JS fortnight

Nel

I just had this worm, and got rid of it finally. I'm now afraid to go to
my 'Sent Messages' and 'Deletes', because I probably had it when I deleted
or on the sent messages. Will I re-infect my PC?
Thanks, anyone.....Nel
 
Nick FitzGerald

Nel said:
> I just had this worm, and got rid of it finally. I'm now afraid to go to
> my 'Sent Messages' and 'Deletes', because I probably had it when I deleted
> or on the sent messages. Will I re-infect my PC?

Unless you installed a sufficiently up-to-date _version_ of IE, its
latest service pack and possibly the latest post-SP cumulative update,
you almost certainly _will_ get re-infected by doing that.

Your news post suggests you are running a chronically outdated (and
non-updatable unless you run Windows 2000) version of IE & OE:

X-Newsreader: Microsoft Outlook Express 5.00.2615.200

You should get IE 5.5 SP2 at least, then apply all updates for it, or
(much as I hate to say this) "better" IE 6.0 SP1 and the latest
cumulative update.

(In the meantime you can set OE to be in the Restricted Sites security
zone -- Tools, Options, Security, look for the obvious setting -- and
then make sure that Restricted Sites is set to default _or stronger_
security settings. This is purely a stop-gap though, as it is likely
MS will provide security patch support for IE 6.0 longer than it will
for IE 5.5, so if you are going to make the 50-90MB of downloads needed
to obtain, install and bring right up-to-date either version, you may
as well spend that resource on IE 6.0...)

Also, the fact that your IE is so badly outdated means that either you
do not use Windows Update or at least you do not take some of the best
advice it offers you (basically, if WU says _any_ kind of patch, update
or version upgrade of IE is available, you should jump for it). If you
are not in the habit of using WU, then _after_ installing and updating
IE, start using it on a regular basis (like at least once a month!).
 
Zvi Netiv

Nick FitzGerald said:
> Unless you installed a sufficiently up-to-date _version_ of IE, its
> latest service pack and possibly the latest post-SP cumulative update,
> you almost certainly _will_ get re-infected by doing that.
>
> Your news post suggests you are running a chronically outdated (and
> non-updatable unless you run Windows 2000) version of IE & OE:
>
> X-Newsreader: Microsoft Outlook Express 5.00.2615.200
>
> You should get IE 5.5 SP2 at least, then apply all updates for it, or
> (much as I hate to say this) "better" IE 6.0 SP1 and the latest
> cumulative update.
>
> (In the meantime you can set OE to be in the Restricted Sites security
> zone -- Tools, Options, Security, look for the obvious setting -- and
> then make sure that Restricted Sites is set to default _or stronger_
> security settings. This is purely a stop-gap though, as it is likely
> MS will provide security patch support for IE 6.0 longer than it will
> for IE 5.5, so if you are going to make the 50-90MB of downloads needed
> to obtain, install and bring right up-to-date either version, you may
> as well spend that resource on IE 6.0...)
>
> Also, the fact that your IE is so badly outdated means that either you
> do not use Windows Update or at least you do not take some of the best
> advice it offers you (basically, if WU says _any_ kind of patch, update
> or version upgrade of IE is available, you should jump for it). If you
> are not in the habit of using WU, then _after_ installing and updating
> IE, start using it on a regular basis (like at least once a month!).

Upgrading IE/OE is good advice, but just upgrading wouldn't prevent JS.Fortnight.
Yesterday I removed it from IE/OE 6 SP1 with the latest cumulative updates
(November 03).

Regards, Zvi
 
Zvi Netiv

Nel said:
> I just had this worm, and got rid of it finally. I'm now afraid to go to
> my 'Sent Messages' and 'Deletes', because I probably had it when I deleted
> or on the sent messages. Will I re-infect my PC?

Possibly.

Fortnight is a simple worm that replicates by appending itself to outgoing
messages through a bogus HTML "default signature" file.

Removing this worm is straightforward and can be done manually. With OE open,
select Tools, Options, then 'Signatures'. You'll see that the default signature
points to an HTM file in the Windows directory. Note the name of the file,
remove the bogus default signature from OE settings and set the default to your
correct signature, if you use one, or leave it blank. Confirm and close the OE
options dialog box. Now find the file whose name you noted down and delete
it. Plain simple.

To assure that you don't reinfect yourself, disable the use of OE's preview
pane, through 'View', 'Layout', and clear the 'show preview pane' check-box.
*Previewing* an infected incoming e-mail is how you probably got infected. You
may now safely delete individual messages from your various boxes.

Lastly, upgrade IE/OE as advised by Nick. It won't help against JS.Fortnight,
but can spare a lot of grief from newer and recent threats.

Regards, Zvi
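The removal steps above boil down to one check: does the mail client's default signature point at an HTML file, in the Windows directory, that carries script? The following is an added example (not code from this thread or from any AV product) that automates that check over a set of signature entries. The signature-name-to-path mapping, the Windows directory location and the sample files are all constructed for the demo; on a real machine you would fill the mapping from the client's signature settings yourself.

```python
"""Audit mail-client HTML signature files for embedded script.

Added example, not from the thread.  A signature entry is flagged when the
file it points to lives inside the Windows directory or, for HTM/HTML files,
when the file contains script/applet/object markup that a legitimate
signature has no reason to carry.  All sample data below is constructed.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Markup that should never appear in a signature file.
SCRIPT_RE = re.compile(r"<\s*(script|applet|object)\b|javascript:", re.IGNORECASE)


def audit_signature(path: Path, windows_dir: Path) -> List[str]:
    """Return the reasons a signature entry looks suspicious (empty list = clean)."""
    reasons: List[str] = []
    if not path.is_file():
        return ["signature file is missing"]
    # A signature file has no business living in the Windows directory.
    if windows_dir.resolve() in path.resolve().parents:
        reasons.append("signature file lives in the Windows directory")
    if path.suffix.lower() in (".htm", ".html"):
        if SCRIPT_RE.search(path.read_text(errors="replace")):
            reasons.append("HTML signature contains script/applet/object markup")
    return reasons


def audit_all(signatures: Dict[str, Path], windows_dir: Path) -> Dict[str, List[str]]:
    """Map each suspicious signature name to its list of findings."""
    findings: Dict[str, List[str]] = {}
    for name, path in signatures.items():
        reasons = audit_signature(path, windows_dir)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample(root: Path) -> Tuple[Dict[str, Path], Path]:
    """Create a constructed layout: a clean text signature and a bogus HTM one."""
    windows_dir = root / "WINDOWS"          # assumed Windows directory
    windows_dir.mkdir()
    profile = root / "profile"
    profile.mkdir()
    good = profile / "sig.txt"
    good.write_text("-- \nNel\n")
    bogus = windows_dir / "constructed_signature.htm"  # constructed, not worm code
    bogus.write_text(
        "<html><body>Regards"
        "<script>/* constructed placeholder, no real payload */</script>"
        "</body></html>"
    )
    return {"My signature": good, "Default": bogus}, windows_dir


def demo() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        signatures, windows_dir = build_sample(Path(d))
        return audit_all(signatures, windows_dir)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Only the "Default" entry is reported, with both findings; the plain-text signature in the profile directory passes. Deleting a flagged file is still a manual decision, exactly as in the steps above.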
 
Nick FitzGerald

Zvi Netiv said:
> Upgrading IE/OE is good advice, but just upgrading wouldn't prevent JS.Fortnight.
> Yesterday I removed it from IE/OE 6 SP1 with the latest cumulative updates
> (November 03).

Yeah, well that depends a bit on what you accept is actually JS/Fortnight
and what various whacked out, pea-brained, inexperienced geeks who work in
various AV labs mis-classify as Fortnight...

The "real" JS/Fortnight variants depend on the (now _very_ old) MS VM
(Java) Exception vulnerability. Some dorks at one or more AV companies
have, more recently, classified what most AVs know as JS/Flea (and some
other clearly different malware) as Fortnight variants too (Flea, for
example, depends on the Incorrect Object Data Type vulnerability).

What these malware tend to have in common is that, to get on a victim's
machine, they depend on vulnerabilities in IE that give up "My Computer"
security zone access to code that really is in the Internet (or an even
more restricted) security zone. The "My Computer" security zone has
virtually no restrictions, so script code runs with virtually all the
privileges of the current user. Without prompting for such things as
permission to use ActiveX controls, added to the fact that "My Computer"
allows use of FSO controls, the initial scripts of these malware can
do everything useful for installing new software, modifying the file
system and registry and so on...

....

Anyway, in my initial post of describing what you have to do to fix
Fortnight I drew the line at pointing out that it _also_ depends on
what AV you have as some AVs incorrectly lump all manner of other,
unrelated stuff into their Fortnight detection.

Finally, I'll note that the VM patches may not (always and/or
depending on your OS) be available from Windows Update because of
ongoing legal battles between MS and Sun over "what Java really is"
and MS' alleged (cough!) anti-competitive tactics allegedly (cough,
cough!!) aimed at curtailing acceptance of Sun's "proper" Java.

In short, your best bet is to do all the Windows Update stuff _and_
specifically hunt out the latest MS VM install/update version and grab
and apply that, _THEN_ restart the machine and run WU again (just in
case there is an update for _that_ version of MS VM). (And, if you're
smart, you should probably then grab Sun's "real Java" and install and
enable it if you want/need Java support...)
 
Nick FitzGerald

Zvi Netiv said:
> Lastly, upgrade IE/OE as advised by Nick. It won't help against JS.Fortnight,
> but can spare a lot of grief from newer and recent threats.

Well, it should help against what some AV's call Fortnight that is
something else (like the recent JS/Flea.A -- is it NAV that started
calling it JS.Fortnight.D ???).

As explained in my longer response to another of Zvi's messages in this
thread, "real" Fortnight variants require a Microsoft VM upgrade which
may not be offered by Windows Update (depending on far too many things
thanks to the lawyers...).
 
Clay

Nick FitzGerald said:
> Well, it should help against what some AV's call Fortnight that is
> something else (like the recent JS/Flea.A -- is it NAV that started
> calling it JS.Fortnight.D ???).
>
> As explained in my longer response to another of Zvi's messages in this
> thread, "real" Fortnight variants require a Microsoft VM upgrade which
> may not be offered by Windows Update (depending on far too many things
> thanks to the lawyers...).

Heh...
http://www.microsoft.com/java
 
Nel

Thank you for all your answers. As you can see I'm not very clever when
it comes to the computer. I did update to OE 6 and I'll do the upgrades
also. I'll try all the things that have been written to me. Though I don't
understand some of it.
Housecall says there is one JS Fortnight they can't clean, but they did
clean about four yesterday. I must be re-infecting myself big time.
Thank you again very much.
...... Nel
 
Nel

Zvi, under Signature everything is gray except for New, nothing about HTM. I
clicked 'New', and there wasn't any signature. No name to delete?..
Thanks....Nel
 