Virus Alerts & Information
 


 

Want to be informed of nasty virus outbreaks as they happen?  Subscribe to our Virus Alert E-mail Notifications!  Just go to our Comment Form and let us know that you want in!

January 3, 2006 - WMF Picture Flaw

A security risk has been discovered in the way Microsoft Windows displays certain types of images.  Pictures with the WMF extension in their name can, under very specific conditions, allow hackers to infect computers using programs hidden inside the image files.  Unlike a normal virus infection, which usually requires opening an infected attachment or program, WMF files can be embedded into web pages or the body of an e-mail, and simply viewing a contaminated WMF picture can trigger an attack.

This vulnerability affects ALL versions of Windows, from Windows 95 up to the latest Windows XP with Service Pack 2.

Microsoft has said that a patch for the issue is forthcoming… however, they currently do not plan on releasing the patch sooner than January 10.  In the meantime, it is recommended that Windows PC users do the following:

  1. Be careful about where you browse on the Internet.  Do not go to web sites that are unknown or potentially shady.  Stick with the web sites that you usually frequent (main news sites, company sites, and sites with well-known names are safe).

  2. Do not open e-mail from sources that are not trustworthy or were not expected.

Of course, #2 can be difficult if you often receive unsolicited e-mails, especially if it is a function of your business.  In those cases, you can protect yourself by not allowing pictures to be displayed within the e-mail.  To activate this feature, you must do the following:

If you use Outlook 2003: automatic picture blocking is turned on by default, which will prevent the pictures from showing within an e-mail (do NOT right-click to download pictures).  If pictures are not being blocked within your copy of Outlook 2003, you may reactivate the feature as follows:

  1. Click on the Tools drop-down menu and choose Options

  2. Click on the Security tab at the top and then click on the "Change Automatic Download Settings" button

  3. Click on all four check boxes displayed and then click OK on that window and also the previous one

If you use Outlook Express: you can protect yourself by displaying all e-mail in your Inbox as text only.  To activate this feature:

  1. Click on the Tools drop-down menu and choose Options

  2. Click on the Read tab at the top and then click on the check box labeled "Read all messages in plain text"

  3. Click the OK button

If you use Outlook 2000 or Outlook 2002 (XP), there is no provided way to prevent e-mails from displaying pictures.  You can, however, turn off the Preview Pane that instantly displays any selected e-mail.  To turn off the Preview Pane:

  1. If not there already, switch to the Inbox folder

  2. Click on the View drop-down menu

  3. Click on the item labeled "Preview Pane"; this will toggle the display of the Preview Pane.  Click it again to turn it back on.  Note that this will NOT prevent the pictures from being displayed if you open (double-click) an e-mail.  You will still need to exercise caution.

If you are not sure which program listed above you use, open whichever program you use for e-mail, and then click on the Help menu and choose the item starting with "About".  This will identify the program and version.

Users of America Online and web-based e-mail (such as Hotmail or Yahoo Mail) generally will have protection from this flaw through the e-mail provider.  However, those users should still be careful opening unsolicited e-mails, as the protection may not be 100%.

As stated previously, Microsoft plans on releasing a fix for the problem on January 10.  If your computer is set to receive Automatic Updates, it should download the update on its own once it is available and (if necessary) ask you to install the update.  If you wish to manually retrieve the update once it is available, go to http://windowsupdate.microsoft.com.

You can view the statement from Microsoft regarding the WMF Picture flaw and its intent on a fix at:

http://www.microsoft.com/presspass/press/2006/jan06/01-03WMFUpdatePR.mspx

 

May 4, 2004 - Sasser Worm

Yet another worm is making the rounds on the Internet.  This one is called Sasser, and so far four different variations have appeared (with more surely to follow).  Like most other computer worms, Sasser can travel from PC to PC WITHOUT USER INTERVENTION, and can infect your PC without you knowing it, unlike a virus which usually has to travel via e-mail or a floppy disk. 

Also, just like the MSBlaster worm that infected so many systems last year, this worm takes advantage of a flaw in Windows 2000 and Windows XP that Microsoft has already released a patch for via their Windows Update site. 

Your PC is at risk from the Sasser worm if the following are true: 

  1. You have a PC with Windows 2000 or Windows XP (NOTE: Windows 98 / Millennium PCs, while not affected by Sasser, CAN be a carrier and pass it on to other PCs).

  2. Your PC is not behind a router or firewall and is not running any adequate firewall software (ZoneAlarm, Norton Internet Security, etc.)

  3. You have not applied any Critical Updates recently, either through the Windows Update web site or from the automatic updates feature (the "New Updates Are Ready To Install" message that pops up in the lower right corner of the screen).

Full details about the Sasser worm can be found here: http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html.

While the Sasser worm does no real damage to any of your programs or documents, it will likely slow down your PC to the point where it is virtually unusable.  It also may shut down your PC at will. 

To stop the worm's activity, you will need to do three things: 

  1. End the system processes that make up the worm.  Go into the Windows Task Manager by hitting Ctrl-Alt-Delete on your keyboard.  Click on the Processes tab and look for any process called "avserve.exe" or "avserve2.exe" (later versions of Sasser may have variations on the name).  If you find this process, click on the End Process button to stop it.  Also look for any processes that are named with a four or five digit number, followed by "_up.exe", and stop those as well.

  2. Run the Sasser Removal tool provided here: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

  3. Go to http://windowsupdate.microsoft.com and download and install any and all Critical Updates listed.

Make sure you do as many of these steps as you can before restarting your computer, as it can be easily re-infected shortly after reboot.
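The process check from step 1 can also be run against a saved process listing. The following is an added example, not part of the original alert; it assumes the listing was produced with `tasklist /FO CSV /NH` (image name in the first column, PID in the second), and the sample rows are constructed.

```python
import csv
import io
import re

# Process names given in the alert: avserve.exe, avserve2.exe, and a
# four- or five-digit number followed by "_up.exe". Later variants may use
# other names, which these patterns will not catch.
SASSER_PATTERNS = (
    re.compile(r"^avserve2?\.exe$", re.IGNORECASE),
    re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE),
)

def find_sasser_processes(tasklist_csv):
    """Return [(image_name, pid)] for rows whose image name matches."""
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) < 2:
            continue                      # blank or malformed row
        name, pid = row[0].strip(), row[1].strip()
        if not pid.isdigit():
            continue                      # header row or unexpected format
        if any(p.match(name) for p in SASSER_PATTERNS):
            hits.append((name, int(pid)))
    return hits

# Constructed sample listing (not captured from a real system).
SAMPLE = '''"System Idle Process","0","Console","0","16 K"
"explorer.exe","1432","Console","0","18,244 K"
"avserve2.exe","1896","Console","0","2,104 K"
"12345_up.exe","2020","Console","0","1,560 K"
"123_up.exe","2044","Console","0","1,000 K"
"backup_up.exe","2100","Console","0","1,000 K"
'''

if __name__ == "__main__":
    for name, pid in find_sasser_processes(SAMPLE):
        print(f"Suspicious process {name} (PID {pid}): end it, then run the removal tool")
```

A three-digit name or a non-numeric name ending in "_up.exe" is deliberately not flagged, since the alert only describes four- and five-digit names.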

Once again, we recommend that PC users be diligent about keeping their system patches and antivirus programs up to date.  Windows 2000 and Windows XP are designed to automatically download necessary updates and notify you when they are ready to be installed.  Antivirus programs released within the past four years also will automatically obtain these updates.  Do NOT consistently ignore update notifications as they appear on your PC, as worms like Sasser take advantage of PCs behind on their updates. 

Also, if you have any sort of broadband Internet connection (cable modem, DSL, or T1), make SURE that you either have a router or firewall box between your PC and the broadband line, or have a firewall software program running on your PC.  Cable Modem and DSL companies are usually not very good at informing their customers of this necessity.

 

January 26, 2004 - MyDoom (Novarg) Worm

There is a very nasty little worm that started running around the Internet Monday... MyDoom.  Also known as Novarg, this particular worm disguises itself as a mail delivery error, and will likely appear to come from someone you know (without their knowledge).  The message will look like this:

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The attachment, which may or may not appear like a text file, will do the following things if run: 

  1. Copies itself to your PC and sets itself up to run at PC boot

  2. Sets up its own mini-mail server, collects as many e-mail addresses as it can find on your PC, and mails itself to them all (often as if from you)

  3. Sets up a proxy server, potentially to record your keyboard input (social security numbers, credit cards, etc.)

  4. Copies itself to the Kazaa download folder for availability to other Kazaa users, if you use that program

  5. Launches a Denial of Service attack against a web site (SCO Group, a UNIX provider)

Because this looks like a standard mail error, this worm has spread very rapidly, causing a lot of mayhem.  If you receive an e-mail that purports to be an error, DO NOT OPEN THE ATTACHMENT.  If you think the e-mail may be an actual mail error, call or e-mail the sender of the message and verify first that they actually sent that message (NOTE: if you e-mail, send a new e-mail; do NOT hit Reply on the one you received).
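A mail administrator can screen for this lure before it reaches an inbox. The following is an added example, not part of the original alert; it assumes each of the three message lines quoted above is an independent indicator and flags a message only when one of them appears together with an attachment. The sample message, addresses and file name are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# The three body lines quoted in the alert.
LURE_LINES = (
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
)

def _norm(text):
    """Collapse whitespace and case so re-wrapped bodies still match."""
    return " ".join(text.split()).lower()

def check_message(raw_bytes):
    """Return (suspicious, matched_lines, attachment_names) for a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            attachments.append(part.get_filename() or "(unnamed)")
        elif part.get_content_type() == "text/plain":
            body.append(part.get_content())
    text = _norm(" ".join(body))
    matched = [line for line in LURE_LINES if _norm(line) in text]
    # The lure text alone is harmless; the risk is the attachment it pushes.
    return bool(matched) and bool(attachments), matched, attachments

def build_sample(body, with_attachment):
    """Constructed test message; addresses and file name are placeholders."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "Mail delivery notice (constructed sample)"
    m.set_content(body)
    if with_attachment:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename="placeholder.bin")
    return m.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample(LURE_LINES[0], True)))
```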

If you would like to see the detailed information regarding the MyDoom / Novarg worm, including instructions on how to remove the worm, you may find it at http://www.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html.

As always, we recommend that you keep your antivirus program up to date.  Both Norton AntiVirus and McAfee VirusScan have already released new updates that will catch this latest worm, as well as all other current viruses, worms, and Trojan horses.

 

September 17, 2003 - New Impending Worm Threat

A week ago, Microsoft announced that another security hole had been discovered in their Windows NT, Windows 2000, Windows XP and Windows Server 2003 products.  The hole is very similar to the one that allowed the MSBlaster worm to spread so quickly.  Microsoft has issued a patch for the current security hole, but this time we may not have to wait very long for a new worm or virus to take advantage of the flaw.  Security firms have already detected activity on the Internet that indicates attempts to exploit the issue, so it may be just a matter of days (or even hours) before another worm begins its run.

If any of your PCs run Windows NT, Windows 2000, Windows XP or Windows Server 2003 and those PCs have not had any Critical Updates applied within the last week, I would recommend that you take the time to do so as soon as possible.  You may click on the Windows Update icon within your Start Menu (if available), choose Windows Update from the Tools drop-down menu of your Internet Explorer browser, or go to http://windowsupdate.microsoft.com to install the new updates.  If you are not sure whether the update has been applied, please go to the site anyway, as it will check whether your system has the updates before offering to install them.

You may also directly download the patch to this specific security hole by going to http://www.microsoft.com/security/security_bulletins/ms03-039.asp.

As these latest virus threats have demonstrated, the time between discovery of a flaw and exploitation of that flaw can be very short.  The best way to stay ahead of the threats is to apply critical updates as soon as they become available.  Windows XP, Windows Server 2003 and Windows 2000 systems will receive on-screen notifications once new updates are ready to install (Windows 2000 systems should be updated to Service Pack 3 or later to receive these notifications).  All other Windows operating systems can obtain a Critical Update Notification tool from the Windows Update site that will operate in a similar fashion.  At the very least, make sure you visit the Windows Update site on a regular basis to make sure your PCs are up to date.

 

August 13, 2003 - MSBlaster Worm

As you may have heard on the news, there is a worm that is making the rounds on the Internet called MSBlaster (or LovSAN). A worm is different than the average virus that you can receive via e-mail or a floppy disk; it can travel from system to system WITHOUT USER INTERVENTION, and can infect your PC without you knowing it.

To be affected by MSBlaster, your PC must have either Windows 2000 or Windows XP as the operating system. If you do not have either of these, you are currently safe from this one. To check which operating system you have, do the following:

  1. Click with the right mouse button on the My Computer icon on the desktop (or in the Start Menu, if present).

  2. When the pop-up menu box displays, click with the left mouse button on Properties.

  3. The dialog box that appears will identify the operating system you have.

Also, for Windows 2000 and Windows XP systems to be vulnerable, two other conditions must be true:

  1. The PC is NOT connected to the Internet through a network router or a firewall, and the PC is not running any firewall software.

  2. Critical updates to these operating systems have NOT been applied in the past month.

The typical PC user that will be affected by this worm will be the home user or small business user that works on a PC purchased or upgraded within the past two years.

The good news for those users unfortunate enough to catch the worm is that data and documents will not be affected... you won't lose anything. The bad news is that you'll have a hard time getting to them, as you'll likely see a great deal of system instability, crashes, and lockups.

If you meet the criteria above and you think you may have caught the worm, you will want to check out the details of the MSBlaster worm at this web page:

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

This page explains all of the details of this threat, including how to remove the worm if infected. You may also download their automatic removal tool at this page:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Once you have cleaned the worm out of your PC, you will want to do the following:

  1. Go to windowsupdate.microsoft.com (or click on the "Windows Update" icon on your Start Menu, if present) and download all Critical Updates available for your system. They will be automatically selected, including the fix for this worm.

  2. Open up your antivirus software and update the virus detection (virus definitions).

Both Windows 2000 and Windows XP have a feature called Automatic Updates, which regularly checks for patches to serious issues with these operating systems as they are exposed, and will even download them automatically if set to do so. Many of you might have seen notifications pop up on your screen, telling you that updates are ready to install. As always, my recommendation is to apply these updates as soon as it's convenient, as Microsoft usually discovers and fixes these problems before somebody actually exploits them. Some people who have been affected by this worm are surprised to learn that the fix to the problem has been waiting to be installed on their PC for a month.

Also, we recommend that any home PC with ANY operating system that is connected to the Internet via broadband (i.e. cable modem, DSL, or ISDN) install a firewall program to keep malicious programs - and hackers - out of your system. Dial-Up modem users may want to consider this as well, especially if you usually browse the Internet for more than just a moment or two. Firewall programs can be purchased at any electronics superstore or office supply store... I recommend Norton Internet Security, as it includes both firewall and antivirus solutions. A free firewall program called ZoneAlarm is available at www.zonelabs.com. If you have Windows XP, you can also use the built-in Internet Connection Firewall from within the Properties of your Dial-Up connection.


 

Quixotic Computing
P.O. Box 150724
Grand Rapids, MI 49515-0724
Phone: (616) 318-3729
Fax: (616) 361-9507