Welcome to The Funny/Alerts Newsletter. Anne and I have been SO busy this past week! Josh, my son, was supposed to arrive last Tuesday from L.A.; then Wednesday; then Thursday; FINALLY he gets here Friday morning. He'd arranged to take some time off (he works for LAPD communications) so that he could come up with my brother for Street Vibrations. That's a motorcycle show-n-shine in downtown Reno. He apparently bought a very nice custom hardtail (no rear suspension) that's the envy of all my brother's friends. Woody (Josh's uncle) 

===
GRINS & GIGGLES:
Everything you need to know about the demographics of American newspapers:

* The Wall Street Journal is read by the people who run the country.
* The New York Times is read by people who think they run the country.
* The Washington Post is read by people who think they ought to run the country.
* USA Today is read by people who think they ought to run the country but don't understand the Washington Post because it has long sentences and no graphs.
* The Los Angeles Times is read by people who wouldn't mind running the country if they could spare the time between facelifts.
* The Boston Globe is read by people whose parents used to run the country.
* The New York Daily News is read by people who aren't too sure who's running the country.
* The New York Post is read by people who don't care who's running the country, as long as they do something scandalous.
* The San Francisco Chronicle is read by people who aren't sure that there is a country, or that anyone is running it.
* The Miami Herald is read by people who are running another country.
* The Orlando Sentinel is read by people who think Mickey Mouse is running the country.

===
CYBERSPACE ALERT:
Win32.Nimda worm (Also known as W32/Nimda@MM)

Nimda.A is an Internet worm spreading via a number of different methods and exploiting several known vulnerabilities in Internet Explorer and IIS systems. It also works as a file virus infecting Win32 Portable Executable programs as well as files with extensions: html, htm, asp.

This worm may enter a system in the following ways:

via an HTML e-mail with a specifically constructed MIME header (that's email that looks like a web page)
by visiting a Web site hosted on an infected system
via open network shares
via unpatched IIS systems (both 4.0 and 5.0)

When a user views an HTML e-mail carrying the worm or visits an infected Web site, Internet Explorer may launch the attached program executing the Nimda.A code (from the program: readme.exe). This is due to the "Incorrect MIME Header" vulnerability in Microsoft Internet Explorer 5.01 and 5.5. 

CAUTION: Nimda makes irreversible changes to the system. Thus some of the utilities cannot restore settings to their original state (as before the infection) but will make brute force changes to the system that may cause unexpected system behavior after running the utilities. 

For a detailed description of this security hole and links to the appropriate patches, please visit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp bl

---
This latest worm spreads by email in the form of an attachment called README.EXE. Nimda (Admin spelled backwards) has been named a "super worm" because it has improved on its predecessors, Code Red and Sircam. It spreads in three ways: via email, through Web pages and across shared disks on networks.

Users of Microsoft Outlook and Outlook Express can become infected simply by clicking on the email, not even downloading and executing the attachment. The attachment has a malformed header which makes it appear to be a .wav or sound file. When Outlook or Outlook Express see the file as a sound file, it is immediately executed and Bingo, you're infected.

If you are using one of these email programs, you should disable the preview function by following these steps:

Outlook: Go to the View menu and click on Preview Pane to deactivate it.
Outlook Express: Go to the View menuj, choose Layout, and then de-select the checkbox by Show Preview Pane.

This worm can have as many as 16 different ways to propagate itself. One of the more unusual ways is for a web surfer to engage a web page and be lured into downloading an infected file. Nimda also uses Mailing API functions to read emails in the infected recipient's address book and send itself to the addresses it finds there. Finally, it propagates through local area networks by activating the "guest" user account which has no password and then adds itself to the Administrator group. It also creates a share to C:\ will complete access rights.

The worm leaves a lot of readme.eml, readme.nws, sample.eml and sample.nws files all over, many marked as system and hidden. It also creates load.exe in the windows systems directory - this is the actual operative virus that will continue to propagate the virus until removed. Once discovered, these files are no big deal; just delete them.

However, it infects many .exe files and seemingly without rhyme or reason for which ones are infected. It also infects many windows system exe's including mmc.exe. Nimda infects many .html, .htm files as well. These created and/or infected files all need to be deleted and replaced if needed.

In addition Nimda creates many infected copies of riched20.dll. These all need to be deleted and the "real" ones used by windows (word, wordpad, etc) replaced.

Nimda also creates a share C$ for the C: drive if one does not already exist. And most imporantly, it adds the user GUEST to the GROUP ADMINISTRATORS and then creates a share to C:\ with total access rights. Be SURE to go in and fix this immediately. (Remove GUEST from administrators and fix or remove the share if you do not use it.)

The virus fix programs (at least McAfee and Symantec) will NOT fix fix the C$ share problem or remove Guest from the Administrator Group. Go to the following pages for more detailed information on how to correct the problems caused by Nimda and prevent its return:

Panda Software - has a great set of tools and instructions on how to remove and prevent further infections.
TrendMicro - it's instructions are clear their tracking is up-to-the-minute.

If you have Norton or MacAfee now, make sure that you are updating your software frequently. That could be daily if you are using the internet often. Other options are to use different email programs from Outlook or Outlook Express. Options for alternate email software would be Eudora (my tool of choice) or Pegasus.

http://www.mcafee.com/

http://virus.pandasoftware.com/
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.A&VSect=T
http://www.eudora.com/
http://www.pmail.com/

---

PS
the "Vote" virus

W32/Vote@MM is a mass-mailing worm which can delete system files. It arrives with an email message containing the following information: 

Subject: Fwd:Peace BeTweeN AmeriCa And IsLaM !

Body:
Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace! 

Attachment: WTC.EXE 

When the attachment is run, two VBScript files are created, MixDaLaL.vbs and ZaCker.vbs. MixDaLaL.vbs is saved to the WINDOWS directory and run immediately. It overwrites all .HTM and .HTML files on all fixed and network drives with the text: 

AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You .

The hidden file attribute is also set on these files. 

ZaCker.vbs is created in the WINDOWS SYSTEM directory and a registry key is created to run this file at startup: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Norton.Thar=C:\WINDOWS\SYSTEM\ZaCker.vbs 

ZaCker.vbs contains instructions to delete all files in the WINDOWS directory, add a FORMAT C: command to the AUTOEXEC.BAT file (this action fails), display a message box containing the text "I promiss We WiLL Rule The World Again...By The Way,You Are Captured By ZaCker !!!", and exit Windows (this fails as well). 

Indications Of Infection:
- Overwritten .HTM and .HTML files
- Files missing from the WINDOWS directory and subdirectories
- Email correspondents telling you that you've sent them a virus when you did not knowingly do so

===
MEATSPACE ALERT:

===
TRUE STORY:

===
FUN SITE:

===
GREAT UTIL:
Stop the spread of pc viruses Here's a little trick you can use to stop the spread of pc viruses - Naturally this doesn't deal with the issue of the fact that viruses exist in the first place, but it does help you protect your Email software and contact list...
Create a contact in your email address book with the name !0000 with no email address in the details. This contact will then show up as your first contact. If a virus attempts to do a "send all" on your contact list, your pc will pop up an error message saying that: "The Message could not be sent. One or more recipients do not have an e-mail address. Please check your address Book and make sure all the recipients have a valid e-mail address."
You click on OK and the offending (virus) message would not have been sent to anyone.
Of course no changes have been made to your original contacts list. The offending (virus) message may then be automatically stored in your "Drafts" or "Outbox" folder. Go in there and delete the offending message. Problem is solved and virus will not spread. Try this and pass on to your email contacts.
This little trick can save a lot of trouble later, This also works with any name as long as there isn't an email address.
Point to make: Some email programs won't allow you to make a new contact without an email address associated with the name, so I create a fictitious address like !0000@novirus.com to apply to those email programs.

===
HARDWARE:

===
SOFTWARE:

===
(whatever):

===
QUICK WIT: