spring.net — live bbs — text/plain
The SpringComputer › topic 14

virus

topic 14 · 57 responses
~terry Mon, Mar 29, 1999 (13:00) seed
Computer virii of all types and what to do about them are covered in this topic.
~terry Mon, Mar 29, 1999 (13:01) #1
Feds issue warning as email virus spreads
By Stephen Shankland and Kim Girard, Staff Writers, CNET News.com
March 29, 1999, 7:40 a.m. PT
update A tricky new computer virus spreading across the Internet continued to paralyze corporate email systems across the globe this morning as experts grappled with how to stop it. Network managers moved quickly over the weekend to control the virus, called W97M Melissa, which takes advantage of users' email address books to replicate extremely quickly. As reported previously by CNET News.com, once activated, W97M Melissa uses a combination of Microsoft Word macros and Microsoft Outlook on a user's PC to send copies of a list of 80 pornographic Web sites. It works with either Word 97 or Word 2000, according to antivirus companies TrendMicro, McAfee, and Network Associates. The program is somewhat devious in that it sends itself from the email addresses of people who are likely to be familiar contacts, arriving as email with the subject line "Important message from..." followed by the sender's name. The body says "Here is that document you asked for...don't show anyone else ;-)." The email includes an attached Word file "list.doc," which includes the porn sites' addresses. It could take more than several days to get the virus under control, experts said. TrendMicro is warning that 20 to 30 variants of the virus could show up by tomorrow, making filtering the virus at the email server level even more difficult. "This has the potential to get worse before it gets better," said Jeff Carpenter, team leader of Carnegie Mellon's Computer Emergency Response Team (CERT). As of last night, more than 100 organizations had called CERT for help, he said. "We've never seen something spread like this before."
Carpenter said companies are taking steps to combat the virus by posting warnings for employees on their front-door entrances, rolling out new versions of antivirus packages to protect PCs, advising employees not to open email attachments from users they do not know, and disabling macros in Microsoft Word. Over the weekend, CERT issued an advisory detailing how users can combat Melissa. Carpenter said companies such as law firms and accounting firms are particularly wary about the risk, as confidential information from a word document can leak out via email as a result of the virus. The virus doesn't appear to cause any damage to infected computers except in rare cases when the minutes of the current time match the date--for example at 4:26 p.m. on March 26. In this instance, the virus will insert the Bart Simpson quotation, "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here," into a user's active document. Because the virus sends itself to potentially thousands of contacts contained in a user's address distribution list, however, there's a possibility that the virus could overwhelm mail servers. Users won't get the virus by opening up a message, only by opening the attached document. Experts are warning people not to open documents attached to messages from people they don't know. Even the FBI and the National Infrastructure Protection Center have issued an unprecedented public warning about the virus. Michael Vatis, director of the NIPC, stated in a memo, "Email users have the ability to significantly affect the outcome of this incident. I urge [them] to exercise caution when reading their email over the next few days and to bring unusual messages to the attention of their system administrator." The virus first was spotted last Friday, according to TrendMicro and others. It is believed to have originated in Western Europe and was first discovered on the alt.sex newsgroup. 
"We've been swamped all day with customers calling in with this," said Dan Schrader, director of product marketing at TrendMicro, when contacted last Friday. "It's spreading extremely quickly. Twenty major corporate sites have called us." Melissa is similar to an "autospam" virus called "Share Fun" that emerged in March 1997, Schrader said, but that virus was buggy and not as effective. There have been viruses that spread through the address books in the past, "but never this effectively," Schrader said. Network Associates estimated the virus has already hit hundreds of thousands of computers. Microsoft shut down outbound mail so it wouldn't impact customers or partners last Friday. However, after installing filtering software the company resumed outbound mail service. Waggener Edstrom, Microsoft's public relations agency, also got hit by Melissa, which brought the agency's email system down. Intel was hit internally as well. Twenty of Network Associate's largest clients were infected; one firm alone said it had reached 60,000 computers. "The propagation rate has been alarming," a company spokesperson said. Tom Moske, a network administrator at USWeb/CKS, ran into the virus this afternoon when the virus spread itself from people in his company who had opened the attachment. And he had cause to appreciate the devious nature of the virus, since it spread from employees in his company to the business clients of USWeb/CKS. "It's the most intrusive I've ever seen," he said. "This is worldwide spam." TrendMicro said the virus can be detected using its free Web-based "house call" service. Because the virus spreads itself automatically, it could be termed a "worm." The author apparently appreciated this, remarking in the virus code: "Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!"
~terry Fri, Apr 2, 1999 (09:08) #2
Date: Tue, 30 Mar 1999 16:51:23 -0800
From: Rob Slade
Subject: Melissa macro virus
A report prepared by Robert M. Slade
The following is an attempt to bring together the information about the Melissa virus. It is taken from the most reliable available sources. Additional sites have been listed at the end of the article. I have not added a copyright line to this message in order to allow it to be used as needed. I will be posting the latest updated version of this article at http://sun.soci.niu.edu/~rslade/melissa.txt and http://victoria.tc.ca/techrev/melissa.txt. The virus, generally referred to as W97M.Melissa.A (with some variations: Symantec, in a rather strained effort to be cute, seems to be calling it "Mailissa"), is a MS Word macro virus. This means that, if you don't use Word, you are safe. Completely safe. (Except for being dependent upon other people who might slow their/your mail server down. More on that later.) If you need to look at MS Word documents, there is a document viewer available (free, as it happens) from Microsoft. This viewer will not execute macros, so it is safe from infection. In the messages about Melissa, there have been many references to the mythical and non-existent "Good Times" virus. Note that simply reading the text of a message still cannot infect you. However, note also that many mailers, in the name of convenience, are becoming more and more automated, and much of this automation concerns running attached files for you. As Padgett Peterson, author of one of the best macro virus protection tools, has stated, "For years we have been saying you could not get a virus just by opening E-Mail. That bug is being fixed." Melissa does not carry any specifically damaging payload. If the message is triggered there will be text added to the active document. The mailout function can cause a large number of messages to be generated very quickly, and this has caused the shutdown of a number of corporate mail servers.
If you have Word set with macros disabled, then the virus will not activate. However, relying on this protection is a very dangerous proposition. Previous macro viruses have also killed macro protection in Word, and this one does as well. The name "Melissa" comes from the class module that contains the virus. The name is also used in the registry flag set by the virus. The virus is spread, of course, by infected Word documents. What has made it the "bug du jour" is that it spreads *itself* via e-mail. We have known about viruses being spread as attachments to e-mail for a long time, and have been warning people not to execute attachments (or read Word documents sent as attachments) if you don't know where they came from. Happy99 is a good example: it has spread very widely in the past month by sending itself out as an e-mail attachment whenever it infects a system. Melissa was originally posted to the alt.sex newsgroup. At that time it was LIST.DOC, and purported to be a list of passwords for sex sites. I have seen at least one message theorizing that Melissa is someone's ill-conceived punishment for viewers of pornography. This hypothesis is extremely unlikely. Sending a virus to a sex related newsgroup seems to be a reliable way to ensure that a number of stupid people will read and/or execute your program, and start your new virus off with a bang. (No pun intended.) If you get a message with a Melissa infected document, and do whatever you need to do to "invoke" the attachment, and have Word on your system as the default program for .doc files, Word starts up, reads in the document, and the macro is ready to start. If you have Word's "macro security" enabled (which is not the default) it will tell you that there is a macro in the document. Few people understand the import of the warning, and there is no distinction between legitimate macros and macro viruses.
Because of a technical difference between normal macros and "VBA objects," if you ask for a list of the macros in the document, Melissa will not show up. It will be visible if you use the Visual Basic Editor, but only after you have loaded the infected file. Assuming that the macro starts executing, several things happen. The virus first checks to see if Word 97 (Word 8) or Word 2000 (Word 9) is running. If so, it reduces the level of the security warnings on Word so that you will receive no future warnings. In Word97, the virus disables the Tools/Macro menu commands, the Confirm Conversions option, the MS Word macro virus protection, and the Save Normal Template prompt. It "upconverts" to Word 2000 quite nicely, and there disables the Tools/Macro/Security menu. Specifically, under Word 97 it blocks access to the Tools|Macro menu item, meaning you cannot check any macros. It also turns off the warnings for conversion, macro detection, and to save modifications to the NORMAL.DOT file. Under Word 2000 it blocks access to the menu item that allows you to raise your security level, and sets your macro virus detection to the lowest level, that is, none. (Since the access to the macro security menu item is blocked, I do not know how this feature can be reversed, other than programmatically or by reinstallation.) After this, the virus checks for the HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?\ registry key with a value of "... by Kwyjibo". (The "kwyjibo" entry seems to be a reference to the "Bart the Genius" episode of the "Simpsons" television program where this word was used to win a Scrabble match.) If this is the first time you have been infected (and this "first time" business is slightly complicated), then the macro starts up Outlook, in the background, and sends itself as an attachment to the "top" 50 names in *each* of your address lists. (Melissa will *not* use Outlook Express.)
Most people have only one (the default is "Contacts"), but if you have more than one then Outlook will send more than 50 copies of the message. Outlook also sorts address lists such that mailing lists are at the top of the list, so this can get a much wider dispersal than just fifty copies of the message/virus. There was also a mention on one message about MAPI and Exchange servers, which may give access to a very large number of mailing lists. From other reports, though, people who use Exchange mail server are being particularly hard hit. Then again, people who use Exchange are probably also standardized on Word and Outlook. Some have suggested setting this registry key as a preventive measure, but note that it only prevents the mailout. It does not prevent infection. If you are infected, and the registry key is removed at a later date, then a mailout will be triggered the next time an infected document is read. Once the messages have been sent, the virus sets the Melissa flag in the registry, and looks for it to check whether or not to send itself out on subsequent infections. If the flag does not persist, then there will be subsequent mass mailings. Because the key is set in HKEY_CURRENT_USER, system administrators may have set permissions such that changes made are not saved, and thus the key will not persist. In addition, multiple users on the same machine will likely each trigger a separate mailout, and the probability of cross infection on a common machine is very high. Since it is a macro virus, it will infect your NORMAL.DOT, and will infect all documents thereafter. The macro within NORMAL.DOT is "Document_Close()" so that any document that is worked on will be infected when it is closed. When a document is infected the macro inserted is "Document_Open()" so that the macro runs when the document is opened. Note that *not* using Outlook does not protect you from the virus, it only means that the 50 copies will not be automatically sent out. 
If you use Word but not Outlook, you will still be infected, and may still send out infected documents on your own. The virus also will not invoke the mailout on Mac systems, but definitely can be stored and resent from Macs. At this time I do not have reliable information about whether it can reproduce on Macs (there is one report that it does), but the likelihood is that it can. Vesselin Bontchev has noted that the virus never explicitly terminates the Outlook program. It is possible that multiple copies may be invoked, and may create memory problems. However, this has not been confirmed, and is not probable given the "first time" flag that is set. The message appears to come from the person just infected, of course, since it really is sent from that machine. This means that when you get an "infected" message it will probably appear to come from someone you know and deal with. The subject line is "Important Message From: [name of sender]" with the name taken from the registration settings in Word. The text of the body states "Here is that document you asked for ... don't show anyone else ;-)". Thus, the message is easily identifiable: that subject line, the very brief message, and an attached Word document (file with a .doc extension to the filename). If you receive a message of this form *DO NOT OPEN THE DOCUMENT WITH WORD!* If you do not have alternate means or competent virus assistance, the best recourse is to delete the message, and attachment, and to send a message to the sender alerting them to the fact that they are, very likely, infected. Please note all the specifics in this paragraph, and do not start a panic by sending warnings to everyone who sends you any message with an attachment. However, please also note that, as with any Word macro virus, the source code travels with the infection, and it will be very easy to create modifications to Melissa. (The source code has already been posted to one Web site.)
We will, no doubt very soon, start seeing many Melissa variants with different subjects and messages. There is already one similar Excel macro virus, called "Papa." The virus contains the text "Fred Cohen" and "all.net," leading one rather ignorant reporter to assume that Fred was the author. Dr. Cohen was the first person to do formal research into viral programs. There is a message that is displayed approximately one time in sixty. The exact trigger is if the current system time minute field matches the current system time day of the month field when the virus is run. In that case, you will see "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." typed into your document. (This is another reference to the "Simpsons" episode referred to earlier.) One rather important point: the document passed is the active document, not necessarily the original posted on alt.sex. So, for example, if I am infected, and prepare some confidential information for you in Word, and send you an attachment with the Word document, containing sensitive information that neither you nor I want made public (say, the fact that Bill Gates is a jerk for having designed the technology this way), and you read it in Word, and you have Outlook on your machine, then that document will be mailed out to the top 50 people in your address book. Rather ironically, a clue to the identity of the perpetrator may have come from the identification number embedding scheme recently admitted by Microsoft as having been included with Office and Windows 98. [Traced to an AOL user, apparently... PGN] A number of fixes for mail servers and mail filtering systems have been devised very quickly. However, note that not all of these have been fully tested or debugged. One version that I saw would trap most of the warning messages about Melissa. Note that any Word document can be infected, and that an infected user may unintentionally send you an infected document.
All Word documents, and indeed all Office files, should be checked for infection before you load them.
Information and antiviral updates (some URLs are wrapped):
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
http://www.ciac.org/ciac/bulletins/j-037.shtml
ftp://ftp.complex.is/pub/macrdef2.zip
http://www.complex.is/f-prot/f-prot.html
http://chkpt.zdnet.com/chkpt/hud0007500a/www.zdnet.com/zdnn/stories/news/0,4586,2233030,00.html
http://www.zdnet.com/zdnn/special/melissavirus.html
http://www.symantec.com/techsupp/mailissa.html
http://www.antivirus.com/vinfo/security/sa032699.htm
http://www.avp.com/melissa/melissa.html
http://www.microsoft.com/security/bulletins/ms99-002.asp
http://www.sendmail.com/blockmelissa.html
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
http://www.innosoft.com/iii/pmdf/virus-word-emergency.html
http://www.sophos.com/downloads/ide/index.html#melissa
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
http://www.pcworld.com/cgi-bin/pcwtoday?ID=10302
http://www.internetnews.com/bus-news/article/0,1087,3_89011,00.html
http://cnn.com/TECH/computing/9903/29/melissa.copycat.idg/
http://www.pcworld.com/cgi-bin/pcwtoday?ID=10308
rslade@vcn.bc.ca rslade@sprint.ca robertslade@usa.net p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
------------------------------
Doesn't get much more informative than this!
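
Added example (not part of the post above or of any vendor's filter): the report says the message is identifiable by its subject line, brief body and attached Word document, and that one hastily built filter trapped warning messages about Melissa. The Python below keys the quarantine decision on the attachment plus the text, so plain-text warnings still get through; the function names, verdict labels and sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Text indicators quoted in the report above. Variants are expected to change
# the wording, so a Word attachment on its own is still routed to a scanner.
SUBJECT_RE = re.compile(r"^\s*important message from\b", re.IGNORECASE)
BODY_RE = re.compile(r"here is that document you asked for", re.IGNORECASE)
WORD_EXTS = (".doc", ".dot")


def word_attachments(msg):
    """Return the file names of attached Word documents or templates."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(WORD_EXTS):
            names.append(name)
    return names


def classify(raw_message):
    """Return (verdict, evidence) for one RFC 822 message given as a string.

    quarantine: Word attachment plus a Melissa text indicator
    scan:       Word attachment only; hand it to the antivirus scanner
    deliver:    no Word attachment, even if the text quotes the indicators
                (this is what keeps warnings about the virus flowing)
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    docs = word_attachments(msg)

    indicators = []
    if SUBJECT_RE.search(subject):
        indicators.append("subject")
    if BODY_RE.search(body):
        indicators.append("body")

    if docs and indicators:
        return "quarantine", indicators + docs
    if docs:
        return "scan", docs
    return "deliver", indicators


def build_sample(subject, body, attachment=None):
    """Build a constructed sample message; none of this is real traffic."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder, not a real document",
                         maintype="application", subtype="msword",
                         filename=attachment)
    return m.as_string()


MELISSA_BODY = "Here is that document you asked for ... don't show anyone else ;-)"

# Constructed samples: the original form, a warning that quotes it, an
# ordinary business document, and a variant with a changed subject line.
SAMPLES = {
    "original": build_sample("Important Message From: Alice Example",
                             MELISSA_BODY, "list.doc"),
    "warning": build_sample("Virus warning",
                            "Delete mail that says 'Here is that document "
                            "you asked for' and carries a .doc file."),
    "ordinary": build_sample("Q1 budget", "Draft attached.", "budget.doc"),
    "variant": build_sample("Re: lunch", MELISSA_BODY, "notes.DOC"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```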
~KitchenManager Sun, May 2, 1999 (13:32) #3
'tis probably true...
~MarciaH Mon, Dec 13, 1999 (13:58) #4
COMPUTER VIRUSES
STAR TREK VIRUS: Invades your system in places where no virus has gone before.
MR. SPOCK VIRUS: You can only access logical files.
MOTHER VIRUS: Generally harmless, but does not allow access to your SVGA graphics; "They're too sharp and could poke an eye out!"
MOTHER-IN-LAW VIRUS: When you try to run a file, a message appears: "You're not good enough to run this program."
THE TEENAGER VIRUS: Your PC stops every few seconds to ask for money.
THE CHILD VIRUS: It constantly does annoying things, but is too cute to get rid of.
HEALTHCARE VIRUS: Tests your system for a day, finds nothing wrong, and sends you a bill for $4500.
QUANTUM LEAP VIRUS: One day your PC is a laptop, the next day it is a Macintosh, then a Nintendo.
THE PRISON VIRUS: It locks up your system.
CENSOR'S VIRUS: It decides what you're allowed to run.
AIRLINE VIRUS: You're in Dallas, but your data is in Singapore.
PBS VIRUS: Your PC stops every few minutes to ask for money.
TEXAS VIRUS: Makes sure that it's bigger than any other file.
~sprin5 Fri, May 5, 2000 (07:37) #5
Dateline: 5/4/00
The "I Love You" worm is spreading world-wide at an extremely rapid pace, slipping past firewalls and antivirus programs. Discard emails with the subject "I Love You" and attachments titled "LOVE-LETTER-FOR-YOU.TXT.VBS." Because variants are likely to occur fairly soon, be very careful about opening any attachments - especially with a VBS extension. Reports of massive infections world-wide are rampant. Public relation and investment banks in Asia have been hit particularly hard with this outbreak. After infection users are not able to send and receive email. Many servers are crashing because of all the traffic generated by the worm. Antivirus developers are being pounded with calls and requests for information. Many sites have a server too busy error on the Internet because of all the users attempting to reference online information about the I Love You worm. The I Love You worm uses multiple methods for infecting and spreading through computer systems. The name of the attachment, "LOVE-LETTER-FOR-YOU.TXT.VBS," is designed to fool users into thinking the attachment is a harmless text (.txt) file. This worm attempts to send only one email to each user of a Microsoft Outlook address book on an infected computer. Because this worm is spreading so quickly, individuals may see 100 or more I Love You emails from 100 or more associates (different computers) infected with the worm!
--------------------------------------------------------------------------------
TECHNICAL DETAILS
Virus Type: Worm, Trojan
Origin may be from the Philippines, as indicated by text at the beginning of code for this malware:
rem barok -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
Email Subject: I Love You
Email Attachment: LOVE-LETTER-FOR-YOU.TXT.VBS
Email Body: kindly check the attached LOVELETTER coming from me.
Files Created or Modified
Following infection MSKERNAL32.VBS, LOVE-LETTER-FOR-YOU.TXT.VBS, and LOVE-LETTER-FOR-YOU.HTM are created in the Windows System directory. WIN32DLL.VBS is copied into the Windows directory. If the WinFAT32 subkey is not found on the infected machine the worm creates it and copies itself to the Windows Systems directory as WINFAT32.EXE to run a Trojan each time the computer is booted. The following registry keys are modified to boot the malware each time the computer is booted:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
The start page for Internet Explorer is set to download WIN-BUGSFIX.EXE. If WINFAT32.EXE does exist the following registry key is created, "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX". The Trojan part of this worm creates a hidden window "BAROK...", which runs in memory following a successful Trojan infection of a machine. The Trojan also attempts to delete the following registry keys:
Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
Infection Attempts
This worm infects immediately after the VBS attachment is run by a user. Following infection the worm attempts to infect VBS and VBE files on local and network computers. This worm also searches for files with extensions JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP2, and MP3. When found, the worm creates a file with the same name but with a VBS extension. For example, cool.jpg becomes cool.jpg.vbs. Within mIRC the worm creates a script.ini file in the mIRC program directory to send the LOVE-LETTER-FOR-YOU.HTM to others in a chat room.
Using MAPI, the worm also calls Microsoft Outlook applications to send an email with the worm to each user in the address book.
Damage
May disable sending and receiving of email and crash email servers. Overwrites infected files.
Removal Instructions
1. Download an update to your current antivirus program, or download and update a new antivirus program, and run a scan for ALL files. In an ideal situation this will remove malware from your computer. If not, follow instructions below.
2. See Files Created or Modified section above to locate and remove files from infected drives. Also scan all email files and delete "I Love You" messages and emails with a LOVE-LETTER-FOR-YOU.TXT.VBS attachment.
3. Use REGEDIT to edit the registry, fixing areas noted in Files Created or Modified above. Use REGEDIT with extreme care - for expert users only. To run REGEDIT select "Run..." from the start menu, enter REGEDIT, and press return.
4. Reset Internet Explorer start page to desired start location. Select "Internet Options..." from the View menu to enter desired changes.
5. Delete overwritten files and restore with backup copies.
Prevention
Many antivirus developers have already provided updates to protect against this new worm. Check online sites for more information and update as soon as a fix is available for your antivirus program. Turn off auto-preview and HTML options in email programs, do not open emails with the subject "I Love You", avoid running attachments, NEVER run the LOVE-LETTER-FOR-YOU.TXT.VBS attachment, set updated antivirus scanner to scan ALL files on all drives and run scans on a daily basis if not more often.
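
Added example (not part of the post above or of any antivirus product): a read-only Python scan supporting removal steps 2 and 5. It reports files whose names match those listed under Files Created or Modified, and files where a targeted extension is followed by .vbs or .vbe, with a flag for whether the original is still beside them. The function names, labels and sample tree are constructed for illustration, and treating txt as a decoy extension is an assumption based on the attachment name.

```python
import os
import tempfile

# Names listed under "Files Created or Modified" in the post above,
# lower-cased and spelled exactly as the post spells them.
DROPPED_NAMES = {
    "mskernal32.vbs", "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm", "win32dll.vbs",
    "winfat32.exe", "win-bugsfix.exe",
}
# Extensions the post says the worm looks for. "txt" is an added assumption:
# the attachment name uses it to pass as a text file.
DECOY_EXTS = {"js", "jse", "css", "wsh", "sct", "hta",
              "jpg", "jpeg", "mp2", "mp3", "txt"}
SCRIPT_EXTS = {"vbs", "vbe"}


def classify_name(filename):
    """Return 'dropped-file', 'double-extension' or None for one file name."""
    lower = filename.lower()
    if lower in DROPPED_NAMES:
        return "dropped-file"
    parts = lower.split(".")
    # cool.jpg.vbs -> ['cool', 'jpg', 'vbs']: decoy extension, then a script one
    if len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return None


def scan(root):
    """Walk root and return sorted (relative_path, label, original_present).

    original_present is True or False for double-extension hits (is cool.jpg
    still next to cool.jpg.vbs, or must it come from backup?) and None for
    dropped-file hits. Nothing is deleted or modified.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            label = classify_name(name)
            if label is None:
                continue
            original_present = None
            if label == "double-extension":
                original = os.path.splitext(name)[0]
                original_present = os.path.exists(os.path.join(dirpath, original))
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            findings.append((rel.replace(os.sep, "/"), label, original_present))
    return sorted(findings, key=lambda f: f[0])


def build_constructed_tree(root):
    """Create empty placeholder files that mimic an affected drive."""
    layout = [
        "photos/cool.jpg.vbs",              # original gone: restore from backup
        "photos/holiday.jpg",
        "photos/holiday.jpg.vbs",           # original still present
        "music/song.mp3",                   # untouched
        "scripts/backup.vbs",               # ordinary single-extension script
        "windows/WIN32DLL.VBS",
        "mail/LOVE-LETTER-FOR-YOU.TXT.VBS",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def demo():
    """Scan a constructed temporary tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        return scan(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A name match is only a lead for the antivirus scan in step 1; ordinary scripts such as backup.vbs are deliberately not reported.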
~sprin5 Fri, May 5, 2000 (07:48) #6
I got one of these and promptly deleted it.
~sprin5 Fri, May 5, 2000 (09:07) #7
http://www.zdnet.com/zdnn/stories/news/0,4586,2562032,00.html
A new e-mail worm is rapidly spreading across the globe affecting users of Microsoft Windows running Microsoft Outlook. The ILOVEYOU worm (a.k.a. VBS.LoveLetter.A) infects VBScripts, mIRC users and files on your hard drive (namely .jpg and .mp3 files). The worm makes changes to the Windows registry and copies the Outlook address book and e-mails itself to all of your contacts. (Previously, viruses such as Melissa and its variants only chose the first 50 addresses.) This new worm has been overloading e-mail servers around the world. ILOVEYOU arrives as e-mail with the subject line "I Love You" and an attachment named "Love-Letter-For-You.txt.vbs." Opening the attachment infects your computer. The infection first scans your PC's memory for passwords, which are sent back to the virus's creator (a Web site in the Philippines which has since been shut down). The infection then replicates itself to everyone in your Outlook address book. Finally, the infection corrupts files ending with .vbs, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp2, .mp3 by overwriting them with a copy of itself.
~sprin5 Fri, May 5, 2000 (09:14) #8
A good central source for information: http://www.zdnet.com/zdnn/special/lovebites.html
~sprin5 Fri, May 5, 2000 (09:15) #9
Authorities close in on 'ILOVEYOU' suspect
Clues provided from chat rooms lead Filipino police to suspect the 'ILOVEYOU' author may be a young man living in a Manila suburb.
By Sharon Buan, Reuters
May 5, 2000 5:27 AM PT
MANILA, Philippines -- The "Love Bug" virus wreaking havoc on computer systems worldwide appears to have originated in the Philippines, and the author may be a young man living in a Manila suburb, police and local Internet firms said Friday. Police sources said the local National Bureau of Investigation was investigating the case following a request from the U.S. Federal Bureau of Investigation. A Manila Internet service provider (ISP) had earlier said the virus appeared to have first spread from two of its e-mail addresses. "What happened is the author of the virus used two e-mail addresses through Supernet -- spyder@super.net.ph and mailme@super.net.ph," Jose Carlotta, chief operating officer of Access Net Inc., a Manila Internet company, told Reuters.
~sociolingo Fri, May 5, 2000 (14:03) #10
Latest variant I heard of on UK news this afternoon has 'joke' in the subject line. The ILOVEYOU virus brought the House of Commons to a standstill yesterday, and has caused widespread damage to most major UK companies. Thanks for all the good advice above.
~MarciaH Fri, May 5, 2000 (15:47) #11
You may add "veryfunny" and "jokes" to the files to delete. They showed up this morning.
~sprin5 Fri, May 5, 2000 (16:41) #12
And who knows what else?
~MarciaH Fri, May 5, 2000 (17:00) #13
Exactly! If these evil little minds are enjoying the chaos they are creating (and isn't that why they are doing it?!) they will continue to spawn more and more until they are arrested and their computers confiscated. Good point!!
~MarciaH Fri, May 5, 2000 (18:33) #14
Friday - 16:30 05/05/2000, EST
'Love Bug' Takes New Forms to Smite Users
NEW YORK (Reuters) - Copycat variants of the ``Love Bug'' virus labeled ``Joke'' and ``Mother's Day'' infected computers around the world on Friday, a day after the most widespread cyberattack ever wreaked havoc on business and government operations. Tens of millions of computers have been disabled so far, as the virus, first detected in Asia, spread around the globe, forcing network administrators to shut down e-mail systems at major companies and penetrating the Pentagon, the Central Intelligence Agency and Britain's Parliament. Security experts said the virus was far more devastating than last year's Melissa bug, with losses now counting in the billions from damaged data and the distractions of fighting the software scourge, and warned that it could take a while to stem the invasion. By one estimate, approximately 45 million computers around the world have been infected by various strains of the virus, according to Computer Economics, a research firm in Carlsbad, Calif. ``We estimate $2.61 billion of damage has been done,'' said Samir Bhavnani, a research analyst with Computer Economics. ``By Wednesday, the total can reach $10 billion. We see damages growing by $1 billion to $1.5 billion a day until the virus is eradicated.'' Other experts said actual damage estimates would be harder to pin down. Sal Viveros, group manager for Network Associates' (NETA.O) Total Virus Defense, told a conference call of reporters that his researchers have found as many as five different variants of the virus, although he didn't yet have details of the specifics of the variants. Business software maker Computer Associates International said it was relatively easy to create new strains of the virus.
``There's a potential that anyone who receives this virus can go to the Internet and (find) tools to change codes within the virus program that can give the e-mail or the attachment a new name,'' said Simon Perry, vice president for security products at Computer Associates International Inc. (CA.N). The Islandia, N.Y. company is a leading maker of anti-virus software such as InoculateIT. For the time being, most of the virus variants are only cosmetically different from the original virus. ``Based on our research, we believe that the variants are coming from a number of different people,'' Perry said.
LOVE BUG TAKES NEW FORMS TO TRICK USERS
Technically, the software scourge is known as a worm, not a virus. ``Worms have the ability to self-replicate; viruses do not,'' said Jeff Carpenter, a security expert with the Computer Emergency Response Team, a Defense Dept.-funded clearinghouse at Carnegie-Mellon University in Pittsburgh. The original worm ``ILOVEYOU,'' works by enticing e-mail recipients to open an attached letter, only to cripple their e-mail systems. This so-called Love Bug continued to pop up in e-mail systems on Friday, even as variants appeared to pose new tricks for computer users. But the effect is unchanged: Upon opening the attachment using Microsoft software such as the Outlook program, it sends a copy of the worm to everyone in the user's address book and seeks to destroy a variety of files throughout a computer network, including picture and music files. The worm is being sent as an e-mail attachment and many sites are experiencing significantly increased electronic mail traffic. The worm can spread through network disk drives, Web pages, and via IRC (Internet Relay Chat), a communications system popular with computer aficionados, experts said. The damage is limited to users of the Microsoft Windows operating system, said Gene Hodges, president of McAfee, a maker of anti-virus software and a unit of Network Associates.
``We've seen no evidence of affected users of Apple, Linux or Unix operating systems,'' he added. In one new version designed to spoil the upcoming ``Mother's Day'' holiday that will be celebrated in the United States on May 14, a variant of LoveLetter sends e-mails which appear to be a confirmation of an electronic gift order. ``The Mother's Day version of this worm is quite cunning,'' said Mikko Hypponen, manager of anti-virus research at computer security firm F-Secure Corp.'s laboratories in Helsinki, Finland. ``The e-mail appears to be a confirmation of an order for 'Mother's Day diamond special,' and the attached file mothersday.vbs is portrayed as if it were an invoice. With only eight days to go until Mother's Day, this attack is quite credible,'' he said. F-Secure has identified five variants so far in its efforts to keep pace with the worldwide assault. Another variant appears to have originated in Lithuania, in which the subject line reads, ``Susitikem shi vakara kavos puodukui.'' In Lithuanian, the sentence translates into: ``Let's meet this evening for coffee.'' And still another has ``fwd: Joke'' in the subject line and an attached file called ``Very Funny.vbs,'' which when opened has a similar impact as the ``Love Bug.'' One scary aspect of these worms is that they prey on behavior patterns that most people don't think twice about. ``I think everyone in the world has seen the news about the 'ILOVEYOU.' But say your computer has been affected. You're having a miserable day. And you open something that says 'Very funny,' because you need a laugh. The next thing you know, you're infected all over again.'' Anti-virus software developers scrambling to keep ahead of the mutating software have found it relatively easy so far to eradicate the copy-cat versions of the virus by comparing the variant virus codes to the original ``signature'' code. 
LOVE BUG TRACED TO PHILIPPINE INTERNET ACCOUNT Philippine police sources said the author of the ``Love Bug'' may be a 23-year-old man living in a Manila suburb, but computer security experts cautioned that computer hackers could write in clues to mislead investigators. Manila police were probing the case after a request from the U.S. Federal Bureau of Investigation. A Manila Internet service provider, Supernet, had earlier said the virus appeared to have first spread from two of its e-mail accounts. Kevin Mitnick, a former hacker who served nearly five years in prison for hacking, said in a U.S. television interview that the initial author of the worm could have been acting to throw off investigators, adding that it was easy to establish a mail account anywhere in the world so that it could not be tracked. Experts warned the full effects of the bug may carry through the weekend. ``We're starting to see the situation come under control,'' McAfee's Hodges said. ``Starting Monday, we should start to see the virus start to abate.'' (Additional reporting by Eric Auchard)
~MarciaH Fri, May 5, 2000 (20:18) #15
'Love Bug' Hits Secret U.S. Military Computers WASHINGTON (Reuters) - The international ``Love Bug'' virus contaminated at least two classified U.S. military computer systems but the problems were quickly isolated and no damage was done, the Defense Department said on Friday. Pentagon spokesman Ken Bacon released a statement which did not directly identify the systems. But U.S. officials, who asked not to be identified, told Reuters that at least one of them belonged to the super-secret National Security Agency. Among NSA's tasks is to monitor millions of pieces of intelligence information gathered from around the world by U.S. spy satellites in space. Bacon said the electronic bug, which emerged Thursday and has infected millions of computers worldwide, had ``contaminated a classified internal e-mail system'' early on Thursday. He said the agency using the system reported that less than one percent of the network was contaminated and it was quickly isolated and cleaned by technicians. ``In addition, the Joint Task Force on Computer Network Defense reported this morning that one other classified system was infected by the 'Love Bug.' The virus was quickly detected and contained,'' he said. ``Because of protections built into classified computer systems, the impact of the virus was minimal'' and had no impact on military operations, the statement said, adding that the task force was investigating how the virus entered the classified systems.
~MarciaH Fri, May 5, 2000 (21:00) #16
Investigators in the Philippines have traced the source of the 'Love' worm virus to a 23-year-old male in a Manila suburb. But experts warn that the clues found in the source of the program may be false. Meanwhile, new copycat versions of the virus are spreading throughout e-mail systems around the world today.
~MarciaH Mon, May 8, 2000 (00:57) #17
Virus Hoax -- Elf Bowlers Get an Attitude Among the hundreds of so-called viruses that want to do horrible and evil things to your computer is a chain letter that says that the famous "Elf-Bowl" game contains a virus that will erase your hard drive. This is not true. The "Elf-Bowl" game is perfectly safe. HOWEVER, it is possible that a Trojan horse-type virus could attach itself to an EXE file. So, here are the specs on "Elf-Bowl." Length: 1130496, CRC-32 : ae35e713. So, Bowl away! Watch out for the mooning!
~MarciaH Tue, May 16, 2000 (14:07) #18
News / Bugs & Breaches High risk of virus spreading without attachments being opened (05/10/2000) As if security experts didn't have enough worries yet, reports are coming in that in the aftermath of the already numerous LoveLetter variants, new email viruses are now spreading without the intervention of the user. That's correct, the attachments carrying the payload, seem to auto-execute without the user opening them. The range of vulnerable machines also broadens as not only machines running Internet Explorer (IE) version 5.0 and/or Microsoft Office 2000 are vulnerable, but a user is now seemingly also vulnerable when the user has IE simply installed with the default security settings, without even using it. Needless to say this is a major flaw and could lead to enormous computer & network mayhem. Sources of the likes of Network Associates http://www.nai.com and SANS http://www.sans.org/newlook/home.htm all agree that this is by far the fastest growing virus distribution problem potent enough to cause a hugely destructive event - at least as large as the ILOVEYOU virus. Updating one's virus detection software, while important, is apparently not an effective solution for this problem. This additional hole needs also to be closed. Windows systems that have not yet been fixed for MS99-032 should be fixed ASAP, whether one does or does not use MSIE (Internet Explorer) or Office 2000, even if you never open attachments of emails. The problem is allegedly caused by a programming bug in an Internet Explorer ActiveX control called scriptlet.typelib. 
Tools at Microsoft's security site http://www.microsoft.com/security/bulletins/ms99-032.asp are available though to close this initial hole at: http://www.microsoft.com/security/bulletins/ms99-032.asp The correction script may be run directly from: http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm SecurityWatch will of course keep a close eye on this alarming news, updates will be published as we receive them. Jimmy Kuo of Network Associates and Nick FitzGerald of Computer Virus Consulting Ltd. raised the visibility of this dangerous problem. _____
~MarciaH Tue, May 16, 2000 (16:45) #19
Microsoft Adds New Security Features to Outlook May 15, 2000 (Tech Web - CMP via COMTEX) -- Microsoft said Monday it will offer new security features for its Outlook e-mail program in the wake of the destructive "Love" virus. The Outlook Email Security Update, scheduled to be available for free download the week of May 22, will offer three security features designed to combat viruses. One prevents users from accessing several file types when sent as e-mail attachments, including executables and batch files that contain executable code used to spread viruses. Another feature prompts customers with a dialog box when an external program tries to access their Outlook address books or send e-mail on their behalf. The third increases the default Internet security zone setting within Outlook from "trusted" to "restricted," which disables most automatic scripting and ActiveX Controls from opening without the user's permission. Microsoft (stock: Copyright (C) 2000 Cmp Media Inc. Tech Web on May 15, 2000
~MarciaH Fri, May 19, 2000 (15:33) #20
********** VIRUS ALERT - VBS/Newlove.a ********** VBS/Newlove.a is a VB Script worm with virus qualities. McAfee AVERT has assessed it as a HIGH-risk threat. This worm searches all drives connected to the host system and replaces all files with copies of itself and it adds the extension .VBS to the original filename. The original file is then deleted. The worm uses Microsoft Outlook to send copies of itself to all entries in the address book. When this worm is first run, it places a copy of itself in the Windows folder and gives itself a name from either the Recent Documents folder, or uses a random name with a random extension. This worm will arrive in an email message with this format: Subject: Starts with "FW: " and is either a name from the Recent Documents folder or a random name Message: Empty Attachment: Is the randomly-selected VBS filename from the Windows folder This virus will run if Windows Scripting Host is installed. Running the email attachment received either accidentally or intentionally will install to the local system.
~sprin5 Sat, May 20, 2000 (07:01) #21
I got an empty email body the other day and promptly deleted it. The outlook for Outlook is not that great these days.
~MarciaH Sat, May 20, 2000 (18:51) #22
Let's try this again. I just had a long post evaporate. Sumthin is not quite right, yet... Anyway, I downloaded and installed the Norton antivirus which froze my computer. That was yesterday. I could not boot it at all. It would shut down as soon as it tried to load my taskbar. So, I entered in safe mode and uninstalled the Norton program but saved the downloaded .exe file to reinstall it if their techies can figure it out. I think it may have to do with the fact that I enabled it to scan all drives for viruses at startup. There is an embedded program (non-removable) which is the first to open on the taskbar. That is what would appear just before it closed down the entire system. But, until I hear agreement from others who know more than I do, my PC will continue to be protected by my vigilance and Iris anti-virus (anyone hear of it?) which came installed on the computer.
~vibrown Tue, May 23, 2000 (13:29) #23
I'm glad you finally got your PC to boot. I use the virus scanner that comes with Norton Utilities at home, so I guess it doesn't behave the same way as Norton Antivirus. I never heard of Iris, but I'd stick with it for now. Does Iris update their data files, like McAfee and Norton?
~vibrown Tue, May 23, 2000 (13:49) #24
I posted this in Geo 34, as well: Do you know the name of the embedded program? If it's in your Startup folder, you should be able to delete it from the Startup folder to keep it from running. If it's not there, it might be in the win.ini or system.ini file; at least I think Windows 95/98 still has those files...they would be in the c:\windows or c:\windows\system directory. The only other place I can think of would be the Windows Registry, but you'd have to hunt through the Registry keys for it. There should be a Registry Editor program (regedit.exe or regedt32.exe) in the c:\windows or c:\windows\system directory. (I'm not sure exactly where it is on Windows 95/98, and I'm on an NT system right now.)
~MarciaH Tue, May 23, 2000 (13:58) #25
It is NEC Assistant and the computer is a NEC. There is a regedit but I wonder what else it would make unworkable if I removed it. Does it have its tentacles into the dial-up system or other things which might make it very nasty to deal with? It is a really complete program with internal libraries and program installers and wallpaper changer and all that - very much like the control panel windows supplies and which is what I use. How perilous is it to remove such a program?
~MarciaH Tue, May 23, 2000 (14:01) #26
There is no option for doing so, but I am going to do a Google search for Iris to see if I can get to their website and talk to them about updates. So far I have just been V e r y careful....and lucky!
~vibrown Tue, May 23, 2000 (17:54) #27
The Registry Editor (regedit.exe) is a program that allows you to add/delete/modify Windows registry keys. You don't want to delete regedit.exe; you would use it to search through the various registry keys for NEC, and try to figure out which was the program that was causing problems. I wouldn't try that unless you are sure of what the name of the NEC program is, and have some idea of what registry keys it sets. Can you find any way to uninstall the NEC assistant, either from some kind of NEC program folder, or through "Add/Remove Programs" in the Control Panel? Maybe NEC's web site would have some information or trouble-shooting tips.
~MarciaH Tue, May 23, 2000 (18:29) #28
Oh, I know better than to delete regedit.exe ... Yikes!!! No uninstall, no showing up on the add/delete programs in the control panel, no getting it off the task bar, either! There is simply no way to get rid of it without deleting the thing piece by piece. I think I will check with both NEC and Symantec and McAfee about this. One of them should know what to do - especially NEC. I'll go there first. Thanks for that suggestion. Did not think of it...
~vibrown Tue, May 23, 2000 (18:40) #29
Sorry...just wanted to make sure you knew what I meant. :-) Deleting the program files without a proper "uninstall" might simply cause a new error to the effect of "Can't find program *whatever*", since there could still be some registry setting somewhere that is looking for that program at bootup. Trying to catch program conflicts is a real pain. That's the down side of having so many third-party software vendors selling Windows programs...no one can possibly test the millions of combinations of software products to find all interactions and side-effects.
~MarciaH Tue, May 23, 2000 (18:49) #30
Well, if I had had my druthers it would not have come with this stuff on it. However, it was the replacement for the W3.1 PC which was stolen, and it is so much superior that I dared not complain! NEC will be told and asked for suggestions other than "Live With It" which I just might have to do! Yeah, I know about picking pieces out and have boxes popping up telling you whatever is missing. What a pain!
~sprin5 Tue, May 23, 2000 (19:13) #31
Holy Cow Marcia, you may end up having to do a re-install from scratch.
~MarciaH Tue, May 23, 2000 (19:19) #32
Then I will need to be walked through it - might need to enlist my geek son... I got rid of IE that way and it was a huge pain but it was not as entwined in the entire system as this one is. It is supposed to run your computer if you are a mindless idiot who is clueless to boot. I resent its intrusiveness but it has not interfered with any other programs until I tried to install the "alien" anti-virus programs. If I could only get out of the startup file...but it does not show up there. How can I prevent something from loading when I cannot find where it is lodged and what is loading it at startup. Most peculiar.
~MarciaH Tue, May 23, 2000 (19:21) #33
Never did a reinstall on w95, but got so good at doing w3.1 I can do it in my sleep and nitpick the stuff out I don't want loaded. That's how I did the little laptop I was using when this one froze. I really don't want to do reinstall.....sheesh!
~sprin5 Tue, May 23, 2000 (19:27) #34
Maybe you can bump up the memory to 32mbs and put Win 98 on it. Have your geek son do it and take notes so you can do it yourself next time. And put CRT on it and some cool apps, except for the offending anti-virus program. Or better yet, *you* do the install with him talking you through it so you could do it yourself next time. That way doing a re-install will become what it should be, routine, painless and time consuming. (no way to do it fast).
~sprin5 Tue, May 23, 2000 (19:35) #35
And maybe the anti-virus program will work with 98.
~MarciaH Tue, May 23, 2000 (19:47) #36
Perhaps! I don't have 98 on disks. I have the equivalent with downloads and upgrades now running on this PC, however. Not thinking about 2000... Not sure they have it right, yet. The anti-virus will work as soon as I negate NEC Assistant. You can bet I will NOT include that program when / if I do reinstall.
~MarciaH Tue, May 23, 2000 (19:54) #37
Hey, I bought CRT long time ago at the last provider when I telnetted a lot. It is still on here with 5 different graphics viewers, media enablers and dozens of weather, and other earthly updaters... plus three different IM and an ICQ. I have more plugins than Central Texas Power and Light (or whatever your utility company is called). I will do the installing myself with David talking me through it and taking notes too. It is the only way I will learn it, and how I learned to do W3.1 Btw, David asked me how to login on Spring so I sent him the new user URL. Gotta behave myself here now...*sigh*
~sprin5 Wed, May 24, 2000 (09:16) #38
How much memory do you have in it and how much can you add?
~MarciaH Wed, May 24, 2000 (15:49) #39
I have most of my 6.4 Gigs of memory and 64k Ram. It is expandable but not sure of the amount. I have zip drives for storage, as well.
~MarciaH Wed, May 24, 2000 (15:53) #40
More precisely, on my C drive I have 3.91GB free space and have used 2.47 MB (Where did the rest of the 6.4GB go?)
~sprin5 Wed, May 24, 2000 (17:32) #41
What processor is it running, sounds like it could run Windows 98.
~MarciaH Wed, May 24, 2000 (18:02) #42
266 MHz Pentium II with MMX technology
~sprin5 Wed, May 24, 2000 (19:16) #43
Yep, that's a pretty powerful little notebook.
~MarciaH Wed, May 24, 2000 (19:20) #44
No, that is the big PC. I'm gonna get me a little laptop for just me to use when this one behaves improperly. There is much to love about this computer with all the power to multitask that others apparently don't have. I am hesitant to mess with it too much. It has brought me joy I cannot imagine any other way of obtaining.
~MarciaH Thu, May 25, 2000 (00:44) #45
Security experts and federal government authorities warn that offspring of the dangerous e-mail virus are now on the loose. As a public service, we present the following list of "I Love You" variations and how to recognize them: - The "I Love You, But I'm Shy" virus never actually invades your computer but collects data about it worshipfully from afar. - The "Unrequited Love" virus causes your computer to be so obsessed with a virus-a virus that it can never have-that it can no longer function. - The "Love The One You're With" virus hangs around your computer, but the whole thing is just temporary until it can find the computer that it really wants to invade. - The "Can't We Just Be Friends" virus makes your computer think it's interested in invading. Then, just when your computer is getting excited about the invasion, it breaks off the connection with your computer, dashing its hard drive against the rocks. - The "One Night Stand" virus invades your computer, turns its hard drive upside down, then disappears after promising to come back sometime. But it leaves a twenty in your online bank account. - The "Happily Married" virus invades only one computer and stays with it for life. - The "Unhappily Married" virus spends a long time negotiating with a computer, finally invades it, and then strays to other computers from time to time. - The "I Can't Commit" virus hangs around a computer for a long time and frequently sends messages that it intends to invade, but is really just interested in playing with your computer's data. - The "It's Just A Physical Thing" virus invades your computer on a regular basis, but no meaningful data is ever exchanged. - The "I Want A Divorce" virus sends repeated, hard-to-read messages that your computer is never turned on, then finally leaves. But it returns some time later and takes half of your computer's best data in an ugly network session. 
- The "Little Virus Of The Evening" virus will do anything to your computer--if you're willing to pay the right price. - The "Stalker" virus spends unnatural amounts of time monitoring your computer, collecting data your computer has thrown away and trying to record its most intimate functions. - The "Forever Single" virus causes your computer to focus solely on other computers that are totally incompatible with it. - The "Deadbeat Dad" virus invades your computer, spawns an entirely new database, then refuses to help update it as it grows. - The "Married Too Long" virus splits your PC into two partitions that never interface-one that does too much online shopping and one that never does anything except monitor espn.com.
~MarciaH Sat, May 27, 2000 (12:30) #46
Here's a new one - beware! I was talking on ICQ with someone in Honolulu last night and it crashed his computer: RESUME' Virus Saturday, May 27, 2000 WASHINGTON, D.C. -- A new and dangerous computer virus dubbed "Killer Resume" is spreading through e-mail systems using the Microsoft Outlook e-mail program, the FBI and computer industry sources said Friday night. Anti-virus industry sources reported that some corporate e-mail systems had already been infected, and some shut down, the FBI's National Infrastructure Protection Center said. The virus is carried in a file attached to an e-mail with the subject "Resume -Janet Simons." The attachment is a Microsoft Word file called "EXPLORER.DOC" or "RESUME.DOC," according to an alert posted on the Web site of Network Associates, a computer security company. If a computer user opens the attachment, the virus will spread itself by sending an e-mail to everyone in the user's e-mail address book, the company said. When the user closes the Word document, the virus will then delete important files on the user's computer. The FBI advised computer users to open no e-mail with this subject line, to deactivate the executive summary feature in Microsoft Outlook, and then delete the e-mail without opening it. The anti-virus industry was working on software patches to stop the virus, the FBI said. The government warning said the Memorial Day weekend could allow the virus to spread over the next three days with a potentially rapid surge in activity as business opens overseas on Monday and in the United States on Tuesday. Santa Clara, Calif.-based Network Associates said the virus was known as the "Killer Resume" because it arrives pretending to be a resume from a potential job applicant. Symantec AntiVirus Research Center of Cupertino, Calif., said the virus was "extremely fast-spreading." The text of the message reads: "To Director of Sales/Marketing, Attached is my resume with a list of references contained within. 
Please feel free to call or e-mail me if you have any further questions regarding my experience. I am looking forward to hearing from you. Sincerely, Janet Simons." Earlier this month, the spread of a computer virus that could have done more damage than the "Love Bug" was slowed by U.S. companies that had strengthened their defenses against attacks from the Internet. That virus, dubbed "NewLove," infected thousands of computers around the world but failed to become an epidemic like the Love Bug, which reached millions three weeks ago. Safeguards put in place on corporate e-mail systems against the earlier virus stopped NewLove's spread. The FBI said the virus shared some characteristics with the Love Bug and has launched a search for the creator. The Love Bug arrived in e-mails with an "ILOVEYOU" subject line that enticed millions of recipients to open the attachment that activated the virus. Once news spread of the threat, infected e-mails were easily detected and deleted. Estimates of the damage caused by that virus go as high as $10 billion, mostly in lost work time.
~sociolingo Sat, May 27, 2000 (16:55) #47
I guess this can go in here: I downloaded a free firewall program for individual PCs which seems to be working really well and got a good write up in Internet magazine. It's monitoring my ports while I'm online, and also monitors unauthorised applications' use of internet. Anyway, have a look and see what you think http://www.zonelabs.com program is ZoneAlarm 2.1 and is free for personal use.
~MarciaH Sat, May 27, 2000 (19:35) #48
I thought firewalls were for NT computers who share programs and stuff... Terry????
~MarciaH Sat, May 27, 2000 (23:36) #49
Guess not - at the bottom of the following is a firewall for pc's ******* VIRUS ALERT - W97M/Resume.a@mm ******** Dear McAfee.com Dispatch Subscriber: W97M/Resume.a@mm is a variant of the W97M/Melissa family with a very dangerous payload. McAfee AVERT has given it a risk assessment of MEDIUM--ON WATCH. This is a worm and it spreads through email with an attachment in this format: ------------------------------------------------------------ SUBJECT: Resume - Janet Simons TO: Director of Sales/Marketing, MESSAGE: Attached is my resume with a list of references contained within. Please feel free to call or email me if you have any further questions regarding my experience. I am looking forward to hearing from you. Sincerely, Janet Simons. ATTACHMENT: Explorer.doc ------------------------------------------------------------ If the file EXPLORER.DOC is opened, it forwards itself to everyone in your address book. When you close the attachment, it deletes files on your hard-drive. Please do not open the attachment. For more information about this worm, go to McAfee.com Virus Information Library. Click here. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=1568 --McAfee.com _______________________Virus Fixes__________________________ Find out more about this virus. Click here. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=1568 Become a McAfee.com Clinic subscriber and check your system online. To use VirusScan Online, click here. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=1569 Purchase the latest copy of VirusScan, please click here. http://store.mcafee.com/category.asp?CatID=3&CategoryLevel=1&rfr=VSCALRT Upgrade to the latest VirusScan. Purchase the VirusScan Maintenance Plan which entitles you to 12 months of upgrades, click here. http://store.mcafee.com/category.asp?CatID=18&CategoryLevel=1&rfr=VRSPLN Download the latest DAT files, click here. 
http://download.mcafee.com/updates/updates.asp ____________________Clinic Subscribers______________________ If you are an ActiveShield user, get the latest update. Click here. http://clinic.mcafee.com/clinic/virusscan/activeshield/start.asp Surf the Web safely. Get McAfee.com Personal Firewall. Click here. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=1458
~MarciaH Wed, Jun 21, 2000 (23:47) #50
******* VIRUS ALERT - IRC/Stages.worm ******** Dear McAfee.com Dispatch Subscriber: IRC/Stages.worm is an Internet worm that began spreading rapidly on 6/19. McAfee AVERT has assessed it as a HIGH-RISK threat. McAfee.com Clinic users who used VirusScan Online after 6/16 have protection against this worm. The worm uses Microsoft Outlook to send copies of itself to all entries in the address book and through installations of Pirch, ICQ and mIRC.* It also spreads to all available mapped drives on your system. This worm will arrive in an email message with this format: SUBJECT: "Funny", "Jokes", or "Life Stages", sometimes followed by "Text" CONTENT: "The male and female stages of life" ATTACHMENT: "LIFE_STAGES.TXT.SHS" (the suffix ".SHS" may be hidden) If the attachment is run, the user sees a list of jokes while the worm infects the system and attempts to send copies of itself to all addresses in Outlook address book, as well as through the other channels mentioned above. * Pirch is an internet relay chat client for Microsoft Windows 95/98/NT, mIRC is a shareware IRC chat client for Windows and ICQ lets you initiate IRC style chat sessions - it alerts you when your friends are online and lets you chat with them. --McAfee.com
~MarciaH Wed, Jul 5, 2000 (15:52) #51
****NEW VIRUS ALERT**** Description: This worm spreads via Microsoft Outlook email and over IRC using mIRC or Pirch. Via email, the worm sends a message whose subject is constructed from the following terms: "Fw:", "Life Stages", "Funny", "Jokes" and " text". The body of the message may contain the text "The male and female stages of life." The worm itself is attached as a file called LIFE_STAGES.TXT.SHS. When it runs, the worm displays some long humorous text about life. It then attempts to create copies of itself on all available network drives. It also moves the regedit.exe to the recycled folder and changes its name to recycled.vxd. Geoff Aldridge Conferencing Team Leader On-Line Applications Learning and Teaching Services The Open University
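The alerts in this topic name their attachments (LIFE_STAGES.TXT.SHS with a suffix that "may be hidden", mothersday.vbs, Very Funny.vbs), and the Outlook update described earlier blocks certain attachment file types. The following is an added example, not part of any post here and not any vendor's code: a Python screen that parses a message and flags attachment names by their real final extension. The extension lists, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: illustrative extension lists, not any vendor's actual block list.
BLOCKED_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".shs", ".shb",
                ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".hta", ".lnk"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".htm", ".html", ".mp3"}


def screen_filename(filename):
    """Return the reasons (possibly none) for refusing an attachment name."""
    # Windows drops trailing dots and spaces, so "a.vbs. " still opens as .vbs.
    name = filename.strip().rstrip(". ").lower()
    # Strip each component so space padding before the real suffix is ignored.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or "." + parts[-1] not in BLOCKED_EXTS:
        # Note: a Word macro document such as Explorer.doc passes this check;
        # an extension screen does not replace content scanning.
        return []
    reasons = ["blocked-type"]
    # A harmless-looking extension in front of the real one is the
    # LIFE_STAGES.TXT.SHS pattern: the viewer may show only "...TXT".
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        reasons.append("decoy-extension")
    return reasons


def screen_message(raw_bytes):
    """Parse one message and return (filename, reasons) for each flagged part."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not filename:
            continue
        reasons = screen_filename(filename)
        if reasons:
            flagged.append((filename, reasons))
    return flagged


def build_sample(subject, filename):
    """Build a constructed test message; the attachment body is inert text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed body text")
    msg.add_attachment(b"constructed placeholder, not a real sample",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed samples using the subjects and file names quoted in this topic.
SAMPLES = [
    ("Life Stages", "LIFE_STAGES.TXT.SHS"),
    ("fwd: Joke", "Very Funny.vbs"),
    ("Resume - Janet Simons", "Explorer.doc"),
]

if __name__ == "__main__":
    for subject, filename in SAMPLES:
        hits = screen_message(build_sample(subject, filename))
        print(f"{subject!r}: {hits if hits else 'no attachment flagged'}")
```
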
~MarciaH Fri, Aug 4, 2000 (23:48) #52
YOU HAVE BEEN INFECTED WITH THE HONOR VIRUS! Since I'm too lazy to program a real virus, this virus works on the honor system. Please delete all the files on your hard disk drive. Then forward this message to everyone you know... Thank you for your cooperation.
~MarciaH Wed, Aug 23, 2000 (22:49) #53
ALERT: Internet Explorer and Netscape Vulnerabilities CatchUp Security Alert A message from CNET CatchUp.com August 23, 2000 ________________________________________________________________ Patch Available for Internet Explorer Vulnerabilities Microsoft has released a patch that eliminates two security vulnerabilities in Microsoft Internet Explorer. The weaknesses could allow a malicious Web site to read files on your computer. The Scriptlet Rendering vulnerability and Frame Domain Verification vulnerability affect Internet Explorer versions 4.0, 5.0, and 5.5. Click here to run CNET CatchUp Security Fixes: http://2.digital.cnet.com/cgi-bin2/flo?y=e110BBFIG0JP0CIwp Click here to read the Microsoft Security Bulletin: http://2.digital.cnet.com/cgi-bin2/flo?y=e110BBFIG0JP0DOii ________________________________________________________________ Update Available for Netscape Brown Orifice Vulnerability Netscape Communications has released Netscape Communicator 4.75, which patches a security hole that made computers vulnerable to file theft. The bug, dubbed Brown Orifice, concerns Netscape's implementation of Java. Without the update, Netscape lets an unsigned Java applet read and distribute files from a user's PC by acting as a Web server. This vulnerability has been identified in Netscape Communicator versions 4.0 through 4.74 on Windows, Macintosh, and Unix operating systems. This vulnerability does not affect Netscape 6 Preview Releases. Click here to update your browser with CNET CatchUp: http://2.digital.cnet.com/cgi-bin2/flo?y=e110BBFIG0JP0CIun Click here to read the CERT Security Bulletin: http://2.digital.cnet.com/cgi-bin2/flo?y=e110BBFIG0JP0DOjj ________________________________________________________________
~terry Fri, May 4, 2001 (01:12) #54
It's good to keep up with those patches.
~terry Thu, Sep 20, 2001 (11:12) #55
update A computer worm that spreads to both servers and PCs running Microsoft software flooded the Internet with data Tuesday, prompting the FBI to create a task force to investigate the attack, sources said. Known as "Nimda" or "readme.exe," the worm spreads by sending infected e-mail messages, copying itself to computers on the same network, and compromising Web servers using Microsoft's Internet Information Server (IIS) software. "It is extraordinary how much traffic this thing has created in a couple of hours," said Graham Cluley, senior security consultant for antivirus company Sophos. "As far as we can see, it doesn't seem to be using any psychological tricks because it's all automated." Mailing lists for the security community quickly generated news of the worm, as infected servers scanned the Internet for vulnerable servers. Sources in the antivirus community told CNET News.com that the FBI has set up a "task force" to study the virus. The FBI held conference calls three times Tuesday night with antivirus experts to discuss the investigation, sources said. "There was a task force set up today, and there were a lot of things discussed," said Vincent Gullotto, director of antivirus research at security software firm Network Associates.
"No evidence" of terrorist link
An FBI representative said the agency was "assessing" the incident, but so far it found no relationship between the online deluge and last week's terrorist attacks on the World Trade Center and the Pentagon. "There has been no indication that this is linked (to Tuesday's) attack," said FBI spokeswoman Debbie Weierman. "That is the question of the day." At a news conference Tuesday about last week's terrorist attacks, Attorney General John Ashcroft also spoke about the Internet worm. "This could be heavier than the July activity with Code Red," he said. He noted that there is "no evidence" linking the worm, which he said may have first appeared on Monday, "to the terrorist attacks of last week."
The worm was noticed by several Silicon Valley companies. "It does appear to be more aggressive than Code Red," said spokeswoman Pamela Sklar of network equipment maker 3Com. She added that the company's IT department received more hits per hour from Nimda than it did from Code Red, but that there was no direct effect on e-mail or Internet access. The worm's name sparked speculation about its origin. Nimda, for example, is the backward spelling of admin, the common shorthand for the system administrator. While the worm has text indicating that it may have originated in China, that is in no way hard evidence, experts said. Others pointed out that NIMDA is the name of an Israeli defense contractor. The worm apparently generates an avalanche of Internet traffic because of its multipronged attack on both servers and PCs. The server component of the virus exploits an old and previously patched flaw in IIS called the Unicode Directory Traversal vulnerability. Once a server is infected, the worm continues to scan for other vulnerable computers. In addition, the program takes control of the part of Microsoft's IIS software that delivers Web pages, allowing the virus to trump a request for any page--even invalid requests--and instead return a page infected with the virus. In addition to its ability to cross between servers and PCs, the Nimda worm seems to be more virulent because it automatically executes in Microsoft's Outlook e-mail software under the program's "low" security setting. "There appears to be a MIME exploit," said Eric Chien, chief researcher for antivirus software maker Symantec's European operations. "It appears that it is doing some kind of exploitation in e-mail." Nimda also appears to be capable of spreading by other means, including Internet relay chat (IRC), an online chat format, and by FTP for remotely exchanging files. 
"My guess is we may also see it spread through Internet relay chat," said Alex Shipp, senior antivirus technologist at e-mail screening firm MessageLabs. And that may not be the end of it. "We have also found an FTP component in there," Shipp said. "It may be trying to download nasty stuff from some Web site somewhere--we're still not sure. We know it is using FTP, but we don't know how yet." MessageLabs said it stopped more than a hundred copies of the virus attached to e-mail messages within an hour of the first incident, which arrived from Korea at 12:10 p.m. GMT. Most of the Nimda copies captured by MessageLabs originated from the United States, leading the company to speculate that was where the virus originated. While thousands of people likely became aware of the worm when their in-boxes were flooded with e-mail, for some the damage was more severe. Mel Lower of Davenport, Iowa, who hosts Web sites for small businesses through EarthLink, said two of his customers' sites were inaccessible for much of Tuesday. Lower said he contacted EarthLink and was told that the worm "crippled" two Unix server farms. EarthLink could not immediately be reached for comment. When Nimda arrives in an e-mail, it appears as an attachment named readme.exe. This is the same name used by another current virus called W32/Apost-A, so antivirus companies say many people should already be wary of attachments bearing that name. However, analysis of the worm is ongoing, experts said. "First of all, we are talking guesses at this time," said Fred Cohen from the University of New Haven in Connecticut. "Clearly, (it) just showed up this morning." For some time Tuesday morning, the worm's double whammy had experts believing that two pieces of code were spreading at the same time. 
The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University issued a warning Tuesday morning about malicious code scanning for vulnerable Web servers and an e-mail worm called Readme.exe. "We are recommending to sites that they verify the state of security patches on all IIS servers and e-mail client software," the warning said.
Wall Street reacts
Interest in software security companies was heightened late Tuesday, although it was unclear if investors were reacting to the worm or to the terrorist attacks. In a research note, a USB Piper Jaffray analyst called such companies "one of the safest bets in technology." Shares of Symantec and RSA Security slipped during daily trading but climbed after hours. Symantec fell $2.37, or 6.25 percent, to $35.52 during regular hours. But the stock gained 73 cents, or 2 percent, to $36.25 in after-hours trading. Symantec creates software and utilities used to secure networks and maintain PCs. RSA Security, a maker of encryption and security software, was down 48 cents, or 2.74 percent, to $17.07 when the closing bell rang at 1 p.m. PDT. But the shares gained 33 cents, or 1.93 percent, to $17.40 in after-hours trading. And shares of Internet Security Systems, a network-protection company, finished the day up 45 cents, or 3.4 percent, to $13.70. The climb continued in after-hours trading, up 90 cents, or 6.5 percent, to $14.60. Analyst Gene Munster at USB Piper Jaffray wrote in a note to clients that the attacks on the World Trade Center and the Pentagon may heighten investor interest in security software firms. "While growth rates may need to decline from 45 percent to 30 percent, we still believe it is one of the safest bets in technology," Munster wrote.
Staff writer Matt Loney contributed from London.
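The e-mail side of the article above (an attachment named readme.exe, a suspected MIME exploit) written as a mail-gateway screening check. This is an added example, not part of the original post or any vendor's code; the extension and type lists, the declared-type mismatch heuristic and the sample message are assumptions constructed here.

```python
import email
import os
from email import policy

# Extensions Windows runs directly; the list is an assumption for this example.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}
# MIME types under which a gateway would expect an executable to be declared.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}
KNOWN_NAMES = {"readme.exe"}  # attachment name given in the article

def screen_message(raw):
    """Return [(filename, declared_type, [reasons])] for suspicious parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # Windows ignores trailing dots and spaces, so normalise them away.
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""  # None for containers
        ext = os.path.splitext(name)[1]
        reasons = ["known-name"] if name in KNOWN_NAMES else []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable-extension")
            if ctype not in EXECUTABLE_TYPES:
                reasons.append("type-mismatch")
        if body[:2] == b"MZ":  # DOS/PE header, whatever the name or type says
            reasons.append("pe-header")
        if reasons:
            findings.append((name, ctype, reasons))
    return findings

# Constructed sample: an attachment declared as audio but named readme.exe.
SAMPLE = """\
Subject: constructed test message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
if __name__ == "__main__":
    print(screen_message(SAMPLE))
```

The content check on the decoded bytes catches a renamed attachment that the name-based rules would miss.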
~terry Sun, Feb 3, 2002 (09:17) #56
Times are getting tougher and security is becoming a huge concern. Look at what just happened to us. We're hardening up and making ourselves more resilient. I will spend most of today on backups and making a redundant system.
~terry Wed, Dec 7, 2005 (23:31) #57
http://www.filehippo.com/ anti-spyware programs anti-virus programs and a lot more...