
April 30, 2001

Oh No Not Again
Totally teed-off, but virally active

Something old, something new. Something borrowed, something blue. That really sums up my state of mind this week. I was all charged up to bring you news of some interesting software I discovered in my Web perambulations. But it's all come to nought, because there are some vicious worms and other forms of Net low-life that I feel honour-bound to update you about.

Kicking off is news that Microsoft has inadvertently released copies of the Funlove virus to some of its customers. If you downloaded any hot fix files between 6 and 20 April 2001, you may be at risk. The infected files were delivered via the Premier Support and Microsoft Gold Certified Partners Web sites.

Next comes news of Hello, the first MSN Messenger worm. Of course, if you work for someone who discourages the use or installation of messaging software, or if you use Yahoo or ICQ, then this warning is not for you. But for all us Messenger fans, take note that this worm spreads using the Messenger software. The worm arrives as HELLO.EXE and is actually a VB (Visual Basic) 5 application. Accidentally execute it and Hello creates an unnamed shortcut in the WINDOWS STARTUP folder. It then checks whether Messenger is installed in the default folder. If you like to twiddle and put stuff in a custom folder, the worm crashes and displays the error "Run-time Error '91'. Object variable or With block variable not set." But if, like the rest of humanity, you let Microsoft apps install where they want, Hello self-replicates and sends a copy of itself to everyone in your contact list. The message is titled (innocuously enough) "i have a file for u. its real funny!" and includes the HELLO.EXE application.

So beware. Especially if you use WinME. That's because ME uses an auto-backup utility that stores files in the hidden C:\_Restore folder, and an infected file can be stored there as a backup copy. Since this folder is protected, anti-virus software is unable to sanitise any infected files in it, so you need to remove the worm manually. Begin by right-clicking the My Computer icon and selecting Performance|File System|Troubleshooting. Tick "Disable System Restore", click Apply, then click Close until you are prompted to restart the computer. When restarting, choose Safe Mode and scan the files in the C:\_Restore folder. Delete any infected files and then restart again. To re-enable the Restore applet, reverse the process.

The next T2B (terror-to-be) is I-Stator, another worm. This one is luckily restricted to computers with the TheBat! e-mail client. The worm collects the names of its victims from the application's database and uses SMTP to connect to the smtp.mail.ru mail server. Both the email subject and body are in Cyrillic (Russian) script, and the message includes an attached file PHOTO1.JPG.PIF which is actually an .EXE. The intended victims are email desperates: a friendless species who will do anything to receive email from somebody.

The worm installs itself into Windows and infects MPLAYER.EXE, WINHLP32.EXE, NOTEPAD.EXE, CONTROL.EXE and SCANREGW.EXE. The infected original files are renamed with a .VXD extension. The worm then copies SCANREGW_EXE and its own LOADPE.COM into Windows\System, and IFNHLP.SYS to \Windows. LOADPE.COM is registered in the auto-run Registry key "HKCR\exefile\shell\open\command = LOADPE.COM", so whenever any other Windows .EXE is subsequently run, it too is infected. SCANREGW.EXE in Windows\System is also registered as "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices ScanRegistry = %SystemDir%\scanregw.exe". The worm transmits your remote access passwords and logins, local network logins and passwords, CuteFTP information, Netscape and TheBat! system parameters (if installed), as well as your system configuration, to its creator.
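The file names and Registry keys above (and the HELLO.EXE body and Startup-folder shortcut of the Hello worm described earlier) are exactly the kind of indicators you would check for by hand on a suspect machine. The script below is an added example, not code from the original post or from any anti-virus vendor: it audits a snapshot of Registry values and a file listing for those indicators. The snapshot and listing are constructed inline so it runs offline; on a real machine you would feed it a Registry export and a directory walk of the system drive. Two details are assumptions rather than facts from the post: that a ScanRegistry entry under RunServices pointing into a System directory is the worm's copy (compare against a known-clean machine before acting on it), and that Hello's "unnamed shortcut" appears on disk as a .lnk file with an empty name.

```python
"""Added example: audit constructed registry/file data for the Hello and
I-Stator indicators quoted in the post. Not code from the original post."""
import ntpath  # Windows path handling even when run on another OS
from dataclasses import dataclass

# Indicators quoted from the post. Comparisons are case-insensitive because
# Win9x/ME paths and Registry value names are not case-sensitive.
EXEFILE_OPEN_KEY = r"HKCR\exefile\shell\open\command"
RUNSERVICES_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
ISTATOR_DROPPED = {"loadpe.com", "ifnhlp.sys"}
ISTATOR_TARGETS = {"mplayer", "winhlp32", "notepad", "control", "scanregw"}
HELLO_DROPPED = "hello.exe"


@dataclass(frozen=True)
class Finding:
    worm: str
    detail: str


def audit_registry(values):
    """values: dict mapping (key, value_name) -> data string."""
    findings = []
    for (key, name), data in values.items():
        k, n, d = key.lower(), name.lower(), data.lower()
        # I-Stator hijacks the .exe file-type handler so that every EXE
        # launch runs LOADPE.COM first (which is how it infects more files).
        if k == EXEFILE_OPEN_KEY.lower() and "loadpe.com" in d:
            findings.append(Finding("I-Stator", f"{key} -> {data}"))
        # The worm registers its SCANREGW.EXE copy under RunServices.
        # ASSUMPTION: a ScanRegistry entry here that points into a System
        # directory is suspicious; verify against a known-clean machine.
        if k == RUNSERVICES_KEY.lower() and n == "scanregistry" and (
            "\\system\\scanregw.exe" in d or "%systemdir%\\scanregw.exe" in d
        ):
            findings.append(Finding("I-Stator", f"{key}\\{name} -> {data}"))
    return findings


def audit_files(paths):
    """paths: iterable of full Windows file paths (a walk of the system drive)."""
    findings = []
    for path in paths:
        p = path.lower()
        base = ntpath.basename(p)
        stem, ext = ntpath.splitext(base)
        if base in ISTATOR_DROPPED:
            findings.append(Finding("I-Stator", f"dropped file {path}"))
        # Infected originals are renamed with a .VXD extension; accept both
        # NOTEPAD.VXD and NOTEPAD.EXE.VXD since the post does not say which.
        if ext == ".vxd":
            if stem.endswith(".exe"):
                stem = stem[:-4]
            if stem in ISTATOR_TARGETS:
                findings.append(Finding("I-Stator", f"renamed original {path}"))
        if base == HELLO_DROPPED:
            findings.append(Finding("Hello", f"worm body {path}"))
        # ASSUMPTION: Hello's "unnamed shortcut" in the Startup folder is a
        # .lnk file whose name is empty.
        if "\\startup\\" in p and base == ".lnk":
            findings.append(Finding("Hello", f"unnamed Startup shortcut {path}"))
    return findings


# CONSTRUCTED snapshot: a couple of clean entries mixed with the indicators.
SAMPLE_REGISTRY = {
    (EXEFILE_OPEN_KEY, ""): r'LOADPE.COM "%1" %*',
    (RUNSERVICES_KEY, "ScanRegistry"): r"C:\WINDOWS\SYSTEM\scanregw.exe",
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SystemTray"): "SysTray.Exe",
}
SAMPLE_FILES = [
    r"C:\WINDOWS\NOTEPAD.EXE",
    r"C:\WINDOWS\NOTEPAD.VXD",
    r"C:\WINDOWS\SYSTEM\LOADPE.COM",
    r"C:\WINDOWS\IFNHLP.SYS",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\.lnk",
    r"C:\My Documents\HELLO.EXE",
    r"C:\WINDOWS\CALC.EXE",
]


def demo():
    """Run both audits over the constructed data and return all findings."""
    return audit_registry(SAMPLE_REGISTRY) + audit_files(SAMPLE_FILES)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.worm}] {f.detail}")
```

The exefile handler check is the one worth remembering: a value under HKCR\exefile\shell\open\command that names anything other than the program itself means something is being interposed on every EXE launch, which is why the post's removal advice matters even after the dropped files are gone.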

And finally, before I go, check out a ShockWave fight sequence file. It is big (2 MB) and slow to load, but the results are truly worth the time taken. My thanks to the Lockergnome site for pointing me to this file.

That's all from me, see you again next week. Same time, same place.



This page is powered by Blogger. Isn't yours?