Home » Technology » Computer Security » Computer Security Weekly, February 1, 1999

Computer Security Weekly, February 1, 1999

© Robert Slade

Fred Cohen, grandfather of virus research, has found an interesting new Microsoft Word macro virus. A Word document (his version is called CALIG.DOC) purports to hold user IDs and passwords to pornographic sites. Behind the scenes, the macro will grab your private PGP key ring and send it to IP address 209.201.88.110. This is related to codebreakers.org, which is registered to a contact in Limburg, Austria, although the technical contact is in area code 517 in the US. (You can check out domain names yourself at http://rs.internic.net/cgi-bin/whois.)

Another interesting note from Fred:

"I just got perhaps the most bizarre Microsoft error of all time. I was copying files from a network drive to a Jazz drive, and up pops an error box with the message "Cannot copy sensitive countries" - at which point the copy of all the files failed! It stopped on a filename corresponding to a country whose name may well be on the sensitive countries list.

"I guess Microsoft doesn't want us to use the names of certain countries in our files!"

The furor continues over Intel's plan to put serial numbers on the chip. Those promoting the plan are arguing that the numbers would be helpful for Internet commerce. Details can be found at http://www.redherring.com/insider/1999/0... & http://www.zdnet.com/zdnn/stories/news/0...

Bruce Schneier, crypto maven, has now weighed in with his position on the e-commerce aspect: it won't work. His explanation is at http://www.zdnet.com/zdnn/stories/commen...

An interesting message from RISKS Digest, 20:19:

"This is really a case of a picture being worth ten thousand words, as the Chinese old proverb says. I urge readers to take a look at http://home.studit.com/com00120/sparbank... and see what is possibly the most foolish bank in the world.

"If you can't view the picture, it shows a bank ATM, with the screen showing a Windows95 error message. I can't tell what it says, as I am not fluent in Swedish.

"The risks here are so obvious it defies rationality as to why this bank decided to do this."

You will Undoubtedly hear about the Happy99 virus, because the BBC has. http://news.bbc.co.uk/hi/english/sci/tec...
I'm not at all sure that I classify Happy99 as a virus, since it requires that you invoke the program: it is more like a trojan. You may get an email or news posting with a file called HAPPY99.EXE. If you run the program it will present a small fireworks display on your screen. Behind the scenes, it will patch your copy of wsock32.dll, used for Internet connectivity. It then uses this patched library, and your Internet connection, to spread itself by attaching to outbound mail and postings. Fortunately, the patch is fairly easy to spot: the program makes a copy of your original library, called wsock32.ska, according to Ian Whalley of Sophos. You can recover by copying the original file to the original filename.