Security Information Week 14, 2001
Introduction
It is often claimed that security companies, security consultants and antivirus vendors are too eager to warn about all kinds of threats.
In some instances there may be some truth in this criticism, although Norman tries to issue warnings only when we feel a warning is really justified. Our policy regarding virus alerts may be seen here.
At this point in time, we feel it is correct to issue a more general warning, as the remainder of April may cause severe problems for organizations that depend on their computers and applications being fully functional (and which organizations are not among those?). This warning does not imply that we expect any new kind of malicious program to appear, even though that may of course happen at any time. It concerns malicious programs that have been in the wild for some time, several of which have payloads that trigger during April.
Those we consider to represent the most severe threats are described below. Each link opens a separate browser window with a more detailed technical virus description.
CIH a.k.a. Chernobyl
The Win95/CIH virus has been In the Wild for quite a long time, and antivirus products have detected it for years. Nevertheless it is still among the active ones, and Norman still receives reports of computers infected by CIH.
The most widespread variant of this virus triggers its payload on 26 April each year. This payload is probably the most destructive of any virus In the Wild: it attempts to erase or damage the Flash BIOS of certain computers, and to overwrite the Master Boot Record (MBR), the system boot sector (SBS), the file allocation table (FAT) and the data on all hard disks. The result is data loss and, in some instances, the need for new hardware for the affected computer.
Magistr
W32/Magistr@mm is a new malicious program. Norman issued an alert about it on 14 March this year.
Interestingly, this malicious program did not spread as fast as expected after its very fast initial propagation, and some commented that once more the antivirus industry had cried wolf without any animals in sight. Recently, however, Magistr has been picking up speed, and it is now among those most often reported.
Magistr is a mass mailer, which gives it the potential to spread very quickly, and it also propagates through an organization's internal network. One month after infection Magistr executes its first payload, which resembles that of CIH: it tries to erase the CMOS and the Flash BIOS and to overwrite files. Those who were infected when Magistr began spreading will, if the infected files are not cleaned, experience the payload during the Easter holiday; others will in the days and weeks to come. Most still remember the Easter two years ago when Melissa did "her evil deed"...
Hybris a.k.a. Snowwhite
Soon after W32/Hybris@m appeared In the Wild, it became one of the most widespread malicious programs ever.
This is a quite complicated malicious program, as it consists of several modules and can update itself from the Internet with new modules. Hybris is a mass mailer, which to some extent explains its fast and steady propagation.
The two most common forms of email carrying Hybris so far are:
- an email with the Subject field Snowhite and the Seven Dwarfs - The REAL story!
- an email with no subject or body and Hybris as an attachment with a file name of random letters.
One variant of Hybris blocks access to several antivirus web sites, which makes updating virus definition files difficult.
MTX a.k.a. Apology-B
W32/MTX@mm is a malicious program that has been In the Wild for approximately six months. Despite this "mature age" it is still among the most widespread.
The program consists of a virus, a Windows backdoor and an email worm.
MTX sends itself as a second email to each recipient. The email has an empty subject field and an attachment that uses one of several different file names (see the virus description).
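The email indicators given above for Hybris (the fixed subject line; an empty message with a random-letter attachment name) and for MTX (an empty subject with an attachment) can be turned into a simple gateway check. The following is an added example written for this page, not Norman's code or detection logic: it parses raw messages with Python's standard email module and tags each indicator. The executable extension list, the approximation of a "random letters" name as a letters-only file stem of six or more characters, and the sample messages are constructed assumptions, not facts from the alert.

```python
"""Mail triage for the e-mail indicators given in this alert.

Added example, not Norman's code. The rules are my own reading of the
alert's descriptions:
  * Hybris: Subject "Snowhite and the Seven Dwarfs - The REAL story!"
  * Hybris: no subject, no body, attachment named with random letters
  * MTX:    empty subject and an executable attachment
"Random letters" is approximated (assumption) as a letters-only file stem
of six or more characters; the executable extension list is also my choice.
"""
import email
import re
from email import policy
from email.message import EmailMessage

HYBRIS_SUBJECT = "Snowhite and the Seven Dwarfs - The REAL story!"
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}  # assumption
RANDOM_STEM = re.compile(r"^[A-Za-z]{6,}$")                         # assumption


def _attachment_names(msg: EmailMessage) -> list[str]:
    """File names of every leaf part that carries a filename parameter."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def _is_executable(name: str) -> bool:
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in EXEC_EXTENSIONS


def _body_text(msg: EmailMessage) -> str:
    """Concatenated text of the non-attachment text parts, whitespace stripped."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_filename():
            continue
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "".join(chunks).strip()


def triage(raw: bytes) -> list[str]:
    """Return the indicator tags that match a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    executables = [n for n in _attachment_names(msg) if _is_executable(n)]
    hits = []
    if subject == HYBRIS_SUBJECT:
        hits.append("hybris-subject")
    if not subject and not _body_text(msg):
        if any(RANDOM_STEM.match(n.rsplit(".", 1)[0]) for n in executables):
            hits.append("hybris-random-name")
    if not subject and executables:
        hits.append("empty-subject-executable")   # the MTX pattern
    return hits


def _build(subject, body, attachment=None) -> bytes:
    """Construct a sample message (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    if subject is not None:
        msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed samples: one per indicator, plus a benign message.
SAMPLES = {
    "hybris_subject": _build(HYBRIS_SUBJECT, "Forwarded story attached.", "story.exe"),
    "hybris_empty":   _build(None, "", "xkqvbwtplr.exe"),
    "mtx_like":       _build(None, "", "photo.pif"),
    "clean":          _build("Meeting notes", "See attached.", "notes.txt"),
}


def triage_samples() -> dict[str, list[str]]:
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in triage_samples().items():
        print(f"{name:15s} {hits or 'no indicators'}")
```

The tags overlap on purpose: the empty Hybris message also satisfies the MTX rule, and since the alert does not list MTX's file names, the empty-subject rule is a quarantine heuristic rather than an identification. KAK is not covered, because the alert describes it only as embedded in attachment-free mail and gives no indicator that can be matched on.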
KAK
JS/KAK.Worm exploits a security flaw in Microsoft's email client Outlook Express. Microsoft released a patch for this vulnerability as early as August 1999. That has not, however, prevented KAK from persistently infecting computers all over the world.
KAK is a worm that embeds itself in every email without attachments sent by Outlook Express from an infected user. KAK does not function in a Windows NT/2000 environment.
What to do?
As shown above, most of the malicious programs described here are not new. Some of them are actually quite old. The fact that they are still among the most widespread clearly demonstrates that users either do not use antivirus software, or do not update it as frequently as they should.
- Do your best to make April a good month for yourself
- Avoid arriving at work after the Easter holiday only to find yourself overwhelmed by viruses
- Don't be the one who infects colleagues, business acquaintances and friends
- Protect your valuable data from destruction.
Update your virus protection to the most recent version, and run a virus scan immediately after updating to check whether you are infected.
Per Olav Førland
