New Melissa Does You Dirty

Watch out: the recent Microsoft nastiness is not all that's evil online. And although this tip has little to do with viruses, consider using a US address in your Hotmail or Yahoo profiles. Both companies, in an effort to drive traffic to their Indian properties, have reconfigured accounts for those of us in India to go to .co.in domains. The servers are slow and crawly, so if you want quicker resolution, make a switch.

Meanwhile the early New Year cheer seems to be on the wane. Right now there are two new viruses on the loose. One is a new, morphed and highly virulent form of 2000's Melissa. The second is dubbed Davinia. And as if that's not all, Microsoft products too seem to have developed some leaks.

Mine was ruined last week when my virus scanner detected the KAK virus in my Internet cache. I had to purge the cache but am thankful to PC-cillin 2K, which detected the virus. My corporate scanner (which supposedly scans all that passes through our proxy) seems to have been sleeping on the job!

But first, Melissa reborn. This one's code-named W97M/Melissa@MM (aka Anniv.doc, List.doc, Macro.Word97.Melissa, Melissa, Melissa.a, W2001MAC/Melissa.W-mm, W97M/Mailissa, W97M/Melissa.a@MM, W97M_MELISSA.A), and it had already done a certain amount of damage before it appeared on anti-virus radar. Did you know most anti-virus vendors have some kind of online scanner available? The radar is linked to these online tools' results, and the infections reported with Melissa@MM are more than 1 percent of all PCs connected to the Internet.

The original Melissa began life as a Word macro. The new strain continues its ancestor's tradition and affects both Word and Outlook files. It piggy-backs on a file format designed for Office 2001 for the Mac; however, it affects both Mac and Windows. All it takes is for an infected Mac-format file to be sent by email or saved to a floppy readable by Windows.

The strain uses a self-check to verify a Registry setting. If the computer has been previously infected, Melissa@MM probably won't strike anew. But if you've cleaned it out with an anti-virus, then the strain sets the built-in Office macro security level to low. If HKCU\Software\Microsoft\Office\9.0\Word\Security\"Level" is set, the code disables Word 2000's "TOOLS/MACRO/SECURITY" menu option; otherwise it disables Word 97's "TOOLS/MACRO" menu option.

The virus generates and executes a VBS object that uses Outlook to read the contents of the Address Book. It then generates and sends an email to the first 50 recipients. The email is titled "Important Message From Application.UserName" and the body contains "Here is that document you asked for ... don't show anyone else ;-)". An infected document containing a list of porn sites is attached to the email. The virus also modifies the Registry and adds the key HKCU\Software\Microsoft\Office\"Melissa?" = "... by Kwyjibo." To remove it, get the latest update for your anti-virus.
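The two Registry locations above (the Word 9.0 macro security "Level" value and the "Melissa?" marker under HKCU\Software\Microsoft\Office) are exactly what a support person would want to check on a suspect PC. The script below is an added example written for this column, not code from the virus or from any anti-virus vendor; it assumes a current-user hive on a Windows box with PowerShell available, and the Level-to-name mapping (1 = Low, 2 = Medium, 3 = High, the values Word 2000 uses) is its own. It only reads the keys unless you pass -RestoreHighSecurity, which puts the Word 2000 macro level back to High; cleaning the infection itself is still the anti-virus update's job.

```powershell
# Added example for this column: inspect the Registry markers the text
# attributes to Melissa@MM. Key paths are the ones named in the article;
# everything else here is this script's own assumption.

function Get-MelissaIndicators {
    [CmdletBinding()]
    param(
        # Optional: reset the Word 2000 macro security level to High (3).
        [switch]$RestoreHighSecurity
    )

    $wordSecurityPath = 'HKCU:\Software\Microsoft\Office\9.0\Word\Security'
    $officePath       = 'HKCU:\Software\Microsoft\Office'
    $markerName       = 'Melissa?'

    # Word 2000 macro security levels (assumed mapping used for reporting only).
    $levelNames = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High' }

    $report = [ordered]@{
        WordSecurityKeyPresent = $false
        WordSecurityLevel      = $null
        WordSecurityLevelName  = 'unknown'
        MelissaMarkerPresent   = $false
        MelissaMarkerValue     = $null
        Suspicious             = $false
    }

    # 1. The Level value the virus is described as forcing to "low".
    if (Test-Path $wordSecurityPath) {
        $report.WordSecurityKeyPresent = $true
        $item = Get-ItemProperty -Path $wordSecurityPath -Name 'Level' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $report.WordSecurityLevel = [int]$item.Level
            if ($levelNames.ContainsKey($report.WordSecurityLevel)) {
                $report.WordSecurityLevelName = $levelNames[$report.WordSecurityLevel]
            }
        }
    }

    # 2. The infection marker the virus writes under the Office key.
    if (Test-Path $officePath) {
        $props = Get-ItemProperty -Path $officePath -ErrorAction SilentlyContinue
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $markerName)) {
            $report.MelissaMarkerPresent = $true
            $report.MelissaMarkerValue   = $props.$markerName
        }
    }

    # Either a marker or a macro level of Low is worth a second look.
    $report.Suspicious = $report.MelissaMarkerPresent -or ($report.WordSecurityLevel -eq 1)

    # 3. Optional hardening step: put Word 2000 macro security back to High.
    if ($RestoreHighSecurity -and $report.WordSecurityKeyPresent) {
        Set-ItemProperty -Path $wordSecurityPath -Name 'Level' -Value 3 -Type DWord
        $report.WordSecurityLevel     = 3
        $report.WordSecurityLevelName = 'High'
    }

    [pscustomobject]$report
}

# Usage: run as the affected user, then read the Suspicious column.
Get-MelissaIndicators | Format-List
```

If the marker is present, note the value (the column quotes it as "... by Kwyjibo.") for your incident log before the anti-virus removes it, and check the Sent Items of that user's Outlook for the "Important Message From" mails described above, since those are the recipients you will want to warn.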

Davinia is a worm that spreads with the help of the Outlook client, but with a twist. The virus arrives in an email message with an embedded script. This script opens an IE window which connects to the hacker's site. The script then opens a Word document located on the site. The infected document contains a sub-script that disables the user's Office built-in macro virus warning. To do so it exploits the "Office 2000 UA Control Vulnerability" (discovered May 2000).

With the gates breached, the virus now attacks Outlook. It scans the Address Book and sends an infected copy of itself to every single contact. And if that was not all, the worm also replaces all files located on local hard disks with a file that displays a dialog box when clicked.

So far Davinia seems to have been contained because the only known Web addresses have all been shut down. If you would rather be safe than sorry later, you can download and install an Office patch (http://officeupdate.microsoft.com/2000/downloadDetails/Uactlsec.htm) to prevent future occurrences.

Finally, Microsoft's Media Player seems to be full of holes. It's now been found that the various skins we use to change the look 'n feel (a la WinAMP) can allow a malicious user to completely control your PC. Since it takes Microsoft a long while (weeks mostly) to fix such "holes," consider the first workaround: stop using skins with Windows Media Player (v7 onwards). If this is not possible, then disable all skins.

A malicious Web site operator embeds a Java applet in a skin (.WMZ) file. This applet then uses a script to gain access to your computer. Since .WMZ files are installed in a commonly known folder, it's possible for generic hacks to wander loose within your system.

So if you prefer walking the thin line, darling, stop IE from running unsigned Java content. Select Tools|Internet Options. Then select Security|Custom Level and scroll down to Java permissions. Next select Custom Settings|Java Custom Settings and select Edit Permissions. Finally select Disable under Run Unsigned Content.

So now even listening to music is potentially dangerous when online.


Govind Menon
[email protected]
