Security Roundup

The National Infrastructure Protection Center (NIPC) and the FBI have been investigating the activities of organized hackers they believe originated in Eastern Europe and Russia. The hackers have been able to obtain American credit card numbers through e-commerce sites, then attempt to ransom the numbers back to their owners or credit card companies or threaten to publish the numbers on the Internet.

The hackers penetrated holes in Microsoft Windows NT systems, and the vulnerabilities have been known since as early as 1998. Many users, however, did not patch their systems and thus became victims.

The virus of the week is the W32/Naked@MM, or Naked Wife virus. The Naked Wife virus consists of a file attached to an e-mail message with the subject “Fw: Naked Wife” and the message “My wife never look like that! ;-)”. When run, NakedWife.exe copies itself to a Temp directory and displays a window entitled “Flash” and purports to be a property of JibJab Media. After attempting to delete all .BMP, .COM, .DLL, .EXE, .INI, and .LOG files in the Windows and Windows\System directories, the “Flash” window informs the user that they’ve been the victim of a ruse.

It would seem obvious that this is a virus – after all, how many strangers send pictures of their naked wives to their entire address books?

Another recent virus uses an open mail relay to deliver a .EXE file. CERT, Carnegie Mellon University’s network security clearinghouse, reports on the Hybris Worm. The worm is a piece of malicious code that propagates through e-mail messages and newsgroup postings and targets Windows machines. The user must execute an attachment in order to become infected.

The worm infects the Windows networking library WSOCK32.DLL file, subverting normal e-mail behavior, and sends a copy of itself any time an infected user sends an e-mail message. The e-mail message containing the virus masquerades as a pornographic story.

As Sophos Anti-Virus’ Graham Cluley said, “Think with your head, not your groin.”

Finally, a bug in Microsoft Internet Explorer. A newly divulged IE vulnerability could allow a hacker to run code of his choice, if a user visits the hacker’s Web site or opens an HTML e-mail from the hacker.

The IE security architecture provides a caching mechanism that is used to store content that needs to be downloaded and processed on the user’s local machine. A vulnerability exists because it is possible for a Web page or HTML e-mail to learn the physical location of cached content. With this information, a hacker could cause the cached content to be opened in the Local Computer Zone. This would enable him to launch compiled HTML help (.CHM) files that contain shortcuts to executables, thereby enabling him to run the executables.

A patch for IE 5.01 SP1 is available at, and for IE 5.5 SP1 at - Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

comments powered by Disqus
Most   Popular