[Dixielandjazz] V-i-r-u-s-e-s and DJML.. Practical Implications
BudTuba@aol.com
BudTuba@aol.com
Sat, 5 Oct 2002 11:42:52 EDT
--part1_16f.14f9ec92.2ad0627c_boundary
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
In a message dated 10/4/02 2:07:24 PM Eastern Daylight Time,
david_haupt@agilent.com writes:
> When Bugbear sends an email, it uses a "from" address that does not belong
> to the infected computer. It randomly chooses an address from any message
> in your inbox, outbox, sentbox, or maybe even hatbox. It uses that as the
> "from" address and randomly picks a victim the same way. So, if Bill
> Gunter seems to receive the bug from Bob Ringwald, the only thing we can
> say for certain is that somebody's PC somewhere has the infection, and has
> also received emails from both of those fine gentlemen, or has sent emails
> to them. That pretty much qualifies everybody on DJML. Bugbear is
> additionally deceptive, because it uses, as message text and title, a title
> and text it finds in some message on your PC. So it is very easy to fool
> someone into thinking it's a legitimate email.
>
This is very similar to the operation of the Worm "Klez" and its variants.
As with Bugbear, Norton, and McAfee offer cleaning procedures. The Klez worm
finds executables on your computer and replaces the program with zeros or
nonsense. The size of the file and its date of creation does not change, so
a simple directory check will not tell you anything. This program also picks
up your email address and sends intriguing messages to others in your email
listings as if the message was sent from you. If there is a message, it is
usually very minimal and poor English, or non-existent. A file is attached
with a .ZIP extension. You have to download the file to actuate the virus.
If you do download the .ZIP file it will run but you not notice anything
happening. The Norton procedure creates a DOS program which operates with
Windows in the Safe mode. Any programs in your computer which have a
footprint of having been infected are listed and erased. That sometimes
indicates that applications you have been using all along need to be
reinstalled. Our company started receiving messags of this sort from other
companies we deal with. However, they would be from "alex@XXX.com" and
"alex" was not a person we recognized. These companies were predominately in
Taiwan and HongKong. I even received a message from a virus screening
service in Taiwan that said I had sent the message to them! The message they
said I sent was attached and it did not agree with anything I had sent. We
checked our computers attached to the server with the Norton screening
program and found one had some infected files. Probably ate up the better
part of one day to do that....so is very costly.
Bottom line to DJML correspondents. If you do send files to each other, you
need to assure the recipient that you have and what name it has. It would be
best to do this in two stages. Send a message announcing your intention to
send a .ZIP file (or other) and wait a while to actually send the message
with the attachment. That way your recipient has the assurance that you are
doing a legitimate file transfer. Certainly a pain in the A--.
Perhaps most insidious is the transfer of images and sound files since we
have responded to the simplicity of doing exactly that. Therefore, if you do
not get a direct reference in the message from someone that the attachment is
legitimate...don't open it until you have verified its authenticity.
Bud Taylor, Smugtown Stompers, Rochester, NY
>>>Trad Jazz since 1958<<<
--part1_16f.14f9ec92.2ad0627c_boundary
Content-Type: text/html; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
<HTML><FONT FACE=arial,helvetica><BODY BGCOLOR="#ffffff"><FONT style="BACKGROUND-COLOR: #ffffff" SIZE=2 FAMILY="SERIF" FACE="Bookman Old Style" LANG="0">In a message dated 10/4/02 2:07:24 PM Eastern Daylight Time, david_haupt@agilent.com writes:<BR>
<BR>
</FONT><FONT COLOR="#000000" style="BACKGROUND-COLOR: #ffffff" SIZE=2 FAMILY="SANSSERIF" FACE="Arial" LANG="0"><BR>
<BLOCKQUOTE TYPE=CITE style="BORDER-LEFT: #0000ff 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px; PADDING-LEFT: 5px">When Bugbear sends an email, it uses a "from" address that does not belong to the infected computer. It randomly chooses an address from any message in your inbox, outbox, sentbox, or maybe even hatbox. It uses that as the "from" address and randomly picks a victim the same way. So, if Bill Gunter seems to receive the bug from Bob Ringwald, the only thing we can say for certain is that somebody's PC somewhere has the infection, and has also received emails from both of those fine gentlemen, or has sent emails to them. That pretty much qualifies everybody on DJML. Bugbear is additionally deceptive, because it uses, as message text and title, a title and text it finds in some message on your PC. So it is very easy to fool someone into thinking it's a legitimate email.<BR>
</BLOCKQUOTE><BR>
</FONT><FONT COLOR="#000000" style="BACKGROUND-COLOR: #ffffff" SIZE=2 FAMILY="SERIF" FACE="Bookman Old Style" LANG="0"><BR>
This is very similar to the operation of the Worm "Klez" and its variants. As with Bugbear, Norton, and McAfee offer cleaning procedures. The Klez worm finds executables on your computer and replaces the program with zeros or nonsense. The size of the file and its date of creation does not change, so a simple directory check will not tell you anything. This program also picks up your email address and sends intriguing messages to others in your email listings as if the message was sent from you. If there is a message, it is usually very minimal and poor English, or non-existent. A file is attached with a .ZIP extension. You have to download the file to actuate the virus. If you do download the .ZIP file it will run but you not notice anything happening. The Norton procedure creates a DOS program which operates with Windows in the Safe mode. Any programs in your computer which have a footprint of having been infected are listed and erased. That sometimes indicates that applications you have been using all along need to be reinstalled. Our company started receiving messags of this sort from other companies we deal with. However, they would be from "alex@XXX.com" and "alex" was not a person we recognized. These companies were predominately in Taiwan and HongKong. I even received a message from a virus screening service in Taiwan that said I had sent the message to them! The message they said I sent was attached and it did not agree with anything I had sent. We checked our computers attached to the server with the Norton screening program and found one had some infected files. Probably ate up the better part of one day to do that....so is very costly.<BR>
<BR>
Bottom line to DJML correspondents. If you do send files to each other, you need to assure the recipient that you have and what name it has. It would be best to do this in two stages. Send a message announcing your intention to send a .ZIP file (or other) and wait a while to actually send the message with the attachment. That way your recipient has the assurance that you are doing a legitimate file transfer. Certainly a pain in the A--. <BR>
<BR>
Perhaps most insidious is the transfer of images and sound files since we have responded to the simplicity of doing exactly that. Therefore, if you do not get a direct reference in the message from someone that the attachment is legitimate...don't open it until you have verified its authenticity.<BR>
<BR>
</FONT><FONT COLOR="#000000" style="BACKGROUND-COLOR: #ffffff" SIZE=2 FAMILY="SERIF" FACE="Benguiat Bk BT" LANG="0">Bud Taylor, Smugtown Stompers, Rochester, NY<BR>
>>>Trad Jazz since 1958<<<</FONT></HTML>
--part1_16f.14f9ec92.2ad0627c_boundary--