Not sure about a threat? We'll be glad to check it out for you. Forward it to security@sdsltd.com with a word of explanation on how you received it. E-mails forwarded without explanation will be treated as a virus and deleted.
VIRUS BULLETIN #38
CHINESE THREAT OF HACK ATTACKS
(29 April 01, updated on 30 April 2001)
Newspapers are full of articles concerning the threat of hack attacks on U.S. computers and websites by Chinese hackers during their Labor Day week, 1-7 May 2001. It could be just a lot of media hype, it could be partially accurate, or it could be a problem. We thought we should provide you with the information, so you can make up your own mind.
- National Infrastructure Protection Center (NIPC)
- VMyths.com - Please read Rob Rosenberger's VMyths.com Alert and see why he "dismisses the weeklong 'hacktivism' as an empty threat." (VMyths.com Virus Hysteria Alert, 27 April 2001)
- Virtual New York - "In an article quoting mostly unnamed sources, 21cnn.com praised Chinese hackers as "fearless revolutionary heroes" standing up to "American bullies" and elevated their efforts to the status of defenders of the nation. Other Chinese sites carried similar articles, including one on Nasdaq-listed Sina.com that predicts the attacks would occur anywhere between May 1 and May 7 -- the two-year anniversary of the U.S. bombing of China's embassy in Belgrade, Yugoslavia."
VIRUS BULLETIN #38A
(30 April 2001 Update)
This is the opening paragraph of the Fox News article (see link below): "Chinese computer hackers who blame the United States for the April 1 collision between an American military surveillance plane and a Chinese fighter jet launched a massive attack Monday against U.S. Web sites, including those of United Press International, the U.S. Department of Labor and the Navy's communication center."
- Yahoo! Hong Kong News - Monday, 30 April 2001 article
- Fox News - 30 April 2001 - See "Related Information" in the right column of the article
- VMyths.com - Update e-mail
- Vmyths.com - Don't miss Rob Rosenberger's (VMyths.com) page on this "China Syndrome" - Also, found on Rob's site is this link to The Register (London). Don't miss it!
- The Register - 3 April 2001, "Chinese Feds demand computer virus samples"
- USA Today - 30 April 2001, "Chinese Hackers Strike U.S. Sites"
- Washington Post - 30 April 2001, "Hackers Vandalize Two U.S. Websites"

(1 May 2001 Update)

- American Foreign Policy Council - Click on China Reform Monitor No. 380, May 1, 2001 issue by Al Santoli - "China's military plans to use 'unrestricted warfare,' including computer viruses, economic sabotage, stock market manipulation and information warfare to offset America's military advantage, the Newhouse News Service reports. Intelligence officials say the CIA translation of a major book, Unrestricted Warfare, published in 1999 by the Chinese People's Liberation Army press, shows significant support for the strategy in Chinese military circles." (AFPC, CRM, 1 May 2001)
NOTE (29 April 2001): One of our acquaintances who uses Norton Personal Firewall on the home computer had a record of a probe of the computer (access was denied by NPF - it works!) by Chinanet Guangdong Province Network of China Telecom, on Thursday, 26 April 2001. Whether that was related to this upcoming threat is doubtful; however, the coincidence is interesting. That computer has apparently been probed unsuccessfully several times recently (access denied) by websites in Poland, South Korea, Japan, Singapore, the United Kingdom and by an assortment of U.S.-registered organizations.
Unless you install personal firewall protection software, you have no way of knowing if, while connected to the Internet, your personal computer is being probed by an organization looking for specific information in your system. Unless the firewall denies access, the prober then obtains information without your knowledge. The firewall software provides the date, time, type of probe, and links to finding out who attempted to probe your system.
VIRUS BULLETIN #39
I WANNA SEE YOU (or other name...)
AKA W95.MTX, W95.Oisdbo
(02 May 2001)
From Norton: "W95.MTX has a virus component and a worm component. It propagates by email. It also infects some Win32 executables in specific folders. The virus has the capability to block access to certain Web sites. This may prevent you from downloading new virus definitions."
We received this virus/worm twice within a few minutes from the same sender under the attachment name "I wanna SEE You."

To simplify your life (we're kidding, of course!), this virus/worm can assume different attachment names. That is why we suggest you follow this procedure: if you receive an attachment that you are not expecting, particularly if it is from a friend or acquaintance, try to refrain from clicking on the attachment immediately. Rather, reply to the sender and ask if the person meant to send the attachment. It may save you a whole lot of trouble if you take that simple measure. This particular virus/worm is difficult to remove manually.
- F-Secure (Data Fellows) - See list of possible attachment names this worm may assume
- McAfee/Network Associates - See right side box "More Information" for remedy in both instances
- Norton/Symantec - See list of possible attachment names this worm may assume
VIRUS BULLETIN #40
HOMEPAGE
AKA VBS/SST.gen@MM
(09 May 2001)
This virus/worm arrives as an e-mail attachment, most probably from someone you know, with an enticing message to open a "cool attachment." The attachment name is "Homepage.html.vbs"; the worm is also generically known as VBS/SST.gen@MM. As soon as you open the attachment, it infects your system and tries to send itself to the recipients in your address book. Do not open the attachment; DELETE the message immediately. To obtain removal instructions, you may visit one of the following antiviral software companies to download the latest update:
That is why we suggest you follow this procedure: if you receive an attachment that you are not expecting, particularly if it is from a friend or acquaintance, try to refrain from clicking on the attachment immediately. Rather, reply to the sender and ask if the person meant to send the attachment. It may save you a whole lot of trouble if you take that simple measure. This particular virus/worm is difficult to remove manually.
Please read again our Words of Caution.
VIRUS BULLETIN #41
SUDAMERICANO PEQUEÑO, PERO, OEMRNCE
(16 May 01, updated 16 July 2001)
A Bulletin recipient warned us of receiving an e-mail infected with a virus which was intercepted, happily, by her antiviral software. Although the subject of the e-mail she received (Sudamericano pequeño, pero) and the attachment name (OEMRNCE.EXE) do not appear in the list of software companies' new viruses, her antiviral software intercepted this virus under the generic virus name of "W32@Magistr." As you know (and may have experienced), infected e-mails often (not always) come from family members, friends or acquaintances who are not even aware that their system is infected. If you receive this e-mail, please do not open the attachment. Delete it.
SUBJECT: Sudamericano pequeño, pero

BODY: Diversidad biológica y geográfica. Hay cuatro regiones geográficas en el Ecuador: el oriente, la sierra, la costa, y los galápagos. En el pasado la mayoría de la gente vivía en la sierra y el campo, hoy la mayoria de la gente vive en la costa y las ciudades.
(English: Biological and geographical diversity. There are four geographical regions in Ecuador: the east, the highlands, the coast, and the Galápagos. In the past most people lived in the highlands and the countryside; today most people live on the coast and in the cities.)

ATTACHMENT:
  Name: OEMRNCE.EXE
  Type: application/x-msdownload
  Encoding: base64
Since this appears to be a generic virus which already has a fix, you may refer to our Virus Bulletin #31 above. It covers the generic virus under which this new e-mail falls and you will find the links to the antiviral software companies for more information and to download a fix if needed.
VIRUS BULLETIN #42
SIRCAM
AKA W32.SirCam@MM
(20 Jul 2001, updated 23 July 2001)
From McAfee: "This is a HIGH RISK virus for consumers that is spread to email recipients found in the Windows Address Book and addresses found in cached files. The infected email can come from addresses that you recognize. Attached is a file with two different extensions. The file name itself varies."
From F-Secure: "Another file is then created by the worm. It contains a list of files with certain extensions (e.g. with .DOC, .ZIP, JPG extensions) located in a user's 'My Documents' folder. Since quite often users keep their personal or company-related documents there, it means that the worm can send out confidential information."
The catch: the e-mail comes from someone you may know and may say, "I send you this file in order to have your advice."

(added 23 July 2001) As usual, we recommend that you do NOT open attachments from people you know if you are not expecting the attachments. Instead, "reply to" the senders and ask them if they actually sent the e-mail and attachment. We have caught a few worms/viruses this way. In turn, if you are sending an attachment, we suggest that you write something that clearly gives it a personal touch, something the recipient would recognize as coming from you and a hacker would not know.
- F-Secure (Data Fellows)
- McAfee/Network Associates
- Norton/Symantec

UPDATE - 23 Jul 01

UPDATE - 01 Aug 01 - We have had reports from three unrelated sources that their systems were infected with SirCam. Please, do not open any attachments from a KNOWN or unknown source without first asking the senders if they sent the e-mail in question.

- SirCam Virus Continues to Affect Email - Fox News, 30 Jul 01 - "That stubborn e-mail worm is particularly difficult to stamp out because of its changing subject line. Although the typical Sircam e-mail reads: "I send you this file in order to have your advice," it can also have completely different subject lines, making it impossible to tell whether a message is legitimate without opening it."
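Bulletins #40, #41 and #42 above all turn on the same attachment patterns: a double extension such as Homepage.html.vbs, an executable such as OEMRNCE.EXE sent as application/x-msdownload, and a SirCam-style name with two different extensions. The following script is an added example, not code from the bulletin or from any antiviral vendor; it builds a constructed message modelled on the OEMRNCE.EXE e-mail and flags attachments that match those patterns before anyone opens them.

```python
# Added example: flag e-mail attachments that match the patterns the bulletins
# describe (double extension, executable extension, executable content type).
# The sample message below is constructed; the addresses are placeholders.
import email
from email import policy
from email.message import EmailMessage

EXEC_EXTS = {"exe", "vbs", "pif", "scr", "bat", "com", "lnk"}
EXEC_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def classify(name: str, content_type: str) -> list:
    """Return the reasons an attachment name/type looks suspicious (empty if none)."""
    exts = name.lower().split(".")[1:]          # "Homepage.html.vbs" -> ["html", "vbs"]
    reasons = []
    if len(exts) >= 2:
        reasons.append("double extension")       # Homepage.html.vbs, SirCam-style names
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append("executable extension ." + exts[-1])
    if content_type in EXEC_TYPES:
        reasons.append("executable content type " + content_type)
    return reasons


def attachment_findings(raw: bytes) -> list:
    """Parse a raw RFC 822 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [
        {"name": part.get_filename() or "",
         "reasons": classify(part.get_filename() or "", part.get_content_type())}
        for part in msg.iter_attachments()
    ]


def build_sample() -> bytes:
    """Constructed message modelled on the Bulletin #41 e-mail (not the real one)."""
    m = EmailMessage()
    m["From"] = "friend@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = "Sudamericano pequeño, pero"
    m.set_content("Diversidad biologica y geografica.")
    m.add_attachment(b"MZ\x90\x00 placeholder bytes, not a real binary",
                     maintype="application", subtype="x-msdownload",
                     filename="OEMRNCE.EXE")
    m.add_attachment(b"benign text", maintype="text", subtype="plain",
                     filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in attachment_findings(build_sample()):
        print(finding)
```

Running the script prints one record per attachment; OEMRNCE.EXE is flagged for both its extension and its content type, while notes.txt produces no reasons.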
VIRUS BULLETIN #43
CODE RED
AKA I.Worm.Bady, CodeRed, Bady, W32/Bady.Worm
(31 July 2001, 01 August 2001)
This Bulletin provides a variety of items on Code Red and its "imminent strike." This virus may or may not affect you directly, depending on your server and your setup. But, is it hype? Is it real? Is it confined to certain systems? Is it hysteria? We shall soon find out!
F-Secure/Data Fellows: "Bady [Code Red] is a worm that exploits a security hole in Microsoft Internet Information Server (IIS) to spread. When it infects a server it starts to scan for other vulnerable servers and infects them. During a certain period of time the worm only spreads, then it initiates a Denial-of-Service (DoS) attack against www1.whitehouse.gov and finally suspends all the activities."
McAfee: "AVERT reiterates that this threat does not generally affect an end-user's PC, but rather it attacks unpatched administrator's Microsoft IIS web servers. However, all Internet users can feel the effects of this worm, such as requested web pages being defaced or unavailable, due to the actions of this worm."
VIRUS BULLETIN #44
MAGISTR
(7 September 2001)
This W32/Magistr virus/worm has re-appeared and we urge you to re-visit Virus Bulletin #31 above and read carefully the description of the virus and how it is propagated.
We received over 15 e-mails with attachments infected with this worm. They came from people we did not know. Please read again our Words of Caution.
VIRUS BULLETIN #45
W32APost@MM
(7 September 2001)
You can read about this new virus/worm on the McAfee site at: