From: Mark Neely <[EMAIL PROTECTED]> - - - - - - - - - - - - - - - - - - - - Net-Alert 29 March 1999 If you have any questions, comments or other feedback concerning Net-Alert articles, contact the Editor at <mailto:[EMAIL PROTECTED]> Previous editions of Net-Alert are available at http://www.onelist.com/arcindex.cgi?listname=net-alert ____________________ Contents: ## Macro virus causing havoc ## Security Hole in IE/Outlook and Office ## Microsoft privacy "glitch" ## Windows 98 Update Download site ## Windows "Super" Virus found ## Popular Mail program found to be a trojan ____________________ Macro virus causing havoc ____________________ A new macro virus, dubbed "Melissa", is causing havoc with Internet email systems and PCs. The virus is being propagated via an infected Microsoft Word file sent as an email attachment. The "carrier" email message can be easily identified, as it uses the following subject header: Subject: Important Message From <name> where <name> is the full name of someone you know or who has sent email to you in the past. The attached document was originally called list.doc, and contained a list of pornographic Web sites. However, as the macro virus is capable of infecting other Microsoft Word files on the host's computer, any .doc file sent as an attachment could be infected. When a user opens the infected .doc file using a copy of Word from either Office 97 or Office 2000, the macro virus will launch immediately, if macros are enabled. The macro will then alter the default macro security setting, so that no further macro warnings are given as the macro virus spreads. Once infected, the virus will scan for copies of the user's email Address Book(s) (only those that are MAPI-compliant, such as those used with Microsoft Outlook). It will then compose identical messages to the first 50 users listed in each of available Address Books, and send copies of the infected .doc file. This has led to a widescale propogation of the macro virus in a very short period of time (each of the 50 recipients, if infected, would send 50 more copies of the virus, and so on). This has created considerable burdens for Mail Servers around the globe. In addition, the virus will also infect the user's copy of Normal.dot, which contains Microsoft Word's default settings. As such, all new documents created after the initial infection will also be infected with the macro virus, which in turn can be used to propogate the virus. Further details concerning the macro virus, including removal instructions, are available from CERT. URL: CERT Advisory - http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html ____________________ Security Hole in IE/Outlook and Office ____________________ Microsoft recently released patches (software updates) fixing well known security holes in its Microsoft Word and Internet Explorer/Outlook software. In essence, the security hole meant that a web page could contain special code or instructions (written in Word's Visual Basic macro language) that could be executed on the user's computer without warning, providing the user has Microsoft Word installed and is using Internet Explorer. This is a fairly serious security hole. It affects both Word 97 and the beta version of Word 2000. URLs: Microsoft Corp. patches - http://officeupdate.microsoft.com/downloaddetails/wd97sp.htm http://officeupdate.microsoft.com/downloaddetails/fm2paste.htm Microsoft Corp. Security Bulletin - http://www.microsoft.com/security/bulletins/ms99-001.asp Woody's Office Watch article - http://www.wopr.com/wow/wowv4n3.html ____________________ Microsoft privacy "glitch" ____________________ Microsoft Corp. has attracted serious criticism following revelations that the Windows 98 registration wizard collects identifying information about a user's PC and transmits this information to Microsoft Corp. when the user registers online, even if the user opts not to transfer such information. The information, known as a Globally Unique Identifier, is also embedded in every Microsoft Office document, potentially enabling Microsoft Corp. to identify the author of documents created using its software. This privacy intrusion affects all Windows 98 users that have a network card installed in their machine. It may also affect users that have installed Microsoft's Dial-Up Networking software (which is commonly used by many ISPs as the default dialler for enabling modem-based access to the Internet). Microsoft has announced that it will post tools on its Web site which will enable users to disable these features. It has also advised that it will correct the problem in future versions of Windows 98. The Microsoft Office 97 Unique Identifier Patch prevents Office 97 applications from inserting a unique identifier number into Office documents The Microsoft Office 97 Unique Identifier Removal Tool will remove the unique identifier number from existing Office 97 documents. URLs: Microsoft Office 97 Unique Identifier Patch - http://officeupdate.microsoft.com/downloadDetails/Off97uip.htm Microsoft Office 97 Unique Identifier Removal Tool - http://officeupdate.microsoft.com/downloadDetails/pf_setup.htm ZDNN Article - http://www.zdnet.com/zdnn/stories/news/0,4586,2221330,00.html ____________________ Windows 98 Update Download site ____________________ One of the major drawbacks of the Windows 98 "Windows Update" feature is that users are not provided the option of saving a copy of the update files. As such, in the event that users had to re-install Windows 98, they were forced to re-download the updates. This is no longer an issue. There is now a version of the Windows 98 update pages that allows users to selectively download available patches and save them to disk. URL: http://www.microsoft.com/windows98/downloads/corporate.asp ____________________ Windows "Super" Virus found ____________________ Central Command Inc., authors of the AntiViral Toolkit Pro software, have announced the discovery of a "Super" virus, capable of infecting DOS, Windows 95, Windows 98 and Windows Help files. The virus, named Win95.SK, has a number of characteristics which, while not in themselves unique, collectively make this virus quite unique. In addition to being able to infect a number of different Operating Systems, it can infect Help (.hlp) files and Windows Portable Executable applications. It can also infect archive files, such as .zip, .arc and .lha files. Particularly disturbing is the fact that the virus will erase the contents of all available drives if one of several popular anti-virus programs are detected. URL: Central Command Inc. Press Release - http://www.avp.com/win95sk/win95sk.html ____________________ Popular Mail program found to be a trojan ____________________ ProMail v1.21, a popular, freeware email program for Windows 95/98, has been revealed as a trojan horse program. ProMail v1.21 was until recently available from a number of public software repositories, including SimTel.net and Shareware.com. ProMail v1.21 was capable of supporting multiple mailboxes and email addresses. The details of each individual email address that the user configured the program to work with was recorded in a file (including the user's full name, email address, password and account details). Prior to performing a normal program function at the behest of the user, the software would check to see if an Internet connection was available and, if so, forward to individual's configuration file to a set Internet account. It is unclear from published reports whether earlier versions of this program are affected. ____________________ If you received this copy of Net-Alerts from a friend, you can subscribe to Net-Alert by visiting the following URL: http://www.onelist.com/subscribe/net-alert ____________________ Net-Alert is copyright (c) Mark Neely 1999. Forwarding this message to friends and colleagues is encouraged, providing the message is forwarded in its entirety, including this copyright notice. - - - - - - - - - - - - - - - - - - - - ------------------------------------------------------------------------ Did you know that we have over 85,000 e-mail communities at Onelist? http://www.onelist.com Come visit our new web site and explore a new interest
