TCS - Pop-ups Will Not Close? May be the NoClose Trojan

by Ira Wilsker
Golden Triangle PC Club
From the December 2002 issue of the I/O Port Newsletter

Have you been having a problem while on the web with annoying pop-up ads or pornographic websites that seem to open one after the other, and seem impossible to stop? Recently, several readers of this column, as well as several listeners of my weekly shows on KLVI (560AM, Tuesdays 6-7pm, Saturdays 1-4pm), have contacted me about just such a problem. What is also annoying is that while the problem has often been identified as the “JS.NoClose” or “VBS.NoClose” type of computer Trojan or worm, several of the major antivirus software publishers intentionally offer no protection against it, as they do not see it as a “legitimate” threat. Other than creating an infinite loop of aggravating pop-up windows containing ads or opening pornographic websites, which are sometimes impossible to close, these worms do not carry any other form of destructive payload. The code can be easily modified to automatically open another browser window when one is closed, prevent open browser windows from being minimized, or open a new browser window after a specific number of seconds have elapsed. NoClose can also change the default website opened when the browser is loaded, directing the user to a website that may or may not contain the worm.
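The three behaviors listed above (reopening on close, refusing to be minimized, and opening windows on a timer) leave recognizable traces in a page's source. The following Node.js script is an added example, not code from this article or from any NoClose sample; the rule names, the regular expressions, the onblur/focus() check used for the "cannot be minimized" behavior, and both sample pages are assumptions constructed for illustration.

```javascript
// Added example: heuristic static check for NoClose-style popup behaviour.
// Rule names, regexes and both sample pages are constructed for illustration.
const body = (m) => m[1] || m[2] || m[3] || m[4] || '';

// Names of functions declared in the page whose body calls window.open().
function openerFunctions(src) {
  const names = new Set();
  for (const m of src.matchAll(/function\s+(\w+)\s*\([^)]*\)\s*\{([^}]*)\}/g)) {
    if (/\bwindow\.open\s*\(/.test(m[2])) names.add(m[1]);
  }
  return names;
}

// True when a fragment opens a window directly or through a known opener.
function opensWindow(code, openers) {
  if (/\bwindow\.open\s*\(/.test(code)) return true;
  return [...openers].some((n) => new RegExp('\\b' + n + '\\b').test(code));
}

// Matches name="..." / name='...' / name = function ... } / name = identifier.
const handler = (name) => new RegExp(
  '\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|(function[^}]*\\})|(\\w+))', 'gi');

function scan(src) {
  const openers = openerFunctions(src);
  const hits = new Set();
  for (const m of src.matchAll(handler('on(?:before)?unload'))) {
    if (opensWindow(body(m), openers)) hits.add('reopen-on-close');
  }
  for (const m of src.matchAll(handler('onblur'))) {  // assumed anti-minimize trick
    if (/\bfocus\s*\(/.test(body(m))) hits.add('refuses-background');
  }
  for (const m of src.matchAll(/\bset(?:Timeout|Interval)\s*\(([^;\n]*)/g)) {
    if (opensWindow(m[1], openers)) hits.add('timed-popup');
  }
  return [...hits].sort();
}

const SAMPLE_BAD = ['<html><head><script>',
  'function again() { window.open("ad.html"); }',
  'setInterval(again, 5000);',
  '</script></head>',
  '<body onunload="again()" onblur="self.focus()">ad</body></html>'].join('\n');
const SAMPLE_OK = ['<html><head><script>',
  'function help() { window.open("help.html"); }',
  'setTimeout(function () { document.title = "ready"; }, 500);',
  '</script></head>',
  '<body><a href="#" onclick="help()">Help</a></body></html>'].join('\n');
console.log(scan(SAMPLE_BAD), scan(SAMPLE_OK));
```

A regex pass like this misses obfuscated or externally loaded script, so an empty result means "nothing obvious", not "clean".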

While first discovered almost a year ago as a simple JavaScript file, apparently from the Philippines, multiple variations now appear in both JavaScript and simple Visual Basic scripts. This code is sometimes embedded in websites by webmasters who may receive commissions for each window opened by the worm or for each ad that appears. The code itself is typically a very small part of the website it is hidden in, typically only about seven thousand bytes, and loads and executes almost instantly. This practice may be unethical as well as irritating, but I have been unable to find any reference claiming that it is illegal. What is frightening is that similar scripting invisibly embedded in a web page could contain (and in some cases has contained) a dangerous payload. At least five variants of the JavaScript NoClose have been identified, with suffixes from “A” to “E”. Other variants have been written in a similar Visual Basic script that can also be embedded into a website and not be apparent to the casual surfer, except when endless browser windows appear. Simply opening a website containing the questionable code can start the continuous loop of browser windows opening, which may only be stopped by shutting down the connection or turning off the power to the computer.

While most variations of NoClose disappear once the computer has been shut down, some versions may change the website that appears when the browser is loaded, starting the process all over again. If this happens, the solution may be as easy as changing the startup page. In Internet Explorer, click on TOOLS – INTERNET OPTIONS – and in the box labeled “Home Page” simply enter the address of the page desired. With Netscape and Opera, the process is somewhat similar. While this works on many computers which have been victims of NoClose, some types of the NoClose worm actually embed code in the Windows registry which automatically restores the illicit page as the “home page” opened when the browser is started. A vicious cycle has thus been created.

While some antivirus programs will not detect and kill NoClose, several will. The free online scan from TrendMicro, available at housecall.antivirus.com, may identify and remove some versions of NoClose. According to the Housecall website, just the “E” variant of NoClose has been detected on about 250,000, or about 2.4 percent, of the computers scanned by Housecall since May. The free utility Ad-Aware, downloadable from www.lavasoftusa.com, can also detect and kill some embedded versions of NoClose. While neither Ad-Aware nor Housecall can prevent future NoClose attacks, some firewall and pop-up utilities can identify and neutralize NoClose. Some users claim that they prevent NoClose by setting their browser security to a very high level and not allowing JavaScript to execute. While this may work, these same users often find that many other legitimate websites will not load or function, as they may also use such scripts.

Since many users have found pop-up ads annoying, some internet service providers are now offering some protection against unwanted pop-ups. A number of utilities are available to minimize the number of pop-up ads appearing while web surfing, many of which are free. Several can be found at http://tucows.exp.net/adkiller95.html.







Tulsa Computer Society 12/02/2002
Don Singleton, President