Índice:
=====
1.-S/ SEGURIDAD
2.-W97M/MELISSA
3.-W97M.MELISSA WORD MACRO VIRUS
4.-ARTICULOS SOBRE VIRUS
5.-CHERNOBLE VIRUS
1.-S/
SEGURIDAD===========================
Hola,
Les paso algunas notas del último Boletín Kriptopolis,
para quienes no lo reciben.
Graciela
________
1.MÁS AGUJEROS EN EL NAVEGADOR DE NETSCAPE
Georgi Guninsky se ha convertido en la peor pesadilla de Netscape (o
en el mejor aliado de los usuarios de ese navegador, según se mire).
El caso es que ha publicado una página de demostración
de un nuevo fallo de seguridad que afectaría a todas las versiones
4.x y permitiría acceder a la caché, directorios del disco
duro, etc, etc:
http://www.nat.bg/~joro/nsfind.html
Poco ha durado -pues- la satisfacción con la nueva versión
4.51, que reparaba tres agujeros anteriores.
Como es habitual, JavaScript es también responsable del nuevo
fallo.
2.
NUEVO PARCHE PARA MICROSOFT
EXCHANGE SERVER 5.5
____________________________
Microsoft acaba de anunciar la disponibilidad de un nuevo parche para
su gestor de correo que evita la posibilidad de sufrir denegaciones deservicio
o ejecuciones no permitidas de código, merced a un nuevo'bug' que
posibilitaría el desbordamiento del buffer del servicio de directorio.
Toda la información y direcciones para la descarga de parches:
http://www.microsoft.com/security/bulletins/ms99-009.asp
5.
MICROSOFT RECONOCE EL PROBLEMA DEL SALVAPANTALLAS EN NT Y
PUBLICA UN PARCHE
A través de un boletín de seguridad, Microsoft reconoce
la existencia de un defecto en la operación del salvapantallas en
Windows NT 4.0 que puede comprometer gravemente la seguridad de todo el
sistema:
http://www.microsoft.com/security/bulletins/ms99-008.asp
Desde esa misma dirección puede accederse a los parches correspondientes.
El boletín de Kriptópolis es una publicación semanal
sobre Criptografía, PGP y Seguridad en Internet, que se recibe mediante
suscripción gratuita.
Información, altas, bajas, modificaciones:
http://www.kriptopolis.com/boletin.html
Números atrasados:
http://www.kriptopolis.com/hemero.html
Edita y coordina:
José Manuel Gómez
© KRIPTÓPOLIS, 1999
================
2.-W97M/MELISSA==========================
Fecha: Sun, 28 Mar 1999
De: "Graciela J. Caplan" <pinsky@einstein.com.ar>
Hola,
Para conocimiento.
Graciela
------- Forwarded Message Follows -------
Date sent: Sat, 27 Mar 1999 22:06:22 -0100 (GMT)
From: Kriptopolis <kripto@jet.es>
EL BOLETIN DE KRIPTOPOLIS
http://www.kriptopolis.com
--- URGENTE --- PRECAUCIÓN ---
W97M/Melissa: un nuevo y peligroso virus se propaga por la Red en pocas
horas.
Este boletín especial responde a la aparición -hace pocas
horas- de un nuevo (y potencialmente muy peligroso) virus informático
denominado W97M/Melissa. Como es sabido, a diario se descubren nuevos virus
y ello no suele obligarnos a enviar boletines especiales como este,
pero Melissa parece manifiestar un poder infectivo tan serio que incluso
Microsoft se ha visto obligada a desconectar su propio servidor de correo
para evitar una mayor difusión del virus, que ya parece haber atacado
a sus máquinas y a las de otros gigantes informáticos de
la talla de
Intel.
En tan sólo pocas horas, ya se estiman en decenas de miles los
ordenadores infectados. No obstante, parece que lo peor está aún
por llegar, dado que se espera que el próximo lunes, cuando las
grandes empresas se pongan a trabajar, puede haber graves caídas
por saturación y denegación de servicio en gran número
de servidores de correo.
Al parecer, Melissa vio la luz en el grupo de news alt.sex, en un documento
(denominado LIST.DOC) que contiene contraseñas de acceso a sitios
de contenido X. Al abrir el fichero con Microsoft Word, se ejecuta una
macro que lo reenvía a otros 50 miembros de la agenda de contactos
de cada usuario, con el propio nombre de éste en el remite y el
mensaje "Here is that document you asked for ... don't show anyone else
;-)", junto al propio LIST.DOC como fichero adjunto. Al ser conocido el
remitente, el receptor suele abrir el fichero, con lo que éste se
reenvía a otros 50, y así sucesivamente.
Una vez abierto LIST.DOC, modifica el registro y la infección
se propaga a todos los ficheros que se abran bajo Word. Otros efectos de
Melissa se manifiestan cuando los minutos de la hora coinciden con el día
de la fecha (Ej: a las 5:28 del día 28). Si hay un documento abierto
en Word en ese momento, Melissa inserta en él el mensaje "Twenty-two
points, plus triple-word-score, plus fifty points for using all my letters.
Game's over. I'm outta here", junto al alias del autor del virus ("Kwyjibo").
Estos términos están relacionados con la serie de televisión
"Los Simpsons".
Melissa afecta a entornos Windows y Macintosh, ejecutando Word97 o
Word 2000. Outlook debe estar instalado para que se produzca la propagación
por correo electrónico, aunque no se necesita que el correo se abra
desde Outlook para que exista infección. Como es lógico,
si el ordenador no tiene siquiera acceso a Internet y se ha infectado por
otra vía, sólo resultarán afectados los propios documentos
Word que se abran (como ocurre con los virus de macro al uso).
MÁS INFORMACIÓN
_______________
* El CERT (Centro de Emergencias Informáticas) está distribuyendo
desde primeras horas de la tarde de hoy sábado 27 de Marzo, un boletín
informativo disponible también en:
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
En este documento, el CERT recomienda a los usuarios desactivar la
ejecución de macros en Word y a los administradores de correo configurar
filtros para contener a Melissa, según se detalla en:
ftp://ftp.cert.org/pub/cert_advisories/Patches/
* Otras páginas web con información sobre Melissa:
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
http://www.symantec.com/avcenter/venc/data/mailissa.html
http://vil.mcafee.com/vil/vm10120.asp
OTROS CONSEJOS
______________
Rogamos encarecidamente a todos los receptores de este boletín
especial, difundan el mismo por el mayor número de cauces posibles,
para contribuir a prevenir los posibles daños e inconvenientes que
se anuncian.
AGRADECIMIENTOS
________________
Kriptópolis desea agradecer a la empresa Data Fellows (Finlandia)
su colaboración en la edición de este boletín especial.
Según nos comunican, su producto F-Secure AVT (incluida versión
de evaluación), junto a actualizaciones que previenen y eliminan
el virus Melissa, están ya disponibles en
http://www.DataFellows.com
El boletín de Kriptópolis es una publicación semanal sobre Criptografía, PGP y Seguridad en Internet, que se recibe mediante suscripción gratuita.
Información, altas, bajas, modificaciones:
http://www.kriptopolis.com/boletin.html
Números atrasados:
http://www.kriptopolis.com/hemero.html
Correo electrónico:
boletin@kriptopolis.com
Edita y coordina:
José Manuel Gómez
© KRIPTÓPOLIS, 1999
Reproducción permitida citando fuente y URL de nuestro web.
Cualquier otro uso requiere autorización expresa del editor.
===================================
3.-W97M.MELISSA
WORD MACRO VIRUS========
Fecha: Sun, 28 Mar 1999
De: "Graciela J. Caplan" <pinsky@einstein.com.ar>
Hola,
Para confirmar el tema del nuevo virus, aquí les derivo otro
boletín más.
Graciela
------- Forwarded Message Follows -------
Date sent: Sat, 27 Mar 1999 12:45:38 -0800 (PST)
From: CIAC Mail User <ciac@rumpole.llnl.gov>
The U.S. Department of Energy
Computer Incident Advisory Capability
INFORMATION BULLETIN
W97M.Melissa Word Macro Virus
March 27, 1999 17:00 GMT Number J-037
_____________
PROBLEM: A new Word 97 macro virus named W97M.Malissa has been detected
at multiple DOE sites and is known to be spreading widely. The virus uses
Microsoft Outlook to e-mail the infected document to the first 50 people
from each of your Outlook address books.
PLATFORM: Windows 95 or Windows NT running Microsoft Word 97 (version
8) or Word 2000 (version 9) and Microsoft Outlook. Word 98 on the Macintosh
is probably not vulnerable because the virus uses the Windows registry,
but that has not been verified yet. Outlook Express and other mail readers
are not vulnerable.
DAMAGE: It overwrites the first macro in open documents and in the
normal.dot template with the macro virus code. It turns off macro detection
in Word. It sends copies of the infected document to up to 50 people from
each of your Outlook address books.
SOLUTION: Use an updated antivirus product. Some vendors have a solution
available but in many cases you must go to the vendors web site to get
it. Do not depend on the automatic or live update feature of an antivirus
package to get the detector for this virus. Additional precautions are
to password protect the normal.dot file, turn on macro virus detection
in Word, and DO NOT OPEN attachments to mail messages with the subject
"Important Message From " and the contents "Here is that document you asked
for ... don't show anyone else ;-)" without checking with the sender. Alert
your computer security officers if you receive such messages.
______
VULNERABILITY Risk of infection is high. This virus is spreading widely
ASSESSMENT: within and without of the DOE complex. The risk of damage to
your system is low because most users do not have macros in files and would
be alerted by Word's macro detector. The risk of lostproductivity and lost
mail messages is high as mail servers may have to be shut down and purged
of infected mail messages.
_____________
CIAC has critical information about the W97M.Melissa Word Macro Virus
The W97M.Malissa Word macro virus has been seen within the DOE complex.
This macro virus attaches to Word objects in Word 97 and Word 2000. Because
of this method of infection, this virus will not infect older versions
of Microsoft Word. When an infected document is opened, the virus checks
to see if Word 97 or Word 2000 is installed and then disables the Macro
toolbar.
It then disables the following Word options:
Confirm conversions at open.
Macro virus protection.
Prompt to save Normal template.
Disabling these options makes it difficult to detect the virus in action.
The virus next checks the value of the private registry string:
HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?
If that string is not equal to "... by Kwyjibo" the virus sends copies
of the infected document to the first 50 people in each of your Outlook
address books and then sets the registry key so it does not do this again.
It sends copies of the infected document to others by opening a connection
to Microsoft Outlook and creating an e-mail message with the subject:
Important Message From <username> where <username> is replaced
with the current Word user's name (Tools, Options command, User Information
tab). The body of the message contains the following text: Here is that
document you asked for ... don't show anyone else ;-)
The virus then inserts the first 50 users from your Outlook address book, attaches the infected document and sends the message. It does this for however many address books you have defined in Outlook.
After sending itself to the people in your address books, the virus then checks to see if it is running on a document or the Normal.dot template. If it is running on a document, it infects the Normal.dot template with a Document_Close macro that runs whenever a document is closed. If it is running on the Normal.dot template, it infects the active document with a Document_Open macro that runs whenever a document is opened. After the Normal.dot template is infected, the virus infects every document you work on as soon as you close them. If you share these documents with anyone, you will spread the virus.
Finally, if the minute of the hour equals the day of the month, the virus inserts the following message at the current location in the active document.
Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.
Detecting The Virus
===================
Several antivirus vendors have a detection and cleaning capability
for this virus; however, you must go to the vendors web site to get the
scanner updates. Scanners with automatic or live update features do not
yet get the update required to find and clean this virus. While we expect
the detection strings to be in the automatic updates in the near future,
for the next week or two you should get the scanner directly from your
vendor's web site. We have verified that the Norton Antivirus updater obtained
from the Symantec web site
http://www.symantec.com/techsupp/custom/mailissa.html
does detect the virus, the current live update does not. We have reliable
information that McAfee
http://vil.mcafee.com/vil/vm10120.asp
and Trend Micro
http://housecall.antivirus.com/smex_housecall/technotes.html
also have detection capabilities.
Protecting A System
===================
The first step in protecting a system is to have a current antivirus
package running on your system. Be sure to update it at least once a month.
Many of the newer antivirus scanners have the capability to automatically
update themselves every couple of weeks.
To protect Word from this and other Word macro viruses, first insure
that Word has been patched with the Word 97 Template vulnerability patch
http://www.microsoft.com/security/bulletins/ms99-002.asp
second, the normal.dot template file should be password protected;
and third, the following Word 97 options should be enabled.
Confirm conversions at open.
Macro virus protection.
Prompt to save Normal template.
Password Protecting The Normal.dot File
---------------------------------------
To password protect the Normal.dot file in Word 97, perform these steps:
1. Start Word.
2. Choose the Tools, Macro, Visual Basic Editor command.
3. In the Project window of the Visual Basic Editor, click on Normal.
4. Choose the Tools, Normal Properties command, Protection tab.
5. Check the Lock Project for Viewing check box and type in a password
twice.
6. Close the dialog box, close the Visual Basic editor.
7. Quit Word.
The next time you start Word, the normal.dot template will be protected.
WARNING: If you ever have to type in the password to make changes to the normal.dot file be aware that the file remains unprotected until you quit Word and restart it.
Turning On Macro Virus Protection and Other Options
---------------------------------------------------
Some simple macro virus protection is built into Word 97. It does not
detect specific macro viruses but only informs you if macros exist on a
document you are trying to open. Macros detected by Macro Virus Protection
are not necessarily a virus. However, if you are alerted to a macro attached
to a document you should be extremely wary because most people do not have
macros attached to their documents.
Other options to set are:
Confirm conversions at open. This makes Word display a dialog box if it is converting a document from one format to another.
Prompt to save Normal template. This makes Word display a dialog box asking you to confirm changes to the Normal.dot template. Most macro viruses hide in Normal.dot so this lets you know that there has been a change that you may want to prevent. Changes also occur when you change the default font or one of the built-in styles.
To turn on macro virus protection and these other options, perform these steps:
1. Start Word.
2. Choose the Tools, Options command, General tab.
3. Check the Macro Virus Protection check box.
4. Check the Confirm conversions at open check box.
5. Choose the Save tab.
6. Check the Prompt to save Normal template check box.
4. Close the dialog box.
Whenever you open a document that contains macros, the macro virus protection opens a dialog box telling you that there are macros in the document and giving you the option to: Open the document with the macros enabled, open the document without the macros, or cancel the open operation. You should only open a document with macros enabled if you are expecting there to be macros on that document and you know what they are supposed to do.
Detecting the Virus With a Mail Server
======================================
If a site has been infected you may need to block the virus infected
mail messages with your mail servers. The following filter was written
by Scott Hutton (Lead Security Engineer, Information Technology Security
Office) of Indiana University. As Scott mentions, this filter blocks all
messages with the text "Important Message From" in the subject line, which
may block messages that do not contain the virus. Use this filter at your
own discretion.
===== start included text ======
We blocked this on our mail relays through the following additions
to the sendmail.cf:
HSubject: $>CheckSubject
SCheckSubject
RImportant Message From $+ $#error $: 553 Subject Error
R$* $@ OK
Don't forget that there are tabs before $#error and $@ OK. This will
block any message where the subject begins with "Important Message From
...", which may be too rash of an action at your site.
===== end included text ======
Another filter was obtained by the CERT team from Nick Christenson of
sendmail.com
ftp://ftp.cert.org/pub/cert_advisories/Patches/
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
http://www.ciac.org/
http://ciac.llnl.gov
ftp.ciac.org
==========================
4.-ARTICULOS
SOBRE VIRUS==================
Fecha: Mon, 29 Mar 1999
De: "Jorge Rey Valzacchi" <horizonte@datamarkets.com.ar>
Hola amigos:
Sea el Ping, Michelangelo o Melissa, los virus siempre han sido una
preocupación para los poseedores de computadoras. Para aquellos
interesados en su historia, fundamentalmente con fines didácticos,
les recomiendo una serie de seis artículos que han aparecido en
la revista electrónica "Las Noticias (en LaRed)" Están en:
http://www.lasnoticias.nu/reportaje1/reportaje1.htm
Chau.
=====================
5.-CHERNOBLE
VIRUS========================
Fecha: Sun, 25 Apr 1999
De: "Graciela J. Caplan" <pinsky@einstein.com.ar>
Hola,
Para conocimiento.
Graciela
------- Forwarded Message Follows -------
From: "Dr. Eugene Norman" <normeu@OURBBS.FRVS.ORG>
Subject: [IAS-CR4] Chernoble Virus
Hi:)
I just downloaded a virus cleaner for the Chernoble Virus which is
to hit Windows '95 and Windows '98 om this coming Monday. You can get it
from
http://www.pspl.com/download/cleancih.htm
To execute it, you press <Start>, then <u>, then in the dialog
box you select <Restart in MSDOS> and press <Enter>. You then go
to the place where you stored CLEANCIH.EXE when you downloaded it.
You type CLEANCIH and press <enter>, then press <y>, <y>, <y> and the program will do the rest checking your drive and cleaning it with your permission if the virus is present.
On my box, all the files were clean.
With love and respect,
Hugs too,
Gene
============
Fin de IER-90
Vielha, 2/5/99