VIRUS WARNING SUBJECT: [ltp] Administration

Andrew Lee linux-thinkpad@linux-thinkpad.org
Sat, 9 Nov 2002 19:37:37 +0000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

Just FYI,

> http://securityresponse.symantec.com/avcenter/venc/data/w32.brid.a@mm.html
>
>
> And someone in the University of Puertorico is responsible for
> maliciously sending this mail to the list ! Not from an infected
> computer, but with the intent of infecting as many computers as
> possible.

The virus is designed in such a way as to exploit a vulnerability in MS
Lookout Express. It is one of the worst that I have seen for the way that it
mungs the MIME headers of the mail. It's very unlikely that this is a
deliberately malicious attack, it's much more likely to be from a genuinely
infected workstation.
This specific type of malformed mail is generated by the virus. It also has
the ability to forge the "from" header, making it very hard to tell where it
came from. Usually you have to do a lookup on the originating IP.

> Thank god, I use Linux.

Indeed :-)

> To counter this behaviour in the future, I have set the mail size limit
> to 20k for all future postings.

Seems a good idea, I doubt that there's ever much reason to post binaries to
this list, and if it is needed, better to post a link to an ftp or web site.

> If you have windows, and have double clicked on the readme.exe then you
> are most probably infected.

If you were unpatched, you wouldn't need to double click, just viewing in the
preview pane would be enough. And you wouldn't even necessarily know you're
infected as NO warnings are given.

> I am not sure about the M$ Outlook thing, maybe it executes attachments
> that are audio/x-wav auto-magically ?

Yes, it does, there is a patch available, and has been for many months, but it
seems there are many, many unpatched systems still out there, a large number
of recent (and not so recent) worms have used the same exploit.
Patch is here:
 http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

> I am currently in discussion with the sysadmin for the mail list server,
> we will figure something out..

You could try to make it so that only subscribed addresses can post - if you
haven't already? That way, at least if this happened again (and it will, it
happens a lot!) then the poster would be aware of it.

> Sorry for any inconvenience that this may cause, but nobody has a
> perfect protection against hackers, and sending a virus infected to a
> mailing list is really the lowest of the low.

It happens all the time. If that user has ever subscribed to, had a message
forwarded from, or been cc'd, then potentially, the virus can be sent to the
list because the worm mails itself to EVERY contact in the WAB.

regards

-- 
Andrew Lee            | virusresearch@aomr.co.uk
AVIEN Founding Member | http://www.avien.org
Wildlist Reporter     | http://www.wildlist.org
TeamAnti-Virus        | http://www.teamanti-virus.org

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBPc1kEK+tVCJD8UyBEQLiFQCfUaWkjXW29cgL9WdEe3/BxORBRO0AoJir
/onA+36PgSBx9/AZ3+JV+0cz
=TvmL
-----END PGP SIGNATURE-----
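The message above describes three list-side defences: reject oversized postings (the 20k limit), distrust the "from" header and look at the originating hop instead, and recognise the worm's tell-tale MIME layout, an executable attachment declared with a misleading content type such as audio/x-wav. The following is an added example, not code from the original thread or from the linux-thinkpad list software, showing how a list gateway could apply those checks with Python's standard `email` package. Both messages it parses are constructed samples; the addresses, boundary strings and Received headers in them are invented, and the `analyse` function, its thresholds and the extension list are assumptions for this illustration.

```python
import email
import os
from email import policy

# File extensions treated as executable content (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}

# Posting size limit mentioned in the thread: 20k.
MAX_MESSAGE_BYTES = 20 * 1024

# Constructed sample: an attachment named readme.exe but declared as audio/x-wav,
# the MIME-type mismatch the thread describes. The base64 body is the word "sample".
SUSPICIOUS_MESSAGE = b"""Received: from mail.example.invalid ([198.51.100.7]) by list.example.invalid
Received: from pc-1234 ([192.0.2.44]) by mail.example.invalid
From: forged-sender@example.invalid
To: list@example.invalid
Subject: Re: [ltp] Administration
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz-boundary"

--xyz-boundary
Content-Type: text/plain; charset="us-ascii"

Hi
--xyz-boundary
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

c2FtcGxl
--xyz-boundary--
"""

# Constructed sample: an ordinary plain-text post that should pass untouched.
CLEAN_MESSAGE = b"""Received: from mail.example.invalid ([198.51.100.7]) by list.example.invalid
From: member@example.invalid
To: list@example.invalid
Subject: Re: [ltp] Administration
Content-Type: text/plain; charset="us-ascii"

Seems a good idea.
"""


def analyse(raw: bytes) -> dict:
    """Return findings for one raw message: size, MIME defects, attachment checks,
    and the earliest Received hop as the place to start an origin lookup."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    if len(raw) > MAX_MESSAGE_BYTES:
        findings.append(f"message is {len(raw)} bytes, over the {MAX_MESSAGE_BYTES} byte limit")

    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename.lower())[1]
        ctype = part.get_content_type()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment {filename!r}")
            # An executable labelled as audio (or any non-application type) is the
            # mismatch that unpatched mailers were tricked by; record it explicitly.
            if not ctype.startswith("application/"):
                findings.append(f"content type {ctype} does not match executable {filename!r}")

    # The parser records structural problems (bad boundaries, missing headers)
    # as defects; the thread notes that the worm's mail is badly malformed.
    defects = [type(d).__name__ for d in msg.defects]

    # Received headers are prepended by each hop, so the last one listed is the
    # earliest hop: the place to look instead of trusting the From header.
    received = msg.get_all("Received", [])
    origin_hint = str(received[-1]).strip() if received else None

    return {
        "from": str(msg["From"]),
        "origin_hint": origin_hint,
        "defects": defects,
        "findings": findings,
        "reject": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = analyse(raw)
        print(label, "-> reject" if result["reject"] else "-> accept")
        for line in result["findings"]:
            print("   ", line)
        print("    origin hint:", result["origin_hint"])
```

`analyse` never executes or decodes the attachment body; it only inspects the declared filename, content type and header structure, which is all a list gateway needs to bounce a posting before it is redistributed to every subscriber.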