
The SARC AntiVirus News Update
"The sun never sets on SARC"

Volume 4 Issue 2.2 November 1999

The following is a list of the top reported viruses, trojans and worms to SARC's regional offices during the last month.


Asia Pacific

Happy99.Worm
O97M.Tristate.C
W97M.Melissa


Europe

Happy99.Worm
W97M.Ethan.A
BackOrifice.Trojan


Japan

XM.Laroux
Happy99.Worm
PrettyPark.Worm


USA

W97M.Melissa
XM.Laroux
Happy99.Worm



New Virus Hoaxes reported to Symantec

Sandman
FREE M & M's
Halloween Virus
South Park News
Despite Virus
Free Pizza Virus

This month has seen a couple of very interesting new worms and viruses.
VBS.BubbleBoy exploits a security flaw within Microsoft Outlook and would have been a greater threat if Microsoft had not already provided a patch. W32.FunLove was not widely reported, but it is significant in that the techniques it uses to infect Windows NT make it difficult to remove.

In this issue you will find details on a new tool from SARC to help get rid of Happy99 and a report from the second AVAR (Association of AntiVirus Asia Researchers) conference. As we get closer to the Y2k date rollover, the next issue of the SARC Update will provide links to useful virus-related information on the web; this month's link takes you to the Virus Activation Calendar (no longer available) on the SARC Y2k web site. The site lists trigger dates and virus names for November, December and January and will keep you updated on new virus threats over the Christmas/New Year period.

As the newsletter continues to develop and incorporate suggestions from our subscribers, you'll see new additions such as the list of new virus hoaxes in the left side bar to complement the list of common viruses, trojans and worms reported by each of our regional SARCs.

David Banes,
Editor,
sarc.avnews@symantec.com

Go to the SARC Year 2000 Awareness Center (no longer available) for more Y2k Virus Information

Trojans and Worms in the News

Occasional

PC

VBS.BubbleBoy is a worm that works under Windows 98, Windows 2000 and will also work under Windows 95 if the Windows Scripting Host is installed. The worm will only function properly with the English and Spanish versions of the operating systems, and not any language version of Windows NT.


Microsoft Outlook (or Express) with Internet Explorer 5 must be used in order for the worm to propagate. The worm utilises a known security hole in Microsoft Outlook/IE5 to insert a script file called UPDATE.HTA when the email is viewed. The key differentiator with this worm is that it is not necessary to detach or run a file attachment to trigger this worm.

UPDATE.HTA is placed in Program-StartUp of the Start menu. Therefore, the infection routine is not executed until the next time you start your computer. UPDATE.HTA is a script file that uses MS Outlook to send the worm by email message to everyone in the MS Outlook address book.

Microsoft has also provided a patch to fix this problem at:
http://www.microsoft.com/security/Bulletins/ms99-032.asp

By patching the known security hole in Microsoft Outlook/IE5, the worm will no longer propagate. For further details regarding the security hole, please read this posting:
http://www.microsoft.com/Security/Bulletins/MS99-032faq.asp

In addition, the worm will not propagate if IE5 Internet security settings have been set to "High".
Currently, Symantec has received only a few customer reports of this virus. This virus appears to have originated in Argentina and was sent directly to anti-virus vendors by the virus author.

by: Raul Elnitiarta and Eric Chien
SARC, US and SARC, Europe
http://www.sarc.com/avcenter/venc/data/vbs.bubbleboy.html

Viruses in the News

Occasional

PC

W32.FunLove.4099 is a new virus that replicates under Windows 95 and Windows NT systems and infects applications with EXE, SCR or OCX extensions. What is notable about this virus is that it uses a new strategy to attack the Windows NT file security system. The original report of this virus was submitted through our exclusive Scan & Deliver system on Nov. 9, 1999 from a corporate customer in the United States.

This virus is a direct action appending type. It adds its code to the end of the last file section and modifies the first 8 bytes of the code at the entry-point in order to point to the virus body. The virus creates a thread in the infected process for itself and replicates in the background while it executes the host program (main thread). Therefore, the user will not easily notice any delays. This virus may also use the network to spread itself to other systems. This virus does drop a file named flcss.exe into the Windows System directory.
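To show the infection shape described above in a form a defender can check, the following is an added example (not code from the newsletter or from Symantec): a minimal PE32 header walk that flags an executable whose entry point begins with a JMP into the last section. It assumes well-formed PE32 headers and a plain E9 rel32 jump as the entry-point patch, and builds constructed sample images inline; the real patch bytes are not given on this page.

```python
import struct

def parse_pe(pe):
    """Walk PE32 headers; return (entry_rva, [(name, vaddr, vsize, raw_ptr), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # 20-byte COFF header, then the optional header
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", pe, coff + 20 + 16)[0]  # AddressOfEntryPoint
    secs = []
    for i in range(n_sections):
        name, vsize, vaddr, _, raw = struct.unpack_from("<8sIIII", pe, coff + 20 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), vaddr, vsize, raw))
    return entry_rva, secs

def entry_jumps_to_last_section(pe):
    """True when the entry point begins with JMP rel32 (E9) into the final section: the
    shape an appending infector leaves after patching the first bytes at the entry point."""
    entry_rva, secs = parse_pe(pe)
    off = next((entry_rva - va + raw for _, va, vs, raw in secs if va <= entry_rva < va + vs), None)
    if len(secs) < 2 or off is None or pe[off] != 0xE9:
        return False
    target = entry_rva + 5 + struct.unpack_from("<i", pe, off + 1)[0]  # rel32 is relative to next insn
    _, last_va, last_size, _ = secs[-1]
    return last_va <= target < last_va + last_size

def build_pe(entry_rva, sections):
    """Assemble a minimal, non-loadable PE32 from [(name, vaddr, data)] (constructed test input)."""
    n = len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 204
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, len(opt), 0x102)
    hdrs, body, raw = b"", b"", 64 + 4 + len(coff) + len(opt) + 40 * n
    for name, vaddr, data in sections:
        hdrs += struct.pack("<8sIIII", name, len(data), vaddr, len(data), raw) + b"\0" * 16
        body, raw = body + data, raw + len(data)
    return dos + b"PE\0\0" + coff + opt + hdrs + body

def make_samples():
    """Constructed clean host, and the same host with its entry bytes redirected into 4099
    bytes of filler appended to the last section (the infection pattern, not virus code)."""
    text, data = b"\x55\x8b\xec" + b"\x90" * 29, b"\0" * 16
    clean = build_pe(0x1000, [(b".text", 0x1000, text), (b".data", 0x2000, data)])
    jmp = b"\xe9" + struct.pack("<i", 0x2000 + len(data) - (0x1000 + 5))
    infected = build_pe(0x1000, [(b".text", 0x1000, jmp + text[5:]), (b".data", 0x2000, data + b"\xcc" * 4099)])
    return clean, infected
```

Linkers, packers and some protectors produce the same entry-point shape, so a hit is a triage signal for closer inspection, not a detection on its own.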

by: Cary Ng
SARC US
http://www.sarc.com/avcenter/venc/data/fun.love.html

Happy99.Worm Removal Tool

Common

PC

The FIXHAPPY tool is designed to safely remove Happy99.Worm (a.k.a. W32.Ska) files and restore the WSOCK32.DLL in Windows systems.

FIXHAPPY accomplishes the following:

  • Deletes the SKA.EXE and SKA.DLL files from the Windows System directory (usually C:\WINDOWS\SYSTEM). Happy99.Worm inserts these two files when it installs itself to the system.
  • Restores WSOCK32.DLL. Happy99.Worm modifies WSOCK32.DLL to hook the mail-sending and newsgroup article-posting routines.
  • Removes the following Windows Registry modification:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

    Happy99.Worm adds this Windows Registry entry if WSOCK32.DLL is in use when the worm attempts to modify it (i.e. a user is online or connected to a network).

You will still need to delete the Happy99.Worm file, usually named HAPPY99.EXE (i.e. the file that NAV detects as "Happy99.Worm").

Download:
FIXHAPPY.EXE
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/fixhappy.exe

Report of the Second AVAR Conference

The second AVAR (Association of Anti-Virus Asia Researchers) Conference was held in Seoul, Korea on 28 and 29 October. There were about 50 participants, and speakers came from as far as the USA.

Seiji Murakami (JCSR, AVAR Chairman, Japan) and Charles Ahn (Dr. Ahn's Anti-Virus Laboratories Inc., AVAR Vice Chairman, Korea) opened the conference and welcomed the participants. Mr. Murakami gave his vision for the development of AVAR in preventing the spread of and damage caused by computer viruses by exchanging information around the Asia Pacific region. He hoped to see local branches established in each country to provide local activities and information. Dr. Ahn highlighted the importance of real-time exchange of information to respond to increasing damage caused by viruses.

Chul Soo Lee (President, Korea Information Security Agency, Korea) warned of the trend from viruses written for fun or showing off to cyber-crime. He said that technical and legal standards were necessary to prevent this, and the Korean Government was working on it and they would help and co-operate with AVAR.

Mr. Cho Kyu-Hong (Trend Micro Korea) spoke on behalf of Richard Ku (Trend Micro, USA) and described the issues involved in developing anti-virus software for three versions of Microsoft Exchange: 5.5, 5.5 SP3 and 2000.

Masaaki Kimura (Ministry of International Trade and Industry, Japan) talked about security policy and anti-virus activities in Japan. He covered the guidelines issued, Japanese law and the growing number of reports of damage received. He said that the Japanese Government would contribute in the fight against viruses and would assist AVAR.

Allan Dyer (Yui Kee, Hong Kong) addressed the problem of a generation gap in computer knowledge, which could lead to children getting into inappropriate computer activities, including virus writing. He called for improvements in school curriculums to include IT ethics, safety and security.

Seok Chul Kwon (HAURI, Korea) reviewed the development of anti-virus technology and its future.

Hantae Kim (Symantec, Korea) looked at virus trends and outlined the digital immune system.

The second day started with Motoaki Yamamura (Symantec, USA), who demonstrated the increased speed in which worms are spreading and discussed the changes in policies that would be necessary if we had a new worm every week or every minute.

Chae Ho Lim (Korea Information Security Agency, Korea) reported on security incident response and anti-virus activities in Korea. He described the organisations that exist in Korea, including CERTCC-KR and CONCERT, their relationships and connections with similar organisations abroad. CIH hit Korea particularly badly, with 160,000 to 240,000 activations; Mr. Chae described how the incident developed and the lessons to be learnt.

Motoi Endo (JCSR, Japan) talked about anti-virus policies, the difficulties of getting users to follow them and some ideas to help.

Allan Dyer described his experiences in preparing and teaching a module on viruses and worms for a course on Information and Internet security. He suggested that the course material he prepared, with improvements, could become the basis of a "common body of knowledge" for anti-virus professionals.

Closing the conference, Charles Ahn (Dr. Ahn's Anti-Virus Laboratories Inc., Korea), a medical doctor turned anti-virus researcher and a famous person in Korea for developing the first Korean anti-virus software, took us through the history of computer viruses in Korea.

The AVAR 2000 conference will be held in Japan. More information on AVAR can be found at
http://www.aavar.org/

by Allan Dyer
Director (Technical Division), AVAR.


SARC Glossary, what's the difference between a virus and a worm?

Contacts

Correspondence by email to: sarc.avnews@symantec.com
Send virus samples to:
avsubmit@symantec.com
Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html

To Subscribe and Unsubscribe

To be added or removed from the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/help/subscribe.html
SARC AntiVirus News Update is published periodically by Symantec Corporation. No Reprint without Permission in writing, in advance.

All information contained in this newsletter is accurate and valid as of the date of issue.

Copyright © 1996-1999 Symantec Corporation. All rights reserved.