it-fyi: New Disguise for Infection of Computers (NY Times on the

technews (technews@ou.edu)
Mon, 6 Dec 1999 09:41:10 -0600


From: technews <technews@ou.edu>
To: "'it-fyi@listserv.ou.edu'" <it-fyi@lists.ou.edu>
Subject: it-fyi: New Disguise for Infection of Computers (NY Times on the
Date: Mon, 6 Dec 1999 09:41:10 -0600

December 4, 1999

New Disguise for Infection of Computers

By JOHN MARKOFF

The first of what experts fear could be many malicious software programs
masquerading as the Year 2000 computer problem began spreading on Thursday.
The new program hides on hard drives, poised to begin destroying data on
Jan. 1.

The program, which is technically known as a computer worm, has been named
W32.Mypics.Worm by anti-virus researchers. The researchers said Friday that
the worm had already made its way into the networks of some corporate
clients, though they would not identify them.

Several anti-virus companies reported that they had already released code
that identifies and eliminates the program.

Like two recent worms, Melissa and Explore, and their variants, the new worm
spreads by pretending to be e-mail from an acquaintance. Unlike the Explore
worm, however, it cannot attack a computer or data unless the recipient
opens a file sent as an attachment.

But the most crucial difference with this worm is that it is designed to
attack its host computer on New Year's Day, when many people will be
expecting a variety of computer-related disruptions as a result of the
so-called Y2K problem.

"There is so much media attention about Y2K problems that this is a great
way to disguise a malicious program," said Marian Merritt, group product
manager for anti-virus products at the Symantec Corporation.

This kind of malicious program has been long anticipated. In background
meetings with reporters and analysts earlier this year, anti-virus software
developers began describing a range of possible events in which virus
authors were likely to use the timing of the Year 2000 problem to propagate
their handiwork.

The Year 2000 problem is caused by the fact that programmers for many years
set aside only two digits to denote years in software. As a result, programs
that have not been repaired by Jan. 1 will act as if the year is 1900,
possibly causing serious problems throughout the increasingly digital world.
Viruses and worms that mimic the Year 2000 problem actually have nothing to
do with flawed year designations.

A number of anti-virus companies said yesterday that they had received
reports about the program and that it had probably first been released in
the United States.

Intended for users of Windows-based computers, the worm is transmitted as an
attachment to e-mail that lands in Microsoft's Outlook and Outlook Express
e-mail software. Once it invades a computer, the worm will resend itself to
up to 50 people in the Outlook address book. There is no subject line, and
the body of the e-mail contains the phrase "Here's some pictures for you!"

But the attachment, a file called "pics4you.exe," is actually a small
program that runs when an unsuspecting computer user tries to view the
pictures.
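A mail-gateway triage rule for the lure just described, as an added example that is not from the article or from any anti-virus vendor's product: it parses a raw message with Python's standard `email` library and reports which of the three indicators the article gives (no subject line, the body phrase, the `pics4you.exe` attachment) are present. The sample messages, their addresses and the dummy attachment bytes are constructed here for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article: no Subject line, this body phrase,
# and an attachment named pics4you.exe (compared case-insensitively).
LURE_PHRASE = "here's some pictures for you!"
LURE_ATTACHMENT = "pics4you.exe"


def mypics_indicators(raw: bytes) -> list:
    """Return the indicators found in one raw RFC 822 message, in check order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if not str(msg["Subject"] or "").strip():
        hits.append("empty-subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if LURE_PHRASE in text.lower():
        hits.append("lure-phrase")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == LURE_ATTACHMENT:
            hits.append("lure-attachment")
            break
    return hits


def is_mypics_lure(raw: bytes) -> bool:
    """Flag only when the executable is present plus at least one other sign,
    so a harmless note that happens to use the phrase is not quarantined."""
    hits = mypics_indicators(raw)
    return "lure-attachment" in hits and len(hits) >= 2


def build_sample(subject, text, attachment_name):
    """Constructed test message (hypothetical addresses, dummy attachment bytes)."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "you@example.com"
    if subject is not None:
        m["Subject"] = subject
    m.set_content(text)
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


LURE_SAMPLE = build_sample(None, "Here's some pictures for you!", "pics4you.exe")
BENIGN_SAMPLE = build_sample("Holiday pics", "Here's some pictures for you!", "beach.jpg")
```

The rule deliberately keys on the attachment name rather than the phrase alone, since legitimate mail can carry the same sentence; a variant that renames the executable would need a content-based signature instead.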

"These types of programs really harm the new user," Ms. Merritt said.
"Although an expert user will usually not fall for these tricks, people who
are new to computers are generally unsuspecting."

If the message and the attached file are simply deleted, the program will
not harm a computer, she said.

If the program is run, however, it will mail itself to 50 people in the
Outlook address book, then hide itself in a component of the Windows
operating system known as the registry. The program also resets the home
page of users of Microsoft's Internet Explorer browser to a personal page on
the Yahoo Geocities Web site that until yesterday afternoon contained
sexually explicit pictures.

The page was titled "Daves Web Page: Brought to You From the Cave!" Computer
researchers said yesterday that they were not certain why that particular
page had been chosen, though one said it was possible that the virus author
simply wanted to make use of a counter on that page that recorded the number
of visitors.

As of noon yesterday, the site had recorded almost 5,000 new visits. Shortly
thereafter, a Yahoo spokesman said, the site had been taken down, but he
would not say whether it had been taken down by the page's owner or by the
company.

After infection, each time the computer is turned on, the worm program
checks the date. When it detects Jan. 1 or a later date, it executes two
separate tasks known as payloads. The first tries to overwrite the
computer's BIOS, or basic input output statement, memory, a small permanent
storage area that contains the instructions the computer follows when it
boots. These are necessary for everything from running a modem or printer to
finding the operating system on a hard drive.

Once that happens, the computer when next turned on will refuse to start.
Instead, it will display a message like "CMOS Checksum Invalid."

Many of today's computers protect the BIOS from this type of vandalism, but
the worm's second form of attack is more malicious: it overwrites a Windows
start-up file named autoexec.bat with a file of the same name that causes
the operating system to reformat the hard drive, or C drive, and any second
hard drive or other storage device designated as the D drive. This destroys
all programs and data on the computer.

"We are very concerned about the time delay built in to this program," said
Narender Mangalan, director of security for Computer Associates in Islandia,
N.Y.

He said that because both the date trigger and the use of e-mail address
books by viruses and worms were increasingly popular trends, the company had
released a program known as a variant analyzer that tries to find programs
that are similar to existing viruses and worms.

And the variations are likely to grow quickly between Christmas and New
Year's Day. Traditionally, Ms. Merritt said, the number of viruses and worms
tends to increase during and after school holidays, when students, who are
the most frequent authors of malicious programs, have more free time to
devote to their illicit hobbies.