VIRUS WARNING SUBJECT: [ltp] Administration

Andrew Lee linux-thinkpad@linux-thinkpad.org
Sun, 10 Nov 2002 21:42:43 +0000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 09 Nov 2002 8:33 pm, Bill Mair wrote:
> Andrew Lee wrote:
> > The virus is designed in such a way as to exploit a vulnerability in MS
> > Lookout Express. It is one of the worst that I have seen for the way that it
> > mungs the MIME headers of the mail. It's very unlikely that this is a
> > deliberately malicious attack, it's much more likely to be from a genuinely
> > infected workstation.
>
> Very nasty. First time that I have heard the expression "MS Lookout
> Express" though :-)

It's pretty common in the AV community ;)

> > This specific type of malformed mail is generated by the virus. It also has
> > the ability to forge the "from" header, making it very hard to tell where it
> > came from. Usually you have to do a lookup on the originating IP.
>
> It was only identifiable via the SMTP logs and finding the originating IP.

Yep. That's usually the best way to tell. You can also look at the IP on the
first "received" IP - though if it's come via some routers <cough>AOL then
it does weird things sometimes, like stripping the received fields.

[snip]

> > You could try to make it so that only subscribed addresses can post - if you
> > haven't already? That way, at least if this happened again (and it will, it
> > happens a lot!) then the poster would be aware of it.
>
> This is a closed list. At least twice a day the list is spam, which I
> discard. All mail coming from non-members is put on hold.

Then the high likelihood is that the infected user was a subscriber.

> > It happens all the time. If that user has ever subscribed to, had a message
> > forwarded from, or been cc'd, then potentially, the virus can be sent to the
> > list because the worm mails itself to EVERY contact in the WAB.
>
> Don't you mean WEB ? ;-) In the mono-culture of M$ systems, I think there are
> very, very few people not stored in someone's WAB. AFAIR that was why
> Melissa and "I Love You" were able to cripple so many mailing systems over night.

LOL, judging by the amount of viruses/worms I receive, I think you may be
right.

> BTW:
>
> If one were to describe a really nasty virus as:
>   a) Destroys valuable data
>   b) Wastes valuable system resources
>   c) Brings havoc into the normal computing day
>   d) Hard to contain
>   e) Widely spread
>   f) Most people don't realise that they are a victim
>
> Then shouldn't Windows be classified as a virus, and as such be
> recognised by every anti-vir software product ?

Wouldn't be the first time it's been suggested, though, you're not really
describing a virus, but a Trojan Horse :)
A virus is a program which replicates by adding a (possibly modified) copy of
itself to another program file, that file becoming a host for further
replications. Most of the stuff you see on the internet in mass mailed posts,
like this latest W32/Braid@mm, are actually worms, they don't usually infect
files, rather they infest systems.
For most people though, they just know that they don't want them - and if
that's the definition, then Windows fits - I don't want it :-)

> Recommended cure for the Virus: Linux ;-)

Strictly speaking, not. There are several viruses, more than a few worms, and
hundreds of trojans/root kits etc available for Linux. Just at the moment,
the average Linux user tends to be reasonably competent (by necessity), so
they're less likely (though not much) to get stung. As a point of interest,
the original research into computer viruses was all done on big iron Unix
systems, and the results were much the same, over time, viruses gained
elevated privileges and permeated the systems. Mostly due to sloppy admins.

> These are my opinions, and I don't want this to end up in an advocacy
> discussion.

I think the planet's big enough for a few operating systems, after all, if we
didn't have Windows, there'd be nothing to show up how good Linux is :)

> And for a bit of fun see here:
> http://www.stratfordenterprises.com/oldsplash/windowsrg.html

Sorry, no Flash players on this machine :)

regards

-- 
Andrew Lee            | virusresearch@aomr.co.uk
AVIEN Founding Member | http://www.avien.org
Wildlist Reporter     | http://www.wildlist.org
TeamAnti-Virus        | http://www.teamanti-virus.org

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBPc7S3a+tVCJD8UyBEQKJfACfc5z2dJwgRmEHvAyNFnzI2Ahzz0EAnRnM
wvdAAS/iO6cxwFnpKzSXyi9Q
=UsXd
-----END PGP SIGNATURE-----
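The thread above makes two practical points: the originating host of a worm-generated mail is found in the earliest "Received:" header (or, failing that, the MTA's SMTP logs), and the "From:" header cannot be trusted because the worm forges it. The following Python script is an added example, not code from the thread or from any project mentioned in it. It walks the Received chain of a constructed sample message (all hostnames, IPs and addresses below are made up for the example), reports the originating IP, flags a From: domain that never appears in the relay chain, and returns None when a relay has stripped the Received fields so that the caller knows to fall back to the SMTP logs.

```python
import email
import email.utils
import re

# Constructed sample message (not from the original thread): a worm-style mail
# with a forged From: line, relayed through two hops. The oldest Received: header
# (the last one in the message) names the originating host; the From: header
# points at an unrelated domain.
SAMPLE_MAIL = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id abc123
\tfor <user@example.net>; Sun, 10 Nov 2002 21:40:01 +0000
Received: from dialup-pc (unknown [203.0.113.77])
\tby lists.example.org with SMTP id def456;
\tSun, 10 Nov 2002 21:39:55 +0000
From: "Trusted Colleague" <colleague@example.com>
To: ltp@example.org
Subject: [ltp] Administration
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012"

------=_NextPart_000_0012
Content-Type: text/plain

see attached
------=_NextPart_000_0012--
"""

# Bracketed dotted-quad literal as MTAs write it: "(unknown [203.0.113.77])"
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return the Received: headers oldest-first as (from_host, ip, by_host) tuples.

    Each relay prepends its own Received: line, so the last header in the
    message is the first hop; reversing the list gives the path in order.
    """
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())  # unfold the header onto one line
        m = re.match(r"from (\S+).*?by (\S+)", text)
        ip = IPV4_RE.search(text)
        hops.append((m.group(1) if m else None,
                     ip.group(1) if ip else None,
                     m.group(2) if m else None))
    return hops


def originating_ip(raw):
    """Best-effort originating IP: the bracketed IP in the oldest Received: hop.

    Returns None when no hop carries an IP literal, e.g. when an upstream relay
    stripped the Received: fields, so the caller must fall back to SMTP logs.
    """
    for _host, ip, _by in received_chain(raw):
        if ip:
            return ip
    return None


def from_domain_in_chain(raw):
    """True if the From: domain appears as a host in the Received chain.

    A mismatch is not proof of forgery (people legitimately send via other
    providers) but it is the cheap first check when a From: looks suspicious.
    """
    msg = email.message_from_string(raw)
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return False
    return any(host and host.lower().endswith(domain)
               for host, _ip, _by in received_chain(raw))


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MAIL):
        print("hop:", hop)
    print("originating IP:", originating_ip(SAMPLE_MAIL))
    print("From: domain seen in chain:", from_domain_in_chain(SAMPLE_MAIL))
```

Run it as-is to see the two hops printed oldest-first; the originating IP comes from the dial-up hop, not from the list server, and the forged From: domain is reported as absent from the chain. On a real message you would feed the raw text (headers included) from the list's held-mail queue or the MTA's spool in place of the constructed sample.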