I learned about this situation, and before I could get this article into the I/O Port Newsletter.

There are indications that some brain-damaged person may have come up with something like a virus that can damage your system just by browsing a web page on which it has been installed.

Technically a virus is software that replicates and spreads itself without the user knowing it, and then later damages the system, so this is really more like a Trojan Horse, which relies on the unsuspecting user to do something to permit them access (like bringing the Trojan Horse inside the walls of Troy) but the potential for damage is there, none-the-less.

I just checked out the Virus Sites we have listed on http://www.tcs.org/software.htm#VIRUS and could not find anyone that had this Trojan Horse listed, but someone from another user group that I consider responsible reported:

"Recently, a local user received an unsolicited e-mail message that contained a link to a website. The message was written in a manner that appealed directly to the user's interests, and he didn't think twice about following up on it. What happened next was a real-life example of what could happen to any user who access a site containing damaging elements. Here's what he said in his own words:

"I clicked on a link in an e-mail ... (that) looked legitimate so I thought I would take a look. ... When I got to the website, it was a rather normal looking. Had a black background and the word "ENTER" written in blue in the center of the screen. Naturally I clicked on ENTER. In 5 seconds or less, 40 or more MSIE explorer windows were opened. Before I could react a rather nasty Java alert messaged popped up. What it said I cannot repeat here, but suffice it to say it indicated that my hard drive was doomed."

His attempts to shut down MSIE by activating the Close Program dialog box (CTRL+ALT+DEL), were unsuccessful. Within that, there were many entries for MSIE which he could not terminate as fast as they were being generated. Eventually, his system froze with the blue screened "Invalid Page Fault". When he did reboot, it wouldn't come up even in Safe Mode."

In an article "HTML Virus Harmless -- So Far" on TechWeb (http://www.techweb.com/wire/story/TWB19981110S0018) Andy Patrizio says "the latest -- and potentially most dangerous -- threat to Internet users is a Web-based virus that enters computers just by visiting a Web page." Andy reports that Keith Peer, president of Central Command, the U.S. distributor of AntiViral Toolkit Pro said "source code for HTML.Internal has already been posted on the Internet and undoubtedly will be used for some malicious purpose in the future. HTML.Internal works with only Microsoft Internet Explorer and Internet Information Server on the back end. In an all-Netscape environment, users are safe from the ill effects of the virus." This is because Microsoft expanded on the Java spec and allowed Javascripts and Active X to access anything on the hard disk, rather than being restricted to the "Java Sandbox".

The TechWeb article said they thought that MSIE should be safe as long as you were running with Medium Security, but the report I received indicated that problems were experienced with a system set at Medium Security, so until we get a better handle on things like this, I would recommend that people set their systems for High Security.

In IE4, click on View, then Internet Options, then select the Security tab, and set the radio button for Internet Zone to "High (most secure), Exclude content that could damage your computer." Medium says to warn users before running potentially damaging content, but people are too likely to just say "go ahead" and do it because they want whatever the screen offers. If you are reluctant to set your security to High, because there is some site you like to visit that requires a lower security setting, you can click the dropdown arrow on the box labeled Zone, and select Trusted sites zone, and set the security level for that zone whereever you want, and then click Add Sites and add the URL for any site you truly Trust (click off the check mark on "require server verification (https) for all sites in this zone unless all of the URLs you are adding use https:// rather than http://). But for all other sites, i.e. for the "Internet Zone" please set your security to HIGH.

The TechWeb article I sited refers to a statement made by a member of the Computer Emergency Response Team (CERT), which minimizes the potential problems posed by Back Orifice (see another TechWeb article at http://www.techweb.com/wire/story/TWB19980804S0015 for Back Orifice). Sophos thinks so little of the danger posed by Back Orifice that they lump it in with "virus hoaxes and scares" (http://www.sophos.com/virusinfo/scares/backorifice.html), which is astonishing since they clearly recognized it exists, because they said that they assume no well-informed administrator will want to allow its tools to be used on their network, and Symantec was concerned enough about it to publish Information on Back Orifice and NetBus (http://www.symantec.com/avcenter/warn/backorifice.html), and they recommend on http://www.symantec.com/avcenter/ to Download protection against the Back Orifice tool. Microsoft has acknowledged one particular problem with IE 4.01 referred to as Untrusted Scripted Paste, Cuartango Vul. (http://www.ciac.org/ciac/bulletins/j-011.shtml and http://support.microsoft.com/support/kb/articles/q169/2/45.asp), and there is a patch available at http://www.microsoft.com/windows/ie/security/?/windows/ie/security/paste.htm but while I have no problem with users installing that patch, I would not recommend dropping their Security levels just yet, until we see whether there are other potential threats out there, because, in my opinion, it is still possible to write nasty Active-X controls and use the extended JavaScript to do naughty things to a viewer's system.

So far none of the virus protection sites have acknowledged a known site with a dangerous version of the HTML.Prepend virus, also known as HTML.Internal, but more and more they are at least discussing the subject. Symantec says on http://www.symantec.com/avcenter/venc/data/html.prepend.html that the HTML.Prepend virus is a Windows script virus that will replicate by appending Visual Basic Script to other HTML files. This virus is not the first HTML virus, but the third known HTML virus, all of which are written by the same author.

They say that in order for the virus to infect, the virus requires Internet Explorer 4.0 or greater or a Visual Basic Script capable browser. The virus targets any file with a HTM or HTML extension in the current or parent directories. They suggest that you can not get infected with this virus by browsing an infected web page via the Internet, because the infected file must be viewed locally. This requires one to download or save an infected HTML file onto their local machine and then load that infected file into a Visual Basic Script capable browser with the appropriate security settings disabled.

Data Fellows talks about Strange Brew (http://www.datafellows.com/v-descs/sbrew.htm) as being the first virus to infect Java files. They say itt is unable to infect or spread from Java applets which are execute over the internet. However, it is able to spread from Java applet to another if executed locally with a tool like Java Appletviewer.

However with so many different sources acknowledging that it is possible for a local HTML virus to spread, and with the number of people currently working on expanded Java, J++, and Active X applications, it seems to me that we should not let our guard down. Accordingly my recommendation that IE4 users set their Security to High for any but the known "trusted" web pages.

In addition to the possibilities discussed above about an HTML virus, there are also a number of viruses out for Microsoft Word files (which hide in macros), as well as some for Microsoft Excel macros, and at least one for Access, so readers are urged to check out http://www.tcs.org/software.htm#VIRUS. Although these viruses are real, there are also a number of Virus Hoaxes, such as claims of viruses infecting email messages with particular strings, and these are also covered in the http://www.tcs.org/software.htm#VIRUS links.

For more information on the Tulsa Computer Society click here