTE: If you are someone who downloads their email then reads it offline (hang up after receiving), keep in mind that this can cause you to get a red X where a graphic should be. We get email from readers all the time who complain that the pictures are missing from the newsletter. Since our pictures load from the server, you must be online when reading or printing to get the pictures.
What's This? Also from Worldstart. We often tell you ways to configure Internet Explorer or Outlook Express for maximum efficiency or how to stop annoying default features. Many times you end up in the "Options" menu where you are faced with a long list of features. What does each one do? Guess what, there is a very easy way to find out what different features do in Microsoft products. Just right-click the item and a little box comes up that says "What's This?". Click that box and you get a little description. Try it. If you are using Internet Explorer, go to Tools / Internet Options and click the "Advanced" tab. Go to any item in the list (I chose "Enable Page Transitions"), put your arrow over it and right-click. See the "What's This?" box? Click it and your description should appear. This also works with the Option menus in Outlook Express and MS Word. Give it a try with other program option lists. It's a great way to find out what you're
Cingular systems open door to fraudulent credit card transactions By David Berlind Tech writer for ZDNET June 8, 2004 Having often reported on issues relating to how easy it is to violate a consumer's privacy and the lengths to which enterprises must go to ensure the privacy of all of their constituents (customers, employees, stockholders, etc), I perked up when ZDNet reader Kevin Priester alerted me to a rather astonishing flaw in Cingular's newly launched online account management system. In an e-mail to me, Priester wrote, "I figured you might like this. Cingular has now implemented a new feature on their site that will allow you to look up basic account information with only a cell number and a zip code." That, by itself, is of course a privacy violation. But it gets worse. Kevin's note went on to say, "Once you find that basic account information, if the account holder has ever paid on Cingular.com you can pay their bill for them using their Credit Card or bank account. You can also pay their bill with their funds and as much of their funds as you would like." Later, via telephone, Priester informed me that the same security hole was available for exploitation via Cingular's telephone-based interactive voice response (IVR) system through 1-866-CINGULAR. To help readers visualize the problem, this story links to several screen images that demonstrate how easy it was to do as Kevin says: execute a fraudulent transaction on Cingular's Web site using a credit card. [Editor's Note: Since notifying Cingular of the problem late yesterday (June 8th), company spokesperson Tony Carter issued the following comment: "Cingular Wireless recently implemented some trial improvements on its customer facing Web site. While the improvements had the desired effect of enhancing our customers' experience, primarily by simplifying the access, it had adverse affects as well. We demonstrated this in our trial which we concluded, and made the appropriate adjustments. 
We appreciate being alerted however, and apologize for any inconvenience to our customers." Although the company has shut down the easily hacked path into its customers' accounts, at the time this column was published on June 9, the hole was still open in the company's IVR system.] More of this article: http://snipurl.com/72hs
Media Files and Players
Repeat from an old Worldstart tip with additional suggestions from Mike. These are some of the most common types you'll run into:
.wav the oldest Microsoft type of sound files. Most sounds that you hear at startup and such, including "You've got mail" are waves.
.mid Most instrumental music on web pages are MIDI files. Rather than representing musical sound directly, MIDI files transmit information about how a song should sound that is then processed by your sound card. WAV files represent musical sound directly.
.mp3 these files started the current digital music revolution. Songs can be saved in near CD sound quality and they are compact, thus easy to share (much to the chagrin of the RIAA).
.mpg usually MPEG-4 Video (MP3's big brother)
.ra /.rm RealAudio/RealMedia (RealOne Player)
.mov Quicktime Movie File
.asf Active Streaming File. A Windows Media Audio or Video stream.
.avi Audio Video Interleaved. A Microsoft multimedia format used for Windows Video clips.
.wma Windows Media Audio File
.wmv Windows Media Video file
.ogg Ogg Vorbis is a completely open, patent-free, professional audio encoding and streaming technology. It compresses to an even smaller size than MP3 without loss of quality. It was officially released July 2002 so it's still pretty new.
There are many players that can be used to encode and play these file types. These are my favorites based on features and functionality: MusicMatch Jukebox My personal favorite. Nice GUI and easy to use controls. I can tag (add song info) my music files and create playlists. What I like best is that I can use it to convert my WAV files into mp3. http://www.musicmatch.com/ Jet Audio - What I like best about this one is that I can play all my media files whether mp3, wma, RealMedia, or OGG Vorbis. It also allows the user to slow down, speed up, and add effects to a song so you don't just listen, but interact as well.
http://www.jetaudio.com Windows Media Player Often ignored since it comes standard with Windows, but it's not a bad little player. If you just want to listen to mp3 and burn the occasional CD, then you already have a good tool "bundled" with Windows. http://www.microsoft.com/windows/windowsmedia/9series/player.aspx WinAmp A favorite music player with many users. http://www.winamp.com RealOne Player A necessity for playing most streaming content that has a .ra or .rm file extension. http://www.real.com/ Quicktime - Many movie trailers open in this format. IE and NS both have QT plug ins so that the clips play right in your browser. http://www.apple.com/quicktime/ You can head on over to the individual sites for all these players and compare features yourself. They all offer free downloads, however, some of them (like RealOne) make it harder to find the free download version. The KCnet Advanced Users have investigated some other players and highly recommend them for specific purposes. Crescendo - This player is specifically used online. It plays .mid and .mp3 files only. Unfortunately it cannot be downloaded from the internet anymore. An executable file for Crescendo can be forwarded or picked up on disk from Mike at mfoust@kcnet.org. You need to identify your browser and operating system, i.e. Windows 98 - Internet Explorer or XP - Netscape 7.1. This player opens fast and can be configured to repeat play and can be used to save .mid or mp3 files from an internet site, something some of the other players cannot do. vanBasco's Karaoke Player - This player was specifically designed to be used for .kar (Karaoke) files and can play .mid files. It is fast opening and simple and it has some very nice unique options. One can change the speed that a file is played. The various instruments used in the file can be identified. Play lists can be saved. Lyrics can be run if supplied with the files. This is a neat Windows player but does not function as a plug in for online use.
http://vanBasco.com Important: Pay attention when installing any new player. Most of these players will want to change your default settings for playing the different sound extensions. This includes the possibility of wiping out a default player for the internet. Installers should check the options or configuration opportunities anytime a new sound player/recorder is installed. You can choose which extensions you want the new player program to act on.
INTERESTING SITES: Kim Komando suggested this site. It is kind of appropriate for Father's Day. Bringing up father There are numerous blogs out there. Most are interesting only to the people who write them. Very few are written well enough to be read by strangers. Today's site is an unusual blog. It's funny, different and sweet. The Trixie Update is a blog created by a first-time father. Diaper changes, feedings and sleeping schedules are recorded with scientific precision -- often with disastrous results. For example, Trixie's father surmised that his baby would weigh 779 pounds at age 1, based on one month of growth. Do yourself a favor; start at the beginning and read up to the latest entry. It's hysterical, loving and well-done. http://www.trixieupdate.com/
LIVE IMPLOSION WEBCAST Over the past century, explosive demolition has grown from an uncommon experimental procedure into an industry that successfully performs hundreds of projects each year. However, despite the large number of these events worldwide, the vast majority of the general public has still never seen an implosion first-hand. Which is why we developed Implosion Live. The webcasts archived below are designed to bring you, the viewer, on location to experience the final minutes leading up to a blast in real time. And you're not just standing with the other spectators-- you're watching alongside part of the demolition team. Sometimes we will speak with the blaster during the countdown. Other times we may chat with the general demolition contractor, or a resident whose house is closest to the implosion, or we'll actually travel inside the doomed building to show you what types of explosives and methods the blaster is using to fell the structure. As you'll see, each webcast is different-- and a little unpredictable-- because you never know exactly what will happen when watching an Implosion Live. These events are designed for viewing with the RealPlayer system. http://www.implosionworld.com/gallery.htm
Wanna know what's on the tube? This is bigger than TV Guide and there are bloopers too. TV Tome has over 2,100 complete guides covering almost all the current shows and many of your favorite classics. There's also an additional 3,000+ guides that are partially complete or under development. Use the search box to find your favorite or browse through the list of all shows. TV Tome features reviews for some of your favorite shows. Look for a reviews link on the show's main page or check out some recent reviews. If you'd like to volunteer to share your views on the episodes of your favorite show see being a TV Tome writer. TV Tome is more than just a collection of episode guides. The site also features over 200,000 people associated with TV. Actors, writers, directors and producers can all be found here. With each person is at least a partial list of their credits and many have biographies and additional information. http://www.tvtome.com/
This is an interesting food site, foods not to eat that is. http://www.cspinet.org/nah/10foods_bad.html
Gary n' Patti sent this site; it is loaded with sites for interesting publications. Ogden Publications publishes magazines and books for people interested in self-sufficiency, sustainability, rural lifestyles and farm memorabilia. We also provide valuable products to our readers, including insurance and financial services. http://www.ogdenpubs.com/
Celebrating American Imagination and Industry! Plan a tour as part of your vacation travel this summer. Factory Tours USA - 453 tours and counting! This site celebrates American imagination and industry. What better way to appreciate those qualities than to visit and tour America at work. The information on this site is maintained by many people throughout the United States who enjoy visiting American industry. http://factorytoursusa.com/Index.asp