Subject:  (Evans) Further details about the latest VIRUS (fwd)
Date:     Mon, 14 Jun 1999 08:54:41 -0500 (CDT)
From:     "Roy L. Beavers" <rbeavers@llion.org>
To:       emfguru <rbeavers@llion.org>
--------------------------------------------------



---------- Forwarded message ----------
Date: Mon, 14 Jun 1999 09:37:34 -0400
From: "John D. Evans" 
To: "Roy L. Beavers" 
Subject: Further details about the latest VIRUS

Roy,

Here is more detail about the virus mentioned in your transmission of
today.  It sounds pretty bad.

******************Forwarded Info*****************

June 11, 1999

New Infection Is Killing Files Through E-Mail 

By JOHN MARKOFF, New York Times, p. A1

SAN FRANCISCO -- Computer researchers Thursday reported a malicious
computer program that is spreading rapidly
through the Internet by E-mail and destroying documents created by widely
used Microsoft software programs. 

Several large corporations, including Boeing, AT&T and General Electric,
said their computers had been infected and moved
to limit the damage, in some cases by shutting down their E-mail systems.
Employees of Microsoft, Intel and the anti-virus
software maker Symantec said they had also been hit. 

The attacking program shows up as an E-mail attachment. When opened, it
embeds itself in the computer's software,
destroying files created by common applications like Word, Powerpoint and
Excel and propagating itself to the victim's E-mail
correspondents. It is far more dangerous than the Melissa computer virus,
which spread rapidly in March as a sort of an E-mail
chain letter but was not designed to destroy files. 

Thursday anti-virus companies made updated scanning programs available
through their Web sites to fend off the attack. But
anti-virus experts said that the program, known as a worm, was difficult to
detect and that the best defense was for computer
users to avoid opening suspicious E-mail attachments. 

Several anti-virus software companies said they believed that the worm had
originated in Israel, where it was first detected on
Monday. It had begun spreading in Europe and the United States by Wednesday. 

The program is particularly insidious, anti-virus experts said, because it
is attached to an E-mail message -- ostensibly from
someone known to the computer user. The message has a salutation with the
recipient's name and then says: "I received your
E-mail and I shall send you a reply ASAP. Till then, take a look at the
attached zipped docs. Bye." 

At AT&T's headquarters in Basking Ridge, N.J., the company intercom
broadcast an alert at lunch time warning employees
that the program was spreading and a spokesman said he believed that
several hundred computers had been infected within the
building. 

At Boeing, computer security personnel issued an alert this morning that a
malicious program was on the loose, then shut down
the E-mail system in mid afternoon while updated anti-virus software was put
in place, said David Suffia, a company
spokesman. The system was expected to be down overnight, he said. 

At Intel, the program was first discovered during the day at the company's
development facility in Israel and computer
administrators severed networks linking the company to Europe and the
United States to halt the spread of the program,
according to a company memo. 

Microsoft executives said that they cut off network connections for several
hours on Thursday morning. 

Some companies said they had already faced down the virus and quelled it by
installing anti-virus software. "It's gone and past;
it's a great tornado that zoomed through and left," said Pam Wickham, a
spokeswoman at General Electric. She said the
company had been warned on Wednesday and that anti-virus software had been
quickly distributed, minimizing the impact. 

The worm preys on Microsoft E-mail programs like Outlook, Outlook Express
and Exchange, and other programs that use a
Microsoft protocol called MAPI. It uses those programs' features to spread
itself to other computer users who send mail
messages to the infected machine. 

The program, which comes in a file identified as zip files.exe, is a kind of
attack known as a Trojan horse because it fools users
into executing a malicious program by opening the attached mail document. 

The program then creates another file named explore.exe, which is launched
every time the infected computer is restarted. 

Such an approach, known in the computer underground as "social
engineering," relies on the gullibility of computer users who
are lulled into believing that the program has actually been sent as a
reply from the person to whom they recently sent an
electronic mail message. 

"The Explore worm is even worse because you get it from someone you know,"
said David Chess, a research staff member at
I.B.M.'s Watson Research Laboratory in Hawthorne, N.Y. "People are going to
be lulled into thinking it is O.K." 

Once the worm establishes itself, it systematically searches for documents
created by three programs that are part of the
Microsoft Office suite -- Word, Excel and Powerpoint -- as well as some
programmers' files and erases them. Word is the
world's most widely used word processing software and Excel is the most
widely used spreadsheet program. Powerpoint is
software for creating graphical business presentations on a computer screen. 

Thursday, experts at anti-virus companies said the new program represented
a disturbing trend in the virus underground, which
appears to be developing more lethal programs. 

"In the last few weeks we've begun to see attempts by virus writers to
combine the rapidly spread capability of the Melissa
program with a more destructive payload," said Wes Wasson, director of
security product marketing at Network Associates, a
Silicon Valley software developer whose products include anti-virus programs. 

He said he expected to see a number of copycat programs as virus writers
attempt to mimic the Explore program. 

Network Associates has recently established "risk assessment" guidelines
for gauging the danger of new malicious programs,
and Mr. Wasson said the company had assigned the Explore worm a "high"
rating, its most threatening category because of its
destructive ability. 

The new program is known as a worm rather than a virus because it is
self-propagating from computer to computer through
networks, in this case by generating a reply to each incoming E-mail. 

In contrast a virus is spread by inserting itself into files on a computer
system that are then passed along. (The Melissa program
exhibited properties of both a virus and a worm, computer researchers said,
because it both attached itself to Word documents
and used E-mail to spread itself.) 

The term "worm" was coined by the science fiction author John Brunner in
his 1975 novel "Shockwave Rider." In the novel
worms were programs created by a rebel group that helped destroy an
oppressive computer network. 

Although the new Explore worm does not have the ability to spread as
quickly as the Melissa virus, which mailed itself to 50
computer users at a time, it still has the capability to quickly
proliferate because an infected machine tries to infect any other
computer that it receives mail from, researchers said. 

Officials at the Computer Emergency Response Team, or CERT, at Carnegie
Mellon University in Pittsburgh said today that
they were studying the problem. 

"We're still trying to understand the scope of the problem a little
better," said Shawn Hernan, a CERT security expert. He said
that by late this afternoon the security organization had received only 10
reports of worm infections, though he said the program
had spread rapidly at the afflicted organizations. 

Today, some virus experts said they were puzzled by the recent destructive
bent within the virus writing community. Many of
the programs in the past have been written as a form of cybernetic graffiti
and are annoying but do not do physical damage. 

But a program like the Explore worm has the power to destroy years of work. 

"I can't imagine what these people who write these programs are thinking,"
said Chess, the I.B.M. researcher. 

*******************End of Quote**************

SIN-cheerily,

John
**************************************************************
*  John D. Evans, PhD, Retired Professor/Counsellor
*  8 Monroe Court
*  Wellington, ON  K0K 3L0
*  Canada
*
*  E-mail: jdevans@sympatico.ca
*  Phone:  613-399-5089
*
*  The heart of education is in the education of the heart
***************************************************************
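
The article describes three observable traits of the worm's mail: a fixed reply text, a promise of "zipped docs", and an attachment that is actually a program ("zip files.exe"). The following mail-gateway check for those traits is an added example, not part of the forwarded article or of any vendor's scanner; the extension list, function names and sample addresses are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Lure wording as quoted in the article; matched after whitespace folding.
LURE = "i received your e-mail and i shall send you a reply asap"
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat")  # assumed policy list
CLAIMS_ARCHIVE = re.compile(r"\bzip(ped)?\b", re.IGNORECASE)


def inspect_message(raw):
    """Return the reasons to quarantine a raw message (empty list = deliver)."""
    body, names, reasons = "", [], []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")
    folded = re.sub(r"\s+", " ", body).lower()
    runnable = [n for n in names if n.lower().endswith(EXECUTABLE_EXT)]
    if runnable:
        reasons.append("executable attachment: " + ", ".join(runnable))
    if LURE in folded:
        reasons.append("body matches the reported lure text")
    if runnable and CLAIMS_ARCHIVE.search(folded):
        reasons.append("body promises an archive but attachment is a program")
    return reasons


def build_sample(body, filename, payload):
    """Constructed test message; addresses use the reserved example.com domain."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "colleague@example.com", "user@example.com"
    msg["Subject"] = "Re: quarterly figures"
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


SUSPECT = build_sample(
    "Hi Pat,\nI received your E-mail and I shall send you a reply ASAP. "
    "Till then, take a look at the\nattached zipped docs. Bye.",
    "zip files.exe", b"MZ constructed placeholder bytes")
BENIGN = build_sample("Hi Pat,\nMinutes attached.", "minutes.txt", b"notes")
print(inspect_message(SUSPECT))
```

The third check does not depend on the exact wording, so it still fires if a copycat changes the text but keeps the mismatch between a promised archive and an executable attachment.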



Archive provided courtesy of WaveGuide, http://www.wave-guide.org
Reprinted with permission of Roy Beavers, http://www.feb.se/EMF-L/EMF-L.html