VIRUS AND OTHER STINKY STUFF TECHNICALLY SPEAKING INTERESTING SITES
December14, 2004 Latest Zafi worm spreading in the wild as email Christmas greeting, Sophos reports Zafi-D is nothing to smile about, as mass-mailing virus spreads Christmas fear rather than cheer.. An enlarged version of the smiley faces animated graphic used by the Zafi-D worm The Zafi-D worm can embed an animated image of two "smileys" into its malicious emails. Anti-virus experts at Sophos have detected a new in-the-wild email worm which is spreading via email disguised as a Christmas greeting. The W32/Zafi-D worm, which is believed to have been written in Hungary, spreads an attached file inside emails offering seasonal greetings to the recipient. The emails can use a variety of different languages including English, French, Spanish and Hungarian. Emails can contain messages as "FW: Merry Christmas", "Joyeux Noel!" and "Feliz Navidad!". Embedded inside the email is a crude animated GIF graphic of two "smiley" faces. If the attached viral file is launched, the Zafi-D worm displays an error message ("CRC: 04F6Bh Error in packed file!") in an attempt to fool the user that it was simply a program that has failed to work properly rather than a disguise for virus infection. A typical message sent by the W32/Zafi-D worm A typical message sent by the W32/Zafi-D worm "Despite its disguise, Zafi-D isn't much of a Christmas present. Users who open the attached file will trigger the virus into action, infecting their PC and potentially opening it up to hacker attack," said Graham Cluley, senior technology consultant for Sophos. "Heartless hackers and virus writers can attack at any time of year, and every computer user should be on the lookout for unusual emails and be wary of ever opening any unsolicited file they are sent via email." Sophos advises companies to be as suspicious during the holiday season as they would be at any other time of the year. "Having a business environment where it's seen to be acceptable to send and receive joke programs, screensavers, and electronic greetings cards increases the risk of virus infection at any time - but can prove particularly risky during the holiday season," continued Cluley. "When your computer data is at risk it may be wiser to avoid electronic wellwishing, and use paper and ink instead." Sophos recommends companies protect their email gateways with a consolidated solution to thwart the virus and spam threats as well as secure their desktop and servers with automatically updated anti-virus protection. Other versions of the Zafi worm have successfully spread in the wild: W32/Zafi-C Attacked the website of the newly appointed Hungarian Prime Minister. W32/Zafi-B Calls for the introduction of the death penalty in Hungary. W32/Zafi-A Displays a message calling for Hungarian patriotism, timed to coincide with the country joining the European Union.
Multitasking MASLAN - WORM_MASLAN.A (High Risk) WORM_MASLAN.A is a memory-resident worm that spreads via email, and typically arrives in an attachment called "PlayGirls2.exe. The worm harvests target recipients from certain files found in the system. It also exploits the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability, possibly to aid in its propagation. In addition, this worm has backdoor functionalities that allow remote users to gain virtual control over the infected system. It terminates certain processes associated with antivirus applications, lowering security on the affected system. It also performs denial of service (DoS) attacks on certain Web sites. This worm runs on Windows 95, 98, ME, NT, 2000, and XP. Upon execution, it drops the following component files in the Windows system folder: * ___r.exe * ___n.exe * ___synmgr.exe It creates two autostart registry entries that allow it to automatically execute at every Windows startup. But, an error in the program then prompts the operating system to report an error message. Clicking OK in the error message terminates the worm component. This worm's code allows it to propagate via email. It gathers email addresses from files with the following extensions, and sends itself: * adb * asp * cfg * cgi * dbx * dhtm * eml * htm * jsp * mbx * mdx * mht * mmf * msg * nch * ods * oft * php * sht * shtm * stm * tbb * txt * uin * wab * wsh * xls * xml The email it sends contains the following details: Subject: <Name> Message Body: Hello <Name>, Best regards, <Name> Attachment: PlayGirls2.exe <Name> is one of the following: * Alan * Andrew * Angel * Anna * Arnold * Bernard * Carter * Chris * Christian * Conor * Ghisler * Goldberg * Green * Helen * Ivan * Jackson * John * Kramer * Kutcher * Liza * Lopez * Mackye * Maria * Miller * Nelson * Peter * Robert * Ruben * Sarah * Scott * Smith * Steven This worm also has backdoor functionalities that allow it to connect to an IRC server, where it listens for commands from a remote user, allowing the remote user to perform the following functions: * Download and execute files * Log keystrokes * Perform denial of service attack through SYN flooding * Terminate processes * Update itself * Exploit WORM_MASLAN.A also exploits the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability to remotely execute programs in vulnerable systems. The RPC DCOM Buffer Overflow (MS03-026) allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. Read more on this vulnerability from Microsoft Security Bulletin MS03-026 at http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx. The worm also terminates several processes associated with antivirus applications, and performs a Denial of Service attack on the following Web sites: * chechenpress.com * chechenpress.info * kavkaz.org.uk * kavkaz.tv * kavkaz.uk.com * kavkazcenter.com * kavkazcenter.info * kavkazcenter.net This worm also searches the Program Files folder and its subdirectories for .EXE files with a path that contains any of the following substrings: * distr * download * setup * share When such an .EXE file is found, it recreates the path of the file in the ___b directory and copies the file afterward. The file’s contents are then replaced with zeroes. The following text strings are found in the worm body: * -{ Hah… MyDoom, Bagle, etc… since then you do not have future more! }-
IF YOU SUSPECT THAT YOU HAVE A VIRUS OR IF YOU HAVE NOT SUCCESSFULLY SCANNED YOUR DRIVES FOR VIRUSES LATELY... THIS NEXT SITE IS FOR YOU. Free Virus scans. Computer Associates, a reputable and reliable anti virus developer introduced a new free program which allows anyone to do a virus scan without downloading any software or registering for an anti virus program. You must use Internet Explorer for access to Computer Associates and to perform the scan. This is a good one and very simple to operate The address is http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Trend Micro, more commonly referred to as Housecall, offers free virus scans and in most cases can fix damage down by a virus or worm that your computer may have contacted. The program works well. The first time one uses the free program it is necessary to download a small program. Trend Micro walks you through the process. Then the virus scans are quite simple for each return. Go to http://housecall.antivirus.com/ then choose the link "Scan without registering". Follow the directions.
You should disable any anti virus program that you have running. If you do not have a virus program I recommend that you use one of the programs offered above first and then download and install one of the free programs listed below or install any anti virus program you have purchased.
Free Anti Virus programs to download. Quite a few KCnet members use these programs and like them. Be careful if you download a virus program and you already have one installed on your computer. You need to at least disable the program already installed.
AVG Free AVG Free Edition is the well-known anti-virus protection tool. AVG Free is available free-of-charge to home users for the life of the product! Rapid virus database updates are available for the lifetime of the product, thereby providing the high-level of detection capability that millions of users around the world trust to protect their computers. AVG Free is easy-to-use and will not slow your system down (low system resource requirements). http://free.grisoft.com/freeweb.php/doc/2/lng/us/tpl/v5
Avast Avast has been "anti virusing" for quite awhile. The following info comes from their download page: Avast! Home is now free of charge for HOME users for NON-COMMERCIAL use. You can find more info here. http://www.avast.com/eng/down_home.html Note: This product is free for home non-commercial use after registration! HINTS: Click on the English Version Link and download the installation file. Then click on the installation file and follow the directions. You will need to return to the download page and click on the link to get the registration key. It will be sent to you in an email after you provide some registration information. This will give you 14 months of coverage including any updates which can be set to auto download. You can reregister for additional free coverage at the end of the 14 months. You will want to browse around and choose from the many options available for operation. This process will take some time and digging.
Another good free program to take a look at is: http://www.free-av.com/ This one installs a bit easier than Avast.
Top 5 Viruses for December 03 to December 10 from Trend Micro 1. PE_BUGBEAR.DAM 2. WORM_NETSKY.P 3. HTML_NETSKY.P 4. WORM_NETSKY.D 5. WORM_SOBER.I
True Viruses and Warning Letters of Impending Doom. Believe it or not, the amount of harm done by sending false computer virus alarms and letters of impending doom to your thousand closest friends can be just as damaging as the alleged virus (if it even exists!); if you remember the story of the boy who cried wolf, you understand why. If you think you've got the scoop on the latest new devastating virus or latest doom warning, check it out at the Web sites below before taking it on yourself to alert the world. If the virus is as terrible as you think it is, odds are the virus fighters already know about it and -- good news here! -- your anti virus software provider probably knows about it too and already has an update for it. Sophos supplies this current information about actual hoaxes. Look at them. Read about them. If you are sent one of them, delete it.
Here are a few sites of many that can help you determine if an email is a hoax or real. http://www.quatloos.com/ http://www.snopes.com/ http://www.urbanlegends.com/ulz/ http://hoaxbusters.ciac.org/HBHoaxIndex.html http://vil.nai.com/VIL/hoaxes.asp http://kumite.com/myths/ http://www.symantec.com/avcenter/hoax.html http://www.scambusters.org/VirusHoaxes.html http://www.sophos.com/virusinfo/hoaxes/ http://www.truthorfiction.com/
TECHNICALLY SPEAKING: 10 Million can't all be wrong! Firefox surpasses 10 million download mark By Steven Musil Staff Writer, CNET New Published: December 12, 2004 Firefox, the open-source challenger to market heavyweight Internet Explorer, has surpassed 10 million downloads in a little more than a month since the browser was released in November. The free Web browser from the Mozilla Foundation surpassed 10 million downloads on Saturday as Web surfers continue to move away from Microsoft's market-dominating IE. The milestone highlights growing frustration with the security vulnerabilities that have dogged IE during the past few months. Nearly two dozen holes in the Web browser have been discovered during the fall, ranging in degrees of seriousness. Firefox's surge has helped Mozilla cut into Microsoft's dominance of the Web browser market, with the software giant's market share dropping to less than 90 percent. Dutch market researcher OneStat.com reported last month that IE's market share had slipped to 88.9 percent in the third week of November, down 5 percentage points from its share in May. Mozilla-based browsers, including Firefox, rose to 7.4 percent, up 5 percentage points from May. "It seems that people are switching from Microsoft's Internet Explorer to Mozilla's new Firefox browser," Niels Brinkman, co-founder of OneStat.com, said in a statement in November. Microsoft has disputed these numbers, claiming that they do not represent corporate users. "It doesn't jibe with what WebSideStory shows, and what neither of these count is corporate intranets where users aren't actually hitting the Web," Gary Schare, Microsoft's director of product management for Windows, said of OneStat's statistics. On Wednesday, the information technology services department at Pennsylvania State University recommended that students drop IE in favor of Firefox and Apple Computer's Safari to reduce attacks through vulnerabilities in the Microsoft software. The university said "media reports" and a string of warnings by Carnegie Mellon University's computer emergency response team led to its recommendation. Malicious code writers have targeted security holes in the browser to launch attacks or install spyware. These attacks are often launched when a victim clicks on a specific Web link, opening the door for intruders to take over the person's computer. Once the PC is compromised, the attacker could access account information, load other software and delete files.
There is still time to take advantage of the CREATE YOUR OWN E-MAIL ADDRESS offer.
Create your own e-mail address! KCnet is NOW able to offer personalized e-mail addresses. Choose the name you want people to see when they get a message from you – easy to remember, professional, fun, or descriptive. Examples: greatcook@mikesdiner, ed@buckhunter
Or create your own family/organization/ball team/church/company/group: Sally@thejonesfamily.com, Mom@thejonesfamily, and auntbea@thejonesfamily Use your imagination and order NOW.
Each package comes with a starter pack of 10 personalized business cards in a ready-to-give gift box. All this for $30 and your gift will continue giving all year long. And as an extra December special, we are offering a free KCnet computer class (value up to $35), when you order before December 31. You may stop at 18 East Main Street, Lock Haven or call 570-893-8111. This offer of $30 per year is good for KCnet members only. Price for non-KCnet members is $60 and includes an e-mail account.
The next two are from a recent Worldstart. I missed them somehow but Richard Barkman alerted me to their existence. They are good and worth reading and using, I get this annoying message asking if I want to send an error report to Microsoft. Is there any way to disable it? Beginning with Windows ME, the brains at Microsoft added a feature that allows you to send a report to the mothership any time an error occurs. Maybe I'm paranoid or read too many conspiracy theories, but I don't want to send anything about my computer to anyone—whether it's Big Brother or Uncle Bill. Of course I can just choose not to send the report, but I'm trying to save my clicker finger for more important things like deleting gigabytes of spam that slithers through my message rules. Here's what to do... In the Control Panel, choose "System". Go to the Advanced tab and click "Error Reporting". In the Error Reporting window, click "Disable error reporting". If you still want to know if an error occurs, then select "But let me know when critical errors occur". There you go—now you can keep your errors to yourself!
What's This? We often tell you ways to configure Internet Explorer or Outlook Express for maximum efficiency or how to stop annoying default features. Many times you end up in the "Options" menu where you are faced with a long list of features. What does each one do? Guess what, there is a very easy way to find out what different features do in Microsoft products. Just right-click the item and a little box comes up that says "What's This?". Click that box and you get a little description. Try it. If you are using Internet Explorer, go to Tools / Internet Options and click the "Advanced" tab. Go to any item in the list (I chose "Enable Page Transitions"), put your arrow over it and right-click. See the "What's This?" box? Click it and your description should appear. This also works with the Option menus in Outlook Express and MS Word. Give it a try with other program option lists. It's a great way to find out what you're getting into before you click or unclick a feature.
Trouble with a capital T Adware cannibals feast on each other By Stefanie Olsen, Staff Writer, CNET News Published: December 7, 2004 Read this and you'll get an idea of how important that Tracking Cookie is to the company that placed it on your computer. I've been on machines that are practically dead. I install anti spyware programs for them and have found hundreds of these trackers on one machine trying to operate and send personal information back to the setting company. If you don't have and use Anti Spyware you are asking for trouble, Trouble with a capital T. (Mike) Companies that use free software downloads to target Web surfers with annoying ads are turning on each other to keep customers--and the cash they generate--for themselves. The tactic is in the spotlight in a little-noticed legal dispute unfolding in Seattle. Caribbean-based ad company Avenue Media last month accused New York-based DirectRevenue of using competing software to detect and delete Avenue Media's Internet Optimizer program from its customers' computers. According to the Nov. 24 complaint, DirectResponse's software detects Internet Optimizer and then sends a command to "kill" the program, a process that deletes its files from the PC registry and from the computer altogether. Avenue Media said DirectRevenue's tactics have caused it to lose about 1 million customers--about half its installed base--and as much as $10,000 a day in revenue. "DirectRevenue, knowingly and with intent to defraud, exceeded its authorized access to users' computers...by automatically uninstalling Avenue Media's Internet Optimizer upon installation or update of DirectRevenue's competing browser," according to the complaint, which was filed in a district court in Seattle. Avenue Media's lawsuit offers the latest twist in the tangled and sometimes seedy tale of programs--known as adware, malware or spyware--designed to deliver advertisements from an all-seeing and sometimes inextricable place on the PC. Though there are many useful applications for the desktop and the Web, the industry associated with it is much like the Wild West, with no real rules or self-regulation, and can taint even responsible companies. Legal experts said Avenue Media's lawsuit is important because, if the charges hold up, it may shed light on the rights of software makers when it comes to changing users' personal PC settings. The suit also could turn up the volume on the outcry from consumers and privacy watchdogs over the plague of spyware and malware applications online. "Once the computer is infected with 10 different unwanted programs, the person is likely to take some action to address the situation," said Ben Edelman, a researcher at Harvard University. Edelman says he has recorded instances of DirectRevenue's software uninstalling Avenue Media's program. "Assuming you could get away with this, it could be highly lucrative." Founded in 2002, DirectRevenue makes software to monitor Web surfing behavior and send targeted ads while people are at a particular Web site. For example, it might deliver a Hertz ad while a visitor is at the Web site of Dollar. DirectRevenue acknowledges that it may uninstall competing applications in its user license agreement: "You further understand and agree, by installing the software, that the software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer." It also makes Web game applications or other such software, including a plug-in to keep track of U.S government atomic time, so that people are enticed to download a bundle of applications that includes its adware. The company's software is identified by several different names including A Better Internet, BI, Twaintek and Thinstall, according to the complaint. DirectRevenue has raised as much as $26 million from investors Technology Investment Capital and Insight Venture Partners. Industry experts said the charges reflect a wider trend, as makers of stealthy software downloads increasingly target and uninstall rival applications once their own programs are downloaded on a user's PC. Because many such programs are designed to track consumer behavior online to deliver targeted ads, ridding a user's PC of rival applications could mean more revenue or prove helpful in avoiding detection down the road. DirectRevenue did not immediately return calls for comment. In a posting on DirectRevenue's Web site, the company said its software is not spyware, or software that collects personally identifiable information for nefarious purposes. Avenue Media, based on the island of Curacao, did not respond to an e-mail request for comment.
PHISHING A couple of weeks ago we discussed the phishing letter being emailed locally. It looked like it came from SunBank. It directed the reader to a site that was not Sun's. Vital personal information was asked about the readers account under the pretense that Sun had a glitch with the readers bank account and needed verification. The mailing was so damaging that Omega Bank released the following announcement: Fraud Alert There have been reports of an email scam involving a bogus website, which appears to be from SunTrust. SunBank is now part of Omega Bank, but is not affiliated with SunTrust. Omega Bank will never ask you to update your personal, account or financial information through email. So that is an example of Phishing.
HELP HELP HELP HELP HELP HELP with Phishing Scams. A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places - hoping that some percentage of users won't notice the incorrect URL and give away important information. This practice is sometimes known as “phishing". I know of two programs that will assist users in determining whether a site is legitimate. (Mike)
1. Spoof Stick: It is a toolbar addon created for a browser (works for Netscape, Mozilla, Firefox, and Internet Explorer.) SpoofStick is a simple browser extension that helps users detect spoofed (fake) websites. SpoofStick makes it easier to spot a spoofed website by prominently displaying only the most relevant domain information. It's not a comprehensive solution, but it's a good start. Spoofstick will say: "You're on ebay.com". If you get fooled by going to a spoofed site, for example http://signin.ebay.com@10.19.32.4/ (a "spoof" example used by ebay in their customer outreach), Spoofstick will say: "You're on 10.19.32.4" You can customize the color and size of the SpoofStick display to suit your tastes and make it harder for a fake site to try to “spoof” SpoofStick with a static graphic. SpoofStick contains no adware, spyware, nagware or other unhealthy additives. Download SpoofStick: http://www.corestreet.com/spoofstick/
2. TrustWatch: It is also a toolbar addon created for only Internet Explorer. TrustWatch is a web site rating system that gives Internet users information on the security and trustworthiness of domains and web sites. Before you exchange sensitive information, such as a providing a credit card number, personal identification information or other confidential data, TrustWatch allows you to check that the site has been verified by a trusted third party and is using appropriate safeguarding measures. TrustWatch is a free, publicly-available utility that checks several sources and then reports back to the user a verification rating for that domain or web site. Based on a variety of factors, TrustWatch reports a rating very much like a credit bureau reports an individual's credit score. TrustWatch has been developed by GeoTrust, a leader in identity and trust services, and the world's second largest Certification Authority. GeoTrust's business is helping individuals and organizations obtain trusted digital identities - whether that's for a person, device or an application. Download TrustWatch http://trustwatch.com/
INTERESTING SITES: We'll be tracking Santa Claus December 24th, 2004! NORAD is the bi-national military organization of Canada and the United States responsible for the aerospace defense of the two countries. This is the 50th season that NORAD and its predecessor, the Continental Air Defense Command (CONAD) have tracked Santa. The tradition began after a Colorado Springs store's advertisement for children to call Santa on a special "hotline" included a misprinted telephone number. Instead of Santa, the phone number put kids through to the CONAD Commander-in-Chief's operations "hotline." The Director of Operations, Colonel Harry Shoup, received the first "Santa" call on Christmas Eve 1955. Realizing what had happened, Colonel Shoup had his staff check radar data to see if there was any indication of Santa making his way south from the North Pole. Indeed there were signs of Santa and children who called were given an update on Santa's position. Thus, the tradition was born. In 1958, the governments of Canada and the United States decided to create a bi-national air defense command for the North American continent called the North American Air Defense Command. Canada and the U.S. believed they could better defend North America together as a team instead of separately. The Command carried out its first Santa tracking in 1958 after inheriting the tradition from CONAD. Since that time, Canadian and American men and women who work at NORAD have responded to phone calls from children personally. Additionally, media from all over the world call NORAD on Christmas Eve for updates on Santa's location. Last year this Website was visited by millions of people who wanted to know Santa's whereabouts. This year, the information is provided in six languages. There is a ton of interesting info about the program in addition to giving children an opportunity to track Santa's wherebouts on December 24. You gotta love this site. http://www.noradsanta.org/
Another fun Santa Tracker. Our Review For Tracking Santa By Mr Mike (not KCnet's Mike) Tracking Santa is a fun game where Santa's Elves have to help Santa deliver his presents on Christmas eve. Unfortunately Santas sleigh is not big enough to hold all of the presents!! So Santa must return from his around the world trip back to the North Pole periodically to stock up on more presents! There are other interesting things to do on this site. http://www.acid-play.com/download/tracking-santa/
XC Skiing Information Season Amanda suggested this one. Attention cross country skiers, this site is for you, even those beginner's like me. Here you can find Daily Snow Reports, Resort Guides, Equipment Directory, Ski Racing, and much, much more. I loved the Snow Monsters section—it's the kids ski section. It contains a Kid's Club, Movies and Cartoons, Next X Snow, My Mountain, and a section called "Respect Nature". I love the Respect Nature section which teaches all about how to respect the danger, and ecosystem that Mother Nature provides. It also has a bunch of neat experiments that they can check out too. Down in "Media Releases" you can find the latest news, and even check out the photo gallery. One thing I want to talk about is the Daily Snow Reports. You can check both by location, and by resort. Put in the State, Region/Country, and get the snow report. Or you can put in the State, Region/Country and get the Resort Report. A very handy site for those out there who enjoy skiing. http://www.xcski.org/
Snow Crystal Photographs...Gorgeous Photos of Snow Flakes Capturing the fleeting beauty of snowflakes ... Snowflakes are temporary works of art. After just a few short minutes on the ground, a fallen snowflake will lose its ornate structure, its unique pattern that will never again be repeated. Photography allows us to preserve a few of these minute masterpieces and to examine their form up close. http://www.its.caltech.edu/~atomic/snowcrystals/photos/photos.htm
Things Other People Accomplished When They Were Your Age PUNCH IN YOUR AGE, YOU CAN'T WIN, WE'RE ALL LOSERS http://www.museumofconceptualart.com/accomplished/
Kidney Stone Photographs Ya gotta have the stomach er... the kidneys actually, to handle this one. It is interesting from a medical point of view. Scary if you never had 'em and painful memories if you have ...had 'em. I was shocked considering the path these things travel to the outside world. One of them had a staple embedded in it. http://www.herringlab.com/photos/index.html
TALK LIKE HARRY POTTER I'm not so sure this one is exciting but some may enjoy shocking the kids with their pronouncabilities capabilities. Maybe YOU don't particularly care, but your kids will be fascinated to hear how the odd names and words in the Harry Potter series are actually pronounced. http://www.scholastic.com/harrypotter/books/pronunciation/play.htm