Forwarded from: William Knowles <wkat_private>

http://www.upi.com/view.cfm?StoryID=20030102-022005-9599r

By Anwar Iqbal
United Press International
From the Science & Technology Desk
Published 1/2/2003 2:54 PM

WASHINGTON, Jan. 2 (UPI) -- The India-Pakistan conflict has entered the cyber realm as hackers across the subcontinent have infected hundreds of thousands of computers in more than 100 countries on New Year's Day and the virus is spreading.

South Asia's two nuclear rivals have been fighting each other since their independence from Britain in 1947. They have fought wars in the air, on the ground and in the sea. When the Internet arrived, it quickly became yet another arena of conflict.

Last summer, when a terrorist attack on the Indian parliament brought more than a million troops to the border, Pakistani hackers attacked the official site of the Indian defense ministry. They inserted messages proclaiming independence for the Kashmir region, a Himalayan valley under dispute between India and Pakistan for 55 years.

This was not the first hacking bout between the two rivals, however. Both sides had engaged in this behavior previously.

The latest virus attack has arrived with a warning for the Pakistani hackers: "Your days are over, now it is our turn to show that 'My India is great' ('Bharat mahan hai,' in Hindi)."

The message continues: "Want peace and prosperity in India? Then (trash) corrupted politicians."

It also warns politicians: "Talent and hard work should be respected. Self-styled (expletive) must be eliminated. No more (expletive) monopoly."

The message includes an e-mail address -- qphat_private -- and a mailing address in New Delhi.

Infected computers are automatically directed to an official Web site of the Pakistan government. Its virulent spread has enabled thousands of machines with the code to conduct a distributed denial-of-service attack aimed at the homepage of the Islamic Republic of Pakistan at pak.gov.pk.

On Tuesday, the virus forced one Pakistani official site, infopak.gov.pk, to suspend service.

An earlier message also challenged G-Force, a group of Pakistani hackers, to match the "intelligence and expertise" of the Indian hackers.

The G-Force hackers, who reportedly operate from Lahore, Pakistan, had claimed responsibility for attacking the official site of the Indian defense ministry in the summer.

"Come & work with us" against "the G-Force-Pak shiites," the message urged Indian hackers.

Also earlier this week, e-mail management firm MessageLabs gave the new virus, dubbed W32/Yaha.M, the No. 2 spot on the list of the most virulent computer viruses.

The first copy of the virus was detected June 15 in an e-mail from Kuwait. Most copies now being stopped are coming from Egypt, Saudi Arabia and the United Kingdom.

The e-mail messages, which are about 45-47 kilobytes in length, try to lure the receiver to download "sexy screensavers." Some messages offer "love partners" and chatting "opportunities" with members of the opposite sex.

"Enjoy this friendship Screen Saver and Check your friends circle," the message says.

"Send this screensaver to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a circle of friends," it advises.

Most of the senders have South Asian names. The early senders had female names such as Savera, Madhuri and Rekha that seem to have been borrowed from India's Bollywood movies.

South Asian names still dominate but now the senders have both Muslim and Hindu names and some IP addresses can be traced to both sides of the India-Pakistan border.

When a receiver opens an infected file, the virus quickly spreads through the system.

A distributed denial-of-service attack floods a Web site with user requests, overwhelming the server and locking out site visitors.

It enters Internet Explorer and installs itself as the default homepage with addresses that lead to either hirosh.tk or hackers.com, but it does not seem to affect Netscape.

Every time users click Internet Explorer, they are automatically led to one of the two sites.

The default action can be suspended temporarily by going to the security setting and placing the two addresses in the restricted sites.

Because a hacked system does not allow access to Internet options, a user can go there through pop-up ads that still appear in the Internet Explorer window.

Although the two addresses reappear as the default home page every time a computer restarts, this temporary relief allows a user to download antivirus software.

The Yaha virus, which is also spelled Yahaa, is a mass mailer that sends itself to all e-mail addresses in the computer's Microsoft Windows Address Book, MSN Messenger List, Yahoo! Pager list, and ICQ list. It disables some anti-virus and firewall programs.

All anti-virus programs currently have up-to-date definitions to protect against Yaha or Yahaa.

Those who use Norton Anti-Virus tools can download removal instructions from sarc.com.

If the worm has run already, the user first must reverse the change it effected. If the worm has not run:

-- Configure Windows to show all files.

-- Copy Regedit.exe to Regedit.com (in most cases).

-- Edit the registry and reverse the change that the worm made.

-- Update the virus definitions, run a full system scan, and delete all files that NAV detects as W32.Yahaa.E.

Computer users without antivirus protection can go to bitdefender.com for a free removal tool.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

-
ISN is currently hosted by Attrition.org