Dangerous Portents

Oh no, virus attacks are back in fashion. On 5 June 2001, perhaps to coincide with World Environment Day, yet another Internet worm, I-Worm.MsWorld, was discovered. The Day-linked significance is simple: the worm destroys your data and therefore renders your PC useless. Now since the PC no longer consumes any electrical energy it helps preserve the environment!

I-Worm.MsWorld, aka W32/MsWorld@MM, is a Windows PE (executable) infector. The virus file size is about 130 KB, and it is written in Visual Basic with an embedded Macromedia Flash module. The worm spreads by e-mail, with the subject line "Miss World" (hence the name). The message body contains "Hi, <your name> Enjoy the latest pictures of Miss World from various Country [sic]." The worm is intelligent enough to address each recipient individually. The file attachment is one of MWrld.exe, MissWorld.exe or MWld.exe.

Executing the attachment opens one of 4 different Flash windows (see image). The worm spreads courtesy of your Outlook Address Book: once your computer is infected, it will e-mail a copy of itself to the first 50 contacts. The Flash message seems a mere annoyance, but it hides the worm dropping a copy of a DOS batch file, AUTOEXEC.BAT, onto your hard drive. The next time you boot up, this batch file will reformat your hard drive! Meanwhile, the worm also attempts to delete USER.DAT, USER.DA0, SYSTEM.DAT, and SYSTEM.DA0. If these files are in use, you will see a "RUN-TIME ERROR" message, and only the .DA0 files (backups of the .DAT files) will be deleted.

The (now infamous) SULFNBK.EXE email hoax is being re-circulated, but this time it has a sting in its tail. For those who came in late, SULFNBK.EXE is used by the built-in Windows Backup programme to archive and restore files with long file names. So do avoid deleting it, as Windows will gradually stop responding. And were you to use Backup after deleting this file, Windows will crash permanently.

The user who first cried "Wolf!" had a copy of the file infected by the Magistr worm! So does the new email with a sting: I've learned there are copies of the hoax now circulating with the Magistr worm embedded in them. So watch out!

This plague of email viruses should have improved your sensitivity and alertness to such matters. However, judging from the emails I receive and reply to in Mailbox, several of our more recent converts to the faith don't yet appreciate the gravity of such matters. All I can offer is that when something bad happens you only have yourselves to blame.

For example, a colleague of mine (who also used to write about viruses) managed to panic most of my company. Worse, he didn't send the email in a personal capacity but with the imprint of a site manager, which lent the hoax authority and actually made fire-fighting harder. Luckily, in-company we use a thin client-based network and users can't delete system files. Still, several other senior company members and I spent nearly a whole day sorting out the mess, with a net loss in productivity of Rs 1 lakh! Don't laugh. It could happen to you too.

The past few weeks have seen a sharp rise in the incidence of Denial of Service (DoS) attacks. The most ironic one brought CERT.org, home of the Computer Emergency Response Team, to its knees for nearly 3 days. A similar attack on Gibson Research was finally blocked mainly thanks to the diligent efforts of Steve Gibson. I found his tale so interesting I managed to get it as an it@tt Exclusive. Read Part 1 in this week's TechTalk.

For added safety (and perhaps because I'm a closet paranoid), I also use a personal firewall. I used to root for Tiny Personal Firewall (Product Review, it@tt, 1 May 01), but I am now a firm convert to ZoneAlarm after Tiny failed me when I needed it most. We all make mistakes, but luckily for me, between the company router, Tiny and my PC-Cillin antivirus program, I was able to identify and stop the attacker cold. A friend, Jitender Lakhani, tipped me off to ZoneAlarm. Actually, he's been singing its praises for a while. It was I who had remained quite deaf!

ZoneAlarm 2.66 (www.zonealarm.com) is free for personal use. It lets you define local and Internet security zones, block suspicious email attachments (Pro lets you customize this list), and define which apps can and can't access the local network or the Web. Ever since I installed a copy last week I've detected some strange goings-on. Every time I connect to the TataNova site, I receive notification that the site is trying to elicit information from my computer. The same happens when I access their mail server. This only happens when an ISP is trying to gather information on the sly. With Tiny I had no clue. ZoneAlarm ensures I remain alert.

One of Steve's important findings is that the BlackICE Defender firewall is next to useless too. So if you run a copy, discard it as well and download ZoneAlarm instead. That's all I have time for now. See you again in health next week.

Govind Menon
[email protected]
