Attention, Netgear router owners!

IMPORTANT! If you have one or more Netgear routers with a model number RP614, RP614v2, DG814, MR814 or HR314 then it is very important that you update the firmware in your router. You could be one of the more than half-million Netgear router users who, because of the default firmware in the router, are causing problems for the University of Wisconsin. Links to details and upgrade sources are available on my page, netgear-error.html.

How not to deal with computer security:

[A yellow sign with a black silhouette of an ostrich with its head in the ground.]

A Must-Read file:

English: Safe Hex - Safe Computing Tips
Français: Conseils "Safe Hex"
Deutsch: Safe Hex - Sicher am Computer.

W32/Klez.E@mm, W32/Klez.H@mm, etc. ...

... or "Virus-of-the-Month Club".

Bookmark this spot: Klez information.

I have received more than a dozen copies of this one and a bogus report that a message that I allegedly sent couldn't be delivered because it was infected (but I never sent the message). This worm has some really nasty features:

  1. On unpatched systems it can use the IE MIME-type vulnerability to get itself to run automatically.
  2. It can disable your antivirus program.
  3. It sometimes forges the sender address to some other email address found on the infected user's machine so it can appear to have been sent by an innocent third party. (That's what happened to me.) The envelope sender ("MAIL FROM:") in the SMTP transaction is also forged to some other address found on the infected machine. Addresses for the recipient and the two forged senders ("From:" and "MAIL FROM") are harvested from the infected user's addressbook or from his/her browser or newsreader cache.
    A request: If you are in charge of a server that filters for infected messages and attempts to notify the senders that they have infected machines, PLEASE do not send notices to the alleged senders when Klez is detected! Use appropriate lookup tools to find out who owns the connecting IP address and notify the person in charge there. The envelope sender and the alleged sender in the "From:" header are innocent third parties who probably have no connection whatsoever with the sending machine. Why should I get a notification (sometimes with the original virus attached) because some infected user in New Zealand or India was looking at my web site when the worm went scrounging through his machine looking for addresses to forge?
  4. The "H" variant will sometimes pretend it's a disinfection tool to wipe out the "E" version of itself and trick people into running it that way.

Links to more information:

  1. F-Secure Computer Virus Information Pages: Klez.H
  2. McAfee - AVERT -- W32/Klez.e@mm
  3. McAfee - AVERT -- W32/Klez.h@MM
  4. McAfee.com - Virus Information Library -- W32/Klez.h@MM
  5. Symantec Security Response - W32.Klez.A@mm
  6. Symantec Security Response - W32.Klez.D@mm
  7. Symantec Security Response - W32.Klez.E@mm
  8. Symantec Security Response - W32.Klez.gen@mm
  9. Symantec Security Response - W32.Klez.H@mm
  10. Sophos virus analysis: W32/Klez-A
  11. Sophos virus analysis: W32/Klez-B
  12. Sophos virus analysis: W32/Klez-C
  13. Sophos virus analysis: W32/Klez-D
  14. Sophos virus analysis: W32/Klez-E
  15. Sophos virus analysis: W32/Klez-F
  16. Sophos virus analysis: W32/Klez-G
  17. Sophos virus analysis: W32/Klez-H
  18. AVG Anti-Virus - Virus Alert -- Klez
  19. Metropolitan Network BBS Inc., AVP in Switzerland -- Win32.Elkern.c
  20. Metropolitan Network BBS Inc., AVP in Switzerland -- I-Worm.Klez
  21. Klez.J
  22. Download - Antivirus - Security - Norman -- Klez.G
  23. RAV AntiVirus - Virus Description -- Win32/Klez.H@mm
  24. Vet: Wib32.Klez.E
  25. Vet: Win32.Klez.F
  26. Vet: Win32.Klez.H
  27. (About the MIME-header vulnerability and how to get the patch to fix it.) http://www.microsoft.com/technet/security/bulletin/ms01-020.asp
  28. Klez Virus: Xtra Help
  29. Visit Norman De Forest's Anti-Spam Page and read up on viewing and interpreting full email headers because the worm can forge an innocent third party in the "From:" address.


Bookmark this spot: Gibe information.

A new worm going around starts off faking the source:

From:	"Microsoft Corporation Security Center" <rdquest12@microsoft.com>
To:	"Microsoft Customer" <'customer@yourdomain.com'>
Subject: Internet Security Update

with an attachment named q216309.exe. The body of the message (described in the pages linked below) may fail to display. The worm has a bug that inserts some ASCII NULLs in the message and at least one mailreader, pine, halts its display of body text when an ASCII NULL is encountered. Since the first two NULLS are at the start of the body text, nothing is displayed.

The page, "Microsoft Policies on Software Distribution" on Microsoft's web site clearly states that Microsoft never sends updates by email.

Since I have received three copies in the last five days (March 7, 2002 to March 11, 2002), this worm rates inclusion here. Here's what I could find about it:

  1. F-Secure Computer Virus Information Pages: Gibe.
  2. McAfee - AVERT.
  3. Symantec Security Response - W32.Gibe@mm.
  4. Sophos virus analysis: W32/Gibe-A.
  5. WORM_GIBE.A - Description and solution.
  6. Gibe.A Information (including the fact that some copies of the worm may be corrupted).


(a.k.a. W32/Magistr.b@mm and W32/Magistr.32768@mm)

Bookmark this spot: Magistr information.

This one has landed in my inbox a few times recently and a few users at my ISP have been infected with it. Be aware that there is more than one version of this worm out and the removal tools are version specific. If you get infected with W32/Magistr.A@mm you will have to look for the tool for that variant yourself. (If I tried to cover everything this page would take an hour to load and I would need 57 hours per day to keep the site relatively up-to-date -- besides the time needed to deal with spam.) Check several antivirus databases for aliases to see if your infection has more than one name.

This one is nasty. Besides making your icons run away from the mouse cursor, the worm can also trash your entire hard drive's contents or (on vulnerable systems) trash your flash BIOS so you need a new motherboard.

  1. McAfee.com - Virus Information Library.
  2. Viren News Forum bbs0104.html.
  3. Symantec Security Response - W32.Magistr.39921@mm.
  4. Sophos virus analysis: W32/Magistr-B.
    1. Instructions for disinfecting W32/Magistr-B.
    2. magibsfx.exe -- SWMAGISB disinfection utility (download to an uninfected machine) -- 53884 bytes.
    3. SWMAGISB notes -- for instructions on how to use the SWMAGISB utility to disinfect the W32/Magistr-B virus.
  5. PE_MAGISTR.B - Description and solution.
    1. PE_MAGISTR.B - Technical details.
    2. fix_magistr_b.com -- disinfection tool from Trend Micro.
    3. readme_magistr_b.txt -- instructions for fix_magistr_b.com ***READ FIRST***.
  6. A.C.V Reference Desk [other virus information sites]

It is important to follow disinfection instructions very carefully. The file at http://www.antivirus.com/vinfo/security/readme_magistr_b.txt warns people twice about the trojan portion of the worm:

I   Important Note:

  If during the scanning the Trojan was detected in WIN.COM or NTLDR,
  DO NOT RESTART WINDOWS. This Trojan portion of the virus will trash
  your hard drive after you restart.

  Please make backup copies of your WIN.INI and SYSTEM.INI before running
  this tool.

  If during the scanning the Trojan was detected in WIN.COM or NTLDR,
  DO NOT RESTART WINDOWS. This Trojan portion of the virus will trash
  your hard drive.

  For 9x/ME users, obtain a clean copy of WIN.COM and overwrite the one
  that was detected.

  For NT/2K, restore NTLDR from backup.


Bookmark this spot: Badtrans information.

November 24, 2001: I get a suspicious message with an attachment that has an extension doesn't match it's declared "Content-Type:" header. F-Prot for DOS with the latest definitions at that time (November 20, 2001) fails to find anything.
November 25, 2001: I get a similar message addressed to the user-support mailing list.
November 27, 2001: Another two arrive and now F-Prot does detect a worm in all four copies once I grab the newly updated virus definitions. It's the W32.Badtrans.b@mm worm. Then a fifth copy arrives from a user here.

Watch out for this one. Like a number of other worms, it exploits a vulnerability in Microsoft Internet Explorer that allows it to run automatically the moment you view the worm. It also contains a backdoor trojan and a password-stealing keyboard logging trojan. Check out the links below and fetch (and install, of course) the patch from Microsoft that plugs the Internet Explorer hole.

  1. Incorrect MIME Header Can Cause Internet Explorer to Run E-mail Attachment (Q290108)
  2. AXENT : SWAT : Disable Embedded Scripting
  3. Anti Virus Information
  4. Sensible Security Solutions - Worm_Badtrans.b Virus Information
  5. AntiVirus Alert, Nov 25, 2001
  6. How to NOT hide extensions in Windows
  7. OL2000: Information About the Outlook E-mail Security Update (Q262631)
  8. F-Secure Computer Virus Information Pages: BadTrans.B
  9. F-Secure Computer Virus Information Pages: BadTrans.B Disinfection Instructions
  10. McAfee - AVERT W32.Badtrans.b@mm
  11. Microsoft Security Bulletin (MS01-020)
  12. Symantec Security Response - W32.Badtrans.B@mm
  13. Sophos virus analysis: W32/Badtrans-B
  14. Instructions for removing W32/Badtrans-B
  15. WORM_BADTRANS.B - Trend Micro Virus Encyclopedia
  16. I-Worm.BadtransII, virus description [VirusList.com®]
  17. BadtransII Is Out There [ VirusList.com® ]
  18. Windows95 viruses information
  19. Win32.Badtrans.29020
  20. Metropolitan Network BBS Inc., AVP in Switzerland I-Worm.BadtransII
  21. Novinky [NOD32 Antivirus]
  22. Norman - the data security company
  23. RAV AntiVirus Website W32/Badtrans.b@mm
  24. Microsoft Security Update, March 29, 2001
  25. Vet: Win32.Badtrans.29020


Bookmark this spot: Nimda information.

Sep 20, 2001 (Nimda).
URLs in above:
   Removal Tools
   Central Command (AVP):
   Network Associates:
   Trend Micro:
   Further Info
   F-Secure Corp:
   Network Associates:
   SANS Emergency Incident Handler:
   Trend Micro:
   Patches for vulnerabilities:

The Code Red Worm.

Bookmark this spot: Code Red information.

Code Red had been pounding relatively ineffectively against my ISP's servers lately. View a tech report entry (with other data snipped). WARNING: May be dangerous to view with Internet Explorer. Although it is just plain text showing the URL that Code Red attempts to submit to an IIS server, and was previously on this page as plain <PRE>formatted text (and *not* as a hyperlink), I have had one report from an IE user that his browser locked up just viewing this part of my page.

While the attacks have died down -- due mainly to the fact that Code Red-infected systems have mostly been closed or infected with Nimda -- there are still some infected servers out there and the holes it exploited could be used by other worms so the appropriate patches to prevent it are still recommended.

Some links to information about the Code Red worm (and more to add later when I can find them again):

  1. Sensible Security Solutions - Code Red Virus Information.
  2. SARC and Symantec:
    1. Write-up - CodeRed Worm.
    2. Write-up - CodeRed II .
    3. Write-up - Trojan.VirtualRoot (dropped by CodeRed II).
    4. Reference - CodeRed Removal Tool (instructions and download link).
    5. How to back up the Windows registry (a good idea when making any changes to the registry in case an error is made -- not just when getting rid of references to worms or viruses).
  3. eEye Digital Security:
    1. CodeRed Scanner.
    2. (advisory about Code Red).
    3. News (currently mostly about Code Red).
  4. BugTraq Archive: Full analysis of the .ida "Code Red" worm.
  5. TROJ_BADY.A - Trend Micro Virus Encyclopedia
    (TROJ_BADY.A is another name for Code Red).
  6. McAfee - AVERT (W32/CodeRed.a.worm).
  7. PGP Security - Research - COVERT (Code Red alert).
  8. CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.
  9. CERT Incident Note IN-2001-08: "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.
  10. National Infrastructure Protection Center (NIPC) - Warnings - 2001 Advisories - 01-013.
  11. National Infrastructure Protection Center (NIPC) - Warnings - 2001 Advisories - 01-015.
  12. Microsoft:
    1. Microsoft Security Bulletin MS01-033.
    2. Microsoft Security Bulletin MS01-044.
    3. Microsoft Security Bulletin (MS00-052).
    4. Microsoft Security Bulletin (MS00-052):
      Frequently Asked Questions
    5. Microsoft Personal Security Advisor.
    6. Information on 'Code Red' IIS worm.
    7. Windows 2000 Service Pack 1.
    8. Windows 2000 Service Pack 2.


Bookmark this spot: Sircam information.

I received 11 copies, one 754KB in size, before my ISP started blocking it. Not only is it larger than most worms but it also tacks on a random file from the infected user's computer to the end of itself and then opens that after running on a newly-infected computer to hide its real purpose. It can therefore cause a major privacy breach. The copies I have received have included Microsoft Word documents with an article about the works of Leonard Cohen a purchase confirmation from an Australian company with the customer's name and address (but fortunately not her credit card number), and a psychiatric paper probably intended for publication in some medical journal. A couple of Excel worksheets included one that appears to be a doctor's records about a (luckily unidentifiable) patient. And a ZIP file from Mexico that contained six extractable, boring snapshots of three young men.

Information I could find so far:


If your system is infected with the worm first please download this REG file and install it (by double-clicking on it):


This will remove the worm's reference from the EXE file startup key in the Registry.

Warning! This is really important! The system might become unusable if the worm's file is deleted without modifying the EXE startup key first.

After that the system can be safely disinfected with an anti-virus program. If for some reason the worm's file can't be deleted from Windows (locked file), then you have to exit to pure DOS and delete the worm's file manually or use a DOS-based scanner.


Hybris Worm.

Bookmark this spot: Hybris information.

I have received more than 180 copies of this worm (I lost exact count around 165) at the time of this writing and will probably get even more. Be aware that the worm does not really come from the alleged hahaha@sexyfun.net address in the "From:" header. That was a fictitious address and domain used by the worm's author. As a public service, someone else later registered the sexyfun.net domain to set up a web site on how to combat the worm. Following are links to some information on it:

Anti-Virus Info:

Hybris in the News:

The latest Alerts:

Links to the latest virus alerts from various anti-virus companies.


reported in the news.admin.net-abuse.email newsgroup:

A new tactic encountered by one regular to that newsgroup is to use JavaScript and ActiveX on a web site to attempt to install a bogus hosts file on your computer so the abuser can intercept your accesses to a number of web sites, act as a proxy to pass your password and cookie data back and forth between you and those sites, and also log your passwords and cookies so he has access to any accounts you may have on those sites. The postings include a list of the sites that can be intercepted: hotmail.com, yahoo.com, msn.com, altavista.com, google.com, paypal.com, ebay.com, buy.com, microsoft.com, icq.com, usa.net, usa.com, netscape.net, netscape.com, aol.com, web.de, excite.com, qwest.net, dell.com, hp.com, sony.com, gateway.com, ibm.com, bestbuy.com, prodigy.net, att.com, att.net, earthlink.net, earthlink.com, mail.com, lycos.com, av.com, mp3.com, hollywood.com, cnn.com, nba.com, nhl.com, nfl.com, usatoday.com, weather.com, money.com, geocities.com, amazon.com, bankamerica.com, wu.com, westernunion.com, c2it.com, visa.com, internet.com, ivillage.com, real.com, x10.com, about.com, www.hotmail.com, www.yahoo.com, www.msn.com, www.altavista.com, www.google.com, www.paypal.com, www.ebay.com, www.buy.com, www.microsoft.com, www.icq.com, www.usa.net, www.usa.com, www.netscape.net, www.netscape.com, www.aol.com, www.web.de, www.excite.com, www.qwest.net, www.dell.com, www.hp.com, www.sony.com, www.gateway.com, www.ibm.com, www.bestbuy.com, www.prodigy.net, www.att.com, www.att.net, www.earthlink.net, www.earthlink.com, www.mail.com, www.lycos.com, www.av.com, www.mp3.com, www.hollywood.com, www.cnn.com, www.nba.com, www.nhl.com, www.nfl.com, www.usatoday.com, www.weather.com, www.money.com, www.geocities.com, www.amazon.com, www.bankamerica.com, www.wu.com, www.westernunion.com, www.c2it.com, www.visa.com, www.internet.com, www.ivillage.com, www.real.com, www.x10.com, and www.about.com. Oh, and the malicious code installs a porn-dialler, too.

The ILOVEYOU Worm/Trojan and Variations.

First, see the Virus Alerts mentioned above. Then check out:

And on the lighter side...

Alien Invaders might want to check out this CERT advisory.

Is it "viruses" or "virii" when speaking about more than one virus? One poster to the alt.comp.virus newgroup has an answer:

"i thought we settled this a long time ago, the term varies depending on the number... viri for one, virii for two, viriii for three, viriv for four, virv for five, and so on..."

Has your favourite newsgroup been invaded by the porn spammers? One such spammer, advertising a CD with "10000 Celebrity Nude Photos", inspired this hilarious response in the alt.comp.virus newsgroup -- an imaginary review of erotic scanners. (My sincere thanks to the poster -- who granted me permission to include it here.)

From the "Are you sure it's satire?" department:

Foot-and-Mouth First Virus Unable To Spread Through Microsoft Outlook.

Fun and Games!

Core Wars:

Do you want to write your own programs designed to clobber others and run them with no fear of getting caught? Will your little sister's program trash yours first or will your grandfather's program beat both of yours? Write your own combatitive programs designed for a machine that doesn't exist and run them on the REDCODE simulator and may the best code win.

Other Security Issues.

Java Security

There is some concern over security leaks in the Java language. The following sites have some excellent information on that subject:

Princeton University Safe Internet Programming Group
News last updated 30-April-1997.
Sun Microsystems/JavaSoft "Applet Security" FAQ.
Sun Microsystems/JavaSoft "Denial of Service" White Paper
Last updated 10-May-1996.
Also, here is the Netscape Navigator 2.02 Security FAQ
Last updated 16-May-1996.

Links above last checked between
August 15, 2001 and August 17, 2001.

Back to Norman's Home Page.

Webmaster: Norman De Forest.
If you have any comments about this page,
please send me an email message.