SYMANTEC.  
AntiVirus Research Center

"The Sun Never Sets on SARC"

   
 

SARC Home Page

July 2000 Newsletter

 
   



Top Threats

VBS.Stages.A
Wscript.KakWorm
Happy99.Worm
VBS.LoveLetter
VBS.Network
PrettyPark.Worm



The following is a list of the viruses, Trojans and worms most often reported to SARC's regional offices during the last month.


Asia Pacific

Wscript.KakWorm
VBS.Stages.A
Happy99.Worm


Europe

Wscript.KakWorm
VBS.Stages.A
Happy99.Worm


Japan

VBS.Stages.A
VBS.Network
DSCE.2100


USA

Wscript.KakWorm
VBS.Stages.A
VBS.Network



New Virus Hoaxes reported to Symantec

None this month

Late June and early July have seen a lot of media attention for palm format computing devices like the Palm and Pocket PC. This month Eric Chien writes about security and the PalmOS.

The Simpsons and Pokemon characters contribute to this month's newsletter in the form of Simpsons.Trojan and W32.Pokey.Worm. They are both categorized as low risk since we haven't had many reports, but the Simpsons.Trojan will cause extensive damage if you are unfortunate enough to receive it and it triggers.

W95.Zperm.A is also low risk but I've included it because it takes an interesting approach to polymorphic encryption.

VB2000 is to be held from 27 - 29 September. It is the conference's 10th anniversary and, for the first time this year, the exhibition is to be broadened to include data security companies, their products and services.

David Banes,
Editor,
sarc@symantec.com

Viruses in the News

Minimal [1]

PC

The W95.Zperm.A virus is one of the first metamorphic viruses for 32-bit Windows platforms. The virus does not use traditional polymorphic encryption. Rather, it mutates its code by using jump instruction insertion. The complete virus body is permuted, including the permutation engine itself. A variant, W95.Zperm.B, is known to exist.

The virus uses Win32 APIs to replicate; however, it only functions on Windows 95 and Windows 98 systems, and neither variant replicates on Windows NT or Windows 2000. The actual permutation engine shows similarities to some of the older DOS viruses. Fortunately, metamorphic viruses are more difficult to create, and currently only a few viruses use such an advanced technique.

At this time, infected files must be deleted from the system and replaced with uninfected copies.


http://www.sarc.com/avcenter/venc/data/w95.zperm.a.html
by: Peter Szor
SARC, USA

Worms in the News

Severe [4]

PC

The VBS.Network worm does little but replicate. It attempts to copy itself across a network by first locating shared network drives, then mapping them to a local drive letter. Once a drive is infected, the worm tries to copy itself to the \Startup folder of the drive (assuming the infected drive is a Win95/98/NT system drive) to ensure execution at startup. The worm remains in memory until the system is restarted.

Windows Scripting Host comes with a sample file with the filename NETWORK.VBS. This file is not infectious. This file is commonly found on Windows 98 systems in the directory C:\WINDOWS\SAMPLES\WSH. Please note that filenames alone are not enough to determine if a file is clean or malicious.


http://www.sarc.com/avcenter/venc/data/vbs.network.html
by: Andy Cianciotto
SARC, USA

Minimal [1]

PC

W32.Pokey.Worm is a worm that propagates as an email attachment. When the attachment is executed, it displays an animation of a Pokemon character. The worm also has a payload that deletes the contents of your Windows and Windows\system directories.

W32.Pokey.Worm is a worm program, not a virus. It attempts to email itself to everyone in the address book. Only systems running Outlook are affected; the worm will not run on Outlook Express.

The subject of the email is:
Pikachu Pokemon

The body of the email is:

Great Friend!
Pikachu from Pokemon Theme have some friendly words to say.
Visit Pikachu at http://www.pikachu.com
See you.


Attachment name: pikachupokemon.exe

The attachment (worm program) only runs if the file MSVBVM60.dll, the Visual Basic 6 runtime library, is installed and available on the system, and only if the file name is pikachupokemon.exe. When the attachment is executed it displays the Pokemon animated picture.

The worm will also modify the contents of the autoexec.bat file to delete the contents of your Windows directory and Windows\system directory. The autoexec.bat file will be executed when the system is rebooted and will display a prompt before attempting to delete the content of those directories.

http://www.sarc.com/avcenter/venc/data/w32.pokemon.worm.html
by: Peter Szor & Motoaki Yamamura
SARC, USA
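As an added example (not from the SARC write-up or Symantec's own tooling), a mail-gateway triage check in Python that looks for the indicators the write-up gives for W32.Pokey.Worm: the subject line, the body text and the attachment name. The two sample messages are constructed here, and the attachment content is a placeholder, not the worm.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators as given in the SARC write-up of W32.Pokey.Worm.
POKEY_SUBJECT = "Pikachu Pokemon"
POKEY_ATTACHMENT = "pikachupokemon.exe"
POKEY_BODY_MARKER = "Pikachu from Pokemon Theme have some friendly words to say."


def pokey_indicators(raw_message: bytes) -> list:
    """Return the W32.Pokey indicators found in a raw RFC 822 message.

    Indicator matching for gateway triage only: a hit means quarantine and
    scan the attachment, and a changed subject or filename defeats the check.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() == POKEY_SUBJECT.lower():
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and POKEY_BODY_MARKER in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == POKEY_ATTACHMENT:
            hits.append("attachment")
        elif name.endswith(".exe"):
            hits.append("exe-attachment")  # any executable attachment merits a look
    return hits


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a test message; the attachment bytes are a placeholder, not the worm."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed sample 1: subject, body text and attachment name from the write-up.
SAMPLE_WORM = build_sample(
    "Pikachu Pokemon",
    "Great Friend!\nPikachu from Pokemon Theme have some friendly words to say.\n"
    "Visit Pikachu at http://www.pikachu.com\nSee you.\n",
    "pikachupokemon.exe",
)
# Constructed sample 2: same subject line, harmless body, non-executable attachment.
SAMPLE_BENIGN = build_sample("Pikachu Pokemon", "Photos from the meetup attached.\n", "photos.zip")
```

The second sample shows why the subject alone is a weak signal: only the combination of subject, body marker and executable attachment name points at this worm.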

   
                   
         
Trojans in the News

Small [2]

PC

Simpsons.Trojan is a malicious Trojan that is actually a self-extracting compressed batch file called SIMPSONS.EXE. Upon execution, the Trojan horse program decompresses itself and begins to delete all the files on drives C:, A:, B:, and D:. During execution an MS-DOS window appears and reveals the Trojan deleting all files on each drive.

Simpsons.Trojan executes its payload immediately. When executed, a message dialog box will notify the user that there should be no unauthorized use of this file. When the user clicks OK, an MS-DOS window appears showing all the files being deleted.

The time necessary to damage the system is less than 20 seconds. Generally, infected users will need to reinstall the operating system and all applications.

The Trojan uses the deltree.exe program to delete files, so it will not function on systems that do not have deltree.exe.

If the Trojan has damaged the system, the operating system (i.e. MS Windows) and other applications need to be reinstalled.

http://www.sarc.com/avcenter/venc/data/simpsons.trojan.html
by: Edric Ta
SARC, USA

PalmOS Security

In the 1980s, no one left home without his or her FiloFax. Today, no one leaves home without his or her Personal Digital Assistant (PDA). However, while FiloFaxes contained important names and numbers, PDAs are more than just an address book. Combined with Internet access, the functionality of the PDA is moving towards a desktop computer combined with a cellular phone, small enough to put in one's pocket.

According to IDC, Palm OS controlled 78.4% of the handheld market share in 1999. With more than 4,000 applications for the Palm OS, devices running this OS are at the greatest risk of malicious code.

The Palm OS file system is optimised for synchronisation with a desktop computer and for the limited storage area available. Data is stored in memory blocks called records. Such memory storage provides a home for new application databases (executable code), which can be introduced in a variety of ways.

Any method that allows the introduction of executable code onto the Palm device is a vector for delivering potentially malicious code. HotSyncing is currently the primary method; in the future, Internet access will pose the greatest threat.

The HotSync functionality is used primarily to synchronise data stored on the device with data stored on the desktop computer, back-up data to the desktop computer, and install new device applications that are located on the desktop computer. Currently, this provides the easiest means of introducing malicious code.

The Palm contains IrDA (Infrared Data Association) communication capabilities. You can directly interface with the IR capabilities of the Palm. However, the majority of programs utilise the Exchange Manager which provides a simple interface for Palm OS applications to send and receive data from a remote device using standard protocols.

With IR capabilities, the Palm is able to receive and send applications, and thus malicious code, which could potentially communicate with other infected devices, exchanging information and code without the user realising.

By adding a modem to the Palm or using the newer wireless models, clipped web browsing and email access with attachments become available. One can easily receive emails with Palm applications attached and save those attachments; such applications could contain malicious code.

Palm OS applications can easily establish a connection with any other machine on the Internet and transfer data to and from that machine using the standard TCP/IP protocols. Thus, malicious code is not limited to utilising the Palm mail client or web browser but can open listening server ports allowing remote access, sending of confidential data or receiving additional malicious code. Such network access is an open invitation for fast spreading worms.

Many applications running on Palm OS are programmable. A third party program can interact with the programs through a standard application-programming interface. Such programmability easily allows for email type worms like W97M.Melissa and VBS.LoveLetter.

The Palm does not employ any inherent access control to databases and records, so databases are easily modified by malicious code. With a single click on a malicious email attachment you could wipe out all the applications and data on the device.

Palm is only one of many vulnerable devices. Unfortunately, there isn't a digital device that is 100% secure. To be 100% secure, one should revert to the old FiloFax. However, while there is a threat, there are also potential solutions already in development.


http://www.symantec.com/region/reg_ap/avcenter/palmos.pdf
Eric Chien
SARC, EMEA

Updated SARC Glossary: what's the definition of a virus, Trojan and worm?

Contacts

Correspondence by email to: sarc@symantec.com, no unsubscribe or support emails please.
Send virus samples to:
avsubmit@symantec.com
Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html

To Subscribe and Unsubscribe

To be added or removed from the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/help/subscribe.html
SARC AntiVirus News Update is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.

All information contained in this newsletter is accurate and valid as of the date of issue.

Copyright © 1996-2000 Symantec Corporation. All rights reserved.