The SARC AntiVirus News Update Volume 4 Issue 2.2 November 1999
This month has seen a couple of very interesting new worms and viruses. VBS.BubbleBoy exploits a security flaw within Microsoft Outlook and would have been a greater threat if Microsoft had not already provided a patch. W32.FunLove was not highly reported but is significant in that the techniques it uses to infect Windows NT make it difficult to remove. In this issue you will find details on a new tool from SARC to help get rid of Happy99 and a report from the second AVAR (Association of AntiVirus Asia Researchers) conference. As we get closer to the Y2k date rollover the next issue of the SARC Update will provide links to useful virus-related information on the web; this month's link takes you to the Virus Activation Calendar (no longer available) on the SARC Y2k web site. The site lists trigger dates and virus names for November, December and January and will keep you updated on new virus threats over the Christmas/New Year period. As the newsletter continues to develop and incorporate suggestions from our subscribers you'll see new additions such as the list of new virus hoaxes in the left side bar to complement the list of common viruses, trojans and worms reported by each of our regional SARCs.

David Banes, Editor, sarc.avnews@symantec.com
VBS.BubbleBoy

VBS.BubbleBoy is a worm that works under Windows 98 and Windows 2000, and will also work under Windows 95 if the Windows Scripting Host is installed. The worm only functions properly on the English and Spanish versions of those operating systems, and on no language version of Windows NT.

The worm uses a known security hole in Microsoft Outlook/IE5 to write a script file called UPDATE.HTA into the Programs > StartUp group of the Start menu at the moment the email message is viewed. The key differentiator with this worm is that it is not necessary to detach or run a file attachment to trigger it. Because UPDATE.HTA sits in the StartUp group, the infection routine is not executed until the next time the computer is started. UPDATE.HTA then uses MS Outlook to send the worm by email message to everyone in the MS Outlook address book. Microsoft Outlook (or Outlook Express) with Internet Explorer 5 must be in use for the worm to propagate.

Microsoft has provided a patch for this problem at: http://www.microsoft.com/security/Bulletins/ms99-032.asp. Once the hole in Outlook/IE5 is patched, the worm can no longer propagate. For further details regarding the hole, please read this posting: http://www.microsoft.com/Security/Bulletins/MS99-032faq.asp. The worm also will not propagate if the IE5 Internet zone security setting has been set to "High".

Currently, Symantec has received only a few customer reports of this worm. It appears to have originated in Argentina and was sent directly to anti-virus vendors by its author.

by: Raul Elnitiarta and Eric Chien, SARC US and SARC Europe
http://www.sarc.com/avcenter/venc/data/vbs.bubbleboy.html
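
The point made above, that an attachment filter never sees this worm because the HTML body itself does the work, can be shown with a small mail-policy check. The following is an added example written for this page, not code from SARC, from Symantec or from the worm: it runs a classic attachment-only filter beside a body-content filter over two messages constructed inline (the classid string in the sample is a placeholder, not a real control's CLSID), and the demo_startup_check() helper builds a throwaway folder rather than reading a real Start menu. The article's own host-side indicator, an .hta file in Programs > StartUp, is what startup_hta_files() lists.

```python
"""Added example for the VBS.BubbleBoy write-up (not code from SARC or from
the worm): an attachment-only mail filter beside a body-content filter, plus
a host check for .hta files in the Start-menu StartUp folder.  All sample
messages and files are constructed inline so the script runs offline."""
import email
import re
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Extensions a 1999-style attachment filter would block.
BLOCKED_EXT = {".exe", ".scr", ".hta", ".vbs", ".js"}
# Tags that let an HTML mail body run code when an IE5-based client merely
# renders it (script and ActiveX objects), and any reference to an .hta file.
ACTIVE_HTML = re.compile(r"<\s*(script|object|embed|applet)\b", re.IGNORECASE)
HTA_REF = re.compile(r"\.hta\b", re.IGNORECASE)


def attachment_findings(msg: EmailMessage) -> list[str]:
    """Classic check: look only at file attachments."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if Path(name).suffix.lower() in BLOCKED_EXT:
            hits.append(f"attachment {name}")
    return hits


def body_findings(msg: EmailMessage) -> list[str]:
    """The check BubbleBoy calls for: inspect the rendered HTML body itself."""
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        if ACTIVE_HTML.search(html):
            hits.append("active content in HTML body")
        if HTA_REF.search(html):
            hits.append("HTML body references an .hta file")
    return hits


def classify(raw: str) -> list[str]:
    """Run both checks over one RFC 822 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    return attachment_findings(msg) + body_findings(msg)


def build_attachment_mail() -> str:
    """Constructed sample 1: the Happy99-style case, a blocked attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", "fun"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="HAPPY99.EXE")
    return m.as_string()


def build_html_only_mail() -> str:
    """Constructed sample 2: the BubbleBoy-style case, no attachment at all.
    The classid value is a placeholder, not a real control's CLSID."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", "hello"
    m.set_content("plain-text fallback")
    m.add_alternative(
        "<html><body>Hi!<object id='x' "
        "classid='clsid:00000000-0000-0000-0000-000000000000'></object>"
        "<script language='VBScript'>' constructed marker: writes UPDATE.HTA"
        "</script></body></html>", subtype="html")
    return m.as_string()


def startup_hta_files(startup_dir: str) -> list[str]:
    """Host-side indicator from the article: an .hta file in Programs > StartUp."""
    return sorted(p.name for p in Path(startup_dir).iterdir()
                  if p.suffix.lower() == ".hta")


def demo_startup_check() -> list[str]:
    """Build a throwaway StartUp folder (not the real Start menu) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "UPDATE.HTA").write_text("<!-- constructed marker -->")
        Path(d, "Office Startup.lnk").write_bytes(b"")
        return startup_hta_files(d)


if __name__ == "__main__":
    for label, raw in (("attachment mail", build_attachment_mail()),
                       ("html-only mail", build_html_only_mail())):
        print(label, classify(raw))
    print("startup folder", demo_startup_check())
```

The attachment-only filter flags the first message and passes the second clean; only the body scan catches the second, which is the whole lesson of this worm. In a real gateway the body scan would sit alongside the patch for MS99-032 and the "High" zone setting, not replace them.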
W32.FunLove.4099

W32.FunLove.4099 is a new virus that replicates under Windows 95 and Windows NT and infects applications with EXE, SCR or OCX extensions. What is notable about this virus is that it uses a new strategy to attack the Windows NT file security system. The original report of this virus was submitted through our exclusive Scan & Deliver system on Nov. 9, 1999 by a corporate customer in the United States.

This virus is a direct-action appending infector. It adds its code to the end of the file's last section and modifies the first 8 bytes of code at the entry point so that execution is redirected to the virus body. The virus creates a thread of its own inside the infected process and replicates in the background while the host program runs in the main thread, so the user will not easily notice any delay. The virus may also use the network to spread to other systems. It drops a file named flcss.exe into the Windows System directory.

by: Cary Ng, SARC US
http://www.sarc.com/avcenter/venc/data/fun.love.html
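
The infection mechanics described above (code appended to the last section, the first bytes at the entry point rewritten to reach it) suggest a simple static heuristic that a scanner can run without executing the file. The following is an added example, not SARC's code and not the virus: it builds a constructed two-section PE32 image, makes an "infected" copy by modelling the 8-byte entry stub as a 5-byte jmp rel32 plus three padding bytes (this example's assumption; the newsletter does not say which instructions FunLove actually writes), and flags any image whose entry point starts with a jump into the last section.

```python
"""Added example for the W32.FunLove.4099 write-up (not SARC's code and not
the virus): a static heuristic for appending infectors that redirect the
entry point into the last section.  The PE images are constructed inline;
the 8-byte entry stub is modelled as jmp rel32 plus padding, which is this
example's assumption, not a description of FunLove's real stub."""
import struct

FILE_ALIGN = 0x200


def build_pe(text: bytes, data: bytes) -> bytes:
    """Constructed two-section PE32: .text at RVA 0x1000, .data (last) at 0x2000,
    entry point at the start of .text.  Only the fields a loader or scanner
    reads are filled in; the rest of the optional header is zero."""
    def pad(b: bytes) -> bytes:
        return b + b"\0" * (-len(b) % FILE_ALIGN)
    text, data = pad(text), pad(data)
    hdr = 0x200  # all headers fit in the first file-alignment unit
    sections = [(b".text", 0x1000, len(text), hdr, 0x60000020),
                (b".data", 0x2000, len(data), hdr + len(text), 0xC0000040)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, len(text), len(data), 0, 0x1000)  # entry 0x1000
    opt += struct.pack("<IIIII", 0x1000, 0x2000, 0x400000, 0x1000, FILE_ALIGN)
    opt = opt.ljust(224, b"\0")
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, raw, 0, 0, 0, 0, ch)
                    for n, va, sz, raw, ch in sections)
    return (dos + coff + opt + hdrs).ljust(hdr, b"\0") + text + data


def parse_sections(image: bytes):
    """Return (entry_rva, [(name, va, vsize, rawsize, rawptr), ...])."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    entry_rva, = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        secs.append((name, va, vsize, rawsize, rawptr))
    return entry_rva, secs


def entry_point_redirect(image: bytes):
    """Heuristic: the first instruction at the entry point is a jmp rel32 whose
    target lies inside the last section.  Returns details, or None if clean."""
    entry_rva, secs = parse_sections(image)
    for name, va, vsize, rawsize, rawptr in secs:
        if va <= entry_rva < va + max(vsize, rawsize):
            stub = image[rawptr + entry_rva - va:][:8]
            break
    else:
        raise ValueError("entry point outside every section")
    if len(stub) < 5 or stub[0] != 0xE9:          # not a jmp rel32
        return None
    rel, = struct.unpack_from("<i", stub, 1)
    target = (entry_rva + 5 + rel) & 0xFFFFFFFF
    name, va, vsize, rawsize, _ = secs[-1]         # the last section
    if va <= target < va + max(vsize, rawsize):
        return {"entry": entry_rva, "target": target, "section": name}
    return None


CLEAN_TEXT = b"\x55\x8b\xec\x33\xc0\x5d\xc3"   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
CLEAN_DATA = b"hello\0"
VIRUS_BODY = b"\x90" * 16                       # stand-in bytes for an appended body


def clean_image() -> bytes:
    return build_pe(CLEAN_TEXT, CLEAN_DATA)


def infected_image() -> bytes:
    """Model of the appending infector: body appended to the last section at
    RVA 0x2010, first 8 bytes at the entry point replaced by jmp + 3 pad bytes."""
    data = CLEAN_DATA.ljust(0x10, b"\0") + VIRUS_BODY
    stub = b"\xE9" + struct.pack("<i", 0x2010 - (0x1000 + 5)) + b"\x90\x90\x90"
    return build_pe(stub + CLEAN_TEXT[len(stub):], data)


if __name__ == "__main__":
    print("clean   :", entry_point_redirect(clean_image()))
    print("infected:", entry_point_redirect(infected_image()))
```

The heuristic is deliberately narrow: a legitimate linker can also place an entry stub that jumps elsewhere, so in practice this is a triage signal to be combined with other checks (an oversized or writable-and-executable last section, an unexpected flcss.exe in the System directory), not a verdict on its own.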
FIXHAPPY tool

The FIXHAPPY tool is designed to safely remove Happy99.Worm (a.k.a. W32.Ska) files and restore WSOCK32.DLL on Windows systems. You will still need to delete the worm file itself, usually named HAPPY99.EXE (the file that NAV detects as "Happy99.Worm").
Report from the second AVAR conference

The second AVAR (Association of Anti-Virus Asia Researchers) Conference was held in Seoul, Korea on 28 and 29 October. There were about 50 participants, and speakers came from as far away as the USA.

Seiji Murakami (JCSR, AVAR Chairman, Japan) and Charles Ahn (Dr. Ahn's Anti-Virus Laboratories Inc., AVAR Vice Chairman, Korea) opened the conference and welcomed the participants. Mr. Murakami gave his vision for the development of AVAR in preventing the spread of, and damage caused by, computer viruses through the exchange of information around the Asia Pacific region. He hoped to see local branches established in each country to provide local activities and information. Dr. Ahn highlighted the importance of real-time exchange of information to respond to the increasing damage caused by viruses.

Chul Soo Lee (President, Korea Information Security Agency, Korea) warned of the trend away from viruses written for fun or showing off towards cyber-crime. He said that technical and legal standards were necessary to prevent this, that the Korean Government was working on them, and that it would help and co-operate with AVAR.

Mr. Cho Kyu-Hong (Trend Micro Korea) spoke on behalf of Richard Ku (Trend Micro, USA) and described the issues involved in developing anti-virus software for three versions of Microsoft Exchange: 5.5, 5.5 SP3 and 2000.

Masaaki Kimura (Ministry of International Trade and Industry, Japan) talked about security policy and anti-virus activities in Japan. He covered the guidelines issued, Japanese law and the growing number of damage reports received. He said that the Japanese Government would contribute to the fight against viruses and would assist AVAR.

Allan Dyer (Yui Kee, Hong Kong) addressed the problem of a generation gap in computer knowledge, which could lead to children getting into inappropriate computer activities, including virus writing. He called for improvements in school curricula to include IT ethics, safety and security.

Seok Chul Kwon (HAURI, Korea) reviewed the development of anti-virus technology and its future. Hantae Kim (Symantec, Korea) looked at virus trends and outlined the digital immune system.

The second day started with Motoaki Yamamura (Symantec, USA), who demonstrated the increased speed at which worms are spreading and discussed the changes in policy that would be necessary if we had a new worm every week, or every minute.

Chae Ho Lim (Korea Information Security Agency, Korea) reported on security incident response and anti-virus activities in Korea. He described the organisations that exist in Korea, including CERTCC-KR and CONCERT, their relationships and their connections with similar organisations abroad. CIH hit Korea particularly badly, with 160,000 to 240,000 activations; Mr. Chae described how the incident developed and the lessons to be learnt.

Motoi Endo (JCSR, Japan) talked about anti-virus policies, the difficulties of getting users to follow them and some ideas to help.

Allan Dyer described his experiences in preparing and teaching a module on viruses and worms for a course on Information and Internet Security. He suggested that the course material he prepared, with improvements, could become the basis of a "common body of knowledge" for anti-virus professionals.

Closing the conference, Charles Ahn (Dr. Ahn's Anti-Virus Laboratories Inc., Korea), a medical doctor turned anti-virus researcher and famous in Korea for developing the first Korean anti-virus software, took us through the history of computer viruses in Korea.

The AVAR 2000 conference will be held in Japan. More information on AVAR can be found at http://www.aavar.org/

by Allan Dyer, Director (Technical Division), AVAR
Contacts

Correspondence by email to: sarc.avnews@symantec.com
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html

To Subscribe and Unsubscribe

To be added to or removed from the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/help/subscribe.html

SARC AntiVirus News Update is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.
All information contained in this newsletter is accurate and valid as of the date of issue.
Copyright © 1996-1999 Symantec Corporation. All rights reserved.