VX Heavens


Edinburgh University PC Virus Review 1999

1999


Introduction

As the end of the twentieth century rapidly approaches, and the world appears to be ready to host the party of all parties, I am often being asked what I am going to be doing myself. To be honest I did not think I would be sitting down to write the eighth yearly virus review, but there you have it. Eight years on and the end of a decade, the end of the century and the start of a new millennium and still time for yet another virus review. Before the e-mails start flying I know it is not quite the next millennium but I have been out-voted in my household by three to one, so believe me when I tell you I have to go with the flow. Anyway, any excuse for a party!

The virus sample

As far as virus reports were concerned, the year 1999 was very significant, with more than a one hundred per cent increase in the number of different viruses being reported. There was also a dramatic increase in the number of hoax virus e-mails. A total of 38 viruses were reported, more than double the 15 that were reported in 1998. Why this should be is difficult to determine with any certainty. As detailed below, we switched to a new anti-virus product and this possibly encouraged more users to install and use it for the first time. The media hype surrounding Happy99, Melissa and Ethan I believe also had an impact in this area. All three viruses were seen in large numbers within the University and could have presented a real problem. Fortunately, there were traps placed on the mail relays to handle the large numbers of e-mails that were coming in carrying these viruses, and this helped keep the number of infections down. I received notification in March that 516 Happy99s had been trapped. However, there are many ways into the University as far as viruses, and indeed e-mail, are concerned, and these viruses did present a problem for some sites.

I am not going to spend this review going over the details of the Happy99, Melissa and Ethan outbreaks. These have been more than adequately documented elsewhere. If you are interested in the details and were one of the few lucky ones not to receive a copy of these viruses then visit one of the many anti-virus sites that carry full descriptions. A list of some sites can be found in the Edinburgh University Computer Virus FAQ, which can be downloaded from http://mft.ucs.ed.ac.uk/pcvirus/edunvfaq.html

It is interesting how quickly such viruses can now spread. The main problem we face today is not so much the fact that these particular viruses are here, but rather that signature-based anti-virus software always lags behind the newest virus. This is a major problem for anti-virus developers. The widespread use of e-mail, coupled with the dominance of the Microsoft Office suite on the desktop and many users being quite happy to run unknown attachments, means that a new virus can rapidly gain hold in the first twenty-four hours of its release into the wild. Anti-virus labs can produce detection and disinfection mechanisms within hours of receiving a sample, but the sample has to reach them first and the update then has to reach every desktop. Unfortunately, no matter how skilled anti-virus developers are, this delay provides a window of opportunity for a virus to propagate itself on a scale barely imaginable a few years ago.

Of the 38 viruses reported, 31 were previously unreported at Edinburgh University. Of the seven viruses that we had seen in previous years, Antiexe.a and One-half had not been reported since 1996. Parity boot.b, with the exception of 1996, has been reported every year since 1994. Together with StealthBoot, these were the only four DOS Classic viruses.

Last year's review reported on WIN95/CIH.1003, which again made an appearance this year. I reported then that there were four distinct categories of viruses identified at Edinburgh University - DOS Classic, Word Macro, Excel Macro and Win32 File. During 1999 there was a growing trend towards viruses that not only infect Word documents but also target Excel workbooks. Tristate is of particular interest since it has the potential to also infect PowerPoint files. Infected Word and Excel files were both identified during the year. The Jerk virus is another example of a virus that infects both Word 97 documents and Excel 97 worksheets. These viruses are categorised by adding a prefix such as WM/ or XM/ in front of the virus name to distinguish the infection depending on whether it was Word or Excel that was involved. (1)

On December 29th the X97M/Hopper.r virus was reported. According to Network Associates this is known as a cross-application virus, infecting documents in Word 97 and 2000 and workbooks in Excel 97 and 2000. Not only notable as an example of this new type of virus, it was the 100th reported virus at Edinburgh University since the wildlist began back in 1991. This virus presents particular problems for scanning software. Although it stays resident in the normal.dot file under Word, it creates a workbook in Excel called Book1 in the xlstart directory. Because that file has no extension, the advice is to scan all files for detection and removal, rather than only files with program extensions. I appreciate that this can be an overhead, but with current trends it is becoming the only safe option. (2) The virus has date-activated payloads, with probably the most worrying being in Excel, which involves random cell swapping in different columns.
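The Book1 case above, and the scanner configuration described in footnote 2, come down to one question: does the scanner decide what to look at by file name or by file content? The following is an added example written for this review; it is not code from the original page, from Network Associates, or from any scanner mentioned here. It walks a directory, identifies Word 97/Excel 97 files by their OLE2 compound-document signature regardless of extension, applies a crude heuristic for an embedded VBA project (the storage name "_VBA_PROJECT", which an OLE2 directory stores as UTF-16LE), and reports every such file that a "program files only" extension list would skip. The extension list, the sample files and the VBA heuristic are all constructed assumptions for the demonstration: a real scanner parses the OLE2 directory properly, and the real default extension list of any product is not given on the page.

```python
import os
import tempfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entry names are stored as UTF-16LE, so search for the
# marker in that encoding rather than as ASCII.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Assumed stand-in for a scanner's "program files only" extension list;
# the real default list of any product is not given on the page.
PROGRAM_EXTENSIONS = {".exe", ".com", ".dll", ".doc", ".dot", ".xls", ".xlt", ".xla"}


def is_ole2(data: bytes) -> bool:
    """True if the bytes begin with the OLE2 compound-document signature."""
    return data[:8] == OLE2_MAGIC


def has_vba_project(data: bytes) -> bool:
    """Crude check: OLE2 signature plus a VBA project storage name inside."""
    return is_ole2(data) and VBA_MARKER in data


def classify(path: str) -> dict:
    """Describe one file both by content and by what an extension filter sees."""
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    return {
        "path": path,
        "extension": ext,
        "ole2": is_ole2(data),
        "vba": has_vba_project(data),
        "seen_by_extension_scan": ext in PROGRAM_EXTENSIONS,
    }


def sweep(root: str) -> list:
    """Walk root and return every OLE2 file carrying a VBA project that an
    extension-only scan would skip, sorted by path for stable output."""
    missed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            info = classify(os.path.join(dirpath, name))
            if info["vba"] and not info["seen_by_extension_scan"]:
                missed.append(info)
    missed.sort(key=lambda i: i["path"])
    return missed


def fake_ole2(with_vba: bool) -> bytes:
    """Constructed stand-in for a Word/Excel 97 file: the real signature
    followed by padding, with a VBA storage name embedded when requested."""
    body = b"\x00" * 64
    if with_vba:
        body += "Macros".encode("utf-16-le") + b"\x00" * 16
        body += "_VBA_PROJECT_CUR".encode("utf-16-le")
    return OLE2_MAGIC + body + b"\x00" * 64


def build_sample_tree(root: str) -> None:
    """Constructed sample files for the demonstration (not real malware)."""
    os.makedirs(os.path.join(root, "XLSTART"))
    samples = {
        os.path.join("XLSTART", "Book1"): fake_ole2(with_vba=True),  # no extension
        "Normal.dot": fake_ole2(with_vba=True),                       # has extension
        "report.xls": fake_ole2(with_vba=False),                      # no macros
        "notes.txt": b"plain text, nothing to see\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo() -> list:
    """Build the sample tree in a temp dir; return relative paths (with '/')
    of the files an extension-only scan would have missed."""
    root = tempfile.mkdtemp(prefix="olesweep_")
    build_sample_tree(root)
    return [os.path.relpath(i["path"], root).replace(os.sep, "/") for i in sweep(root)]


if __name__ == "__main__":
    for rel in demo():
        print("missed by extension-only scan:", rel)
```

Only XLSTART/Book1 is reported: Normal.dot carries the same macro storage but its extension is on the list, report.xls is an Office file without a VBA project, and notes.txt is not OLE2 at all. Swapping the extension test for the content test is exactly what "scan all files" buys, at the cost of reading every file.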

Ataka is worth noting. It is also known as IE0199.EXE, which was the name of the e-mail file attachment, posing as an Internet Explorer update. Essentially a "denial of service attack" trojan, its purpose is to flood certain internet servers with TCP connection requests.

StealthBoot was an unusual one to hear about, since this is pretty much a standard boot sector virus with stealth capabilities, as documented in the early editions of these virus reviews. The FAQ mentioned above also has details of the infection mechanism of this family of viruses. This virus was commonly reported in the first half of the decade, but has generally declined since then.

Dos Classic Viruses

Antiexe.a, One-half, Parity boot.b, StealthBoot

Word Macro Viruses

WM/Cap, WM/Concept, WM/Npad, O97M/Jerk.b, W97M/Assilem.gen, W97M/Chack.w, W97M/Class (2 variants), W97M/Coldape.b, W97M/Ethan.a, W97M/Groovie, W97M/Marker (3 variants), W97M/Melissa.a, W97M/Sat.b, W97M/Story.gen, W97M/Tristate.gen, WM/Colors, WM/Footer, WM/Walker.e

Excel Macro Viruses

X97M/Tristate.gen, X97M/Hopper.r, XM/Laroux.dx

Win32 File Viruses

Ataka, Netbus (2 variants), Orifice (3 variants), Win32/Ska, W32/Explore.zip, W32/Pretty.worm, WIN95/CIH.1003

Viruses previously unreported at Edinburgh University

Ataka, Netbus (2 variants), O97M/Jerk.b, Orifice (3 variants), Stealthboot, Win32/Ska, W32/Explore.zip, W32/Pretty.worm, W97M/Assilem.gen, W97M/Chack.w, W97M/Class (2 variants), W97M/Coldape.b, W97M/Ethan.a, W97M/Groovie, W97M/Marker (3 variants), W97M/Melissa.a, W97M/Sat.b, W97M/Story.gen, W97M/Tristate.gen, WM/Colors, WM/Footer, WM/Walker.e, X97M/Tristate.gen, X97M/Hopper.r, XM/Laroux.dx

Hoaxes

The hoax e-mail virus alert featured strongly again during 1999. Indeed, as mentioned above, there was a dramatic increase in this area, with nine months of the year featuring at least one hoax. There were hoaxes every month up to July, with the exception of the month of June. Further hoax e-mails then circulated during September, November and December. To help cope with this problem and help educate users, a list of circulating hoaxes was published on the web site at http://mft.ucs.ed.ac.uk/pcvirus/pcvirus.htm and on the 1st of June a short paper entitled "An introduction to hoax viruses" was published at http://mft.ucs.ed.ac.uk/pcvirus/hoaxintro.html

January saw the Budweiser Frogs screensaver hoax along with Win a Holiday. February, March and April featured an e-mail entitled "It takes guts to say Jesus", followed closely by Join the Crew/Penpals. Then a hoax went around concerning a Bugs Life Screensaver. Yes, you've guessed it, the same hoax as the Budweiser Frogs, but cashing in on the success of the Disney film. May featured "It takes guts to say Jesus" again, followed by the Frog Blender and Fish Bowl hoaxes. The Wobbler hoax did the rounds in July.

September featured a new variation, with Cellsaver, Sandman, Win a Holiday and Join the Crew/Penpals all contained within the same e-mail. Interestingly enough, I was also sent the Wobbler hoax in Italian. I had not been aware that such things were translated into other languages, but clearly someone, somewhere doesn't get out enough.

In November, the Budweiser Frogs screensaver made another appearance. The hoax in December concerned an appropriately festive program called Elf Bowling. Don't ask!

One thing you have to watch out for concerning hoaxes that feature genuine programs is that very often these programs are freeware and are often in wide circulation. There is the very real possibility that someone will infect a clean copy of the featured program and then release it into the wild, thus making the hoax a reality. Two things to remember - if you are going to run the featured program then scan it first. This applies to all files that you download. Secondly, if you are unsure about the e-mail then check with computer support staff or one of the anti-virus sites for details on the hoax. Do not pass the message on throughout the community. Personally I do not mind being sent these - which is just as well really given the number I receive - so if you really need to e-mail someone, then e-mail me.

Still on the subject of hoaxes, I came across two excellent papers written by Sarah Gordon who currently works with the anti-virus science and technology R&D team at IBM Thomas J. Watson Research Center. The papers are "Where there's smoke, there's mirrors" and "Hoaxes and Hypes". I had e-mailed her to say that:

It was very interesting to compare the hype over the Elmo doll and Tamagocchi pets in the context of looking at computer viruses. Here in Scotland it has been Teletubbies but the principles remain the same.

Sarah e-mailed back to say:

Thanks for your comments! When I gave the talk in the UK, I used teletubbies as an example :). That paper was fun to research and write, and I'm glad you liked it.

The papers can be found at http://www.av.ibm.com for those who are interested in finding out more about this subject.

VScan

On the 27th of May the McAfee VScan software was made available within Edinburgh University. This was the replacement for the Dr Solomon's product, as a result of the takeover by Network Associates the previous year. Given the problems we had encountered with site access to the previous product, as documented in the 1998 review, it was felt that making access by ftp would simplify the process and remove some of the overheads we had encountered with administration of the previous system. By and large the site took to this, with calls about being unable to access the software dwindling rapidly. The exception to this was from those sites that had firewalls in place, but again this was quickly resolved. Updates went to a weekly basis (Macintosh updates are on a monthly cycle), which would have been an overhead were it not for the automatic update and upgrade facilities that are a feature of the software.

Obtaining the software was simple enough, as was the basic installation procedure. However, given the large numbers of computers running either Windows 95, Windows 98 or Windows NT on different hardware with different software configurations, problems and bugs were expected to emerge. By and large, running on Windows 98 and Windows NT appeared to be far less problematic than Windows 95. In the central student labs we have close to a thousand NT workstations running the VScan software with no problems. There were issues with how Novell's Client 32 was configured at install time, and clashes with Microsoft's FindFast utility under Windows 95. So although there were a number of complaints about the software at the time of the rollout, VScan has been installed by a large number of users and is doing the job it is intended to do. The NetShield NLM under NetWare was particularly successful and has run without problems across our student mail servers since May.

Bits and Pieces

In March, the Virus-L Digest appeared in my mailbox. This was a digest I had subscribed to in the early 1990s. However, it had lapsed some years ago. Very quickly many of the regular subscribers began to post some very useful information. Unfortunately, the postings of the digest were irregular and they stopped by June.

During April two new pages were posted on the web site. The Edinburgh University Computer Virus Wildlist contains all viruses reported since 1991. This can be viewed at http://mft.ucs.ed.ac.uk/pcvirus/wildlist.html

The Edinburgh University Computer Virus News at http://mft.ucs.ed.ac.uk/pcvirus/virusnews.html contains alerts and information concerning updates on a regular basis.

As always I received some very entertaining e-mails throughout the year and I must thank you all for taking the time to e-mail me. One of the most memorable two liners that came my way was as follows:

Dear Sir,

I must thank you for providing such an excellent web-site with regards to viruses. ... This E-mail may seem a little strange, don't worry I'm not a weirdo, but merely interested in the whole procedure of virus protection.

The use of the Pegasus Mail application and the Mercury mail gateways is widespread within the University. In August an alert arrived concerning a virus which targeted Pmail users directly. When an infected program is run, the virus attempts to propagate itself by looking for unsent Pegasus Mail messages and adding itself as an attachment to those messages. Fortunately we had no reports of this virus within the University. However, not for the first time in 1999, we had to download an extra.dat file to update our software. These extra.dat files are produced by Network Associates in response to new virus threats. They provide protection until such time as the new signatures can be incorporated into the weekly software update. Sometimes even a weekly update is no longer sufficient in today's virus climate.

Conclusion

Given the hype surrounding the Y2K bug, no countdown to the millennium would be complete without reports of Y2K viruses. Fortunately there were no reports here of any Y2K problems, whether virus-related or not. Certainly some virus authors have used the hype to send out e-mail attachments claiming, in the case of W32/Fix, to be a Y2K Internet bug fix. Such actions are hardly surprising. What is worrying is that users will still run unknown attachments.

Predictions for the future? I think it is only right and proper that I break with tradition this year and make no predictions. There have been enough predictions concerning Y2K as it is. See you next century!

Footnotes

  1. In the Edinburgh University Wildlist the Tristate.gen has been given two entries - one under the Word Macro section, the other under Excel. This is the same virus but appearing within two different applications. I have given it separate entries to highlight that this is in fact infecting both application types. Doing this means it is counted twice. This may not be strictly correct, but variations of other viruses have also been counted over the years as separate viruses. Some lists count all variations as the one instance of the virus, some lists treat each variant as a separate virus. Historically, this wildlist has included all variations. In this example, the payload of the virus is different depending on the application type that has been infected. From a user perspective this can appear as a different virus. Therefore I have decided to list it as such.
  2. Virus scanning software can be configured to scan based on a list of file extensions, or be set to scan all file types. What you choose to scan affects completion time, with the amount of data being scanned a contributing factor. With certain viruses, the advice is now to scan all files to ensure that infected files are detected. Note that the default setting is to scan program files only, using a predetermined set of file extensions.