The Mudcat Café TM
Thread #71261   Message #1219004
Posted By: JohnInKansas
03-Jul-04 - 04:31 PM
Thread Name: Tech: Mudcat Spyware Warning
Subject: RE: Tech: Mudcat Spyware Warning
A new "web virus" was reported within the last couple of weeks that can download a small "bug" that once on your machine would connect to a site where spyware would be downloaded. The spyware was of the nasty "keystroke logger" variety that attempted to record things like credit card numbers etc.

The significance(?) of this particular one was that the "infection" was on servers, in the form of corrupt JavaScript. To be successfully placed on a server, three separate "vulnerabilities" had to be present on the server. Fixes for two of the required vulnerabilities were published a year or more ago, so any server with either or both of the patches could not be infected - at least not with a "functional" bug. There is no "fix" as yet for the third "vulnerability," but users can prevent download of this particular spyware by setting browser security to "the highest levels" and by disabling JavaScript. A Microsoft "fix" for the third vulnerability is available, but it does not, at this time, actually repair the vulnerability. It just turns off one specific JavaScript function exploited by the virus.

Since many server sites rely on heavy use of Java, disabling JavaScript may significantly affect your "browsing experience."

Both of the sites that versions of this virus used to actually download the keystroke logger have been shut down.

Since the virus relies on "piss poor maintenance" of server software, mudcat is NOT AFFECTED; but there are a few sites on the web that were. The infection was classed as "mild" as of yesterday. The observed (so far) infections do not attempt to spread themselves, so you must actually visit an infected site to pick this one up.

Since the original JavaScript download looks like a "normal" Java transaction, it is NOT DETECTED by any current AV software. The script that runs on the user's machine functions as a "normal" program, so it is NOT DETECTED by any AV software, although some firewalls, hardware or software, may block the communication with the download site - or at least tell you that your machine is trying to communicate.

Neither the script nor the downloaded keystroke logger is detected by ANY CURRENT ANTISPYWARE program, and NO CURRENT ANTISPYWARE PROGRAM can remove this p.o.s. Removal instructions are available from major AV suppliers, but it is rather difficult to know that you've been infected.

Users can determine if this malware is present on their own machines by searching for the file "Kk32.dll" or "Surf.dat." (You should be sure to include hidden and system files in the search.) If either file is found (odds are very low) details of removal can be found at major AV sites under the virus name "Scob."

There is little reason to believe that more than a very few persons might need to be concerned about this one; but being aware of the kinds of threats that appear on a daily basis is just part of "living with the web."

There have been several other "server side" viruses (Qhost is best known) but the above is the first that has appeared that was apparently aimed at identity theft.

A second concern, less than a month since first appearance, is the use of "Instant Messaging" connections to transmit viral crud. Since IM requires a continuous connection, such infections do not have to rely on "hit or miss" methods to attack. They can simply "send to all possible addresses." "Code Red," which appeared recently, infected all vulnerable machines in less than 14 hours, according to Symantec (Norton). A newer one, "Slammer," took less than 20 minutes. A Symantec spokesman suggests "An instant-messaging threat could spread to a half a million machines in 35 seconds." (Neither of these threats was reported as affecting machines with current OS updates.)

It doesn't just come as email attachments any more. (Neither of the above threats uses an "attachment" or even email.)

The above should NOT BE reason for anyone to be paranoid about infections; but you MUST keep your OS up to date with frequent (preferably automatic) updates, you MUST USE a good AV with CURRENT signatures, you should probably have AND USE REGULARLY at least one or two of the recommended "AntiSpyware" programs WITH CURRENT DATA FILES. Most importantly - you must be aware of "where you're at" on the web, and be alert on the web and after for any unusual "event" that might suggest that someone's trying to hurt you.

John
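A defender-side sweep for the two filenames the post above names, added here as an example and not part of the original post: it walks a directory tree with os.walk, which (unlike a default Explorer search) does not skip hidden or system entries, matches names case-insensitively as Windows does, and records size, SHA-256 and hidden/system attributes for each hit so the result can be checked against an AV vendor's Scob write-up. The root directory is whatever you pass in; the file contents used in testing are constructed.

```python
import hashlib
import os
import stat
import sys

# Filenames the post names as Scob indicators; matched case-insensitively
# because Windows filesystems are case-insensitive.
SCOB_FILENAMES = {"kk32.dll", "surf.dat"}


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_hidden_or_system(path):
    """True if the file carries the Windows HIDDEN or SYSTEM attribute; on
    platforms without st_file_attributes, fall back to the dotfile convention."""
    st = os.stat(path, follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))
    return os.path.basename(path).startswith(".")


def sweep(root, names=SCOB_FILENAMES):
    """Walk every directory under root. os.walk lists hidden and system entries,
    so nothing is skipped the way a default Explorer search would skip it.
    Returns one record per matching file; unreadable hits are still reported."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for fn in filenames:
            if fn.lower() not in wanted:
                continue
            full = os.path.join(dirpath, fn)
            try:
                hits.append({"path": full, "size": os.path.getsize(full),
                             "sha256": sha256_of(full),
                             "hidden_or_system": is_hidden_or_system(full)})
            except OSError as exc:
                hits.append({"path": full, "error": str(exc)})
    return hits


if __name__ == "__main__":
    for hit in sweep(sys.argv[1] if len(sys.argv) > 1 else os.getcwd()):
        print(hit)
```

Run it with the drive or directory to check as the only argument; an empty result means neither filename is present under that root.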