Network Security

For further information, contact CIAC on: +1 925 422 8193; fax: +1 925 423 8002; E-mail: ciac@llnl.gov.

Virus sends users’ details to virus exchange site

A new macro virus capable of infecting Microsoft Word 97 and Excel 97 documents has been discovered by Reflex Magnetics. Known as the ‘HSFX’ virus, this new variety appears to be a derivative of ‘Ethan’, a newly emerged macro virus that has become extremely common recently. However, unlike Ethan, HSFX attempts to send the user’s personal details held in Microsoft Office applications to the notorious Codebreakers virus exchange (VX) site.

Reflex technical consultant, Neil Larkins, said, “We uncovered the HSFX virus in an infected file we obtained from a London employment agency earlier this week. They apparently process hundreds of CVs received every week via E-mail and had found recently that many of their Word documents were suffering from random corruption. However, since their anti-virus scanner reported no infections, they asked Reflex to investigate the problem. Our macro virus scanner RMI found HSFX using heuristic detection methods, but had no way of dealing effectively with it because of the new infection technique it employs.”

Samples were sent to Reflex’s Australian associates, Leprechaun, who analysed them and developed a new version of RMI to provide cleaning functionality. The new version also features additional detection capabilities that make unknown viruses written in Microsoft’s Visual Basic for Applications easier to spot.

HSFX does not appear to alter the properties of infected files like Ethan does, or delete the ‘class.sys’ file created as the result of a W97/Class virus. However, it does share a number of other traits with Ethan. Like Ethan, HSFX is a parasitic class module infector. Both viruses hook ‘file close’ and use a ‘shortcut’ style of coding, employing the ‘CodeModule.Lines’ and ‘CodeModule.CountOfLines’ code sequences to perform infections. This is a technique that Reflex hasn’t seen used elsewhere, and the company had to modify the detection process in RMI to deal with it. The new virus is thought to be a derivative of Ethan, but to be written by a different author. The anti-virus company believes this because the coding style is different: HSFX’s author uses a similar short-cut style, but has overlaid that style with his own, more mainstream, ‘explanatory’ style.

The new virus seems to have a relatively trivial payload. It executes on file close, checking the current document and the template for its own constant marker. If the marker exists, HSFX assumes the file is already infected. If not, the virus infects normal.dot. At the same time, it appends to the virus code a log containing the current system date and time, and the user’s name and address if they’ve been entered in Word.

The virus then infects the current document if it hasn’t already done so. If the system date indicates the first day of the month, and the virus has not already uploaded its log file, it creates a file called HSFXnnnn.sys, where ‘nnnn’ is a randomly generated number. A complete dump of the virus code is placed in this file. The virus also creates a file called netldx.vxd containing FTP commands. The virus shells to DOS to run this file in a hidden window in an attempt to upload HSFXnnnn.sys to the Codebreakers VX site. HSFX doesn’t appear to do anything as sinister as stealing PGP users’ secret key rings, unlike the Caligula virus.

For further information, contact Philip Benge, Reflex Magnetics on: +44 171 372 6666; Web: http://www.reflex-magnetics.co.uk.

EU called to petition against unwanted E-mail

A campaign has been jointly launched by the German magazine c’t magazin fuer computertechnik and the politically independent information and communication platform ‘politik-digital’ to encourage citizens of the European Union to petition against unsolicited advertising via E-mail (junk mail or spam). The petition calls on the European Parliament to provide effective protection against junk mail harassment on Internet users in future by providing clear legal guidelines.

The theory is that the Internet will serve as a democratic instrument through which people can influence political decision-

Network Security, March 1999
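Returning to the HSFX item above: the employment agency's signature scanner reported no infections, and Reflex's RMI only caught HSFX heuristically. As an added illustration (not code from Reflex Magnetics, Leprechaun or the RMI scanner), the following Python script scores extracted VBA macro source against the behavioural traits the article names: a file-close hook, a module that reads its own code back through CodeModule.Lines and CodeModule.CountOfLines, a hidden Shell call, writes to normal.dot, and the HSFXnnnn.sys / netldx.vxd artefacts. It assumes the macro text has already been pulled out of the Word or Excel file by some extraction tool; the indicator weights, the verdict labels and the three sample modules are constructed for this example, and the samples are inert fragments that only carry the indicator tokens.

```python
"""Indicator scan over extracted VBA source for the HSFX/Ethan traits
reported by Reflex Magnetics (Network Security, March 1999).

Added example, not Reflex's RMI scanner.  Assumes the macro source has
already been pulled out of the Word/Excel file and is handed in as text;
the weights, verdict labels and sample modules are constructed here.
"""
import re

# Indicator name -> (pattern, weight).  Weights are an assumption of this example.
INDICATORS = {
    # Both Ethan and HSFX hook 'file close'.
    "file_close_hook": (re.compile(r"\b(Document_Close|AutoClose|Workbook_BeforeClose)\b", re.I), 2),
    # Parasitic class-module infection: the module reads its own code back.
    "reads_own_code": (re.compile(r"CodeModule\.(Lines|CountOfLines)\b", re.I), 3),
    # Shelling to DOS in a hidden window.
    "hidden_shell": (re.compile(r"\bShell\b.*\bvbHide\b", re.I), 3),
    # FTP command file named in the article, or any ftp invocation.
    "ftp_command_file": (re.compile(r"\bnetldx\.vxd\b|\bftp\b", re.I), 2),
    # Code dump file HSFXnnnn.sys (nnnn is random, so a literal match is brittle).
    "code_dump_file": (re.compile(r"\bHSFX\d{4}\.sys\b", re.I), 3),
    # Touches the global template (normal.dot).
    "normal_template": (re.compile(r"normal\.dot\b|\bNormalTemplate\b", re.I), 1),
}


def scan_vba(source):
    """Return the indicators that fire (first matching line each) and a total score."""
    hits = {}
    lines = source.splitlines()
    for name, (pattern, weight) in INDICATORS.items():
        for lineno, line in enumerate(lines, 1):
            if pattern.search(line):
                hits[name] = {"line": lineno, "text": line.strip(), "weight": weight}
                break
    return {"hits": hits, "score": sum(h["weight"] for h in hits.values())}


def classify(source):
    """Map the scan to a verdict.  Labels are this example's own, not RMI's."""
    result = scan_vba(source)
    hits = result["hits"]
    # The Ethan/HSFX family trait: a close hook combined with self-reading code.
    family_trait = "file_close_hook" in hits and "reads_own_code" in hits
    # HSFX adds the log dump, the FTP command file and the hidden shell.
    upload = any(k in hits for k in ("code_dump_file", "ftp_command_file", "hidden_shell"))
    if family_trait and upload:
        return "hsfx-like"
    if family_trait:
        return "ethan-family-trait"
    if result["score"] >= 5:
        return "suspicious"
    return "clean"


# Constructed sample modules.  They are inert fragments that only carry the
# indicator tokens; nothing here replicates, logs or uploads anything.
BENIGN = "\n".join([
    "Private Sub Document_Close()",
    "    ' Ordinary housekeeping macro",
    "    ActiveDocument.Save",
    "    MsgBox \"Saved on close\"",
    "End Sub",
])

ETHAN_LIKE = "\n".join([
    "Private Sub Document_Close()",
    "    ' Close hook plus self-reading, but no upload artefacts",
    "    n = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines",
    "End Sub",
])

HSFX_LIKE = "\n".join([
    "Private Sub Document_Close()",
    "    ' Close hook, self-reading, log file, command file and hidden shell",
    "    n = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines",
    "    body = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(1, n)",
    "    logName = \"HSFX1234.sys\"   ' real samples generate the digits at run time",
    "    Open \"netldx.vxd\" For Output As #2",
    "    Shell \"command.com /c netldx.vxd\", vbHide",
    "    Set tpl = NormalTemplate",
    "End Sub",
])

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("ethan-like", ETHAN_LIKE), ("hsfx-like", HSFX_LIKE)):
        r = scan_vba(src)
        print(f"{label:10s} score={r['score']:2d} verdict={classify(src)} hits={sorted(r['hits'])}")
```

The literal file-name patterns are the weakest part of the scan: the article says the ‘nnnn’ digits are generated at run time, so a string such as "HSFX" & Format(...) & ".sys" would never match, and a later variant can rename netldx.vxd freely. The combination that survives renaming is the behavioural one the article itself singles out, a file-close hook together with a module reading its own code, which is why the verdict keys on those two indicators before it looks at the upload artefacts.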

© 1999 Elsevier Science Ltd