Information Security News mailing list archives

New Kit Renews E-Mail Worm Scare


From: InfoSec News <isn () C4I ORG>
Date: Tue, 13 Mar 2001 00:47:21 -0600

http://www.wired.com/news/technology/0,1282,42375,00.html

by Michelle Delio
12:45 p.m. Mar. 12, 2001 PST

A slew of new worms may be on their way to your e-mail inbox even if
you run anti-viral software.

A new version of VBS Worm Generator, the virus creation program used
to write the Anna Kournikova worm in February, has been released by
the program's creator, who claims that worms created with the newest
version of his program will be undetectable by most antiviral
software.

The new tool's ease of use -- including its remarkably lucid help file
-- indicates the next generation of worms will reduce the number of
copycat worms, which in turn will make them harder to contain once
they are released in the wild.

The writer of the VBS Worm Generator program, an Argentine teenager
formerly known as Kalamar (who now wishes to be known simply as [K]
complete with brackets) released Version 2 of VBS Worm Generator on
Friday and followed it with a bug patch on Monday.

"This is a very impressive tool," said Dave Kroll, director of
security research at Finjan Software.

"Our security team has reviewed the new tool and is very impressed
with its simplicity and ease of use. A lot of bugs have been fixed
since the first version," Kroll said. "Worms created by this tool can
spread and attack using multiple methods (e-mail, IRC, file
infections), and it will be difficult to detect or remove them.

"This signals a new age in worm generation. Unique worms now can be
created with ease -- you won't see copycat variants like ILOVEYOU had.
Each new worm will be new code and unique. Worms generated with this
tool may wreak havoc on anti-virus software. We expect to see new
worms coming in the near future that will spread very fast," Kroll
said.

Version 2.0 of the program is now available on several Argentine
websites, including the site owned by [K]. It is free and an easy
download at 208 kilobytes.

VBS Worm Generator Version 2 contains a simple point-and-click
interface that allows even the most non-technical person to create and
e-mail a virus.

"If they can manage to find the website and download the program they
can create a powerful virus and e-mail it around the globe with
absolutely no effort or thought," said Ken Durham of Security Focus.

[K] informs users of the software that any worms created with his free
program are not his responsibility.

"You have to agree to take full responsibility of any damage caused by
the files that you could create with this program. The files created
with this program may have the ability of really fast spreading by
e-mail around the world, and that could hang up some e-mail servers.
The worms are just for learning, not for spreading," [K] states in the
program's documentation.

OnTheFly, the 20-year-old from Holland who created and spread the
virulent Anna Kournikova worm, has since expressed remorse for
unleashing the program.

"This program and the files created with it are for educational
purpose only," [K]'s notice continues. "You have to agree that [K] is
not responsible for any damage caused by the files that you are going
to create."

VBS 2.0 has an extensive and impressive help file, which guides a
wannabe worm writer through the process.

"This guy's help section is easier to understand and work with than
the help functions included with most mainstream software," said Dave
Smith, a support technician with Techserve.

As in previous versions of VBS, a user simply clicks on clearly
labeled boxes to create the worm.

New features include a fast-spreading option that allows a VBS v.2
worm to look for and infect other devices on the network.

The worm kit also has a new encryption scheme that allows viruses to
sneak under anti-viral software's radar by varying the virus' code.

Many anti-viral applications look for specific sets of codes when
screening for viruses. The upgraded version creates a random 10-number
variation on the codes, making each released copy of the virus appear
to be different.

[K] noted in the documentation for the program that he has Norton
anti-viral 2001, Kaspersky Anti-Virus (AVP), McAfee and F-Secure's
"Fprot" installed on his home machine, "and none of them detect my
worms."

Officials at F-Secure's main office in Finland and Kaspersky's
Switzerland offices could not be reached for comment. McAfee and
Symantec did not immediately reply to e-mail queries about whether
their software could protect against Version 2.

Finjan Software's desktop product, SurfinShield, blocks any .VBS worm
because it monitors the real-time behavior of code, and does not use a
database of virus signatures, Kroll said. This new proactive approach
is gaining a lot of acceptance as a good way to complement
traditional, reactive anti-virus software.

Other new features of VBS 2 include the ability to attach an
executable program to the worm, which in theory would allow a user to
create a more dangerous worm because an executable file (.exe) can do
more damage than a Visual Basic script.

"Chances are an unskilled worm writer won't know what to do with this
feature, since they would need to have access to a virus-laden .exe
file to attach," Techserve's Smith said. "I suppose a more skilled
programmer could do something useful with it, but most computer users
are aware that they shouldn't click on an executable file."

As in previous versions, worms created with VBS Worm Generator will
replicate quickly.

Clicking on the "anti-deletion" option while creating a worm will
program the worm to check whether it has been deleted, and if it has,
to re-create itself. The only way to delete it is to press
Control/Alt/Delete keys and close "Wscript" in the pop-up window that
appears.

Worms created with VBS Worm Generator are able to infect files and
shut down an infected computer. [K] notes the shutdown feature doesn't
work with machines running Windows 2000.

A new feature allows the worm writer to change the name of a
computer's registered owner by changing the information contained in
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner"
to any name chosen by the worm's creator.

[K], who did not reply to an e-mailed request for an interview, had
previously told Durham he would not be releasing new versions of the
program.

It was assumed that this was in reaction to the widespread publicity
over the Anna worm, although [K] stated it was a choice he had made
before the Kournikova debacle, but he refused to explain why he
wouldn't be updating.

[K] now states in the program documentation that he didn't update the
program earlier because the source code to VBS Worm Generator was lost
when his own computer's hard drive crashed.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
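
Added example (not part of the Wired article or the ISN post): a small
Python model of why an exact-match signature misses a copy that differs
only in an embedded 10-digit value, and how masking that field before
matching restores detection. The sample text is constructed and inert, and
where the varying value sits is an assumption; the article does not
describe the kit's actual scheme.

```python
import hashlib
import re

# Constructed, inert text standing in for a script body. {n} marks where a
# per-copy 10-digit value is ASSUMED to sit; the kit's real layout is not on the page.
TEMPLATE = (
    "' constructed sample, not real worm code\n"
    'owner_key_{n} = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows'
    '\\CurrentVersion\\RegisteredOwner"\n'
    "copy_tag = {n}\n"
)

# A run of exactly ten digits, not part of a longer number.
TEN_DIGITS = re.compile(r"(?<!\d)\d{10}(?!\d)")


def make_copy(n: int) -> str:
    """Build one constructed 'copy' carrying its own 10-digit value."""
    return TEMPLATE.format(n=f"{n:010d}")


def exact_signature(text: str) -> str:
    """Signature over the raw bytes: any changed byte changes the result."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalized_signature(text: str) -> str:
    """Mask the varying field, fold case and whitespace, then hash."""
    masked = TEN_DIGITS.sub("<N>", text)
    collapsed = " ".join(masked.lower().split())
    return hashlib.sha256(collapsed.encode("utf-8")).hexdigest()


def scan(text: str, exact_db: set, normalized_db: set) -> dict:
    return {
        "exact": exact_signature(text) in exact_db,
        "normalized": normalized_signature(text) in normalized_db,
    }


def demo() -> dict:
    analysed = make_copy(1234567890)   # the copy a vendor has already seen
    exact_db = {exact_signature(analysed)}
    normalized_db = {normalized_signature(analysed)}
    unseen = make_copy(9876543210)     # same body, different per-copy value
    benign = "' constructed benign script\nWScript.Echo 2001031200\n"
    samples = [("analysed", analysed), ("unseen", unseen), ("benign", benign)]
    return {name: scan(text, exact_db, normalized_db) for name, text in samples}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Masking only helps while the variation stays inside a known field. Once the
whole body differs from copy to copy, matching has to move to what the code
does at run time, the approach the article attributes to SurfinShield.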

