Virus stuff again

There’s a variant of the Mydoom virus going around now. Mydoom.B also targets microsoft.com for the DDoS. It’s mostly a clone, with some filenames changed. http://files.invisibill.net/unmydoomb.inf will remove the new version, just like my last one did on the original.

However, the B version also tampers with your hosts file. A hosts file is a text file that lists some names and the IP addresses they should correspond to. The most common entry in a hosts file is 127.0.0.1 localhost. This is the standard loopback address, and tells the system that you mean your own PC anytime you use the servername localhost. Mydoom.B adds a bunch of common servernames and points them at 0.0.0.0, making it so that your computer can’t connect to those sites. Most of the sites are places you would go for updates or virus info – it attempts to cut you off from finding the information to fix the problem.

    ad.doubleclick.net
    ad.fastclick.net
    ads.fastclick.net
    ar.atwola.com
    atdmt.com
    avp.ch
    avp.com
    avp.ru
    awaps.net
    banner.fastclick.net
    banners.fastclick.net
    ca.com
    click.atdmt.com
    clicks.atdmt.com
    dispatch.mcafee.com
    download.mcafee.com
    download.microsoft.com
    downloads.microsoft.com
    engine.awaps.net
    fastclick.net
    f-secure.com
    ftp.f-secure.com
    ftp.sophos.com
    go.microsoft.com
    liveupdate.symantec.com
    mast.mcafee.com
    mcafee.com
    media.fastclick.net
    msdn.microsoft.com
    my-etrust.com
    nai.com
    networkassociates.com
    office.microsoft.com
    phx.corporate-ir.net
    secure.nai.com
    securityresponse.symantec.com
    service1.symantec.com
    sophos.com
    spd.atdmt.com
    support.microsoft.com
    symantec.com
    update.symantec.com
    updates.symantec.com
    us.mcafee.com
    vil.nai.com
    viruslist.ru
    windowsupdate.microsoft.com
    www.avp.ch
    www.avp.com
    www.avp.ru
    www.awaps.net
    www.ca.com
    www.fastclick.net
    www.f-secure.com
    www.kaspersky.ru
    www.mcafee.com
    www.microsoft.com
    www.my-etrust.com
    www.nai.com
    www.networkassociates.com
    www.sophos.com
    www.symantec.com
    www.trendmicro.com
    www.viruslist.ru
    www3.ca.com
    (microsoft.com is only added if it’s not within the DDoS date range)

Once the virus is on your system, you won’t be able to successfully connect to any of those sites. The fix is fairly simple though. You just need to remove those lines from your hosts file. You can search for “hosts” or it should be in your Windows directory on Win9x (C:\Windows\hosts) or under your system directory on WinNT (C:\WinNT\system32\drivers\etc\hosts). The hosts file doesn’t have an extension, so you may need to have Notepad (or whatever editor you’re using) look at all filetypes to open it. That’s the dropdown box under the filename in the Open box.

Now that you’ve got the hosts file open, you should see lines with “0.0.0.0” and the servernames above. Just delete any line that starts with 0.0.0.0 and has one of these servernames. Some ad-blockers will add names of ad servers here (so that you never connect to the ad server), but you should be able to tell which ones are valid servers blocked by the virus and which ones are ad servers blocked by another program.
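If you would rather not hunt through the file by hand, the cleanup described above can be scripted. The following is an added example written for this post, not the author's .inf script: it reads the hosts file (located through the `windir` environment variable, falling back to the paths given above), removes only the lines that map one of the servernames listed above to 0.0.0.0, leaves `127.0.0.1 localhost` and any ad-blocker entries that use 127.0.0.1 alone, keeps a `.bak` copy, and prints what it removed so you can put back anything an ad-blocker had legitimately added.

```python
import os
import re
import shutil

# The servernames Mydoom.B maps to 0.0.0.0 (the list from the post). Several of
# them (doubleclick, fastclick, atdmt, awaps) are ad servers that an ad-blocker
# may also have put in your hosts file, so check the printed "removed" lines.
MYDOOM_B_NAMES = frozenset("""
ad.doubleclick.net ad.fastclick.net ads.fastclick.net ar.atwola.com atdmt.com
avp.ch avp.com avp.ru awaps.net banner.fastclick.net banners.fastclick.net ca.com
click.atdmt.com clicks.atdmt.com dispatch.mcafee.com download.mcafee.com
download.microsoft.com downloads.microsoft.com engine.awaps.net fastclick.net
f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com
liveupdate.symantec.com mast.mcafee.com mcafee.com media.fastclick.net
msdn.microsoft.com my-etrust.com nai.com networkassociates.com
office.microsoft.com phx.corporate-ir.net secure.nai.com
securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com
support.microsoft.com symantec.com update.symantec.com updates.symantec.com
us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch
www.avp.com www.avp.ru www.awaps.net www.ca.com www.fastclick.net
www.f-secure.com www.kaspersky.ru www.mcafee.com www.microsoft.com
www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com
www.symantec.com www.trendmicro.com www.viruslist.ru www3.ca.com microsoft.com
""".split())

# address, then one or more hostnames (hosts files allow several per line)
HOSTS_ENTRY = re.compile(r"^\s*(?P<addr>\S+)\s+(?P<names>.+?)\s*$")


def clean_hosts(text, names=MYDOOM_B_NAMES):
    """Return (cleaned_text, removed_lines).

    A line is removed only when it maps one of the listed names to 0.0.0.0.
    Comments, blank lines, "127.0.0.1 localhost", unrelated entries and
    ad-blocker entries that use 127.0.0.1 are all kept untouched.
    """
    kept, removed = [], []
    for line in text.splitlines():
        m = HOSTS_ENTRY.match(line)
        if m and not line.lstrip().startswith("#"):
            hostnames = {h.lower() for h in m.group("names").split()}
            if m.group("addr") == "0.0.0.0" and hostnames & names:
                removed.append(line)
                continue
        kept.append(line)
    cleaned = "\n".join(kept)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, removed


def default_hosts_path():
    """Locate the hosts file at the NT path, falling back to the Win9x path."""
    windir = os.environ.get("windir", r"C:\Windows")
    nt_path = os.path.join(windir, "system32", "drivers", "etc", "hosts")
    return nt_path if os.path.exists(nt_path) else os.path.join(windir, "hosts")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    with open(path, encoding="latin-1") as fh:
        original = fh.read()
    cleaned, removed = clean_hosts(original)
    if removed:
        shutil.copyfile(path, path + ".bak")  # keep a copy before rewriting
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(cleaned)
    for line in removed:
        print("removed:", line)
    print("%d line(s) removed" % len(removed))
```

Run it as an administrator (the hosts file is not writable by ordinary users on NT systems); passing a path on the command line lets you try it on a copy first.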

Pinguin

Pinguin!

Click once to drop the penguin, and again to swing at him. See how far you can send him! The known records are 596.4 and 501.2 for a faceplant. If you manage to beat those (my records are 588.8 and 492.9), get some screenshots and let them know in #Penguin on Undernet. If you’ve given up on winning, the short record for a hit is 148.4.

More anti-virus crap

I’m at it again! I’ve created another .inf virus removal script, this time for Mydoom/Novarg. Save http://files.invisibill.net/unmydoom.inf somewhere, right click, and choose “Install”. The script may have problems removing files if they’re in use, so I suggest running it once, rebooting (since the startup stuff has been cleaned off, it will be a clean boot now), then run it again to delete any files that may have been in use before.

The script removes/fixes everything listed on Symantec’s page. It removes the startup entries in the Current User and Local Machine sections of the registry. It removes the two other keys listed (it isn’t mentioned what they do). It deletes taskmon.exe and shimgapi.dll from your Windows system directory. Note that there is a valid taskmon.exe file, but it’s in the Windows directory itself. It will also overwrite the registry entry where WebCheck is hijacked. The flags in the script tell it to only write the value if it already exists, and it’s different depending on whether the system is Win9x or WinNT. It replaces the value with (Windir)\SYSTEM\WEBCHECK.DLL on 9x and %SystemRoot%\System32\webcheck.dll on NT. It calculates the value of (Windir) as the script is run and %SystemRoot% is a system variable, so there shouldn’t be any problems with that. It also removes files from the KaZaA\My Shared Folder directory under your Program Files directory. Again, the location of Program Files is worked out as the script is run (it’s not hardcoded to “C:\Program Files” or anything) so it should work regardless of where you actually have Program Files. However, I don’t know an easy way to access the shared Kazaa directory, so that part is hardcoded. You’ll have to manually delete the files if they’re somewhere else. An updated virus scanner should find these, and they’re really only for spreading the virus, as opposed to being part of the virus running on your PC. Anyway, the script looks for all combinations of the filenames and extensions listed on Symantec’s page, 28 in all.

If you don’t trust me, look at the file yourself. It’s just a plain text file. The default action for .inf files should be to open them in Notepad, so it should be very easy for you to check out. The first sections are just comments and info on the author and the script’s name and stuff. The SourceDisksFiles section just lists all the filenames involved. In a regular installation script, this would tell it which disks contained which files. The ProgFiles and SysFiles sections just break the files down into groups which are installed in the same place. DestinationDirs tells where each of those groups should go. 16422 is your Program Files directory and 11 is your System directory. Mydoom.Reg just lists the registry stuff that the virus creates. DLL.reg and DLL_NT.reg are the correct WebCheck registry entries. As you can probably figure out, DefaultInstall and DefaultInstall.nt tell it to delete the files and registry entries listed above, and add the proper WebCheck stuff. The two versions tell it to use one WebCheck entry for 9x and another for NT. It’s not really an “Install” as we’re mostly removing stuff, but DefaultInstall is what gets run when you right-click the file and choose “Install”.

The virus contains its own SMTP (mail-sending) engine. It doesn’t rely on Outlook or anything like that, it actually sends the messages itself. It is also clever in that it reports the server name as the domain of whatever email address it is spoofing as the sender. For example, if it’s saying the email is from joe@fakeisp.net, it will report to the receiving mail server that its name is fakeisp.net. If you view all the headers of the virus spams you receive, you can find out where they came from. CTRL+U opens the message source in Mozilla-based mail programs, and I believe it’s CTRL+F3 in Outlook Express. Near the beginning you should find a line that starts with Received: from. After that will be an IP address in brackets and the HELO command. The IP address should be the PC sending the mails, and the HELO command should return the domain of the spoofed sender address as I stated above. Note that the virus may spoof your address as a sender. If it gets sent to a bad address, that mail server may return an error message to you saying that your email (which you didn’t actually send) couldn’t be delivered. To find the infected PC in one of these emails, you need to look deeper into the message source. You need to find the original message’s headers where it is quoted in the error message. Some error messages may not even include the original message. In this case, the HELO command will return your domain name, since it was saying that the message came from you. It will be something like Received: from invisibill.net ([111.222.333.444]). That IP address is the infected PC who originally sent the message saying it was from you.
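The header reading described above can be automated. This is an added example, not code from the post: it parses a message with Python's `email` module, pulls the HELO name and bracketed IP out of each `Received: from` header, and picks the hop whose HELO name equals the domain of the (forged) From address, which is the tell the post describes. For bounces it first descends into the quoted original (the `message/rfc822` part) so the inner headers are examined, as the post says to do. The sample messages are constructed, use documentation IP ranges, and the `KNOWN_INFECTED` set holds the five addresses listed further down in this post.

```python
import email
import email.utils
import re

# HELO name and bracketed IP from a "Received: from ..." header, covering both
# "from fakeisp.net ([203.0.113.45]) by ..." and
# "from fakeisp.net (host.isp.example [203.0.113.45]) by ...".
RECEIVED_FROM = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s*\(?[^\[\)]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]",
    re.IGNORECASE)

# IP addresses the post lists as sources of virus spam the author received.
KNOWN_INFECTED = frozenset({"209.7.198.2", "216.237.20.226", "69.9.12.20",
                            "67.167.18.184", "68.65.56.34"})


def innermost_message(msg):
    """A bounce often carries the original mail as a message/rfc822 part; the
    headers worth reading are in there, not on the bounce itself."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()
            if inner:
                return innermost_message(inner[0])
    return msg


def received_hops(msg):
    """(helo, ip) for each Received header, most recent hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = RECEIVED_FROM.search(flat)
        if m:
            hops.append((m.group("helo").lower(), m.group("ip")))
    return hops


def find_origin(raw, known_infected=KNOWN_INFECTED):
    """Return a dict describing the hop that most likely sent the message."""
    msg = innermost_message(email.message_from_string(raw))
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    hops = received_hops(msg)
    if not hops:
        return None
    # Mydoom greets with the domain of the address it is forging, so the hop
    # whose HELO equals the From domain is the infected PC. Otherwise fall back
    # to the earliest hop in the chain.
    for helo, ip in hops:
        if helo == domain:
            break
    else:
        helo, ip = hops[-1]
    return {"ip": ip, "helo": helo, "from_domain": domain,
            "helo_matches_from": helo == domain,
            "known_infected": ip in known_infected}


# Constructed sample: a worm mail forged as joe@fakeisp.net, received via our MX.
SAMPLE_VIRUS = """\
Received: from mx.invisibill.example (localhost [127.0.0.1])
  by mail.invisibill.example with ESMTP id 1; Tue, 27 Jan 2004 10:00:01 -0500
Received: from fakeisp.net ([203.0.113.45])
  by mx.invisibill.example with SMTP id 2; Tue, 27 Jan 2004 10:00:00 -0500
From: joe@fakeisp.net
To: you@invisibill.example
Subject: hi

test
"""

# Constructed sample: a bounce quoting a message that was forged as from "you".
SAMPLE_BOUNCE = """\
Received: from mail.fakeisp.net ([198.51.100.7])
  by mx.invisibill.example with SMTP id 3; Tue, 27 Jan 2004 11:00:00 -0500
From: MAILER-DAEMON@fakeisp.net
To: you@invisibill.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="bnd"

--bnd
Content-Type: text/plain

The message could not be delivered to nobody@fakeisp.net.

--bnd
Content-Type: message/rfc822

Received: from invisibill.example ([192.0.2.99])
  by mail.fakeisp.net with SMTP id 4; Tue, 27 Jan 2004 10:59:00 -0500
From: you@invisibill.example
To: nobody@fakeisp.net
Subject: hi

test

--bnd--
"""

if __name__ == "__main__":
    for sample in (SAMPLE_VIRUS, SAMPLE_BOUNCE):
        print(find_origin(sample))
```

Feed it a saved message source (the CTRL+U view) and the returned `ip` is the address to report to the owner's ISP or to add to a local filter; `helo_matches_from` being false means the pattern was not seen and the earliest hop is only a guess.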

Now that we’ve covered how the virus spreads and how to get rid of it, let’s mention what it actually does. It opens your system up, probably for remote control, and is coded to DDoS SCO’s website starting February 1. Yes, those litigious bastards (hehe, see this entry) involved with the Linux IP lawsuit. It was probably written by some zealot, as most of the open source community doesn’t support illegal attacks, even against those they really dislike. It does have a trigger to stop spreading February 12, but the backdoor function will still work after that.

Here is a list of IP addresses that I have personally received virus spam from. I don’t want anyone to attempt to hack these people or DDoS them or anything. I’m providing the IP addresses here so that people can find out if they’re infected and so that people can filter out incoming email from known infected sources.

209.7.198.2 (user-2.museum.state.il.us)

216.237.20.226 (216-237-20-226.orange.nextweb.net)

69.9.12.20 (appears to be a broadband user of dakotacom.net, downstream from broadband01-fe0-0.tus.dakotacom.net)

67.167.18.184 (c-67-167-18-184.client.comcast.net)

68.65.56.34 (va-staff-u1-c4a-a-34.frbgva.adelphia.net)

http://www.invisibill.net/ipcheck.php will show you your IP address. It simply outputs the address that made the request to the webserver. It doesn’t access anything on your PC or require the installation of anything. It’s just a function on the webserver that shows the IP address that requested the page. If your IP address is one of those, your PC is infected. Your PC has been opened up for remote access and you’re sending out a bunch of junk email, slowing the internet down for everyone. Clean up your PC now. http://pctech.invisibill.net/virusinfo.html has links to a whole bunch of AV vendors, including some free and online options.

http://www.habeas.com/companyPressPR.html#violatio…

http://www.habeas.com/companyPressPR.html#violation is the Habeas press release about the recent wave of zombified PCs sending spam using the Habeas headers. If you’re unfamiliar with Habeas, you can get a license from them that allows you to embed their poem into your email headers. Spam filters are set up to allow any message with this poem in it to pass through. Your legitimate emails never get blocked by spam filters. As part of the license, you agree not to spam. Anyone caught spamming with the Habeas poem in their headers gets sued for devaluing their poem under existing and very enforceable copyright laws. You can read about their victories via this method further down on the press releases page.

If you get any messages which are obviously spam and use the Habeas headers, please report them using the form at http://www.habeas.com/report/. Once these zombies are reported, the IP addresses can be added to Habeas’ list of infringers. This will put that IP address on a list of sources from which you shouldn’t accept the Habeas headers. If the spam filter is configured properly, this should cancel out the fact that they have the Habeas headers. If you can, check your spams for the Habeas headers and report any that are using it. This will make the system work better, and hopefully sue the crap out of the spammer responsible.

http://us.mcafee.com/virusInfo/default.asp?id=mydo…

http://us.mcafee.com/virusInfo/default.asp?id=mydoom

Another Windows virus. This one spreads via email and via Kazaa. It opens up your system, probably for remote access. It also has code to DDoS SCO. I honestly don’t really care about that stuff, but I keep getting virus spam from this. Some are viruses being sent to me, others are error messages from mail servers that received mail with my address forged as the sender. Both are annoying.

Do an online virus scan and/or update your virus scanner. http://pctech.invisibill.net/virusinfo.html It’s a little outdated, but it has most of the major AV vendors, as well as some free options.

Yay, new worm! Bagle is on the loose now. It will …

Yay, new worm! Bagle is on the loose now. It will arrive in an email with the subject Hi and Test =) {random characters} Test, yep. in the body. It will have an attachment with a random filename and the standard Windows Calculator icon. When you run the attachment before January 28, 2004, the worm will copy itself to your Windows system directory as bbeagle.exe, create registry entries to load that at startup, and then open the Windows Calculator program to cover it. On January 28, 2004, or later, the program will simply do nothing and exit. This expiration date may be an indication that another version will be made also.

The worm collects email addresses from .wab, .txt, .htm, and .html files (address book, text, HTML). The first email uses the same address both to and from. The second email uses the same address as the from, and uses the next collected email address as the target. The third email goes to the third address found, from the second address, and so on. It won’t send to addresses that contain “@hotmail.com”, “@msn.com”, “@microsoft”, or “@avp”. The worm opens up the system for remote access and tries to report to a script on several websites (none of which are currently active) that the system is infected.
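The indicators in the two paragraphs above are enough for a mail filter to recognize a Bagle message before anyone opens the attachment. This added example (mine, not the post's) parses a message with Python's `email` module and reports which indicators it shows: the subject being exactly `Hi`, From and To being the same address (the worm's first message), the `Test =) ... Test, yep.` body, and an executable attachment. The post only says the attachment has a random name and a Calculator icon; treating an executable extension as the indicator is this example's assumption, and the sample messages are constructed.

```python
import email
import email.utils
import re

# Body text the post describes: "Test =) {random characters} Test, yep."
BAGLE_BODY = re.compile(r"Test =\)\s+\S+\s+Test, yep\.")
# Assumption of this example: the random-named attachment is an executable.
EXECUTABLE = (".exe", ".scr", ".pif")


def bagle_indicators(raw):
    """Return the list of Bagle indicators the message shows (empty if none)."""
    msg = email.message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip() == "Hi":
        hits.append("subject is exactly 'Hi'")
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    rcpt = email.utils.parseaddr(msg.get("To", ""))[1].lower()
    if sender and sender == rcpt:
        hits.append("From and To are the same address (the worm's first message)")
    text, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload(decode=True).decode("latin-1"))
    if BAGLE_BODY.search("\n".join(text)):
        hits.append("body matches 'Test =) ... Test, yep.'")
    if any(n.lower().endswith(EXECUTABLE) for n in attachments):
        hits.append("executable attachment: " + ", ".join(attachments))
    return hits


def looks_like_bagle(raw):
    """Flag when the body pattern and an executable attachment are both present;
    the other two indicators are reported but are too common on their own."""
    hits = bagle_indicators(raw)
    flagged = (any(h.startswith("body") for h in hits)
               and any(h.startswith("executable") for h in hits))
    return flagged, hits


# Constructed sample in the shape the post describes.
SAMPLE_BAGLE = """\
From: someone@example.net
To: someone@example.net
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part"

--part
Content-Type: text/plain

Test =) hzqwplk
Test, yep.

--part
Content-Type: application/octet-stream; name="ghqkz.exe"
Content-Disposition: attachment; filename="ghqkz.exe"
Content-Transfer-Encoding: base64

TVo=
--part--
"""

if __name__ == "__main__":
    print(looks_like_bagle(SAMPLE_BAGLE))
```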

As with Sobig.f, I’ve made a script to remove Bagle from your system. Save unbagle.inf on your Desktop or somewhere else handy. Right click and choose Install. While most of you probably haven’t spent as much time with .inf files as I have, it’s pretty easy to open the file in Notepad and see what’s going on. It’s set up so that the default Install action is to delete files and registry entries. Normally you would use those for the uninstall section, but the main reason behind this script is to remove stuff, so removing stuff is the default action. In the file you will see that it has the location of the file specified as 11. This equates to your Windows System directory (you can find a list of these numbers in a KB article linked from the Software section of PC Tech). Basically the default “install” just goes through and deletes the files and registry entries from the locations listed in the file. If the worm program is running, you may need to use this script twice. If the worm file is in use, it might not let the script delete the file. It will still remove the startup stuff from the registry though. Run the script once, and the worm won’t be running after you reboot. Then run the script again and the worm file will get deleted, as it won’t be running this time.
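Both removal scripts on this page (unmydoom.inf, whose sections are walked through above, and unbagle.inf) are plain-text .inf files, and the advice in both entries is to read them before running them. This added example, written for this page and not part of either script, is a dry-run reader for that layout: it parses the `[Section]` / `key=value` structure, resolves each file group through `DestinationDirs` using the directory IDs the post explains (11 = Windows System directory, 16422 = Program Files; 10, the Windows directory, is from the same INF reference), and lists what `DefaultInstall` or `DefaultInstall.nt` would delete and which registry values it would write, decoding the two `AddReg` flags the post's description relies on. The embedded INF is a constructed sample in the described layout, not the real unmydoom.inf; the WebCheck CLSID, the Kazaa filename and the `TaskMon` value name are placeholders or assumptions.

```python
import re

SECTION_HEADER = re.compile(r"^\[(?P<name>[^\]]+)\]$")

# Destination directory IDs (DIRIDs) from the Windows INF reference.
DIRIDS = {"10": "<Windows directory>", "11": "<Windows System directory>",
          "16422": "<Program Files>"}
FLG_ADDREG_OVERWRITEONLY = 0x00000020   # write the value only if it already exists
FLG_ADDREG_TYPE_EXPAND_SZ = 0x00020000  # REG_EXPAND_SZ, so %SystemRoot% is expanded


def parse_inf(text):
    """Map lower-cased section name -> entry lines, with ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group("name").lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def resolve_dest(sections):
    """Group name -> folder, from [DestinationDirs] lines like 'Group=dirid[,sub]'."""
    dest = {}
    for entry in sections.get("destinationdirs", []):
        group, _, spec = entry.partition("=")
        dirid, _, sub = spec.partition(",")
        base = DIRIDS.get(dirid.strip(), "<DIRID %s>" % dirid.strip())
        dest[group.strip().lower()] = base + ("\\" + sub.strip() if sub.strip() else "")
    return dest


def describe_addreg(line):
    """Split an AddReg line (root,subkey,valuename,flags,value) and decode flags."""
    fields = [f.strip() for f in line.split(",", 4)]
    fields += [""] * (5 - len(fields))
    root, subkey, valname, flags, value = fields
    flagval = int(flags, 16) if flags.lower().startswith("0x") else int(flags or "0")
    return {"key": root + "\\" + subkey, "value_name": valname or "(Default)",
            "value": value.strip('"'),
            "overwrite_only": bool(flagval & FLG_ADDREG_OVERWRITEONLY),
            "expand_sz": bool(flagval & FLG_ADDREG_TYPE_EXPAND_SZ)}


def plan_install(sections, install="DefaultInstall"):
    """Dry run: what an install section would delete and add."""
    dest = resolve_dest(sections)
    plan = {"delete_files": [], "delete_registry": [], "add_registry": []}
    for line in sections.get(install.lower(), []):
        directive, _, value = line.partition("=")
        directive = directive.strip().lower()
        for group in [g.strip().lower() for g in value.split(",") if g.strip()]:
            entries = sections.get(group, [])
            if directive == "delfiles":
                folder = dest.get(group, "<no DestinationDirs entry>")
                plan["delete_files"] += [folder + "\\" + e.split(",")[0].strip() for e in entries]
            elif directive == "delreg":
                plan["delete_registry"] += entries
            elif directive == "addreg":
                plan["add_registry"] += [describe_addreg(e) for e in entries]
    return plan


# Constructed sample in the layout the post describes (not the real script).
SAMPLE_INF = r"""
[Version]
Signature="$CHICAGO$"
; comments start with a semicolon

[DefaultInstall]
DelFiles=SysFiles,ProgFiles
DelReg=Mydoom.Reg
AddReg=DLL.reg

[DefaultInstall.nt]
DelFiles=SysFiles,ProgFiles
DelReg=Mydoom.Reg
AddReg=DLL_NT.reg

[DestinationDirs]
SysFiles=11
ProgFiles=16422,KaZaA\My Shared Folder

[SysFiles]
taskmon.exe
shimgapi.dll

[ProgFiles]
PLACEHOLDER_SHARED_NAME.exe

[Mydoom.Reg]
; the "TaskMon" value name is assumed here
HKLM,Software\Microsoft\Windows\CurrentVersion\Run,TaskMon
HKCU,Software\Microsoft\Windows\CurrentVersion\Run,TaskMon

[DLL.reg]
; %10% is DIRID 10, the Windows directory, substituted when the INF runs
HKCR,CLSID\{WEBCHECK-CLSID-PLACEHOLDER}\InProcServer32,,0x00020020,"%10%\SYSTEM\WEBCHECK.DLL"

[DLL_NT.reg]
HKCR,CLSID\{WEBCHECK-CLSID-PLACEHOLDER}\InProcServer32,,0x00020020,"%SystemRoot%\System32\webcheck.dll"
"""

if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INF
    print(json.dumps(plan_install(parse_inf(text)), indent=2))
```

Pointing it at a downloaded .inf before right-clicking "Install" shows exactly which files and registry values the script will touch, which is the check the post invites you to make by reading the file yourself.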

MIME types. You may or may not know what a MIME ty…

MIME types. You may or may not know what a MIME type is. If you don’t, you probably don’t care what one is either. Too bad, you’re going to learn!

Every time a client requests something from an internet server, the server tells the client what type of file it is. This is the MIME (Multipurpose Internet Mail Extensions) type. The webserver tells your browser that this file is an HTML page, or that file is an image, or that one is an executable. This is a very handy feature. It allows me to do some cool things, like have a Perl script generate an image file. Even though the URL ends with .pl instead of .jpg, the server tells my browser that it’s a JPEG, so my browser shows the picture properly.

Here’s where the problems start. Due to error, inactivity, or apathy, many webservers send incorrect MIME types. In the example above, an incorrectly configured webserver would tell my browser that the file is a text file. So my standards-compliant browser shows the “text” it was sent. A bunch of garbage shows up in my browser window. Certain popular non-standard browsers look at everything sent to them, and guess at what type of file it is. This usually works, but basically stops everything when it doesn’t work. At least with the garbage, you can do a Save As, and save the file to view it in whatever program you have to handle that type of file. With the non-standard browser, you can’t do anything to stop it from guessing the wrong type. This also allows people to embed code into “image” files. This is why certain systems could be sent a shutdown command by going to a .jpg URL.

Try these URLs in your favorite browser… they should all come out as plain text if the standards are followed.

http://webtips.dan.info/cgi-bin/plaintext.pl

http://webtips.dan.info/cgi-bin/plaintext.pl/test.html

http://webtips.dan.info/cgi-bin/plaintext.pl/test.gif

http://webtips.dan.info/cgi-bin/plaintext.pl/test.zip

http://webtips.dan.info/cgi-bin/plaintext.pl/test.exe
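The server side of what these test URLs demonstrate can be written in a few lines. This is an added example, not the webtips.dan.info script: a small Python HTTP server where a script URL (`/image.py`) returns a PNG it generates in memory with `Content-Type: image/png`, and `/plaintext.py/anything` returns `text/plain` whatever the path ends in, mirroring the `plaintext.pl` URLs above. The type is decided by what the handler produces, never by the extension. It also sends `X-Content-Type-Options: nosniff`; that header postdates this post (it arrived with IE8 in 2008) but is the mechanism browsers later adopted to tell a sniffing browser to honour the declared type.

```python
import struct
import zlib
from http.server import BaseHTTPRequestHandler, HTTPServer

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_png(width=8, height=8, rgb=(0, 96, 160)):
    """Build a minimal solid-colour PNG in memory (RGB, 8 bits per channel)."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    # each scanline starts with filter byte 0 (no filtering)
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def build_response(path):
    """Pick status, headers and body for a request path. The Content-Type
    describes what the server actually produces, not what the URL ends in."""
    if path == "/image.py":
        status, body, ctype = 200, make_png(), "image/png"
    elif path.startswith("/plaintext.py"):
        text = "plain text, whatever the URL ends in: %s\n" % path
        status, body, ctype = 200, text.encode("utf-8"), "text/plain; charset=utf-8"
    else:
        status, body, ctype = 404, b"not found\n", "text/plain; charset=utf-8"
    headers = {"Content-Type": ctype,
               "Content-Length": str(len(body)),
               # asks a sniffing browser to trust the declared type
               "X-Content-Type-Options": "nosniff"}
    return status, headers, body


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = build_response(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # visit http://127.0.0.1:8080/image.py and /plaintext.py/test.zip
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

A standards-following browser shows `/image.py` as a picture and `/plaintext.py/test.zip` as text; one that guesses from the extension would offer the second as a ZIP download, which is exactly the disagreement the thread linked below argues about.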

Note that the W3C web standards (the rules that make the web “world wide” and accessible via so many different browsers and devices) state that a browser must accept the MIME type the server tells it. While you can add non-standard features like the <blink> and <marquee> tags without breaking anything else, the RFC says that you have to do what the server says. Either you do what the server says and are standards-compliant, or you do something else and aren’t standards-compliant.

http://forums.mozillazine.org/viewtopic.php?t=16497 is a huge thread of debate on this topic. Not the first, and not the last either. Basically it comes down to the fact that honoring the standard makes things difficult for the average end user. But at the same time, breaking the standard to make things easier for end users in many situations could cause problems with unusual (though perfectly acceptable, standards-wise) configurations. You’re breaking working stuff to fix a server admin’s error. Essentially, the standards say that the extension on a file doesn’t mean anything on the web. If I have a plain text file named text.zip, that’s perfectly acceptable as long as my server tells the browser that the file is a text file. If you were to disregard the MIME types standard, your browser would probably guess that this is a ZIP archive and that the server is incorrectly saying it’s a text file, which would be wrong in this case.

Obviously, the best solution to this problem is for everyone to not make mistakes. If all filetypes on all servers were configured correctly, this wouldn’t be an issue. The server would tell the browser what type of file it is, and the file would be of that type, and the file would get displayed properly and/or open in the correct helper program. The latest Mozilla code is supposed to be improved to handle these server configuration errors, but I haven’t had a chance to test it out yet. Even if your browser can now handle this stuff, let the server admin know when something isn’t working right. It might be an honest mistake or oversight. They can’t fix what they don’t know about!