FITUG e.V. Förderverein Informationstechnik und Gesellschaft
On its website the FBI offers an extremely informative service that nobody responsible for on-line systems should miss:
http://www.fbi.gov/nipc/cybernotes.htm
CyberNotes is published every two weeks by the National Infrastructure Protection Center (NIPC). Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, hacker exploit scripts, hacker trends, virus information, and other critical infrastructure-related best practices.
[...]
The CyberNotes contain a neatly arranged compilation of all newly reported security holes, sorted by product.
In the latest issue, however, I found the following:
http://www.fbi.gov/nipc/cyberissue2000-01.pdf
NIPC CyberNotes #200001 Page 18 of 23 01/19/2000
[...]
W32/Mix.2048: (Aliases: VMS/Mix, W32/HTM.H[H04.2048, W32/Mix, W32/Mix.dll.dr) This is a virus coded in JavaScript and Hypertext Markup Language to infect web page files of extensions .HTM, .HTML, and .ASP. The virus also writes a debug script and implements the program DEBUG.EXE to build a PE infector. The virus first searches through all the directories on the hard drive in which web pages might be found (HTM, ASP, HTT and HTML file extensions) and infects them, increasing them in size by 23549 bytes. The exact directories in which the virus searches are the following:
C:\My Documents
C:\Windows\Desktop
C:\Windows\Web
C:\Mis Documentos
C:\Windows\Help
C:\Windows\Escritorio
C:\Win2000\Web
C:\Win2000\Help
C:\Program Files\Internet Explorer\Connection Wizard
C:\Program Files\Microsoft Office\Office\Headers
C:\Inetpub\wwwroot
Once it has finished this first action, W32/HTM.H4[H04.2048 creates a file in the root directory called [H4[h04.DLL, which contains the machine code for the virus that accompanies it (dropper). In order to compile the dropper machine code, three new BAT files are created:
Help.bat, in C:\Windows\Desktop\
SEXYNOW!.BAT, in C:\
README.BAT, in C:\
When a user executes any of these files, [H4[h04.DLL is compiled and converted into a Windows virus. This is a direct action virus that infects EXE, CPL and SCR files in the current folder and in system directories such as C:\Windows and C:\Windows\System. The virus does not infect files smaller than 10000 bytes in size and is encrypted using an XOR operator with a Dword mask. It copies itself at the end of targeted files and increases the last section of code by 2048 bytes. The damaging effect of this virus is the deletion of external vaccine files and the virus signature files of several AntiVirus manufacturers. The files that are deleted are the following:
Antivir.dat
Chklist.dat
Chklist.tav
Chklist.MS
Chklist.cps
Avp.crc
vb.ntz
Smartchk.cps
Avp.set
Scan.dat
Dec2.dll
Ap.vir
Ap.sig
Tbscan.sig
I may be somewhat behind the times, but for me this is the first *concrete* demonstration of an HTML/JavaScript virus.
If I interpret this correctly, the days in which HTML e-mails (especially on mailing lists) were still tolerated should now finally be coming to an end.
Axel H Horns
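As an added example that is not part of the original post or of the NIPC bulletin it quotes, the following Python script turns the host-side artefacts listed above into a simple check an administrator could run: it looks for the three dropper batch files the bulletin names (Help.bat on the desktop, SEXYNOW!.BAT and README.BAT in the root) and compares the sizes of web page files in the listed directories against a previously recorded baseline, flagging any page that grew by exactly 23549 bytes. The drive root is passed in as a parameter, the baseline is a plain dictionary, and the directory tree built in demo() is constructed for the example; all function names are assumptions, and the garbled DLL name in the bulletin is deliberately not used as an indicator.

```python
"""
Added example (not from the original post or from NIPC CyberNotes):
indicator check for the W32/Mix.2048 artefacts listed in the bulletin.
"""
import tempfile
from pathlib import Path

INFECTION_GROWTH = 23549  # bytes added to each infected HTM/HTML/ASP file (from the bulletin)
WEB_EXTENSIONS = {".htm", ".html", ".asp", ".htt"}

# Dropper batch files named in the bulletin, relative to the drive root.
DROPPER_FILES = [
    Path("Windows") / "Desktop" / "Help.bat",
    Path("SEXYNOW!.BAT"),
    Path("README.BAT"),
]

# Directories the bulletin says are searched for web pages, relative to the drive root.
SEARCHED_DIRS = [
    Path("My Documents"),
    Path("Windows") / "Desktop",
    Path("Windows") / "Web",
    Path("Mis Documentos"),
    Path("Windows") / "Help",
    Path("Windows") / "Escritorio",
    Path("Win2000") / "Web",
    Path("Win2000") / "Help",
    Path("Program Files") / "Internet Explorer" / "Connection Wizard",
    Path("Program Files") / "Microsoft Office" / "Office" / "Headers",
    Path("Inetpub") / "wwwroot",
]


def find_dropper_files(root):
    """Return the dropper batch files present under root (names matched case-insensitively)."""
    root = Path(root)
    found = []
    for rel in DROPPER_FILES:
        parent = root / rel.parent
        if not parent.is_dir():
            continue
        names = {p.name.lower(): p for p in parent.iterdir()}
        hit = names.get(rel.name.lower())
        if hit is not None:
            found.append(hit)
    return found


def snapshot_web_files(root):
    """Map each web page file under the searched directories to its size in bytes."""
    root = Path(root)
    sizes = {}
    for rel in SEARCHED_DIRS:
        d = root / rel
        if not d.is_dir():
            continue
        for p in d.rglob("*"):
            if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS:
                sizes[p.relative_to(root).as_posix()] = p.stat().st_size
    return sizes


def grown_by_infection_size(baseline, current):
    """Files in both snapshots whose size grew by exactly INFECTION_GROWTH bytes."""
    return sorted(
        name for name, size in current.items()
        if name in baseline and size - baseline[name] == INFECTION_GROWTH
    )


def demo():
    """Build a constructed directory tree, simulate the artefacts, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        wwwroot = root / "Inetpub" / "wwwroot"
        wwwroot.mkdir(parents=True)
        (wwwroot / "index.htm").write_bytes(b"<html>clean page</html>")
        (wwwroot / "about.asp").write_bytes(b"<% response.write 1 %>")
        baseline = snapshot_web_files(root)  # recorded while the tree is clean

        # Simulated aftermath (constructed): one page grows by the bulletin's
        # size and two of the named batch files appear; the files are inert placeholders.
        with open(wwwroot / "index.htm", "ab") as f:
            f.write(b"X" * INFECTION_GROWTH)
        (root / "README.BAT").write_text("constructed placeholder, not a dropper")
        (root / "Windows" / "Desktop").mkdir(parents=True)
        (root / "Windows" / "Desktop" / "help.bat").write_text("constructed placeholder")

        current = snapshot_web_files(root)
        return {
            "droppers": sorted(p.name for p in find_dropper_files(root)),
            "grown": grown_by_infection_size(baseline, current),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The size comparison needs a baseline taken while the machine is known clean, which is the same reason the bulletin's "increases them in size by 23549 bytes" is useful as an indicator at all: a single snapshot cannot tell an infected page from a large clean one.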