New HTML Viruses - (not yet) a serious threat...
by Kilen Matthews

In November 1998, a new family of Windows script viruses infecting HTML files was found.
One HTML virus, created by the Virus Information Center and released in early November 1998,
was built as a demo and does not present a large security risk... yet.

Central Command, the US and Canada Distributor of AntiViral Toolkit Pro (AVP), claimed its software lab in Moscow discovered the first HTML virus.

HTML stands for Hyper Text Markup Language and is the basic language of web pages.

The new HTML virus, officially named "HTML.Internal", is written in Visual Basic Script, which is capable of working with and producing "active content" on web pages, similar to JavaScript.

HTML.Internal is a non-destructive "concept virus", created to demonstrate that such a virus can be designed and implemented.

Three other HTML-infecting viruses had been discovered by the time HTML.Internal, also known as HTML.Prepend, appeared. Since then at least two dozen variants and copycat efforts have surfaced.

Most noteworthy is that HTML.Internal is the first virus of its type which does not simply overwrite or require a companion file.

Netscape and Windows 95 users probably safe

Because of the ActiveX controls that HTML.Internal uses, it infects users only via Microsoft Internet Explorer (MSIE) 4.0 or later releases and poses no risk to users of Netscape Navigator, Opera or other Web browsers.

On a Windows 95 or NT system, Windows Scripting Host (WSH) must be running to enable such an HTML virus to do its work.

WSH is installed by default with Windows 98 and is also available from Microsoft as a system enhancement to Windows 95 and Windows NT but is not installed by most users.

How you know you've been infected...

If you load one of the infected HTML pages, the status bar at the top of the screen will read
"HTML.Prepend/Internal."  and the following error message will pop up:

An ActiveX object on this page may be unsafe.

Do you want to allow it to initialize and be accessed by scripts?

YES             NO

Figure 1. Warning sign for HTML.Internal virus
Click on NO ... !

The default response is "No", but if the user clicks Yes, the Visual Basic script embedded in the page will execute.

Under the Hood / how HTML.Internal works

HTML.Internal is very picky under which circumstances it will do any infecting. First of all, you have to be offline. That's right, you can't get infected by this virus by browsing a live web page.

The virus first checks the protocol of the web page and stops executing if the protocol is not equal to the string "file:". The protocol is "file:" only when the page is loaded from a local disk rather than from a web server.

If the user then specifically gives the script permission to execute by clicking on the "Yes" button in the pop up warning box (see Figure 1. above), the HTML.Internal virus script attempts to replicate. It searches the local hard disk for any .htm or .html files in the current directory and all parent directories. These files are then rewritten with the virus code added to the beginning of each file.

HTML.Internal uses a VBScript module to "prepend" (insert at the beginning) its virus code into the host HTML file and utilizes the "OnLoad" event called in the HTML <Body> tag.

This method allows the virus to spread without affecting any other functionality of the infected web page files.
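A defender can turn the traits described above (VBScript placed ahead of the page's own markup, an ActiveX object, a "file:" protocol check, an OnLoad handler in the Body tag) into a heuristic scan of local HTML files. The following is an added example, not code from the article or from any antivirus product; the indicator names, the regular expressions and the use of CreateObject as the sign of ActiveX instantiation are assumptions, and both sample documents are constructed and inert.

```python
import re

# Heuristic indicators derived from the behaviour the article describes.
SCRIPT_RE = re.compile(
    r"<script\b[^>]*\blanguage\s*=\s*[\"']?vbscript[^>]*>(.*?)</script>",
    re.IGNORECASE | re.DOTALL)
HTML_TAG_RE = re.compile(r"<html\b", re.IGNORECASE)
BODY_ONLOAD_RE = re.compile(r"<body\b[^>]*\bonload\s*=", re.IGNORECASE)
CREATEOBJECT_RE = re.compile(r"\bCreateObject\s*\(", re.IGNORECASE)
FILE_PROTO_RE = re.compile(r"location\.protocol.{0,40}[\"']file:[\"']",
                           re.IGNORECASE | re.DOTALL)

def scan_html(text):
    """Return the sorted indicator names found in one HTML document."""
    found = set()
    html_pos = HTML_TAG_RE.search(text)
    for m in SCRIPT_RE.finditer(text):
        found.add("vbscript_block")
        # Prepending puts the script ahead of the page's own <html> tag.
        if html_pos and m.start() < html_pos.start():
            found.add("script_before_html")
        if CREATEOBJECT_RE.search(m.group(1)):
            found.add("activex_createobject")
        if FILE_PROTO_RE.search(m.group(1)):
            found.add("file_protocol_check")
    if BODY_ONLOAD_RE.search(text):
        found.add("body_onload")
    return sorted(found)

def is_suspicious(text):
    """Flag prepended VBScript that also instantiates an object."""
    return {"script_before_html", "activex_createobject"} <= set(scan_html(text))

# Constructed samples; MARKED is inert and holds no replication logic.
BENIGN = """<html><head><script language="VBScript">
Sub Greet() : MsgBox "hello" : End Sub
</script></head><body onload="Greet()">hi</body></html>"""

MARKED = """<script language="VBScript">
Sub Check()
  If location.protocol = "file:" Then Set o = CreateObject("Example.Placeholder")
End Sub
</script>
<html><body onload="Check()">original page</body></html>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("marked", MARKED)):
        print(name, is_suspicious(doc), scan_html(doc))
```

A legitimate page can use VBScript and an OnLoad handler on its own, which is why only the combination of a prepended script and object instantiation is flagged.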

Preventing Infection

This section should be called how to avoid enabling infection.

If you use MSIE 4.x or later and leave the default security settings alone, you don't have to worry. You will be warned before such a virus could run on your system and do any harm.

In order to be at risk, you would have to lower IE's default security level below "Medium". Don't do it.

Remember, this particular virus can only run offline, which means you CANNOT get it by surfing the web. Of course, there are no guarantees that the next generation of HTML viruses will have this limitation...

Protecting Yourself - from software viruses in general...

If an alert box pops up asking permission to execute a script that may be unsafe, your best bet is to click NO and deny permission for that script to run.

Remember, NEVER execute software that you get from an untrusted source - use well known download sites - and virus scan EVERY file you download.

The future of HTML Viruses

While these new web-aware viruses are not considered a threat at the present time and are not in active circulation, they signal a new advance in software virus development. The potential there is scary because they can theoretically spread and do harm without requiring any activating actions by a user beyond browsing a web page.

Visual Basic Script is a powerful language exploited by many web developers to make web pages highly interactive. The language could just as easily be used to destroy files, destabilize systems or even collect and steal files and data.

Netscape users probably won't be immune for long. JavaScript, which can run in Navigator as well as IE, can also be used to create mischievous code. So far, however, no JavaScript viruses have been found.

If the HTML viruses follow the normal pattern of other software viruses, we can expect to see them in more frequent and more nefarious forms.

The first stage is the theoretical test of the virus in controlled environments. Hackers and crackers with an agenda of making a political statement or just looking to make a name for themselves in the Hacker community are likely now vying to exploit this new hole in web browsers.

We'll keep you posted.

Kilen Matthews is an Internet and Year 2000 Consultant for Y2KEgypt LLC. He can be reached by email at kilenm@y2kegypt.com or at https://www.angelfire.com/ma/kilenm.