
Be Careful!

Posted: Sun Jun 29, 2003 2:44 pm
by Ferguson Foont
Be careful on this forum. I have already made the mistake of "Previewing" a post without submitting it, and going to some other web page and losing my post.

Because you can edit your posts to your heart's content (no 30-minute limit like on Worldcrossing) it's not really necessary to preview your posts at all.

Illegal Characters in User Names

Posted: Tue Jul 01, 2003 10:44 am
by Ferguson Foont
This software is not as accommodating as Webcrossing when it comes to user names. It does not, for example, permit the use of an apostrophe.

Oh, it'll let you join up with an invalid user name all right. It just won't let you do anything to configure your own preferences after you do join. It also screws up the SQL queries on which everything in this forum is based, and all you'll get are error messages.

Please stick with the alphabet, numbers and hyphens.
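The apostrophe problem described in the post above, as an added example that is not part of the original post and not the forum software's own code: a username containing a quote breaks any query that is built by pasting the name into the SQL text (the "error messages" the post mentions), and a crafted username changes what such a query returns; binding the value as a parameter fixes both. The users table, the sample names and the allow-list pattern are constructed for the demonstration; the allow-list is one reading of the post's advice, not the forum's actual rule.

```python
import re
import sqlite3

# Constructed sample data: a tiny stand-in for the forum's users table.
SAMPLE_USERS = [("ferguson-foont", "theme=blue"), ("O'Brien", "theme=green")]


def make_db():
    """Create an in-memory database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, prefs TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def load_prefs_unsafe(username):
    """The broken pattern: the username is pasted into the SQL text.

    An apostrophe terminates the string literal early, so the statement no
    longer parses and the driver raises; a username such as
    nobody' OR '1'='1  parses fine but makes the WHERE clause true for
    every row, so the preferences of every user come back.
    """
    conn = make_db()
    sql = "SELECT prefs FROM users WHERE name = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "SQL error: %s" % exc


def load_prefs_safe(username):
    """The fix: the driver binds the value, so quotes are just data."""
    conn = make_db()
    rows = conn.execute("SELECT prefs FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


# Constructed allow-list: letters, digits and hyphens, as the post advises.
USERNAME_RE = re.compile(r"[A-Za-z0-9-]{1,30}")


def is_allowed_username(username):
    """Reject at registration what the forum only rejects later on."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    for name in ("O'Brien", "nobody' OR '1'='1"):
        print(repr(name))
        print("  unsafe:", load_prefs_unsafe(name))
        print("  safe:  ", load_prefs_safe(name))
        print("  allowed at registration:", is_allowed_username(name))
```

The parameterised query returns O'Brien's preferences and returns nothing for the crafted name; the concatenated one fails on the first and leaks every row on the second. Allow-listing the username at registration is a second line of defence, not a substitute for binding parameters everywhere the name is used.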

WARNING: A Very Sneaky Bit of Spyware

Posted: Sat Aug 02, 2003 12:06 am
by Ferguson Foont
The following is NOT related to any use of this BBS and is provided for your information and awareness.

The system administrator of our local county Democratic Executive Committee just circulated the following warning about a product called "Hotbar." DO NOT PUT THIS APPLICATION ON YOUR MACHINE. It will store and transmit to a third party every email and every keystroke, and ingrain itself so deeply into your registry that you will never get it out. It will also install a wide variety of other pieces of adware and spyware onto your machine, sort of as a "cooperative" measure, I suppose.

DO NOT EVEN GO TO THE "HOTBAR" WEBSITE. If you do, I would suggest cleaning out your entire cookie cache immediately afterwards with something like Windows Washer.

This warning is addressed to all activist political Bloggers:

I recently analyzed the new and very popular add-on to Internet Explorer and MS Outlook. This applet is marketed as an add-on to "dress up emails" with flashy animations, backgrounds and e-business cards. On the Explorer side, it adds "hot buttons" to your browser that dynamically change to what the vendor thinks your particular interests in a website are, by analyzing the sites you visit. This seems harmless enough and rather convenient and interesting, certainly not original; Yahoo and MSN also have similar add-ons.

The license for hotbar does explain the fact that the applet monitors the website addresses you visit in an effort to suggest other similar sites. When I say suggests, I mean very passively, in the context of an added feature in a list of many more useful features like e-cards and e-business cards, etc. There are other similar applets (spyware), such as clickhere.exe, clickbox.exe and symtray.exe, which most computers pick up at some point, that do exactly this; they are basically designed to be "cookie sniffers" that scan your cookie directory and then pop up ads that match a category of sites matching your cookies. Cookie sniffers are pretty much harmless; they really do not reveal anything earth-shattering about your computer, but they are still considered "spyware."

Hotbar, however, is much more than a cookie sniffer; it is full-blown spyware, with the "SPY" part in the true definition of the word.

The first thing I noticed after doing the web-install of hotbar is that Norton Utilities' web-install monitor did not detect the install. Second, Windows Installer also did not detect the install. What this means is that to remove hotbar from your computer, you would have to do it manually; you can't go to Add/Remove Programs, like you can with many other add-ons such as the Yahoo Button Bar.

Once installed, I sent a couple of emails from Outlook, using the background stationery and e-business card feature. Once the emails were sent, I rendered the email packet (yes, I have a packet sniffer installed) only to find that hotbar was not just sending back to their data collection site the email addresses to whom I sent mail, but also the CONTENTS of my email. (It is questionable whether or not this is legal; I personally don't think it is, but somewhere in the license agreement I probably agreed to allow this.)

On the Explorer side, after visiting Jane's Weekly and the Economist websites, I noticed the hotbar buttons change to "political" and "World News", so I clicked on the political button, to be first directed to the Heritage Foundation's website and also supplied with a very extensive list of other conservative sites. I clicked on the World News button only to be sent to several Christian News sites. You get the picture; hotbar obviously has a conservative agenda when it comes to its customers.

The funny part is that they want you to upgrade hotbar to their Premium edition by agreeing to pay $2.95 a month on your credit card.

Looking at the code in hotbar.exe, I find that it has a common utility that captures keystrokes, I assume to report what you are typing on your computer. That means passwords, login names, and anything else you type in any application, regardless of whether you are on a secure site or not. This is really bad and the primary reason why you should remove hotbar from your computer.

Now here is the scary part: after deciding it was time to take hotbar off (keep in mind that hotbar purposely circumvents Norton Utilities), I discovered that hotbar makes 62 entries in the registry file and adds 27 different programs. Pest Patrol (which I highly recommend) will find about 12 of the registry entries and 25 of the files. Spyferret has a special edition you can buy that will delete all 27 files and 62 entries (which they call hotbar remover). However, hotbar has been busy and has subsequently added some type of worm that will copy 426 additional spy applets onto your hard drive. Updated Pest Patrol will find most of them, but I still had to remove about 15 of them by hand. Clearly, the hotbar people are aggressively attempting to stay on your computer, even if you think you have uninstalled it.

So please note this warning about hotbar.

If you have hotbar, sites that may help you are <>

You can also go to the Norton Security site to check your computer for other security issues. ... &venid=sym


Posted: Thu Aug 21, 2003 2:01 pm
by Ferguson Foont
I have never in all my days seen anything like this SOBIG-F virus. Nearly half the email I receive is infected with it. As I write this it's knocked out one of my ISPs' POP server.

Fortunately all of my ISPs screen it out and send me only a notification that a message containing it was received at the server end, where it was deleted, but one just got past their screening.

Right now I'm immune because I'm using only a Linux box while my own machine is in the shop, and non-Windows machines are not susceptible to it. But anything running 32-bit Windows (95, 98, NT, 2000 and XP -- ALL versions) is susceptible.

One interesting thing about this virus is that I received an infected email that seemed to be coming from one of my own accounts. None of my machines is infected, but this virus spoofs the "From:" field in the email to make it appear as if it has a different point of origin from its actual sender.

Another interesting aspect to this virus is that it seems to have been developed by commercial spammers to provide an end-run around spam detection software. It places an SMTP proxy server onto the infected computer that can then be accessed by a third party to forward email. These proxy servers are NOT detected by currently available antivirus software, although I imagine that will change within hours.

I hope they catch the people responsible and lock them up for the rest of their lives. Malicious code writers and spreaders, and the spammers they now seem to serve, make me reconsider my opposition to the death penalty.
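The spoofed "From:" line the post above describes, as an added example that is not the poster's own method: the "From:" header is written by whoever sends the message, so the way to find where a message actually entered the mail system is to walk the "Received:" headers from the bottom up, since every relay prepends its own line and the bottom-most one records the host that first submitted the message. The two messages below are constructed for the demonstration, with documentation addresses (the 192.0.2.0/24 and 203.0.113.0/24 ranges, example.org and example-isp.net) standing in for real hosts; the consistency check at the end is a simple heuristic of mine, not a standard.

```python
import email
import re
from email.utils import parseaddr

# One "Received: from <helo> (<reverse-dns> [<ip>]) by <relay> ..." hop.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed message: a worm on a home PC sends mail claiming to be from the
# recipient's own address. The bottom Received: line is the true first hop.
SPOOFED = """\
Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
    by mx.example.org with ESMTP; Thu, 21 Aug 2003 13:58:02 -0400
Received: from home-pc ([203.0.113.77])
    by mail.example-isp.net with SMTP; Thu, 21 Aug 2003 13:57:40 -0400
From: ferguson@example.org
To: ferguson@example.org
Subject: Re: Details
Content-Type: text/plain

Please see the attached file for details.
"""

# Constructed legitimate message for comparison.
LEGIT = """\
Received: from mail.example.org (mail.example.org [192.0.2.25])
    by mx.example-isp.net with ESMTP; Thu, 21 Aug 2003 14:05:11 -0400
From: Ferguson Foont <ferguson@example.org>
To: someone@example-isp.net
Subject: Hello

Hello.
"""


def received_hops(msg):
    """Return (helo, ip) for every Received: line, top (newest) to bottom."""
    hops = []
    for header in msg.get_all("Received") or []:
        m = HOP_RE.search(header)
        if not m:
            continue
        ip = IP_RE.search(m.group(2))
        hops.append((m.group(1), ip.group(1) if ip else None))
    return hops


def trace_origin(raw_message):
    """Compare the claimed From: domain with the host that first submitted the mail.

    Relays prepend their Received: line, so the last one in the list is the
    earliest hop. Only lines added by relays you trust are reliable; anything
    below those could have been written by the sending machine itself.
    """
    msg = email.message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    hops = received_hops(msg)
    origin_helo, origin_ip = hops[-1] if hops else (None, None)
    helo = (origin_helo or "").lower()
    consistent = bool(from_domain) and (
        helo == from_domain or helo.endswith("." + from_domain))
    return {
        "from": from_addr,
        "from_domain": from_domain,
        "origin_helo": origin_helo,
        "origin_ip": origin_ip,
        "hops": len(hops),
        "consistent": consistent,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, trace_origin(raw))
```

For the spoofed message the "From:" domain is example.org but the first hop is an unrelated host at 203.0.113.77, which is the machine worth looking at; for the legitimate one the first hop is the sender's own mail server. The same reasoning is why the bounce notifications the posts complain about go to the wrong person: the bouncing server trusts the forged "From:" address.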

Posted: Thu Aug 21, 2003 2:13 pm
by David Campo
No question, this has been a bad week for viruses. At my last job as an assistant sys admin (and antivirus administrator), one of the programmers there told me that most viruses are just tests to see how far the creator can go. He said he knew he was capable of shutting down the whole shebang if he wanted to, and that there are many out there who could do likewise. It's just a matter of time, I figure.

Posted: Fri Aug 22, 2003 11:31 am
by Phoenix Woman
By the way: Anyone know how to close ports on an XP machine? My work computer has port 1025 open on it, which caused it to fail the ShieldsUP! test. (Alternatively, should this port be left open for any reason?)

Posted: Fri Aug 22, 2003 12:38 pm
by Ferguson Foont
Your work computer is undoubtedly connected to the outside world via a router. Have your network administrator close that port.

He or she should only have ports open that you're actually using anyhow, and that's unlikely to include anything with that high a number. There's not much legitimate reason to have anything open above 441 except maybe 8080 if you do web development.

By the way, this SOBIG-F virus is so nasty. I am now getting half my email containing that virus, and I am also getting notifications that I myself am spreading it around, which is 100% impossible.

My XP machine is in the shop right now and hasn't been turned on since Tuesday morning. I've been using a Linux box exclusively, and Linux is not susceptible to this trojan. So I cannot possibly be spreading this virus.

But SOBIG-F installs an SMTP proxy server on infected machines, modifying the "From:" field in the emails it sends to make it appear as if the sender is somewhere other than the actual sending machine. Interestingly, the worm aspect of this virus deactivates and will stop replicating on September 10, but will leave the proxy server intact and open to exploitation by spammers trying to evade address-based anti-spam software.

I got one from rightwing Nazi Republican congressman Tom Feeney today.

To find out if you're infected, do Start/Run, and type "regedit" in the field provided. When you hit "Return" this will invoke the registry editor.

In the left-hand column, go to HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run. If you then see an entry in the right-hand column showing "TrayX = [the Windows folder (usually C:\Windows)]\winppr32.exe /sinc", you ARE infected and should remove this entry. Repeat this, replacing "HKEY_LOCAL_MACHINE" with "HKEY_CURRENT_USER."

The latest version of most antivirus software will remove the virus but not the SMTP proxy server. They may have fixed this already for all I know, because like I said I haven't had my XP machine since Tuesday morning.
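The registry check described in the post above, as an added example that is not the poster's own code: the same two Run keys can be exported with "reg export" and parsed offline, which is handier than reading regedit by eye when several machines need checking. The .reg text below is constructed for the demonstration (the benign entries are made up); the indicator, a value named TrayX whose data runs winppr32.exe /sinc, is the one the post gives. On a Windows host the scan_live_registry function reads the keys directly through the standard winreg module instead.

```python
import re

# Indicator from the post: value "TrayX" = "<Windows folder>\winppr32.exe /sinc".
INDICATOR_NAME = "trayx"
INDICATOR_DATA = re.compile(r"winppr32\.exe\s+/sinc", re.I)

# The two autorun keys the post says to inspect.
RUN_KEYS = (
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)

# Constructed .reg export of both keys (the benign entries are made up).
# A real `reg export` file is UTF-16LE on disk: open it with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notes"="\"C:\\Program Files\\Example Notes\\notes.exe\" /background"
'''

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def unescape(text):
    """Undo the \\ and \" escaping used inside .reg string values."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Parse .reg text into {key path: {value name: data string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])   # string value; dword:/hex: kept raw
            keys[current][name] = data
    return keys


def find_sobig_autorun(entries):
    """Return (key, name, data) for every value matching the indicator."""
    hits = []
    for key, values in entries.items():
        for name, data in values.items():
            if name.lower() == INDICATOR_NAME or INDICATOR_DATA.search(data):
                hits.append((key, name, data))
    return hits


def scan_live_registry():
    """On Windows, read both Run keys with winreg; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    roots = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    entries = {}
    for root_name, path in RUN_KEYS:
        values = {}
        try:
            with winreg.OpenKey(roots[root_name], path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:      # no more values under this key
                        break
                    values[name] = str(data)
                    index += 1
        except OSError:                  # key absent or not readable
            pass
        entries[root_name + "\\" + path] = values
    return find_sobig_autorun(entries)


if __name__ == "__main__":
    hits = scan_live_registry()
    if hits is None:                     # not on Windows: use the sample export
        hits = find_sobig_autorun(parse_reg_export(SAMPLE_REG))
    for key, name, data in hits:
        print("INFECTED:", key, name, "=", data)
```

Matching on either the value name or the command line matters: a later variant could keep the file name and change the value name, or the reverse. Deleting the Run value only stops the worm restarting at logon; the file it points to, and the proxy the post mentions, still need dealing with separately.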

Posted: Fri Aug 22, 2003 1:01 pm
by Ferguson Foont
WHOA NELLIE! This SOBIG-F virus was just discovered to be far more malicious than was previously expected.

An article on MSNBC entitled "Massive virus attack expected," reveals that every machine infected with this trojan, and there are millions and millions of infected machines, will attempt to contact twenty machines and activate some other code with which those twenty machines are infected, with unknown consequences:
Security experts discovered only late Thursday that the Sobig.F virus, which has sown panic since Monday by infecting Windows systems and using them to send a deluge of junk mail, was harboring a sinister secret.

Hidden within the virus is an instruction to the infected machines to make contact at 3:00 p.m. ET with the 20 computers, which host an unidentified program.

“The problem is we don’t know what that program is. It could mean a smiley face dances across your screen or it could be something massive,” said Carole Theriault, anti-virus consultant at Sophos Anti-Virus. “It’s still under the control of the virus writer.”

Even if the mystery program is a harmless gag, the sheer volume of Internet data converging on the 20 computer targets could slow the Internet to a crawl.

The time trigger is set to be activated again at the same time on Sunday, August 24.

The search for the owners of the 20 machines — to get them to disconnect before the deadline — has had some success.

“We’ve taken more than half offline,” said Mikko Hypponen, anti-virus research manager at Finland’s F-Secure. “But if one is left standing, there will be an attack.”

Boy I hope they catch these perps. They need to be made an example.

Posted: Tue Aug 26, 2003 5:07 pm
by D H
Ferguson Foont wrote: Boy I hope they catch these perps. They need to be made an example.

Not just them, but Billy Gates. SoBig is yet another of those stinking Outlook/Exchange exploit virii. Variants on this crap have been floating around since Melissa, which was YEARS ago.

M$ will not properly secure their crap until Gates himself is in danger of doing time over it.

Posted: Tue Aug 26, 2003 7:02 pm
by Ferguson Foont
The problem with Microshit software is that it's tailored to look impressive at trade shows with all its autoexec capabilities. But it's precisely these capabilities, the automatic opening of email attachments and the auto-execution of macros, that are exploited by virus writers to spread their shit.

SoBig would spread fast enough anyhow, because there are legions of morons out there who'll see something like "Click on below for details" from a name they know, see "details.scr" as the attachment, and then mindlessly follow the instruction. But Outlook, which used to be defaulted to auto-open (like Word and Excel used to come with settings defaulting to autoexecute macros), doesn't permit even a suspicious person to avoid the infections.

It's really stupid. MS does this just so their hucksters at trade shows can do these impressive demos. "See, Outlook can do THIS!"

The government should require Microsoft to subsidize third parties to produce and distribute constantly updated antivirus software to everyone for free.