[Dixielandjazz] V-i-r-u-s-e-s and DJML.. Practical Implications

BudTuba@aol.com BudTuba@aol.com
Sat, 5 Oct 2002 11:42:52 EDT



In a message dated 10/4/02 2:07:24 PM Eastern Daylight Time, 
david_haupt@agilent.com writes:


> When Bugbear sends an email, it uses a "from" address that does not belong 
> to the infected computer.  It randomly chooses an address from any message 
> in your inbox, outbox, sentbox, or maybe even hatbox.  It uses that as the 
> "from" address and randomly picks a victim the same way.  So, if Bill 
> Gunter seems to receive the bug from Bob Ringwald, the only thing we can 
> say for certain is that somebody's PC somewhere has the infection, and has 
> also received emails from both of those fine gentlemen, or has sent emails 
> to them.  That pretty much qualifies everybody on DJML.  Bugbear is 
> additionally deceptive, because it uses, as message text and title, a title 
> and text it finds in some message on your PC.  So it is very easy to fool 
> someone into thinking it's a legitimate email.
> 

This is very similar to the operation of the worm "Klez" and its variants.  
As with Bugbear, Norton and McAfee offer cleaning procedures.  The Klez worm 
finds executables on your computer and replaces the program with zeros or 
nonsense.  The size of the file and its date of creation do not change, so 
a simple directory check will not tell you anything.  This program also picks 
up your email address and sends intriguing messages to others in your email 
listings as if the message was sent from you.  If there is a message, it is 
usually very minimal and in poor English, or non-existent.  A file is attached 
with a .ZIP extension.  You have to download the file to actuate the virus.  
If you do download the .ZIP file it will run, but you will not notice anything 
happening.  The Norton procedure creates a DOS program which operates with 
Windows in Safe mode.  Any programs in your computer which have a 
footprint of having been infected are listed and erased.  That sometimes 
indicates that applications you have been using all along need to be 
reinstalled.  Our company started receiving messages of this sort from other 
companies we deal with.  However, they would be from "alex@XXX.com" and 
"alex" was not a person we recognized.  These companies were predominantly in 
Taiwan and Hong Kong.  I even received a message from a virus screening 
service in Taiwan that said I had sent the message to them!  The message they 
said I sent was attached and it did not agree with anything I had sent.  We 
checked our computers attached to the server with the Norton screening 
program and found one had some infected files.  It probably ate up the better 
part of one day to do that... so it is very costly.

Bottom line for DJML correspondents: if you do send files to each other, you 
need to assure the recipient that you have and what name it has.  It would be 
best to do this in two stages.  Send a message announcing your intention to 
send a .ZIP file (or other) and wait a while to actually send the message 
with the attachment.  That way your recipient has the assurance that you are 
doing a legitimate file transfer.  Certainly a pain in the A--.  

Perhaps most insidious is the transfer of images and sound files, since we 
have responded to the simplicity of doing exactly that.  Therefore, if you do 
not get a direct reference in the message from someone that the attachment is 
legitimate... don't open it until you have verified its authenticity.

Bud Taylor, Smugtown Stompers, Rochester, NY
                >>>Trad Jazz since 1958<<<
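Added example, not code from the original post or from any vendor: it shows why the "simple directory check" Bud mentions misses a Klez-style overwrite (same size, same date) while a content hash catches it. It assumes a constructed fake executable written into a temporary directory; no real worm or infected file is involved.

```python
import hashlib
import os
import tempfile

# Added example (not from the original post): a content-hash baseline that
# catches a Klez-style overwrite even when file size and date are unchanged.

def file_digest(path):
    """SHA-256 of a file's contents, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, suffixes=(".exe", ".dll", ".com", ".scr")):
    """Record (digest, size, mtime_ns) for every executable under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                rel = os.path.relpath(path, root)
                baseline[rel] = (file_digest(path), st.st_size, st.st_mtime_ns)
    return baseline

def check_against_baseline(root, baseline):
    """Return (flagged_by_listing, flagged_by_hash); listing uses size and date only."""
    by_listing, by_hash = [], []
    for rel, (digest, size, mtime_ns) in baseline.items():
        path = os.path.join(root, rel)
        st = os.stat(path)
        if (st.st_size, st.st_mtime_ns) != (size, mtime_ns):
            by_listing.append(rel)
        if file_digest(path) != digest:
            by_hash.append(rel)
    return sorted(by_listing), sorted(by_hash)

def demo():
    """Constructed scenario: a fake .exe is zeroed in place, size and date kept."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "player.exe")  # constructed sample file
        with open(target, "wb") as f:
            f.write(b"MZ" + bytes(range(256)) * 4)
        st = os.stat(target)
        baseline = build_baseline(root)
        with open(target, "wb") as f:
            f.write(b"\x00" * st.st_size)  # same length, contents now zeros
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore date
        return check_against_baseline(root, baseline)
```

Running `demo()` returns an empty listing-check result and `["player.exe"]` from the hash check: the zeroed file is invisible to a size-and-date comparison but not to a stored digest.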
