1999

Computing Infrastructure Support (CIS), CIS Computer Help Desk
Warning: Y2K Poses a Tempting Timetable for Launching Computer Viruses

The Department of Energy's Computer Incident Advisory Capability has relayed a warning from the FBI that "January 1, 2000, presents an appealing launch date for viruses. We assess the likelihood of malicious code incidents during the Y2K transition as high."

The advisory continues: "We have received reports of estimates that Federal, State, and local law enforcement officials have identified upwards of 30,000 malicious code threats from hackers and virus writers on or around January 1, 2000. In addition, we have received reports of virus writers planning to take advantage of the Y2K rollover by releasing new viruses. Some of these virus writers plan on writing viruses that will be triggered by Y2K dates or viruses disguised as Y2K-related problems.

"Individuals are using the Y2K hype to spread hoaxes about system vulnerabilities and to spread Trojans (programs with hidden, usually malicious capabilities). In one example, computer users received a program named Y2KCount.exe which purported to be a free utility, but actually contained a program designed to surreptitiously install a back door onto the victim's system."

Lab employees who use the lbl.gov server for their email will be protected against most viruses by the Lab's anti-virus applications. Employees can further protect their machines by downloading the latest anti-virus software.

The Virus Research Community has identified certain viruses which have payloads specific to the Year 2000 rollover. The following is a representative list, but not a comprehensive one:

W97M/MARKER (Marker) is a macro virus with a high to medium risk. Due to Marker's numerous variants and its destructive capabilities, the virus industry has rated Marker the most dangerous at this point. It is currently rated as one of the most frequently reported viruses throughout the United States. Besides having destructive payloads and recording victim logs, the Marker virus has the unique feature of attempting to silently shell out to a DOS box and execute a batch script. This action enables the virus to FTP (transfer a file) to a specified IP address.

W97M/MMKV.A (MMKV) is a macro virus posing a medium risk. In the year 2000 the virus's payload will deploy several delete commands that try to remove all the files in the root directory of an infected system. After deleting the system files, a message will be displayed with: "MK - Words By MMK 1999" and "Welcome to Y2K."

W32/Fix (FIX) is a Win32 virus of medium risk. When the attachment is executed, the file copies itself to the Windows/System directory and makes several stealth changes to the user's registry keys so that the intruder can attempt to access the victim's mail client. The user will then see a message that reads: "Your Internet connection is already Y2K, you don't need to upgrade it."

Count2K (Y2Kcount) is a Trojan horse-type virus with medium risk. This Trojan normally arrives attached to an email purporting to come from Microsoft. The email has six attachments, including "Y2KCount.exe", that are loaded into the operating system. The purpose of this Trojan appears to be to intercept username and password information and presumably pass the captured information on to the Trojan's author.

W32/ska (Happy New Year) is a Win32 virus, also of medium risk. The Happy New Year virus was released last year for the 1999 calendar rollover. Experts believe the hacking community will write a variant of the virus program adapted to the Y2K rollover.

Millennium v2.0 (Millennium2) is a Trojan horse-type virus of low to medium risk. Millennium v2.0 is a Trojan very similar to Back Orifice, but with a much nicer graphical user interface (GUI), even compared to NetBus. One major difference is that Millennium is more difficult to detect and remove.

W97M/Chantal (Chantal) is a macro virus with low risk. The Chantal virus will attempt to intercept the macro viewing commands in order to mask its presence. On January 1, 2000, or the 31st of any month, the virus's payload will activate. The purpose of this virus is to delete files in the current and root directory and display the message: "Mark says...Chantal B. 4ever!"

While each of these viruses may not pose a significant threat individually, the collective impact on the information and telecommunication infrastructure could be severe for limited periods. The time of greatest concern would not necessarily occur precisely at the Y2K date rollover, but would probably occur on January 3, 2000, when people, returning to work in significant numbers, would reboot their systems or retrieve their email, thereby activating and propagating preprogrammed virus payloads.
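As an added illustration of the kind of mail-side check the advisory's Count2K description suggests (this is example code written for this page, not a Lab or vendor tool): the script below parses a message, lists its attachments, and flags the pattern described above, namely a sender claiming to be Microsoft, several attachments, and an executable among them, in particular the Y2KCount.exe name quoted in the advisory. The rule thresholds and the sample message are constructed assumptions, not captured samples.

```python
import email
from email import policy
from email.message import EmailMessage

# The Y2KCount.exe name comes from the advisory; the suffix list is an assumption.
KNOWN_BAD_NAMES = {"y2kcount.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".vbs", ".scr", ".pif")

def attachment_names(msg):
    """Return the filenames of every part that carries a filename (the attachments)."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]

def assess_message(raw):
    """Score a raw RFC 822 message against the Count2K pattern: a sender claiming to be
    Microsoft, multiple attachments, and an executable (especially Y2KCount.exe) among
    them. Returns the list of reasons the message was flagged; empty means nothing matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = attachment_names(msg)
    reasons = []
    sender = str(msg.get("From") or "").lower()
    if "microsoft" in sender:
        reasons.append("sender claims to be Microsoft")
    for name in names:
        lower = name.lower()
        if lower in KNOWN_BAD_NAMES:
            reasons.append(f"known Trojan attachment name: {name}")
        elif lower.endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"executable attachment: {name}")
    if len(names) >= 6:  # the advisory's Count2K mail carried six attachments
        reasons.append(f"{len(names)} attachments")
    return reasons

def build_sample():
    """Constructed sample modelled on the Count2K description (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Y2K Team <y2k@example.com>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Free Y2K countdown utility"
    msg.set_content("Install the attached utility to verify your system is Y2K ready.")
    for fname in ["readme.txt", "Y2KCount.exe", "setup.dat", "license.txt", "logo.bmp", "faq.txt"]:
        msg.add_attachment(b"\x00constructed", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_string()

if __name__ == "__main__":
    for reason in assess_message(build_sample()):
        print("FLAG:", reason)
```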