

Viruses Worms Trojans ... Oh, my!


153 replies to this topic

#51 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,553 posts

Posted 27 January 2004 - 07:23 PM

nlinecomputers, on Jan 27 2004, 06:16 PM, said:

I noticed that too.  The only thing I can think is that reporters misunderstood some of this.  SCO has been hard to reach but so have a lot of other sites.  That isn't a DDOS attack, that is simply overload because of the increased mail traffic. I see we cross posted... B)
I think you are right ...folks may be trying to get info out there too fast and I have noticed at the onset many mistakes were made in reporting. B)
Bambi
AKA Fran

My Public Key for Email :: BambisMusings Blog :: Fran's Computer Services Blog :: MyPassionIsBooks Blog :: 5BuckReview :: CNIRadio
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

#52 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,436 posts

Posted 27 January 2004 - 07:59 PM

I've heard where a number of businesses and local school districts have been crippled because of this virus.  One company is taking forceful action -- deleting each & every zip file in any incoming/outgoing mail.  The company where I work shut down all inbound/outbound mail yesterday evening until they received the updated virus signatures to push out to all the PC and servers.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

#53 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,553 posts

Posted 27 January 2004 - 08:11 PM

I hear ya Corrine ... it is a bad one ... I am sure we will continue to hear about this for some time to come ... more so than even Sobig. This is the worst computer virus to date. It also, like Bugbear, is targeting businesses. And with the way they have chosen to employ social engineering in this one ... many people were caught unawares on it. As many techs have been doing, I have been harping that OE is not an email client that should ever be used on company computers, but OE is so easy they would not listen. I truly hope if nothing else, and before another of this type of worm/virus/trojan or whatever comes out, they finally listen. It is so angering to see some companies and organizations needing to shut down operations because of some viral terrorist.  B)
Bambi
AKA Fran


#54 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,436 posts

Posted 27 January 2004 - 10:00 PM

We use Lotus Notes (Domino) not OE.  However, it is really easy to right-click/launch attachments.  No matter how many times we tell people not to, they just can't seem to overcome their curiosity.  The spoofed sender with this worm doesn't help.  One person I was helping today said he thought it was an important document from a client he has been working with.  So he detached it to his hard drive.  Problem is, files from clients aren't named doc.zip but would have a case number or a file name and the text in the message wouldn't be gobble-de-gook!  When will they learn?

Regarding OE, if I can't convince my friends to switch to Mozilla at home, I at least try to convince them to turn off the preview pane in OE.

#55 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,553 posts

Posted 27 January 2004 - 10:15 PM

Yes, that social engineering part is the hardest to overcome. I have one client that allowed me to turn off the preview pane, but said it was too inconvenient to turn the Security Tab click box on and off as needed for blocking attachments from being downloaded that could potentially be a virus (and it is, he's right! Microsoft should have built in a button for the tool bar for that!), and he said, besides, the virus didn't come from his business email server and he can trust emails that come through the company's email server. :thumbsup:
Bambi
AKA Fran


#56 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 27 January 2004 - 10:18 PM

Corrine, on Jan 27 2004, 07:55 PM, said:

We use Lotus Notes (Domino) not OE.  However, it is really easy to right-click/launch attachments.  No matter how many times we tell people not to, they just can't seem to overcome their curiosity.  The spoofed sender with this worm doesn't help.  One person I was helping today said he thought it was an important document from a client he has been working with.  So he detached it to his hard drive.  Problem is, files from clients aren't named doc.zip but would have a case number or a file name and the text in the message wouldn't be gobble-de-gook!  When will they learn?

Regarding OE, if I can't convince my friends to switch to Mozilla at home, I at least try to convince them to turn off the preview pane in OE.
Honestly, I don't believe people when they say stuff like that.   I bet ya that guy knew his procedures and knew it wasn't a client's file but curiosity got the best of him.   They NEVER admit to doing wrong.  Who hasn't?  I admit I've opened up some attachments that better judgement should tell you not to do.  I've been lucky and I often check it with things like pocketknife peek before I do.
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#57 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,436 posts

Posted 27 January 2004 - 10:20 PM

LilBambi, on Jan 27 2004, 09:10 PM, said:

he can trust emails that come through the company's email server.
Sure he can trust those company emails!  :thumbsup:  I hope he remembers to hit the Security Tab click box now since reports are that businesses have been targeted particularly hard with this one.  (Sure, they're getting the most bang for their buck!)

#58 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,553 posts

Posted 27 January 2004 - 10:22 PM

:thumbsup: Ain't it the truth! :D
Bambi
AKA Fran


#59 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 27 January 2004 - 10:24 PM

LilBambi, on Jan 27 2004, 08:10 PM, said:

Yes, that social engineering part is the hardest to overcome. I have one client that allowed me to turn off the preview pane, but said it was too inconvenient to turn the Security Tab click box on and off as needed for blocking attachments from being downloaded that could potentially be a virus (and it is, he's right! Microsoft should have built in a button for the tool bar for that!), and he said, besides, the virus didn't come from his business email server and he can trust emails that come through the company's email server. :thumbsup:
You can't always trust the email server either.  My wife's place of work, a small community college, has McAfee based scanners on the servers but the dang virus got in during that 1.5 or so hours that the virus was raw in the wild and unknown.  They also run Groupwise which doesn't launch viruses on preview like OE does but they still got badly infected.
Nathan Williams, N-Line Computers


#60 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,553 posts

Posted 27 January 2004 - 10:27 PM

Exactly Nathan! That's what I tell all my clients ... but some of them 'know' best, if you know what I mean. LOL!
Bambi
AKA Fran


#61 OFFLINE   ibe98765

ibe98765

    Posting Prodigy

  • Members
  • 2,467 posts

Posted 27 January 2004 - 11:16 PM

Corrine, on Jan 27 2004, 05:55 PM, said:

Regarding OE, if I can't convince my friends to switch to Mozilla at home, I at least try to convince them to turn off the preview pane in OE.
You don't have to turn off the preview pane.  All you have to do is run OE/Outlook in the RESTRICTED security zone.

#62 OFFLINE   ibe98765

ibe98765

    Posting Prodigy

  • Members
  • 2,467 posts

Posted 27 January 2004 - 11:23 PM

From http://channels.lock.../20040127.phtml

Quote

ALERT: A Virus By Any Other Name...

Neven writes:

I'm not sure if this one will be persistent as Sobig.F, but we detected a virus outbreak about three hours ago that is coming in at a rate of about 30 to 50 copies per hour which is just about Sobig.F's initial frequency... Each message is 31-34k (attachment alone is 23k). If we're correct, McAfee named this one W32/Mydoom@MM already and categorized it as "high outbreak risk."

Since this one looks like a pain in the... (something) we created a filter for xTerminator users to delete this pest from POP3 server and save bandwidth (time). The filter can be downloaded here - http://www.artplus.hr/xterminator.htm.

If it turns out to be a big one again, I'm sure you'll know what to do with this announcement! Still, maybe it's just a small "puff" like that "hi" outbreak few days ago... We'll see.

---------------------------------------------------------------------

And Mike Healen from Spyware Info <http://www.spywareinfo.com> writes:

There is a widespread outbreak of the WORM_MIMAIL.R e-mail worm. This worm is spoofing the sender's e-mail address. If you receive one of these e-mails, the person in the FROM: address is NOT the person who sent it to you.

If you are running an e-mail server with anti-virus software that bounces virus infected e-mails, FOR GOD'S SAKE STOP BOUNCING THEM! You are participating in a denial of service attack by bouncing viruses at people who are not infected. You could even infect them yourself! STOP BOUNCING THEM!

If you receive an e-mail like the one described below, DON'T OPEN IT! Delete it immediately, update your anti-virus program and scan. If you don't have an anti-virus, get one.

Nod32 $39.00 (The best AV available [according to SWI])
AVG Free (Good enough for the price)

Description From Trendmicro:

A new variant of the MIMAIL worm has been found in the wild. As of January 26, 2004 1:47 PM (US Pacific Time), TrendLabs has declared a yellow alert to control the spread of WORM_MIMAIL.R.

Also known as W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm

This mass-mailing worm selects from a list of e-mail subjects, message bodies, and attachment file names. It can also propagate using the Kazaa peer-to-peer file sharing network.

It performs a denial of service (DoS) attack against the software business site www.sco.com. It attacks the site if the system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004.

It runs on Windows 98, ME, NT, 2000 and XP.

It sends e-mail with the following details:

Subject: (any of the following)
  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi

Message Body: (any of the following)
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.
  • test

Attachment: <Random name>.zip

Post this on every message board you can find. Get the word out. If you have a friend or family member who does not understand how to operate an anti-virus, please check that they are updated and protected. If you know someone running anti-virus on an e-mail server, please tell them to turn off the bounce feature.


#63 OFFLINE   Guitar Man

Guitar Man

    Thread Head

  • Members
  • 745 posts

Posted 28 January 2004 - 12:32 AM

Corrine, on Jan 27 2004, 09:15 PM, said:

LilBambi, on Jan 27 2004, 09:10 PM, said: he can trust emails that come through the company's email server.

Sure he can trust those company emails!
Somebody obviously trusted our office LAN email client, and infected some terminals yesterday..."Oh! I got an email from Mr. Smith in the office across town! He says HI ! I'll open it..." BOOM! :whistling: Ignorance will kill you every time...

#64 OFFLINE   Jeber

Jeber

    Still Version 1.0 beta

  • Forum Moderators
  • 4,639 posts

Posted 28 January 2004 - 12:47 PM

Just to add to the above notice from Lockergnome...yesterday I received an email with a blank subject line, but had the notice "The message contains Unicode characters and has been sent as a binary attachment."  The sender was unknown to me, so it got deleted promptly, and was never opened.  So evidently the subject line is still changing.  But this one has all the signs of becoming a major problem.
He was a dreamer, a thinker, a speculative philosopher, an idiot…
(Douglas Adams)

#65 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,553 posts

Posted 28 January 2004 - 01:06 PM

Yes, it continues to select new random items for the subject and the attachment name as well as some of the body text too. Diligence is definitely the order of the day in Windows these days ... and keeping those AV definitions up to date! :'(
Bambi
AKA Fran


#66 OFFLINE   pc-tecky

pc-tecky

    Thread Head

  • Members
  • 669 posts

Posted 28 January 2004 - 01:32 PM

Well, I know I didn't send them out, but I have two emails that have come back to me. :P Should I click on them? (:o NO!!!!!!! Well, ok, I wasn't going to. :o :o) Now, how can I tell if this nuisance is even on my system (because I have so many things open)? What's SMTP again, well it's part of IIS? :whistling: Strange how it all works. Now I want to know what let their computer get compromised??? A nice little email will be going out shortly to everybody. Oh wait, that'll exacerbate the problem. :'( Is this a lose-lose situation? What should I do?

#67 OFFLINE   Jeber

Jeber

    Still Version 1.0 beta

  • Forum Moderators
  • 4,639 posts

Posted 28 January 2004 - 01:49 PM

As long as your warning emails don't have attachments,  I wouldn't think they'd be confused with the bogus ones.  And you are sending them to people who know you.

#68 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,553 posts

Posted 28 January 2004 - 02:05 PM

I would suggest just deleting them pc-tecky ... the worm spoofs the email sender, so your server would receive messages about these messages, even though you didn't send them. If you have the latest updates on AV defs and have done a full system scan and the system came up clean, then you are fine. No point in adding to the problem at this point. Everyone is getting these.  ;)
Bambi
AKA Fran


#69 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,553 posts

Posted 28 January 2004 - 02:06 PM

Jeber, on Jan 28 2004, 12:44 PM, said:

As long as your warning emails don't have attachments,  I wouldn't think they'd be confused with the bogus ones.  And you are sending them to people who know you.
However, Jeber's right...it wouldn't hurt anything to send it out ... as long as you don't send any attachments as Jeber was saying.
Bambi
AKA Fran


#70 OFFLINE   pc-tecky

pc-tecky

    Thread Head

  • Members
  • 669 posts

Posted 28 January 2004 - 03:21 PM

They'll be getting a direct link to AVG if they haven't updated their viri defs for their current version. ;)

#71 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 28 January 2004 - 04:02 PM

It's mutating, guys.  Introducing MyDoom B. http://securityrespo...ydoom.b@mm.html

Man this gets confusing.  This is a variant of what Symantec called Novarg but the mutant they call MyDoomB.  Can't we get standardized names?
Nathan Williams, N-Line Computers


#72 OFFLINE   ibe98765

ibe98765

    Posting Prodigy

  • Members
  • 2,467 posts

Posted 28 January 2004 - 05:59 PM

I saw a report today saying that when a virus laden email is received by a user, some (all?) AV programs have a setting to notify the sender that they are sending a virus email.  This is making the problem much worse.  The suggestion was to turn off this auto-notification setting.

#73 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 28 January 2004 - 06:10 PM

I don't know of any client based virus software that does that but most server based ones do.  This is one more reason we need updated SMTP protocols. SPF, encryption, authenticated SMTP, something....  As it is now any virus can have its own built in SMTP server and just fire away.  Some kind of restricted SMTP would stop the spoofing and 95% of the current viruses would be stopped.  And even if a virus could hook into your email program and logon legally at least that would provide tracking so that you could contact Joe Six Pack and get him either cleaned up or off the net.
Nathan Williams, N-Line Computers

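The Trend Micro description quoted in post #62 and the bounce-notification discussion in the last few posts describe two halves of the same gateway problem: the messages are easy to recognise (a fixed subject list, a fixed body list, a randomly named .zip), and they arrive with a forged From: address, so any notice the gateway "helpfully" sends back lands on an uninfected third party. The following is an added example, not code from the thread or from any vendor named in it. It uses only Python's standard `email` package, takes the indicator lists quoted above as given, and runs over sample messages constructed in the block itself.

```python
# Added example, not code from the thread or from any of the vendors it names.
# A minimal mail-gateway filter built on the stdlib `email` package:
#  - recognises the mass-mailer traffic by the indicators quoted in the thread
#    (fixed subject list, fixed body list, a .zip attachment), and
#  - chooses a disposition that never sends a notice to the From: address,
#    because the worm forges it; the only safe place to refuse the message is
#    inside the SMTP session (a 5xx to the connecting host), not a later bounce.
# All sample messages below are constructed for this example.

import email
from email import policy
from email.message import EmailMessage

# Indicator lists as given in the Trend Micro description quoted in the thread.
WORM_SUBJECTS = {
    "error", "status", "server report", "mail transaction failed",
    "mail delivery system", "hello", "hi",
}
WORM_BODIES = {
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
    "test",
}


def indicators(msg: EmailMessage) -> dict:
    """Which of the three message-level indicators does this message show?"""
    subject = (msg.get("Subject") or "").strip().lower()
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content().strip().lower() if text is not None else ""
    has_zip = any((part.get_filename() or "").lower().endswith(".zip")
                  for part in msg.iter_attachments())
    return {"subject": subject in WORM_SUBJECTS,
            "body": body in WORM_BODIES,
            "zip": has_zip}


def classify(raw: bytes) -> str:
    """'quarantine' on zip + a worm-specific subject or body; 'hold' on an
    unexplained zip (human review); otherwise 'deliver'. A matching subject
    on its own ('hi') is far too common to act on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hit = indicators(msg)
    if hit["zip"] and (hit["subject"] or hit["body"]):
        return "quarantine"
    if hit["zip"]:
        return "hold"
    return "deliver"


def gateway_action(raw: bytes) -> dict:
    """Disposition for the SMTP gateway. 'reject_in_session' means answer the
    DATA command with a 5xx so the connecting host, not our server, owns any
    error report; 'notify_from_address' is always False because From: is
    forged and a notice would be backscatter aimed at an uninfected party."""
    verdict = classify(raw)
    return {"verdict": verdict,
            "reject_in_session": verdict == "quarantine",
            "notify_from_address": False}


def build_sample(subject: str, body: str, with_zip: bool) -> bytes:
    """Constructed test message; the zip payload is inert filler, not a worm."""
    m = EmailMessage()
    m["From"] = "someone@example.com"   # in real traffic this is forged
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if with_zip:
        m.add_attachment(b"PK\x03\x04" + b"\x00" * 64,
                         maintype="application", subtype="zip",
                         filename="doc.zip")
    return m.as_bytes()


SAMPLES = {
    "worm_subject": build_sample("hi", "test", True),
    # blank subject but a worm body, as Jeber reported seeing
    "worm_blank_subject": build_sample(
        "", "The message contains Unicode characters and has been sent as a binary attachment.", True),
    "legit_zip": build_sample("Case 2004-0117 exhibits",
                              "Bob, the scanned exhibits for Monday are attached.", True),
    "legit_text": build_sample("hi", "Lunch at noon?", False),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {gateway_action(raw)}")
```

The `hold` verdict is there on purpose: a .zip with an ordinary subject and body is what a genuine client document looks like, so it goes to review rather than being dropped, while the two worm samples are refused in-session. Nothing in the block ever addresses mail to the From: header, which is the whole point of the "stop bouncing them" advice quoted above.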

#74 OFFLINE   Guitar Man

Guitar Man

    Thread Head

  • Members
  • 745 posts

Posted 28 January 2004 - 11:00 PM

LilBambi, on Jan 28 2004, 01:00 PM, said:

I would suggest just deleting them pc-tecky ... the worm spoofs the email sender, so your server would receive messages about these messages, even though you didn't send them. If you have the latest updates on AV defs and have done a full system scan and the system came up clean, then you are fine. No point in adding to the problem at this point. Everyone is getting these.
That's it, right there. At least for those "in the know"... :whistling: As for the rest, well...It will be a never ending education.

nlinecomputers, on Jan 28 2004, 05:05 PM, said:

Some kind of restricted SMTP would stop the spoofing and 95% of the current viruses would be stopped. And even if a virus could hook into your email program and logon legally at least that would provide tracking so that you could contact Joe Six Pack and get him either cleaned up or off the net.
In a perfect world, Nathan... :blink: But as we know all too well...

#75 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 29 January 2004 - 12:38 AM

Quote

In a perfect world, Nathan...  But as we know all too well...
Well some kind of change WILL occur.  SMTP is just too badly mishandled and the continued problems are leading everyone to find a solution.  Three of them are being worked on and some kind of combination of all three is going to be put into place within two years, if not sooner, and I would expect within 5 years SMTP as we know it will be totally dead.
Nathan Williams, N-Line Computers




