Joyce Winslow
jwins@oregon.uoregon.edu
Self-perpetuating, self-replicating "worms," those parasitic programs
written intentionally to enter a computer without the user's knowledge or consent,
continue to be an unpleasant fact of life in the Internet age. Some of the latest
security threats are summarized below.
'Warhol Worms.' Among the next generation of these attackers could be a hypervirulent strain dubbed "Warhol Worms" by security watchdog Nicholas C. Weaver. These worms are capable of spreading much faster than their predecessors. Whereas notorious worms such as Code Red can spread rapidly in hours or days, Warhols can potentially infect all vulnerable hosts in less than an hour--sometimes in as little as 15 minutes.
In his article "Warhol Worms: the Potential for Very Fast Internet Plagues"
(http://www.cs.berkeley.edu/~nweaver/warhol.html),
Weaver warns that the only way to stop this type of worm from wreaking havoc
is to greatly reduce the number of vulnerable hosts available to it. Even in
the aftermath of Code Red-inspired security precautions, Weaver says Microsoft
IIS, Microsoft Exchange, and various peer-to-peer file sharing programs (such
as Napster) and messenger programs (such as AOL and MSN) are still "very
good targets for active worms to exploit."
Klez: A worm that forges header addresses. In recent months, a number
of campus users have reported receiving bewildering warnings that email messages
with their email address in the "From:" header were rejected by a
remote system because of virus or worm infestation. The affected users found
these notices particularly bewildering because they have been careful to install
Norton AntiVirus and keep their virus definitions updated.
Still others must daily trash messages with subject lines like "Let's
be friends," "Japanese lass sexy pictures" and "Meeting
Notice" (or worse).
These phenomena are the result of the latest variant of the Klez virus, which
emails itself from infected machines using a phony "From:" address.
Many of these viruses harvest email addresses from web pages that are in the
browser web cache of an infected machine.
Symantec has issued a tool to remove infections of several strains of the Klez
virus. You can download it from
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
This site also provides detailed information about the Klez worm family. For
more articles about the Klez plague, see "Klez: Don't Believe 'From' Line"
(http://www.wired.com/news/print/0,1294,52174,00.html)
and "Klez worm spreading rapidly" (http://zdnet.com.com/2100-1105-891854.html).
Another Microsoft Outlook worm: VBS.VBSWG.AQ@mm. If you use Microsoft
Outlook or IRC (Internet Relay Chat) on Windows 95/98/NT/2000/XP, you may be
vulnerable to a malicious Visual Basic Script (VBS) worm designed to send itself
as an attached file called ShakiraPics.jpg.vbs. When the attachment is opened,
the worm overwrites files with the extensions .vbs and .vbe with its own malicious
code.*
A complete description of this worm is on Symantec's Security Response site
at http://securityresponse.symantec.com/avcenter/venc/data/vbs.vbswg.aq@mm.html
Basic precautions: As always, keep your Norton AntiVirus definitions current, don't open attachments you aren't expecting, avoid Outlook or Outlook Express (the most common infection vectors), and keep your system patches up to date. For detailed information on antivirus protection, see Microcomputer Services antivirus information at http://micro.uoregon.edu/av/
* Note that the Computing Center has implemented a VBS script block on Oregon, Darkwing, and Gladstone that checks the file names of email attachments. If the file attachment is of a type that could cause an infection, the system adds the suffix ".txt" to the name. The attachments are not otherwise altered in any way, and this precaution prevents most inadvertent infections on Windows machines.
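The attachment-renaming safeguard described in the note above, sketched in Python as an added example; it is not the Computing Center's actual filter. The extensions beyond .vbs and .vbe, the function names, and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Assumed block list: the article names only .vbs/.vbe; the rest are illustrative.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".js", ".scr", ".pif", ".bat", ".exe"}


def neutralized_name(filename: str) -> str:
    """Return filename with '.txt' appended if its final extension is risky."""
    # Windows ignores trailing dots and spaces, so "x.vbs." still opens as .vbs.
    cleaned = filename.rstrip(". ")
    # Only the last extension decides how Windows opens the file,
    # so "ShakiraPics.jpg.vbs" is judged as .vbs, not .jpg.
    dot = cleaned.rfind(".")
    ext = cleaned[dot:].lower() if dot != -1 else ""
    return cleaned + ".txt" if ext in RISKY_EXTENSIONS else filename


def defang_attachments(msg: EmailMessage) -> list:
    """Rename risky attachments in place; return (old, new) name pairs."""
    renamed = []
    for part in msg.walk():
        old = part.get_filename()
        if not old:
            continue
        new = neutralized_name(old)
        if new != old:
            # Only the filename parameters change; the payload is untouched.
            part.set_param("filename", new, header="Content-Disposition")
            if part.get_param("name") is not None:
                part.set_param("name", new, header="Content-Type")
            renamed.append((old, new))
    return renamed


def build_sample() -> EmailMessage:
    """Constructed sample message with one script and one harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "reader@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"' placeholder, not real script code\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="ShakiraPics.jpg.vbs")
    msg.add_attachment(b"plain notes\n", maintype="application",
                       subtype="octet-stream", filename="notes.pdf")
    return msg
```

Because the check looks at the final extension only, a second pass over an already renamed message changes nothing, and a recipient who saves the file sees a .txt document rather than a script Windows would run on double-click.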