WSH and SmatDownload updates, Microsoft ships a virus and CIH fizzles

Vendors and Vendors shipping viruses; PC seller sends competitor a virus...; First e-mail worm for TheBat!; Almost quiet on the CIH front...

A fairly quiet week on the security front this week, but with an important WSH patch re-release by Microsoft and SmartDownload update from Netscape. Microsoft makes the virus news section too, with confirmation that it shipped some hotfixes infected with the rather nasty (but old and well-detected by antivirus software) FunLove virus.

Virus News

Vendors shipping viruses

Spammers have been doing it for a while -- the self-mailing virus JS/Kak, and more recently VBS/San, both had significant distribution boosts when they happened to infect the machines of e-mail and/or Usenet news spammers.

Close to three years ago, CIH's initial spread (particularly in Europe) was assisted by several major computing magazines distributing infected programs on cover CDs. The Marburg virus had a similar boost. Around the same time a major Japanese hardware vendor put CIH-infected drivers for one of its popular products on a support FTP site.

And it continues. Last month Pioneer distributed Hybris-infected e-mail messages to about 10,000 of its customers. The company posted out an apology and a fix for the virus. At least 19 of those who received the viral attachment have reported to Pioneer that they ran it.

This week it was Microsoft. A few days ago rumblings about Microsoft posting FunLove-infected hotfixes to a "premier support" area started surfacing and these have now been confirmed publicly my Microsoft. To quote from the announcement posted to the security area on Microsoft's TechNet web site:

Here are the most important facts regarding this issue.

  • The affected hotfixes were not accessible to the general public, and weare identifying and proactively notifying the specific customers who downloaded them.
  • Only a limited number of hotfixes were infected, all of which were released during the past two weeks. No security patches were infected.
  • The specific virus is a known one that most commercial virus scanners will detect and remove.
The announcement went on to claim "the infection resulted because Microsoft’s corporate standards regarding virus-scanning procedures were not followed on one of the servers used to prepare hotfixes". The infected hotfixes were posted to web servers that are only accessible to "Premier Customers" and "Gold Partners". The infected hotfixes are thought to have been available from 6 April to 20 April this year. All infected hotfixes were pulled when the virus was discovered and Microsoft has been replacing them.

Unconfirmed reports are circulating that the infection occurred post-signing, meaning that anyone checking the certificates on the affected hotfixes should have been told the code had been modified. If this is the case, it seems odd this was not mentioned in Microsoft's official announcement.

News articles:

Pioneer Infected Its Own Customers -

Microsoft gives a virus to its support customers -

Microsoft security fixes infected with FunLove virus - The Register

- Microsoft announcement

PC seller sends competitor a virus...

In light of the preceding story, the news story referenced below may be of interest. "The Register" has reported on an apparent feud between two competing PC dealers in the UK, with one deciding that sending his competitor a virus was a feasible solution to some preceived problems. He got 175 hours community service and his computer equipment confiscated for his efforts...

- News article

First e-mail worm for TheBat!

Win32/Stator was isolated earlier this week. It is a companion virus that also mails itself via TheBat! e-mail client. Ths latter functionality means many antivirus researchers classify it as a worm. TheBat! is quite a popular e-mail program in Russia and the message Stator distributes is in Russian. A file attached to the mesage purports to be a picture of a girl but is, in fact, an EXE renamed to a PIF

extension. This is "obfuscated" with the so-called double-extension trick -- the file is named "photo1.jpg.pif". More technical details are available from the URLs below.

Various antiviruse developer's descritions:,,

Almost quiet on the CIH front...

Yesterday was "CIH day" -- 26 April being the trigger date for by far the most common variant of the CIH virus family. If previous years are anything to go by, initial reports on the day (and remember it is still

26 April where a large number of the world's PCs are) tend to seriously underestimate the eventual exposure of this virus' destructive payload, but so far there hve been extrememly few reports and few of those account for other than single machines.

Security News

MS01-015 updated to fix WSH regression error...

Microsoft has re-issued its MS01-015 security bulletin to reflect the discovery of regression errors in the Windows Script Host (WSH) v5.1 and v5.5 updates annouced in the original bulletin. No description of the nature of those errors is provided, but Microsoft recommends anyone who installed either of the earlier WSH patches to install the updated patches. WSH users who did not install those patches should consider installing the updated patches.

- Microsoft security bulletin

Netscape SmartDownload v1.3 update

An update that fixes a buffer overflow that can allow remote execution of arbitrary code on Windows machines running SmartDownload v1.3 has been released. The overflow was discovered by @Stake security researchers, but is not known to be actively exploited as yet. There are two approaches to fixing this issue - uninstalling SmartDownload or installing the update. The first is easily achieved via the Add/Remove Programs control panel and the latter by downloading the update from the URL below.

Note that even if you use Internet Explorer (and possibly other browsers), simply having SmatDownload v1.3 installed opens you to the vulnerability. Also, setting SmartDownload to "disabled" via its "Disable SmatDownload" menu option is insufficient, as the faulty software still parses all URLs accessed by the browser and the overflow is in that parsing code.

- @Stake security advisory

- Netscape SmartDownload update

MS01-015 updated to fix WSH regression error...

Netscape SmartDownload v1.3 update

When will they ever learn???

In researching the previous item, your newsletter compiler noticed the "Computer MD" link on Netscape's home page, with its description "Protect your computer against viruses and related problems". Being the inquisitive sort, an attempt to check that page's content was made.

Should I have been surprised that the page was "JavaScript enabled"? No. However, it was worse that that. The page refused to even load because I browse the net with JavaScript disabled:

You have tried to access a feature which is not available for your current browser configuration. To use this feature, you must have:

JavaScript enabled in your Preferences, and

A browser that is Netscape Navigator 3.0 or newer, or Internet Explorer 3.0 or newer.

Given that page purports to be a guide to "securing" your computer, that experience alone convinces me the page is not worth visiting and the views and opinions of its writers next to worthless. I understand the "need" for modern web pages to use scripting for all manner of "useful" things like text that changes colour or icons that animate when your mouse pauses over them, but to _refuse_ to load a security "tutorial" because the reader has taken the prudent option of disabling scripting in their browser?

There's only one reaction for this sort of idiocy...


Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about MicrosoftPioneerTechNet

Show Comments