W32.Ukuran.Worm attacks FoxPro DBFs
The W32.Ukuran.Worm, currently running wild in Vietnam, attacks FoxPro data files by truncating them and replacing them with spam data, according to the Bach Khoa Internet Security firm. An estimated 50,000 computers are infected or at risk.
What I find interesting about this article is that it appears there are quite a lot of FoxPro programs floating around in Vietnam! But why is there only 1 signature on MasFoxPro?
Anyway, the moral is (as it always is): make and keep reliable backups. I’ve got into the habit of dumping my tables to CSV (COPY TO filename TYPE CSV) as well as physically copying them as part of my backup routines (this is in addition to the normal backup software that runs on my client’s servers). The CSV file allows me to recover data that might otherwise be lost due to some extremely damaged file that can’t be recovered by other means. I’ve never needed to go back to the CSV, though.
The other moral is to keep your virus files up to date!
I'm a Quant Technical Specialist (Data Warehousing and Business Intelligence), with expertise in business analysis, data modeling, and data integration. I have extensive experience developing vertical and integrated desktop, Internet, and BI applications spanning municipal, clinical, and financial industries.
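Because the worm is reported to truncate DBFs and replace them with spam data, a backup routine like the one above benefits from a sanity check before a fresh copy overwrites an older good one. The following is an added example, not code from the original post: it compares each table's size on disk with the size declared in the standard DBF header. The function names and the sample table are constructed for illustration.

```python
import struct, tempfile
from pathlib import Path

# First 12 bytes of a DBF header, little-endian: version, last update (YYMMDD),
# record count, header length, record length.
HEADER = struct.Struct("<B3sIHH")

def check_dbf(path):
    """Return (ok, reason): does the file size match what its header declares?"""
    path = Path(path)
    size = path.stat().st_size
    with path.open("rb") as fh:
        raw = fh.read(HEADER.size)
    if len(raw) < HEADER.size:
        return False, "shorter than a DBF header"
    _ver, _date, nrecs, hdr_len, rec_len = HEADER.unpack(raw)
    if hdr_len < 33 or rec_len < 1:
        return False, "implausible header or record length"
    expected = hdr_len + nrecs * rec_len
    # The trailing 0x1A end-of-file byte is optional, so allow one extra byte.
    if size not in (expected, expected + 1):
        return False, f"size {size}, header implies {expected}"
    return True, "ok"

def failed_tables(directory):
    """Names of .dbf files in directory that fail check_dbf (keep them out of rotation)."""
    return sorted(p.name for p in Path(directory).iterdir()
                  if p.suffix.lower() == ".dbf" and not check_dbf(p)[0])

def make_sample_dbf(nrecs):
    """Constructed sample: a VFP-style table with one 10-character field."""
    field = (b"NAME".ljust(11, b"\0") + b"C" + struct.pack("<I", 1)
             + bytes([10, 0]) + bytes(14))           # 32-byte field descriptor
    hdr_len = 32 + len(field) + 1 + 263              # header, field, 0x0D, VFP backlink
    head = HEADER.pack(0x30, bytes([7, 8, 7]), nrecs, hdr_len, 11) + bytes(20)
    rows = (b" " + b"row".ljust(10)) * nrecs         # deletion flag + field data
    return head + field + b"\r" + bytes(263) + rows + b"\x1a"

if __name__ == "__main__":
    d = Path(tempfile.mkdtemp())
    good = make_sample_dbf(3)
    (d / "good.dbf").write_bytes(good)
    (d / "cut.dbf").write_bytes(good[:100])          # simulated truncation
    (d / "spam.dbf").write_bytes(b"BUY NOW " * 50)   # simulated overwrite with junk
    for name in failed_tables(d):
        print(name, "->", check_dbf(d / name)[1])
```

This only catches files whose size no longer matches their header; a table overwritten with well-formed DBF content would pass, so the check complements the CSV dump and physical copy and does not replace them.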

August 7th, 2007 at 11:29 am
1) How do we know we are even protected in our anti-virus software?
I checked for the worm identified in the article at the Symantec site (I no longer use their a/v software though) and their threat database doesn’t include the W32.Ukuran.Worm.
I use Eset’s NOD32 a/v software and I can’t seem to even figure out what I’m covered for in that yet. I guess I need to get more familiar with it.
I’m wondering if anyone knows for sure that their a/v software already prevents this worm from daming their Fox data.
2) We know what Fox data is that they reference. What is SQL data? Is that Fox data queried via FoxPro’s SQL commands or are they actually talking about SQL Server data?
I’m sure since the worm has orihinated in Indonesia that we have a language barrier problem here in getting more detail. But, it sure would be nice to see one a/v software vendor to detail this worm at its web site.
August 7th, 2007 at 11:30 am
“daming” should read “damaging”
“orihinated” should read “originated”
August 7th, 2007 at 1:20 pm
I agree, Carl. I could only find 2 meaningful articles (both from VietnamNet) and a few blog postings regarding the worm in English. There does seem to be mention of it elsewhere if you do a Vietnamese Google search. But I slept through Vietnamese in high school so those links don’t do me much good!
As far as SQL files, I assumed MSSQL — but come to think of it, I doubt that’s what they mean. Certainly more information would be handy. Hopefully this isn’t some false alarm :-s
August 7th, 2007 at 2:57 pm
If they would make VFP 64-bit, that old W32 stuff wouldn’t affect the product. rofl