TEK THOTS


Electronic Newsletter


+-+-+-+ +-+-+-+-+-+
|T|e|k| |T|h|o|t|s|
+-+-+-+ +-+-+-+-+-+


TEK THOTS
Volume 4, Number 1
February 23, 1999
Published irregularly by Scott C. Holstad

=============================================================
Copyright Notice
Copyright (C) 1999  Scott C. Holstad
All enclosed material may be used for non-commercial purposes.
=============================================================

************************************************************************
DISCLAIMER
The views and analysis expressed in Tek Thots are the author's own, and do not
in any way reflect the views of EarthLink Network, Inc., the author's employer.
************************************************************************

CONTENTS

-- News/Editorial
-- PC Thots
-- Programming Thots
-- Web Development Thots
-- This Issue's Software-O-Rama
-- Stock Thots
-- Newbie Thots 
-- Privacy/Security Thots


=============================================================

News/Editorial
------------------

*	Hello, and welcome to another issue of Tek Thots.  Thanks to all of you who send it
info, be it fraud/hoax reports, new viruses, tips, or simple opinions - I appreciate it. 
I actually took some time off since the last issue and have kind of been "out of" the
technology world for awhile.  I also have had many health problems since the last issue,
so thanks for bearing with me.  Hopefully, then, some of the stuff here won't be too
dated.... 


*	Win98.  Yep, it's here.  So far, no one's buying, at least not in bulk.  No big
surprise there - it's basically Windows 95.5.  Still, I got a new computer recently and
had my choice of 95/98 and I went with 98 (yep, knowing that ALL first releases from
Microsoft are buggy betas).  I have to say, I've had no problems with it, and I'm even
happy about a few things.  It starts up faster and shuts down faster than 95, apps open
faster, and I'm having a MUCH easier time playing games in 98.  So far, so good.  Now,
should companies go out there and upgrade?  Not on your life!  It's nice for Joe User getting
a new PC, but there's nothing there to merit spending tons of cash to upgrade your
company. 


*	This *wonderful* (sarcasm intended) baby was taken straight from Zdnet....

Anti-spam forces take a loss in House subcommittee


By Will Rodger
08/06/98 08:22:00 PM

Groups opposed to the spread of unsolicited e-mail suffered another setback in the House
Thursday as the body's Telecommunications Subcommittee approved legislation to allow
purveyors of unsolicited commercial e-mail to target any e-mail address at least once
before being forced to stop. 

At the same time, the subcommittee quietly banned states from taking more restrictive
measures themselves. Members of the subcommittee were unanimous in expressing sympathy
for consumers and Internet service providers who may be inconvenienced by the flood of
commercial e-mail that courses through Internet pipelines each day. But they also said
commercial and, sometimes, free-speech considerations demand a go-slow approach to spam. 

"These are, in fact, particularly thorny questions to address because there are multiple
players involved," said ranking Rep. Edward Markey (D-Mass.). "In any regulation of the
Internet that this subcommittee passes, we must be careful to protect First Amendment
rights." 

Return address required

Under language passed Thursday, spammers would be allowed to send
commercial e-mail as they wished. Nonetheless, they would also be required to place a
notice within the mail noting its commercial purpose as well as the name, physical
address and return e-mail of the sender. 

Senders would also have to give an e-mail address for recipients to request removal from
their mailing lists. 

Ray Everett-Church, co-founder of the Coalition Against Unsolicited Commercial E-mail
(CAUCE), said the legislation nearly amounted to an endorsement of spam. 

Had the subcommittee required that spammers identify their messages in the subject lines
of e-mails, Internet service providers (ISPs) and consumers alike might have a chance to
filter it out of their systems automatically. 

Instead, consumers would be forced to read the e-mail to verify its content, he said. If
ISPs wanted to filter it out of their systems themselves -- an option suggested by
drafters -- their e-mail systems would likely slow to a crawl under the processing power
required for the task, he said. 

Difficult for ISPs

"It's going to be extremely difficult for ISPs to implement those
tagging and filtering requirements," he said. 

The issue is more than just an annoyance for hundreds of ISPs.  Spammers, who typically
single out individual ISPs in order to launch their waves of spam on the Internet, can
shut down entire mail systems for hours -- if not days -- at a time, sending out millions
of messages as they do so. 

In some cases, ISPs have lost hundreds of customers as a result of spam attacks by unethical spammers.


============================================================

PC Thots
-----------

*	Packard Bell NEC is leaving the Intel fold to go with Cyrix chips.  Could this be the
move AMD and Cyrix need to finally unseat Intel?  If not, it looks like the Justice
Department is more than willing to help them out.... 


*	Speaking of Intel, how about Andy Grove finally stepping down and Craig Barrett
stepping up?  Is this simply Grove getting out while the getting's good?  AMD and Cyrix
are catching up, the Justice Department is suing.  Makes ya wonder.... 


*	Wasn't it about a year or so ago that we saw NCs (Network Computers) being pushed as
the next great thing, and the product which would finally unseat Microsoft?  I believe I
said, back in some early issues of Tek Thots, that these would die horribly.  Well, you
know how much I love to say "I told ya so."  PCs are down below $900; NCs are up at
$1500.  Which moron thought this up anyway...?  What's appalling is that Sun is still
running ads all over television for them.  Seems like Sun's increasingly desperate. 


=============================================================

Programming Thots
-------------------------

*	God knows there are tons of UNIX vs. NT bits out there, but this is the first time I've
seen LINUX vs. NT
(http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-linuxvnt.html).  Check it
out.  It's not as thorough as I would prefer, but makes some interesting comments.


=============================================================

Web Development Thots
-------------------------------

*	The "Java Lobby" has produced a "JavaReady PC initiative" in which they're petitioning
OEMs to pre-install a "standard" Java environment in their machines before shipping them
(read: not Microsoft).  The petition, in part, reads: 

"Due to the importance of the Java platform and open standards, I firmly believe that it
is in the best interests of consumers and PC Hardware Vendors to provide a standard Java
environment on all new PCs. 

The pre-installation of a standard Java Runtime Environment (JRE) and the Java Plug-In on
PCs will provide consumers with the real Java support they need. This is beneficial to
businesses, consumers, developers, software publishers and PC manufacturers. 

I am asking that all PC Hardware Vendors respect open standards, consumer choice, and the
freedom to innovate by shipping JavaReady PCs." 

There are claims that Sun is NOT behind this movement, but - shockingly - Sun welcomes
the petition and, gee, thinks it's a darn good idea.  Personally, I think nothing will
come of it.  Having seen Microsoft's standard complete and total destruction of its
competition in the past, I have no reason to think that a movement not supported by, or
viewed as healthy by, Microsoft has a fighting chance. 


=============================================================

This Issue's Software-O-Rama
-------------------------------------

*	Believe it or not, I've gotten to know a lot of folks who are into genealogy and who
try out various genealogy programs, whether it be for forming a family tree or for
tracing a family's medical history, etc.  I've recently come across a cool program which
is for people interested in family medical history software.  It's called
HealthTrackerPC, produced by VitalWorks (http://www.vitalworks.com/).  It's an amazingly
robust program which allows one to track virtually everything anyone would ever want to
track regarding family medical records/histories.  Some of the features include tracking
dietary items, fitness issues, medications, illnesses, doctors, hospitals, insurance
companies AND claims, and so much more. It's GUI-based, you can create and print various
reports, and I believe it's freeware, which makes it all the better.  Check it out! 


=============================================================

Stock Thots
--------------

*	EarthLink has completed formalizing its alliance with Sprint, which is clearly a good
thing for both companies.  EarthLink looks like an increasingly solid company to hang on
to.  Meanwhile, rumors continue to persist about Mindspring being bought by one of the
big boys, even though they just bought Netcom.  Again, another good company to hang on
to.  Internet stocks in general have been all over the place, and as long as your heart
is up to it, it's a fun roller coaster ride. 


*	Apple certainly has turned it around, and while I consider it too little too late, it
looks like I was wrong about the Steve Jobs strategy - at least in the short term.  All
of my Apple friends are increasingly cheered up, so here's to the chance that a good
product might finally get some decent management in place, some much needed humility, and
a good marketing strategy.  I also will acknowledge being wrong for all of my Mac friends
- at least in the short term. 


*	SGI has been buying back 12.5 million shares of its stock, most of it to be used in
employee stock plans.  People are always asking me why SGI's stock price sucks.  Well,
their purchase of dead weight Cray didn't help any.  However, the company is planning to
spin off their MIPS division, a la AT&T/Lucent, in hopes of reviving its future.  BTW, I
got to go up to Lawrence Berkeley Labs recently, and I got to stand beside my first Cray
(in a room full of huge Cray-like machines).  This particular one, "T1," is allegedly
the world's 5th most powerful computer and the world's most powerful unclassified
computer.  Cool! 

=============================================================

Newbie Thots
-----------------


I wrote this article for a recent issue of Web Novice (http://webnovice.com/index2.html). 
Read on, oh newbie. 



Cyber-Sleuthing on the Net


So, you're going through the old high school or college yearbook and you run across a
picture on an old flame or perhaps your best buddy on the football team.  It's been
awhile, and you wonder what in the heck happened to that person.  Where are they living? 
What have they been up to?  What are they doing now?  Well, friends, you asked, and I'm
here to tell ya - turn to the Internet.  You might be surprised at how many resources
exist to aid in finding long-lost chums. 

First of all, please understand there is no central infohaus storing every single name,
address, telephone number and every other bit of information about every single person in
the universe.  There are, however, several mini-infohauses, and it's quite possible that
you'll find who you are searching for through these.  One of the first places to turn
used to be Four 11 (http://www.Four11.com/).  Now, when you go to that URL, you wind up
at Yahoo! People Search (http://people.yahoo.com/).  The site maintains more than 6
million pages of email and Web addresses for your perusal.  It's a pretty good resource
to find out if the person you're looking for has an email address, telephone number, etc. 

Another good people search engine is Who Where? (http://www.whowhere.lycos.com/),
recently purchased by Lycos for $133 million.  It indexes more than 9 million email
addresses, homepages, telephone numbers, and regular street addresses. 

I decided to try both out and see how they worked for me.  At last count, I have four
active email addresses and at least three extinct email addresses. Yahoo! People Search
found two active and two extinct ones. Who Where? found three active and two extinct
addresses, as well as a bunch of dynamic dial-up addresses which confused the heck outta
me.  Why in the world would something like that turn up? 

Well, sometimes you want more than email addresses; you want phone numbers.  Both of the
previously mentioned search tools will search for phone numbers as well as email
addresses.  I searched both for myself and nothing turned up, which was a relief, as I'm
unlisted.  In addition to these tools, there's a monstrously large directory boasting at
least 200 million telephone numbers taken from various White Pages around the country: 
Switchboard (http://www.switchboard.com/).  Obviously, unlisted/unpublished numbers (it
didn't find mine) generally won't be available, but Switchboard should be more than
sufficient to aid you in finding general info. 

(In all candor, it had been awhile since I've visited the Switchboard site.  The company
has branched out, and it's now in the business of competing with the others in providing
email searches as well.  However, I found it to be a big disappointment, as it only
found one email address for me.  I wouldn't advise using it for email searches.)

Back to telephone numbers.  There are other alternatives available to you as well. 
SearchAmerica (http://www.searchamerica.com/) is another enormous database, with over 220
million names and numbers, but it is a fee-based service (the last time I went there it
was 25 cents per page, via major credit card). The Ultimate White Pages
(http://www.theultimates.com/white/) may also be a help, as it's a compilation of a
variety of people search engines. 

Another possible way of finding certain people is to use an online alumni service for
finding old classmates.  One service, Now and Then (http://www.nowandthen.com/reunion/)
is a great resource for finding old high school chums.  Another similar service,
Classmates! (http://www.classmates.com/) indexes more than 15,000 high schools, making it
an additional great resource for this type of search.  However, note that you have to pay
for this one:  $20 for three years. 

Perhaps you don't want to find an old classmate, but a former military buddy.  The
Veterans Archive (http://www.wavenet.com/~beerborn/index.html) is a database designed to
help people find long-lost servicemen and women.  Nearly 15,000 people are entered in the
database.  The American War Library (http://members.aol.com/veterans/index.html) is
another site that provides information on more than 14 million vets.  Another good site
is The Lost and Found (http://grunt.space.swri.edu/lostfnd.htm). 

Sometimes you may have ... oh, "different" reasons for finding people.  (Like when you
want dirt on that uninsured driver who totaled your new car last weekend!) You have a
number of possibilities here.  Some include Worldwide Intelligence Network
(http://www.wincor.com/), V.E.S. Associates (http://www.aini.net/ves/), specializing in finding
"lost" people, Sheafer and Associates (http://pw2.netcom.com/~cr-guru/als.html),
Pellicano Investigative Agency Services (http://www.pellicano.com/), and others.  Many
of these services can be pricey, but we all have our reasons, eh? 

Finally, you may want to try the standard search engines.  Alta Vista
(http://www.altavista.com/) was able not only to find numerous references to me (76,
mostly articles, etc), but also one of my father - who has never even been on Internet! 
Looking for that long-lost love (or best friend or enemy, etc.) can be a time-suck.  But,
hopefully, with the aid of these Web services, you'll soon be reunited, sipping lattes
and exchanging Net gossip. 


=============================================================

Privacy/Security Thots
---------------------------

*	I keep getting Good Times virus hoax rip-offs.  The latest is "WIN A HOLIDAY."  Please,
folks, make sure you educate yourself and your colleagues about these hoaxes.  The hoaxes
themselves cause greater damage (lost man-hours, stress, rumors, unnecessary file
destruction, etc.) than if they were authentic viruses.  Read these messages carefully
and ponder as to their probability before sending them on to others.  Heck, look 'em up
while you're at it. 


*	A very disturbing piece of news for most of us.  This tidbit was passed around and
around; I'm assuming the source was Compuserve.... A Bavarian court convicted a former
Compuserve manager recently of spreading porno over the Internet, shocking industry
experts and raising concerns about the medium's future in Germany. The Munich district
court, ignoring a change of heart by the state prosecutor, convicted the former head of
the German division of the online service of distributing child pornography and other
illegal material over the Internet. "Even on the Internet, there can be no law-free
zones," the court said, handing down a 2 year suspended sentence to Felix Somm. "The
accused is not a victim. He abused the medium." The German government said it would
study the court's decision carefully. 

We've seen this sort of thing before, and every time it rears its ugly head, it seems
more disturbing.  Logistically, how in the world is any ISP going to be able to police
its members' content, even if it wanted to?  This medium simply doesn't translate well
into what the legal world is used to seeing, and I find it disturbing that a greater
attempt at educating the public isn't taking place.  Keep your eyes open for further
developments of this type. 


*	I was going to write on this topic, but this alert seems to do a pretty nice job on its
own, so I received reprint rights, and here we go: 


ISS Security Alert Advisory
August 6th, 1998


Cult of the Dead Cow Back Orifice Backdoor

Synopsis:

A hacker group known as the Cult of the Dead Cow has released a Windows 95/98 backdoor
named 'Back Orifice' (BO).  Once installed this backdoor allows unauthorized users to
execute privileged operations on the affected machine. 

Back Orifice leaves evidence of its existence and can be detected and removed.  The
communications protocol and encryption used by this backdoor have been broken by ISS
X-Force. 

Description: A backdoor is a program that is designed to hide itself inside a target host
in order to allow the installing user access to the system at a later time without using
normal authorization or vulnerability exploitation. 

Functionality: The BO program is a backdoor designed for Windows 95/98. Once installed it
allows anyone who knows the listening port number and BO password to remotely control the
host.  Intruders access the BO server using either a text or graphics based client.  The
server allows intruders to execute commands, list files, start silent services, share
directories, upload and download files, manipulate the registry, kill processes, list
processes, as well as other options. 

Encrypted Communications: All communications between backdoor client and the server use
the User Datagram Protocol (UDP).  All data sent between the client and server is
encrypted, however it is trivial to decrypt the data sent. X-Force has been able to
decrypt BO client requests without knowing the password and use the gathered data to
generate a password that will work on the BO server. 

The way that BO encrypts its packets is to generate a 2 byte hash from the password, and
use the hash as the encryption key. The first 8 bytes of all client request packets use
the same string: "*!*QWTY?", thus it is very easy to brute force the entire 64k key space
of the password hash and compare the result to the expected string. Once you know the
correct hash value that will decrypt packets, it is possible to start generating and
hashing random passwords to find a password that will work on the BO server. In our tests
in the X-Force lab, this entire process takes only a few seconds, at most, on a
Pentium-133 machine. With our tools we have been able to capture a BO request packet,
find a password that will work on the BO server, and get the BO server to send a dialog
message to warn the administrator and kill its own process. 

Determining if BO has been installed on your machine:
The BO server will do several things as it installs itself on a target host:

* Install a copy of the BO server in the system directory 
(c:\windows\system) either as " .exe" or a user specified file name.

* Create a registry key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices with the file
name of the server file name and a description field of either "(Default)" or a user
specified description. 

* The server will begin listening on UDP port 31337, or a UDP port specified by the
installer.  You can configure RealSecure to monitor for network traffic on the default
UDP 31337 port for possible warning signs. 

In order to determine if you are vulnerable:

1. Start the regedit program (c:\windows\regedit.exe).

2. Access the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.  Look for any
services that may not have been intentionally installed on the machine.  If the length of
one of these files is close to 124,928 (give or take 30 bytes) then it is probably BO. 

Recommended action: BO can be removed by deleting the server and removing its registry
entry.  If possible, you should back up all user data, format your hard drive, and
reinstall all operating systems and software on the infected machine.  However, if
someone has installed BO on your machine, then it is most likely part of a larger
security breach.  You should react according to your site security policy. 


Determining the password and configuration of an installed BO:

1. Using a text editor like notepad, view the server exe file.

2. If the last line of the file is '8 8$8(8,8084888<8@8D8H8L8P8T8X8\8'8d8h8l8', then the
server is using the default configuration.  Otherwise, the configuration will be the last
several lines of this file, in this order: 







Conclusion: Back Orifice provides an easy method for intruders to install a backdoor on a
compromised machine.  Back Orifice's authentication and encryption are weak, therefore an
administrator can determine what activities and information are being sent via BO.  Back
Orifice can be detected and removed.  This backdoor only works on Windows 95 and Windows
98 for now and not currently on Windows NT. 


----------

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert electronically.  It is
not to be edited in any way without express consent of X-Force.  If you wish to reprint
the whole or any part of this alert in any other medium excluding electronic medium,
please e-mail xforce@iss.net for permission. 

Disclaimer The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO warranties
with regard to this information. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this information. Any
use of this information is at the user's own risk. 

X-Force PGP Key available at:  http://www.iss.net/xforce/sensitive.html as well as on
MIT's PGP key server and PGP.com's key server. 

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force  of Internet
Security Systems, Inc. 
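
The password-hash weakness the advisory describes (a 2-byte hash of the password used
directly as the cipher key, and every client request starting with the fixed string
"*!*QWTY?") is small enough to work through end to end.  The following is an added
example, not ISS X-Force's tool and not part of the reprinted alert.  The hash function
and the keystream are stand-ins made up here for illustration, since Back Orifice's real
routines are not on this page; only the 16-bit key size, the fixed request header and the
fact that the server checks the hash rather than the password itself come from the
advisory.

```python
# Added example (not from the ISS advisory or the newsletter): a toy model of
# the weakness described in the alert.  The password hash and keystream below
# are stand-ins chosen for illustration; only the 16-bit key size, the fixed
# "*!*QWTY?" request header and the hash-only check come from the advisory.
import random
import string
from typing import Optional, Tuple

MAGIC = b"*!*QWTY?"     # fixed prefix of every client request (per the advisory)
KEY_SPACE = 1 << 16     # a 2-byte hash leaves only 65,536 possible keys


def password_hash(password: bytes) -> int:
    """Assumed 16-bit password hash (illustrative; not BO's real routine)."""
    h = 0x5A5A
    for b in password:
        h = ((h * 0x9E37) ^ b) & 0xFFFF
    return h


def keystream(key: int, length: int) -> bytes:
    """Assumed keystream: a 32-bit LCG seeded with the 16-bit key."""
    x = key
    out = bytearray()
    for _ in range(length):
        x = (x * 214013 + 2531011) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def bo_crypt(data: bytes, key: int) -> bytes:
    """XOR with the keystream; encryption and decryption are the same call."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_request(password: bytes, body: bytes) -> bytes:
    """What a client sends: MAGIC || body, encrypted under hash(password)."""
    return bo_crypt(MAGIC + body, password_hash(password))


def recover_key(packet: bytes) -> Optional[int]:
    """Try all 65,536 keys against the first 8 bytes of a captured request.
    64 bits of known plaintext against a 16-bit key: a false match is
    practically impossible, and the loop finishes in well under a second."""
    head = packet[:len(MAGIC)]
    for key in range(KEY_SPACE):
        if bo_crypt(head, key) == MAGIC:
            return key
    return None


def find_equivalent_password(key: int, seed: int = 1,
                             limit: int = 4_000_000) -> Optional[bytes]:
    """The server compares hash(password), not the password, so any string
    that hashes to the recovered key is accepted.  Hash random candidates
    until one collides; with a 16-bit hash that takes ~65,536 tries on average."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    for _ in range(limit):
        cand = "".join(rng.choice(alphabet) for _ in range(8)).encode()
        if password_hash(cand) == key:
            return cand
    return None


def crack(packet: bytes) -> Tuple[int, bytes, bytes]:
    """Captured request -> key -> a working password -> decrypted body."""
    key = recover_key(packet)
    if key is None:
        raise ValueError("no key restores the magic header; not a request of this kind")
    password = find_equivalent_password(key)
    if password is None:
        raise RuntimeError("candidate limit reached without a hash collision")
    return key, password, bo_crypt(packet, key)[len(MAGIC):]


if __name__ == "__main__":
    captured = build_request(b"s3cret", b"PING")   # constructed sample capture
    key, password, body = crack(captured)
    print(f"key=0x{key:04x} equivalent_password={password!r} body={body!r}")
```

The point the advisory makes is visible in `recover_key` and `find_equivalent_password`
together: the attacker never needs the real password.  Once the 16-bit key is known, any
colliding string works, and `build_request` with that string produces a byte-for-byte
identical packet, which is how X-Force could make a server pop a dialog and kill itself.
A real cipher would derive its key from the password with a large-output hash and would
not put a fixed, predictable header under the same key as the payload.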

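The advisory's three host indicators (a RunServices entry pointing at a file of about
124,928 bytes or at the default " .exe" name, and a UDP listener on 31337) can be applied
mechanically.  Here is an added example that does so over a REGEDIT4 export; it is not
ISS's code and not part of the alert.  The registry contents, the file sizes and the
listener list are constructed stand-ins for what regedit's "Export Registry File",
os.path.getsize() and netstat would give you on a real Windows 95/98 machine.

```python
# Added example (not from the ISS advisory or the newsletter): apply the
# advisory's three host indicators to an exported RunServices key.  The
# export, file sizes and listener list are constructed for the demo.
import re
from typing import Dict, Iterable, List

RUNSERVICES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
BO_SIZE, BO_SLACK = 124_928, 30    # advisory: about 124,928 bytes, give or take 30
BO_DEFAULT_PORT = 31337            # advisory: default UDP listener
BO_DEFAULT_NAME = " .exe"          # advisory: default server file name (leading space)

# Constructed REGEDIT4 export; backslashes are doubled as regedit writes them.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
@="C:\\WINDOWS\\SYSTEM\\ .exe"
"SysMon"="C:\\WINDOWS\\SYSTEM\\sysmon32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
'''

# Constructed sizes, standing in for os.path.getsize() on the suspect host.
SAMPLE_SIZES = {
    r"C:\WINDOWS\scanregw.exe": 27_200,
    r"C:\WINDOWS\SYSTEM\ .exe": 124_928,
    r"C:\WINDOWS\SYSTEM\sysmon32.exe": 124_940,
    r"C:\WINDOWS\taskmon.exe": 28_672,
}
SAMPLE_UDP_LISTENERS = [137, 138, 31337]    # constructed netstat -an (UDP) result

# "name"="data" or @="data" (the key's default value)
VALUE_RE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def parse_reg_key(reg_text: str, key_path: str) -> Dict[str, str]:
    """Return name -> string data for one key of a REGEDIT4 export."""
    values: Dict[str, str] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if not in_key or not line:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = "(Default)" if line.startswith("@") else m.group("name")
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        values[name] = data
    return values


def executable_path(command: str) -> str:
    """Strip arguments: keep everything up to and including the first '.exe'."""
    m = re.match(r"^(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def find_bo_indicators(reg_text: str, sizes: Dict[str, int],
                       udp_listeners: Iterable[int]) -> List[str]:
    """One finding per matching indicator; an empty list means nothing matched."""
    findings: List[str] = []
    for name, command in parse_reg_key(reg_text, RUNSERVICES).items():
        path = executable_path(command)
        if path.rsplit("\\", 1)[-1].lower() == BO_DEFAULT_NAME:
            findings.append(f"RunServices '{name}' starts BO's default file name {path!r}")
        size = sizes.get(path)
        if size is not None and abs(size - BO_SIZE) <= BO_SLACK:
            findings.append(f"RunServices '{name}' -> {path!r} is {size} bytes, "
                            f"within {BO_SLACK} of {BO_SIZE}")
    if BO_DEFAULT_PORT in set(udp_listeners):
        findings.append(f"UDP port {BO_DEFAULT_PORT} is listening (BO default)")
    return findings


if __name__ == "__main__":
    for finding in find_bo_indicators(SAMPLE_REG, SAMPLE_SIZES, SAMPLE_UDP_LISTENERS):
        print(finding)
```

Two caveats the advisory itself implies: the installer can pick any file name and any
UDP port, so the name and port checks only catch default installs, and the size check
catches a renamed server only while its configuration block keeps it within the slack.
Treat any hit the way the advisory says, as part of a larger breach, not as the whole
story.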

*	---------- Forwarded message ----------
From: Aleph One 
To: BUGTRAQ@NETSPACE.ORG
Subject: SSL Vulnerability

http://www.c2.net/products/stronghold/support/PKCS1.php

  Background

Recently, RSA Data Security notified C2Net Software of a potential vulnerability that
affects the SSL protocol. C2Net Software has developed a pre-emptive patch which is
implemented in the latest version of Stronghold 2.3. This document is intended to
address questions C2Net customers may have about the implications of that discovery to
their own site. 

  Technical information

   This vulnerability involves a chosen ciphertext attack discovered by researcher Daniel
Bleichenbacher at Bell Labs against interactive key establishment protocols that use
PKCS1, such as SSL.  This can result in the compromise of the session key used for a
particular session after repeatedly sending approximately one million carefully
constructed messages and observing the server's response. 

   Please see our press release and advisory for additional details.  RSA Labs brought
this attack to our attention and their site contains a more technical overview. CERT will
also issue a bulletin, as will a number of other web server vendors. 

  What does it mean?

   There is potential for a sophisticated user to be able to decrypt a recorded session's
session key and use that to obtain the data transmitted during that session if they have
access to a server they can use to send approximately one million carefully selected
messages to your server and see what errors it reports. Note that this attack has to be
repeated approximately a million times for each and every session that an attacker wishes
to compromise, because the server's private key remains uncompromised as a result of
this attack. 

  How can I tell if I'm being attacked?

   For each of the approximately 1 million or so messages necessary to attack a single
session, the following 3 lines will be logged in your ssl/error_log file: 

   1575:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207
   1575:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330
   1575:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259

   NOTE that this equates to about 300MB for an attack on a single session. Although
running out of space on the partition your log files are written to could definitely be
an indication, we suggest keeping an eye out for any unusual growth in the size of this
file. 

  What can I do to protect myself?

   This vulnerability has only been reported in a research environment and there have not
been reports of sites experiencing this attack outside of that. However, the publication
of this type of vulnerability may enable sophisticated users to implement it.  Customers
are urged to upgrade as a precaution to the latest version of Stronghold 2.3, which
supports this fix as of build 2010 for customers in the US/Canada, build 2051 for
customers elsewhere. You can determine which version you are running from the
output of httpsd -v.

  What other vendors/products are affected?

   All major vendors have announced that they are working on patched versions of their
web servers products to combat this potential vulnerability. This vulnerability is not
limited to web servers.  Products using SSL to do secure tunneling, for example, may also
be affected. 
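
The C2Net document tells you what the attack looks like in ssl/error_log but leaves the
watching to you.  The following is an added example, not C2Net's code and not part of the
forwarded message: it parses the SSLeay-style error lines quoted above (pid, error code,
library, function, reason, file, line) and counts complete three-line sequences per server
process, since one rejected PKCS#1 block produces exactly that triplet.  The log excerpt
is constructed, including the unrelated lines mixed in; the grouping by pid is an
assumption made here because the quoted format carries no timestamp or client address.

```python
# Added example (not C2Net's or the newsletter's code): detect a Bleichenbacher
# probe run from the ssl/error_log lines the advisory quotes.  The sample log
# is constructed; only the three error codes and their order come from the
# advisory text.
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# pid:error:code:library:function:reason:file:line
LINE_RE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<lineno>\d+)$")

# The three codes one rejected PKCS#1 block produces, in the order logged.
PROBE_SEQUENCE = ("0407006B", "04064072", "1408B076")
PROBES_PER_SESSION = 1_000_000   # the advisory's rough count for one session key


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one SSLeay error line into its fields; None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def count_probes(lines: Iterable[str]) -> Counter:
    """Count complete probe sequences per pid.  A lone 'block type is not 02'
    from a broken client counts for nothing; only the full triplet does."""
    progress: Dict[str, int] = {}
    probes: Counter = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        pid, code = rec["pid"], rec["code"].upper()
        expected = PROBE_SEQUENCE[progress.get(pid, 0)]
        if code == expected:
            nxt = progress.get(pid, 0) + 1
            if nxt == len(PROBE_SEQUENCE):
                probes[pid] += 1
                nxt = 0
            progress[pid] = nxt
        else:
            # out of order: restart, letting this line begin a fresh sequence
            progress[pid] = 1 if code == PROBE_SEQUENCE[0] else 0
    return probes


def assess(lines: Iterable[str], threshold: int = 50) -> Dict[str, object]:
    """Flag the log when complete probe sequences exceed what ordinary client
    bugs produce, and report how far a single-session attack has progressed."""
    per_pid = count_probes(lines)
    total = sum(per_pid.values())
    return {
        "probes_per_pid": dict(per_pid),
        "total_probes": total,
        "suspicious": total >= threshold,
        "session_progress": total / PROBES_PER_SESSION,
    }


def probe_triplet(pid: int) -> List[str]:
    """The three lines the advisory quotes, for a given worker pid."""
    return [
        f"{pid}:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207",
        f"{pid}:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330",
        f"{pid}:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259",
    ]


def build_sample_log(attack_probes: int = 2500) -> List[str]:
    """Constructed log: unrelated noise, one genuinely broken client (a single
    bad block), a truncated sequence, and an attacker hammering worker 1575."""
    lines = [
        "1580:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:212",
        "[Tue Aug 11 09:14:02 1998] [error] File does not exist: /usr/local/htdocs/robots.txt",
    ]
    lines += probe_triplet(1581)
    lines += probe_triplet(1582)[:2]          # never reaches 'bad rsa decrypt'
    for _ in range(attack_probes):
        lines += probe_triplet(1575)
    return lines


if __name__ == "__main__":
    print(assess(build_sample_log()))
```

At roughly 300 bytes per triplet, the advisory's 300MB-per-session figure falls out of
`PROBES_PER_SESSION` directly, which is why "the partition filled up" is a plausible
first symptom.  In production you would tail the file and reset the counters per time
window rather than count the whole file, and you would pair a hit with the web access
log, since these lines do not say who sent the bad blocks.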


*	Yet another disturbing piece of news. The World Intellectual Property Organization
(http://www.wipo.int/), whose copyright treaty the US Senate recently ratified, is pushing
"treaty" language that would make it illegal to reverse-engineer software to expose its
security vulnerabilities.  Um..., Dan Farmer would be out of business.  So would tons of
other security experts who crack code - and systems - for a living.  We're not talking
small potatoes here.  The penalties being proposed for violations run to fines of $500,000
to $1 million and imprisonment of 5 to 10 years!!!  If you'd like to see some of the other
New World Order treaties being thrown around, just go to
http://www.wipo.org/eng/iplex/index.htm. 


*	Most people know (or should know) that Macintosh viruses have been a pretty benign
field over the years.  In fact, until a year or two ago, there were only about 49 known
Mac viruses, all old, all catchable by Disinfectant.  However, over the past couple of
years, the Macs have been getting some of the macro viruses, which do virtually nil and
really amount to not too much of a big deal.  Until now.  Seems there's a new one - a
real one - making the rounds, first seen in Hong Kong.  Called "AutoStart,"  this virus
(actually a worm) adds invisible files to every disk partition and periodically causes
extensive disk activity (and even network activity if mounted).  Files, often graphics
files, will be overwritten with random data.  A machine usually needs QuickTime 2 or
later to get infected and spread it.  Still, there are easy ways to guard against it and
eliminate it.  (I'm stealing much of this from
http://www.macintouch.com/hkvirus.html#description with many thanks.)

Symptoms

The worm has numerous symptoms that make it reasonably easy to identify:

     1) The system unexpectedly restarts after mounting a diskette or other
     volume. This will only happen when the initial infection occurs.

     2) The "DB" application name flashes briefly in the menu bar when a disk
     is mounted.

     3) The presence of an invisible application file named "DB" on the root
     of disk volumes, or the invisible "Desktop Print Spooler" file in the
     extensions folder. Any file or disk utility program (such as ResEdit)
     that shows invisible files in its file selection dialogs can be used to
     check for the files. Be sure not to confuse the legitimate "Desktop
     Printer Spooler" file with the worm.

     4) A process named "Desktop Print Spooler" is found (use Process Watcher
     or Macsbug).

     5) Extensive, unexplained disk activity every 30 minutes.

Prevention

     The risk of infection can be effectively eliminated by manually disabling
     the AutoStart option in the QuickTime Settings Control Panel. This will
     not help if the system is already infected.  It will also not prevent
     an infected Mac from creating the invisible "DB" files on any
     partitions you share with them on a network.

     Versions of QuickTime prior to 2.5 do not seem to have a way to
     disable autoplay.   You should disable QuickTime or upgrade to a
     recent version if you have an old release.

     Note: recent versions of QuickTime also have an "Enable Audio CD
     AutoPlay" option.  This option can be left on.  Note that disabling
     the autostart feature does not have any effect on the normal operation
     of QuickTime, and it can be safely turned off.

Removal & Recovery

     Most of the major anti-virus developers have prepared updates to their
     software.  The remaining vendors will undoubtedly have updates soon.
     Users are *strongly* encouraged to run current, up-to-date anti-virus
     software, and to regularly incorporate vendor-supplied updates.

     In the absence of such software, you can remove the virus using the
     following steps.  However, you will need to restore damaged data files
     from backups (you *do* make regular backups, don't you?).

     1) Reboot your system with extensions off.  (Reboot while pressing the
     shift key.)

     2) Start the Apple "Find File" utility.  Use it to search all volumes
     for files whose name is exactly "DB" and which are invisible.  (To
     select for visibility, hold down the option key when clicking on the
     "Name" pop-up menu; use "more choices" to select both search
     criteria.)  Drag found files from the Find window to the trash.

     3) Search again, for the "Desktop Print Spooler" file.  Delete it
     also.  (Be sure to NOT delete the legitimate "Desktop Printer
     Spooler"!!).

     4) Empty the trash.

     5) Open the "QuickTime Settings" control panel and disable autostart
     unless there is some significant reason you need it.

     6) Restart.


Also, Dr. Solomon's, SAM, and Virex claim to have working AV code for this virus for both prevention and elimination.  So, you few Mac-heads who read this rag, be aware of this one going around and take the appropriate precautions.


*	Tek Thots AV Scanning Results:

PRODUCT                                    Number Caught (out of 200)    %

Anywhere AV                                199                           99.5%
Dr. Solomon's FindVirus (7.68)             199                           99.5%
F-PROT (v. 2.24c)                          198                           99%
Sophos Sweep                               196                           98%
Leprechaun                                 196                           98%
ThunderBYTE (Tbav for Windows 95 v7.06)    195                           97.5%
Invircible                                 195                           97.5%
Norton AntiVirus                           195                           97.5%
McAfee VirusScan 95 (2.01.218)             194                           97%
IBM Antivirus                              192                           96%



=============================================================

SUBSCRIPTION INFO

To Subscribe:  Send email to sch@well.com.  In the subject line, write "subscribe tek
thots."  In the message area, write your email address. 

To Unsubscribe:  Send email to sch@well.com.  In the subject line, write "unsubscribe
tek thots."  In the message area, write your email address. 


At this point and until further notice, the email list will be handled manually.

=============================================================

Online versions of this electronic newsletter will be archived at:
http://www.well.com/user/sch/tekthots.html. 


Copyright (C) 1999  Scott C. Holstad
ASCII Tek Thots logo courtesy Teri Osato



