Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
Re:Warnings...
That's Beagle.K (or Beagle.J, it's linked from the story, though), I've only received one, but it's annoying as all hell to block.
I'm now blocking all encrypted zip attachments via my trusty MailScanner
(there's a beta version which adds this, I couldn't trust the filename rules, and wouldn't block all zip attachments) -
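The MailScanner rule described in the comment above, blocking encrypted ZIP attachments without trusting the filename, can be done by reading the ZIP central directory and checking the encryption bit of each entry's general-purpose flag. This is an added example, not MailScanner's code; the archives are constructed inline, and the "encrypted" one is a plain archive with the flag patched into its headers, which is enough to exercise the check.

```python
import io
import struct
import zipfile

# ZIP signatures and the general-purpose flag bit that marks an encrypted entry
EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
LOCAL_SIG = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x0001


def zip_entries(data: bytes):
    """Yield (name, flags) for every entry listed in the central directory.

    The directory is located through the end-of-central-directory record, so
    the claimed filename or extension plays no part; bytes that are not a ZIP
    archive raise ValueError.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("not a ZIP archive (no end-of-central-directory record)")
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory")
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, flags
        pos += 46 + name_len + extra_len + comment_len


def has_encrypted_entry(data: bytes) -> bool:
    """True if any entry in the archive carries the encryption flag."""
    return any(flags & ENCRYPTED_FLAG for _, flags in zip_entries(data))


def attachment_verdict(filename: str, data: bytes) -> str:
    """Verdict for one attachment; the filename is deliberately ignored."""
    try:
        encrypted = has_encrypted_entry(data)
    except ValueError:
        return "pass"  # not a ZIP container; other rules handle it
    return "block-encrypted-zip" if encrypted else "pass"


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample archive; zipfile cannot write encrypted archives, so
    the encrypted variant is the same archive with the flag set in the local
    and central headers (no key is involved, the check only reads the flag)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.exe", b"constructed sample payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_offset in ((LOCAL_SIG, 6), (CDIR_SIG, 8)):
            pos = data.find(sig)
            while pos >= 0:
                flags = struct.unpack_from("<H", data, pos + flag_offset)[0]
                struct.pack_into("<H", data, pos + flag_offset, flags | ENCRYPTED_FLAG)
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    print(attachment_verdict("report.txt", build_sample(True)))   # block-encrypted-zip
```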
Good results
I've experienced good results using ClamAV. My setup is as follows:
Sendmail 8.12 -> MS Exchange 2000 -> Outlook clients
My outfit was already married to Microsoft, and the Exchange server was buckling due to being inundated with spam. I'm also running Symantec AVF on my Exchange server (Dell PE6650, Quad 1.4GHz Xeon, 3GB RAM).
I originally installed Linux on a Dell Dimension desktop (450MHz PIII, 768MB RAM) using Sendmail + Spamassassin + spamass-milter + RAV. Spamass-milter isn't very stable, and I had a request to append a legal disclaimer to all outbound email (I work at a law firm). I swapped spamass-milter in favor of MIMEDefang to interface Spamassassin with Sendmail while also appending those legal disclaimers. Microsoft had bought RAV by this point, so I dumped RAV for ClamAV. The Linux box has also moved to a retired Dell PE6450 (Dual 700MHz Xeon, 3GB RAM).
So now MIMEDefang is performing several functions, plus I only have one milter running instead of three.
ClamAV catches 90% of my incoming viruses and Symantec AVF catches the rest.
-
Re:If you thought NAV 2002 was good...
Important information about changes to Intelligent Updater.
For retail editions of Norton AntiVirus, Intelligent Updater now searches for a valid subscription to virus definitions before it applies updates. Corporate versions of Norton AntiVirus are not affected by this change.
Home and small business customers:
Virus definitions are available from Symantec with a paid subscription. If you purchased a retail version of Norton AntiVirus, Intelligent Updater detects whether your subscription is up-to-date. If your subscription has expired, you must renew it before using Intelligent Updater. Please run LiveUpdate from Norton AntiVirus to renew your subscription or access our online subscription renewal form.
-
Re:If you thought NAV 2002 was good...
Right, I mean, all you really have to do to get new defs/engine is to look for them. For example:
Today's McAfee Definitions
Today's Symantec (Norton) Definitions
Today's TrendMicro Antivirus Definitions
All these are available free from the vendor along with engine updates (and I found them all in five minutes using just a search engine). The suckers paying $20 a year are actually just paying for their app's "LiveUpdate" or similar feature to work, when they could either use a non-broken, older version, or grab the definitions every week or so off the vendor's website.
All revenue brought in by the subscriptions is simply a tax on laziness. Well, except it's paid to those companies instead of the government. You know what I mean. -
Re:serious shit for mcafee, norton, zonealarm, etc
this next service pack is going to seriously fuck up some software industries... a better personal firewall, a popup killer, and now antivirus, all now bundled with the OS? and free?!
So the other free AV tool screwed up the expensive paid ones? -
Re:From the all-mouth-and-no-meat department
You're probably right. I'm mistaking virii with their own SMTP engine, for virii with SMTP Relays.
That said, a search for "SMTP Relay" on Symantec gives:
Backdoor.Hoogle
and
Trojan.Naldem
for instance. So maybe. -
From the all-mouth-and-no-meat department
Umm. Slight absence of any mention of virus writing for profit: there's enough evidence that a number of recent virii were mainly about installing SMTP Relays on infected machines to propagate spam, or leaving a backdoor open so that this could later be done.
Or else installing DDOS software aimed at Spamhaus servers, or leaving backdoors open for same.
So. Art: Check. Vandalism: Check. Profit Motive: Check. Insubstantial "infiltration" by journalist: Check.
Ferinstance
http://yro.slashdot.org/article.pl?sid=03/12/03/1423258&mode=nested
- Oops. There goes Spamhaus
http://securityresponse.symantec.com/
- most of this week's crop install backdoors.
http://www.groklaw.net/article.php?story=20040221051056136
- Your IP Addy for sale to a spam-merchant near you... -
Norton
I hope the people that own Norton don't try to pursue any legal action about this due to the name similarities
;) -
Don't pay for software!
At least not at first. Most respectable programs will have a trial version out. And there are plenty of freeware/open source alternatives.
Good programs, I've encountered have been RegSupreme, Norton SystemWorks, AdAware, SpyBot, and numerous others. -
Re:I've found these useful.
Uh, yeah.. No, about half our customers' problems at our Support firm are over Norton Utilities or SystemWorks, or some other Symantec product breaking and screwing up the OS. Happens daily. They don't learn anything, but how to manually uninstall a Norton Product.
-
Re:Frightening
I don't know how to increase someone's phone bill by having them click a link.
Here's a whole page of dialers that do stuff like that. A bigger problem in Europe I've heard.
-
PXE Boot Images
Ah, this stuff has been around for like 4 years, at least. We were using this kind of technology at the University of Chicago back in 1999 with WindowsNT images. (The department I worked in was responsible for supporting all of the public-use workstations throughout campus, and we naturally relied on disk imaging technologies.)
If you buy a product like Altiris LabExpert or Norton Ghost and are very clever, you can jury rig an entire operating system environment onto a CD.
Oddly enough, we stumbled on how to do this kind of thing while researching Wake-Over-LAN and PXE technologies. Apparently, the system BIOS just needs to be smart enough that it can look at something other than a PCI/IDE/SCSI hard drive for information with which to load a kernel into memory. If your BIOS is PXE enabled, it's smart enough to tell the system bus to look for a kernel on the network card (in the case of a Wake-On-LAN network boot) or on a CD drive (in the case of a CD boot).
FYI, PXE is Intel's Preboot Execution Environment specification, and is therefore working at the hardware level underneath Microsoft PE (Preinstallation Environment).
Nonetheless, the hardware capabilities which have allowed Windows to be booted from a CD have been around since 1999, at least, as they are part of Intel's PXE specification.
Just my two cents... -
Re:DoomNet...
-
Re:Get a Mac
from doomjuice:
Creates the file Sync-src-1.00.tbz (28,569 bytes) and copies this file to the %Windir%, %System%, %Temp%, and %UserProfile% folders, as well as to the root folder of all the fixed and remote drives. This file is a tar archive, which contains the source code of W32.Mydoom.A@mm
there're chances that this lil' cutie of oss will get "ported", since everyone got the source already ;) -
New Welchia Worm
Whereas the new Welchia/Nachi worm cleans the MyDoom viruses, sets the hosts file back to just 127.0.0.1 localhost, installs a few Microsoft patches, reboots and scans for other MyDoom, MSBlast and Welchia infected machines to clean. It also sets up a web server on the machine serving a webpage with a cryptic message about various Japanese and Korean massacres. It then disables itself on June 1, 2004, or after running 180 days, whichever comes first.
I don't normally like any Windows virus, but I have a tough time not liking this one. -
Re:Anti-virus software?
Here you are, HTH.
-
HP's Outsourced Support Quality
A data point on the quality of outsourced tech support:
My neighbor's HP Pavilion kept putting a window on her screen last week, saying her Windows license had expired, and that she needed to enter her credit card number and expiration to validate her copy of Windows, but not to worry because her credit card would not be charged.
My neighbor is in her 80s, but her memory is good and she didn't remember anything about an expiration date for Windows. So she called HP support and got a man with an Indian accent. She told him the problem, and he asked, "How old is your computer?" She told him it was a couple years old, and he said, "If it's that old, Windows could be expired. Try entering the information as requested and see what happens."
Fortunately, my neighbor is much smarter than HP's outsourced call center, and didn't take their advice. She called me and we cleaned mimail.s off her computer. She promises she won't buy from HP again. -
Port 3127
What the submission missed, but is worth noting, is that port 3127 is one of the ports that MyDoom.A opens when it infects a machine. In other words, MyDoom.C is exploiting the hole that MyDoom.A opened.
The writeup from Symantec is here. -
Re:It's not just about Viruses
There are zero known viruses for Mac OS X, none, nada, zippity-do-da. There are about 60 viruses for OS 9, as well as a few macro viruses that infect MS Office (which runs on both Windows and Mac)
OK, let's get real here:
If there are macro viruses that affect MS Office on the Mac, then Mac OS X has known viruses.
If there are viruses affecting OS 9, and you use Classic compatibility in OS X without shutting it down after you're done, then those viruses affect Mac OS X since they share a common filesystem.
Here is an example of a virus that appears to use AppleScript and would directly affect Mac OS X similar to the MyDoom virus -- do you know that it doesn't?
Don't get me wrong, I'm no Mac-hater (I used the Mac for 9 years, left for Windows and Linux for 3-4 years, then came back last year), but you can't say silly things like "there are zero known viruses for Mac OS X" when Symantec lists some including the one above -- that's fairly public information.
Also, remember that viruses aren't necessarily limited to the traditional ones in e-mails or on the Mac's local storage, they include the ones that remotely exploit vulnerabilities, some of which Mac OS X has in common with many other *NIXes. -
Code Green/Nachi revisited
The Nachi worm and Code Green were attempts to fix Blaster and Code Red. They caused more damage than they fixed - especially Nachi, which is still flooding everyone with ICMP echo requests. I am also surprised that you have never seen it suggested before - hint: use Google
Closing open relays is a great first step and I hope this program has some effect.
If spammers are driven to using trojaned home computers to send their junk then there will be much more pressure bought to bear on ISPs to do port 25 egress filtering which will stop the trojans dead in their tracks -
Good for a small market
Let's face it, the average user doesn't know what an MD5 checksum or PGP even are. It's a sad thing, because most security tools are easy to use, and would make the internet a safer place, but the fact of the matter is that you still have people opening up e-mail viruses that are an attachment with a notepad icon. Although if you know how you should, we need to find a safe delivery system that's a bit easier for the average joe, who seems to enjoy living on the edge, downloading lots of shareware, and clicking on every e-mail attachment they get.
-
Symantec says worm attacks 25% of the time
IMHO, this is an unfounded rumor; it _will_ attack sco.com. Check out this excerpt from Symantec's report (scroll down about 1/4, to the "notes" section):
Due to the logic used to verify the date, the DoS only occurs 25% of the time.
That would explain this guy's report.
-
Regarding the DDoS'ing
From Symantec:
"Due to the logic used to verify the date, the DoS only occurs 25% of the time." -
Re:Who Said It'll Attack SCO? & A FUDworm?
Okay, let's go over some of the facts:
- The idea that the payload is inert comes from a single post on the internet by some random guy, and is now being quoted all over slashdot without anyone checking or verifying. It may turn out to be true, but either you should personally verify it, or at least wait for ONE other person to verify it before you start conspiracy theories.
- Norton Antivirus believes the payload to be an active DDOS against www.sco.com. So does F-Secure. So does McAfee.
- You can look at the worm yourself and verify that it contains references to www.sco.com. Combine this with the fact that the worm is fairly small and is UPX compressed, you can conclude that the worm author took up space with the reference for a reason, either to create conspiracy theories (which would be unprecedented for a worm/virus I believe) or it's actually to DDOS a website (happens all the time with worms/viruses).
- The partial disassembly that people have posted so far indicates that the worm does use the www.sco.com address while creating a thread, opening a socket, and sending some data.
-
Version 2 commentary
By now you probably have heard that there's a new version (MyDoom.B) that is also making its way across the Internet, this time supposedly targeting Microsoft.
According to Symantec, this version now modifies your HOSTS file to try and disable the user from being able to reach antivirus websites.
Among other entries in the HOSTS file are Doubleclick, FastClick, and some other advertising-related companies. Should I be concerned or happy that the virus may make surfing the web a little bit better by doing this?
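A defender-side check for the HOSTS tampering the comment describes, as an added example that is not from the page or from Symantec: it parses a hosts file, flags vendor domains pointed at loopback or 0.0.0.0 (which makes them unreachable), and rebuilds the file without those lines. The vendor list and the sample file are constructed for the example.

```python
import ipaddress

# Constructed vendor list for the example; in practice load it from configuration.
VENDOR_DOMAINS = ("symantec.com", "mcafee.com", "f-secure.com",
                  "sophos.com", "trendmicro.com")
# A hostname mapped into either range can no longer be reached from the machine.
SINKHOLE_NETWORKS = (ipaddress.ip_network("127.0.0.0/8"),
                     ipaddress.ip_network("0.0.0.0/8"))


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for host in parts[1:]:
            yield addr, host.lower(), line_no


def matches_vendor(host):
    """True for a vendor domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def suspicious_entries(text):
    """Return the mappings that sinkhole a vendor domain, with their line numbers."""
    findings = []
    for addr, host, line_no in parse_hosts(text):
        if matches_vendor(host) and any(addr in net for net in SINKHOLE_NETWORKS):
            findings.append({"line": line_no, "host": host, "address": str(addr)})
    return findings


def restore_hosts(text):
    """Rebuild the file without the offending lines; everything else is kept as-is."""
    bad = {f["line"] for f in suspicious_entries(text)}
    kept = [ln for i, ln in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample of a tampered hosts file (not taken from a real infection).
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
0.0.0.0 www.symantec.com securityresponse.symantec.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0 ad.doubleclick.net
192.0.2.10 intranet.example   # legitimate local override
"""

if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']}")
```

Ad-network lines such as the Doubleclick entry are not flagged because the check is scoped to VENDOR_DOMAINS; widen that list if the policy should cover them too.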
-
Re:SCO probably wrote it
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
Scroll down near the bottom, under Additional Information, it appears that it avoids sending itself to the hotmail.com domain. -
Re:No it's not down..
Further analysis of the worm has shown that it's only designed to DDOS sco.com between February 1st and February 12th. Note that Netcraft has logged sporadic problems on SCO's connection, presumably due to individual computers having their clocks set incorrectly.
But as Perens said... it's not a good thing that the worm still has a good chance of knocking SCO.com down for a while.
-
Re:Did anyone even read the Symantec virus writeup
From looking at Symantec's list of strings the worm ignores (look in "additional info" a little below "removal instructions"), it looks like it doesn't ignore all .edu sites but only a specific subset of them:
- berkeley
- mit.e
- isi.e
- tanford.e
- utgers.ed
The rest are fair game.
-
Did anyone even read the Symantec virus writeup?
Check out what the virus targets and doesn't target. It ignores .EDU addresses, as well as a host of other *nix places, including .gov and what not. While we may complain about how this virus makes us look at a whole, at least give the writer a nod for being courteous about the sites he/she targeted. Go on, read it -
Why is sco.com already down?
Symantec say that the DDOS will begin on February 1st.
Looks like SCO have taken their site down too early. -
According to Symantec...
the DOS isn't supposed to start until Feb 1. Maybe this is related to some sort of network "hardening" in preparation. More info
-
Re:Finally!
Not true. According to symantec,
"The DoS is active between February 1, 2004 and February 12, 2004."
So I guess that www.sco.com will be back up by Feb. 13th... -
WinXP has native .zip handling...
Windows XP handles zip files natively, unlike earlier versions that required using a third-party application like winzip. This virus and the many incantations of mimail prey on this. If you are running an older version of Windows you might pause when winzip comes up when you click on the attachment, but if you are running XP and don't look at it, a simple click will open it.
-
Symantec Sec Response
Hmmm guess its a good idea to keep an eye on it.
-
Re:Hopefully it will be like its namesake
I was making a mild and flamish reference to the ESA's beagle2 lander...not bagles.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html -
The Beagle Virus may be connected to US Politics
What we know:
1. A new virus is "discovered on: January 18, 2004" by Symantec. This is the day before the Iowa Caucuses.
2. By 10:00 EST The virus has only started to affect a few sites. (at 10:00 look at "wild score" was low 0-2 sites)
3. This virus of limited distribution at that time blasts out via PoliticsOnline.
4. The virus is a W32.Beagle.A@mm is a mass-mailing worm that will only work until 28th of January. This is the day after the New Hampshire primary.
5. Virus is disruptive in that it overwhelms communities. The virus grabs a local address book and sends emails to a certain number of people within that particular address book.
6. The virus does little relative damage so that it is not a high priority to fix for individual users.
Context.
While this virus may seem like a low grade kiddy spammer nuisance. Some spammer trying to get names to sell for a few grand or it is targeted to disrupt computer administrators during a key period of the Democratic primary season offsetting hundreds of thousands of dollars in organizing strength. If campaigns had plans to use email as a way to organize GOTV (Get Out the Vote) activities, rapid response to events, deployments of volunteers, rides to the polls, etc. the virus could influence thousands of votes in a dead heat race.
While it is likely that it is a prank by a teenager, there is an outside potential that the virus was released by a campaign that was not dependent on email as a communication tool to gain organizing advantage and disrupt the capacity of an opponent's organization.
Network-centric struggle would suggest that knocking out communications capacity and reliability of chain of command of a decentralized leadership would create a huge advantage. It seems to be a little tightly coordinated and professionally executed (insider game targeting PoliticsOnline rather than campaign email lists) for a teen hack.
Lesson:
This could be a serious attack (only the next 12 hours will tell). At a minimum it is a good lesson to prepare campaigns to avoid dependency that can create a single point of failure.
-
Re:Antivirus Company Submissions
So far, I've submitted copies of this to Symantec, and ClamAV, both of which did not detect it in the latest definitions.
Either you're lying or you don't have the latest definitions.
From the Symantec page: Virus Definitions (LiveUpdate(TM)) ** January 18, 2004
1, It's 20th today, and this thing has been in the defs since 18.
2, I use NAV and it detected the worm fine for me...
To me it's unbelievable that people get infected with this thing. There's no good social engineering applied to the worm or the email message, the attachment is a .exe, which is something companies should be filtering (people wanting to send executables can zip them) and it doesn't use any exploits. It's just unbelievable that this can happen... AGAIN! -
Re:Interesting Tidbit
According to Symantec
The worm will only work until January 28th, 2004 (see note at step 1 below).
So hopefully it won't go too far before then -
For the google impaired
-
NAV already detects it...
... according to Symantec's Security Response (since 1/18/2004).
-
Antivirus Company Submissions
-
Some constructive MSIE user suggestions
- For those of us using MSIE for one reason or another I can't recommend strongly enough MyIE2. A free shell for MSIE it adds another 2MB but in that include features like tabs, mouse gestures, various sorts of filtering including by string and by domain, and yes, trivially enabling & disabling Flash. There are other similar products but IMHO this is the smoothest.
- Next I'm betting the Google Toolbar will be revved pretty quickly to counter this, they'd be fools not to. Indeed I'm betting nearly every pop-up blocker will be jumping on these. FWIW I use Norton Internet Security Pro and its ad-filtering is pretty good once one undoes its favored-partners exceptions.
- Finally there will indeed be a rush to block the offending IP's, unless the advertisers get crafty and start making their adverts appear to come from the content IP's, then it'll be ugly everywhere. Hopefully things won't come to that and over the next few days we'll start seeing handy "filter these" notices.
- And yes, there will be the flood of "Switch to Mozilla", "Use Linux" & "Use MacOS X & Safari" etc. postings. Thanks folks but most of us are well aware of those options and for one reason or another aren't taking advantage of 'em, or are but also using MSWin & MSIE too. Just deal with the fact that there are unenlightened or dissenting or locked-in folks and not be annoying proselytizers please. Oh, and MyIE2 is beta-ing Mozilla support for those wanting/needing to keep a foot in each camp.
-
I would consider those websites spyware too..
Many of those misdirect/mistype sites do a lot more than deliver popups. They also use IE flaws to reset the home page, install spyware, install additional popups, etc.
Plus then you have fun viruses like Trojan.sinkin that spread through AIM using IE holes and deliver popups.
-
Re:Apache is damned good.
-
Re:Update...
I suppose I should have linked. Here is a link:
http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html
falcontx