Cobol - Windows Virus using group posters

Author

Windows Virus using group posters

Richard

2004-08-09, 8:55 pm

I have received a number of EMails purportedly sent from names found
in this group. It is quite possible that others may receive some
aledgedly from me. These contain a 'newprice.zip' or 'price-2.zip' or
similar but appears to be a Windows Virus (R)tm.

Do not open these, or if you do then don't do it using a Windows
machine.

JerryMouse

2004-08-10, 3:55 am

Richard wrote:
> I have received a number of EMails purportedly sent from names found
> in this group. It is quite possible that others may receive some
> aledgedly from me. These contain a 'newprice.zip' or 'price-2.zip' or
> similar but appears to be a Windows Virus (R)tm.
>
> Do not open these, or if you do then don't do it using a Windows
> machine.

VERY common for the do-bads to harvest names from newsgroups. Anyone using a
vailed email address not only puts themselves and others at risk.

Hugh Candlin

2004-08-10, 3:55 am

Richard <riplin@Azonic.co.nz> wrote in message news:217e491a.0408091346.26a5c518@posting.google.com...
> I have received a number of EMails purportedly sent from names found
> in this group. It is quite possible that others may receive some
> aledgedly from me. These contain a 'newprice.zip' or 'price-2.zip' or
> similar but appears to be a Windows Virus (R)tm.
>
> Do not open these, or if you do then don't do it using a Windows
> machine.

Latest Bagle variant gets an e-mail head start

http://www.msnbc.msn.com/id/5652313/

"The new variant, dubbed Bagle.al,
generated a glut of e-mails with the simple message "price" or "new price."
Attachments to the e-mail were named with some variation of the word price,
such as new_price.zip, price_new.zip, or price_08.zip."

"The virus is also clever enough to spoof, or replace,
the "from:" line in the e-mails with the name of a sender
that may be familiar to the recipient.
That increases the likelihood that an unwitting Internet user
might open the e-mail. Antivirus experts urged caution."

Michael Wojcik

2004-08-10, 3:55 pm

In article <PMidndlOI9PCs4XcRVn-rw@giganews.com>, "JerryMouse" <nospam@bisusa.com> writes:
>
> VERY common for the do-bads to harvest names from newsgroups. Anyone using a
> vailed email address not only puts themselves and others at risk.

Nonsense. People who can't distinguish malware from legitimate
email, and who open email attachments, and who run vulnerable
email clients put themselves at risk. It's not my job to "protect"
them by using a bogus email address on Usenet.

--
Michael Wojcik michael.wojcik@microfocus.com

Only the obscene machine has persisted
jerky and jockeying and not knowing why
I have never existed. Nor should. -- George Barker

SkippyPB

2004-08-10, 3:55 pm

On 9 Aug 2004 14:46:01 -0700, riplin@Azonic.co.nz (Richard)
enlightened us:

>I have received a number of EMails purportedly sent from names found
>in this group. It is quite possible that others may receive some
>aledgedly from me. These contain a 'newprice.zip' or 'price-2.zip' or
>similar but appears to be a Windows Virus (R)tm.
>
>Do not open these, or if you do then don't do it using a Windows
>machine.

I haven't seen it yet but there is a new variant of an old worm going
around the internet right now. W32/Bagle.aq@MM is a medium risk
mass-mailing worm that tries to open a hacker backdoor on your PC.
Launched by code hidden inside a ZIP attachment, the virus spreads by
emailing itself to stolen contacts and via popular file-sharing
programs such as KaZaa, Bearshare and Limewire. It also tries to
terminate anti-virus and other security software operation.

You can spot one of those by looking at the following email headings:

FROM: Varies (spoofed)
SUBJECT: Blank
BODY: Examples: new price, The password is, Password:
ATTACHMENT: Examples: price.zip, price2.zip, price_new.zip

Do not open the zip file and delete the email and you'll be safe.

Regards,

////
(o o)
-oOO--(_)--OOo-

"The most important thing is for us to find Osama Bin Laden.
It is our number one priority and we will not rest until we
find him." - George W. Bush, Sept. 13, 2001

"I don't know where he is. I have no idea, and I really don't
care. It's not that important. It's not our priority."
- George W. Bush, March 13, 2002
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remove nospam to email me.

Steve

JerryMouse

2004-08-10, 8:55 pm

Michael Wojcik wrote:
> In article <PMidndlOI9PCs4XcRVn-rw@giganews.com>, "JerryMouse"
> <nospam@bisusa.com> writes:
>
> Nonsense. People who can't distinguish malware from legitimate
> email, and who open email attachments, and who run vulnerable
> email clients put themselves at risk. It's not my job to "protect"
> them by using a bogus email address on Usenet.

1. It protects you from, at least, an avalanche of spam. One address I used
on newsgroups three years ago STILL generates over 200 spams PER DAY to our
domain.

2. The net is a cooperative - or uncooperative - venture. You run the risk
of having your email address or domain blocked by these same inexperienced
users or ISP sy

mins (who THINK the virus came from you). With sufficient
blocking, you will end up on an intranet.

You may rant that: "I should not be blocked! That crap didn't come from me!"
To which many sy

mins will respond: "FOAD spammer. I don't care. Your
address is dropped so far down in my deny tables it'll never get out."

3. It's for the children.

Donald Tees

2004-08-11, 3:55 pm

Michael Wojcik wrote:
>
> I'm not concerned about having my address blocked by idiots. The less
> I communicate with idiots, the better.
>
> I've been posting on Usenet since 1991. I've always used a valid email
> address; for the past few years, each of my messages has included two,
> in fact, since I use my personal address for the reply-to header and my
> corporate one appears in my signature. I've yet to have a message I
> sent bounced because some sy

min blocked it, or to hear that some
> message I sent was black-holed for similar reasons.
>
> The Internet is indeed to some extent a cooperative venture, and I
> cooperate by following the intent of the RFCs, one of which is that
> Usenet posters will provide a return address for emailed replies.
> Many posters can't deal with the "avalanche of spam", as it is
> popularly known, that results from posting with a valid address, and
> so omit it. I'm willing to tolerate that, but I will not entertain
> the idea that I have some ethical obligation to do the same.
>
> In any event, it's moot in my case, and in the case of anyone else
> who's posted on Usenet since 1997 with a valid address, since
> spammers can easily harvest those addresses from Google and the like
> regardless of how we post in the future.
>
> We've had the solution to forged email for years: signed email, whether
> that's S/MIME or a PGP derivative or what have you. When people care
> enough to start using signed email in significant numbers, I'll get a
> personal certificate (or, more likely, Micro Focus will get me one)
> and the problem will be resolved - except for idiots, and again that's
> not my problem.
>
> I believe I've more than done my share to assist in improving Internet
> security. My systems are firewalled and regularly scanned for a
> variety of malware. They're up to date on patches. The OSes and
> applications are hardened insofar as they can be configured to be. I
> avoid known-insecure software where possible. I follow a number of
> computer security discussions. I think I've got a nice karmic head-
> start over J. Random Usenet Poster With A Munged Address, thank you
> very much.
>

Well said.

I have also used my real address for years, and cannot see a downside
for an educated user. Granted, people that open everything that arrives
in the mail may have problems, but then people that have sex with
strangers have the same problem. I also do not use a virus checker ...
I use Linux for mail. IMO, the Linux system and my own brain are better
than any virus checker on the market.

Donald

Richard

2004-08-12, 3:55 am

"JerryMouse" <nospam@bisusa.com> wrote

> VERY common for the do-bads to harvest names from newsgroups. Anyone using a
> vailed email address not only puts themselves and others at risk.

Your use of 'vailed' is confusing - do you mean 'veiled' or 'valid' -
these are opposites.

I will assume you meant 'valid'.

I use valid email addresses for many things, the group is just one,
and have done for many years. While these can be harvested I cannot
change any past usage and refuse to disguise my current usage.

The email address does _not_ put me 'at risk'. I can deal with spam
attacks. What does annoy me is the ignorant admins who bounce spam to
me, but again I deal with it before it even gets into my network.

Others are only 'at risk' if they are using crap software that
'enriches the user experience' by making decisions for them and
allowing malicious software to run. A survey came to the conclusion
that currently 60% of spam comes from MS Windows machines that have
been 'owned' by spammers and these are pumping out the messages while
the user is completely unaware of that happening.

It is the MS Windows machines that are putting the rest of us 'at
risk' of spam attacks.

JerryMouse

2004-08-13, 3:55 pm

mins (who THINK the virus came from you). With sufficient
blocking, you will end up on an intranet.

You may rant that: "I should not be blocked! That crap didn't come from me!"
To which many sy

mins will respond: "FOAD spammer. I don't care. Your
address is dropped so far down in my deny tables it'll never get out."

3. It's for the children.

Michael Wojcik

2004-08-14, 8:55 am

In article <qpydnZ5hcfSFwITcRVn-tQ@giganews.com>, "JerryMouse" <nospam@bisusa.com> writes:
> Michael Wojcik wrote:
>
> 1. It protects you from, at least, an avalanche of spam.

Shrug. My corporate email account is protected by MessageLabs, and
gets only a few spam messages a day. My personal account is not, and
gets sometimes hundreds of spam messages a day, which take me a few
seconds to delete. If they ever start to annoy me, I'll enable
Baysian filtering and train the filter to do the job for me.

> 2. The net is a cooperative - or uncooperative - venture. You run the risk
> of having your email address or domain blocked by these same inexperienced
> users or ISP sy

mins (who THINK the virus came from you). With sufficient
> blocking, you will end up on an intranet.

I'm not concerned about having my address blocked by idiots. The less
I communicate with idiots, the better.

I've been posting on Usenet since 1991. I've always used a valid email
address; for the past few years, each of my messages has included two,
in fact, since I use my personal address for the reply-to header and my
corporate one appears in my signature. I've yet to have a message I
sent bounced because some sy

min blocked it, or to hear that some
message I sent was black-holed for similar reasons.

The Internet is indeed to some extent a cooperative venture, and I
cooperate by following the intent of the RFCs, one of which is that
Usenet posters will provide a return address for emailed replies.
Many posters can't deal with the "avalanche of spam", as it is
popularly known, that results from posting with a valid address, and
so omit it. I'm willing to tolerate that, but I will not entertain
the idea that I have some ethical obligation to do the same.

In any event, it's moot in my case, and in the case of anyone else
who's posted on Usenet since 1997 with a valid address, since
spammers can easily harvest those addresses from Google and the like
regardless of how we post in the future.

We've had the solution to forged email for years: signed email, whether
that's S/MIME or a PGP derivative or what have you. When people care
enough to start using signed email in significant numbers, I'll get a
personal certificate (or, more likely, Micro Focus will get me one)
and the problem will be resolved - except for idiots, and again that's
not my problem.

I believe I've more than done my share to assist in improving Internet
security. My systems are firewalled and regularly scanned for a
variety of malware. They're up to date on patches. The OSes and
applications are hardened insofar as they can be configured to be. I
avoid known-insecure software where possible. I follow a number of
computer security discussions. I think I've got a nice karmic head-
start over J. Random Usenet Poster With A Munged Address, thank you
very much.

--
Michael Wojcik michael.wojcik@microfocus.com

Only the obscene machine has persisted
jerky and jockeying and not knowing why
I have never existed. Nor should. -- George Barker

Michael Wojcik

2004-08-15, 3:55 am

In article <EcSdnTCpws2NHIbcRVn-hQ@giganews.com>, "JerryMouse" <nospam@bisusa.com> writes:
>
> All operating systems allow malware to run. The most catastrophic attack in
> the history of the internet was propagated on Unix boxes. With the impending
> lock-down of XP boxes (SP2), the degenerates will have to concentrate on
> Linux, OS10, BSD, and Unix systems to get their kicks.

While SP2 will improve the XP situation considerably, it's hardly going
to exclude Windows as a malware target:

- SP2 will not plug all the holes in Windows and other MS software
running on Windows. (Do you really think Microsoft has found every
ActiveX control that's incorrectly marked "safe for scripting", for
example? History certainly suggests otherwise.)

- SP2 will not plug all the holes in third-party software running on
Windows.

- SP2 doesn't apply to earlier versions of Windows, which are still
widely in use.

- SP2 can't be installed on pirate copies of XP, which are no doubt
widely in use.

And as for the Morris Worm being the "most catastrophic attack in the
history of the Internet" - that rather depends on the metric you use.
Certainly the published estimates for the "damage" caused by Code Red,
SirCam, or Slammer far exceed anything I've ever seen claimed for the
Morris Worm. (Whether those estimates are at all meaningful is
another question.) In terms of immediate infrastructure impact - how
much of the Internet was unavailable at any point in time - the Morris
Worm wins, I think. If your metric is financial, though, the Windows
worms have been a lot worse.

That's not to say that various other desktop OSes are necessarily
more secure than Windows. I believe they are, because of
Microsoft's excessive promotion of functionality and ease-of-use over
security, but the difference is by no means great enough to proclaim
them "secure". It is easier for a knowledgeable user to harden an
open-source Unix-variant desktop system than a Windows system, but
it's an open question how many users have that knowledge and make
that effort.

And, of course, vulnerabilities in Unix-variant OSes are reported
daily in the SecurityFocus mailing lists and the like. Attackers with
the requisite skills are already writing malware for those systems. I
don't see SP2 making a huge difference in how many of them choose to
target Unix over Windows, but I could be surprised.

--
Michael Wojcik michael.wojcik@microfocus.com

See who I'm! -- Jackie Chan and unknown subtitler, _Dragons Forever_

Michael Wojcik

2004-08-15, 3:55 am

Joe Zitzelberger

2004-08-15, 8:55 am

In article <EcSdnTCpws2NHIbcRVn-hQ@giganews.com>,
"JerryMouse" <nospam@bisusa.com> wrote:

>
> Your email address absolutely does put you at risk - a mope can't send you
> malicious mail if he doesn't know, or can't guess, your email address.

Only nasty if the reciever executes it...

>
> All operating systems allow malware to run. The most catastrophic attack in
> the history of the internet was propagated on Unix boxes. With the impending
> lock-down of XP boxes (SP2), the degenerates will have to concentrate on
> Linux, OS10, BSD, and Unix systems to get their kicks.

In rare cases, all operating systems have been compromised. Only one OS
family allows malware to execute, by default, without user input, and
calls it a feature.

What is this most catastrophic attack? The 1988 worm? Get real. It
messed up a few thousand hosts and inconvienced some g

s. It is
nothing compared to the dozens of Code Red, Melissa and I-Love-You
clones that each caused days long denial of service to large parts of
the world.

>
> Yep. That's millions of boxes trying to get into your machine. And they only
> have to be successful once.
>
>
> Whatever. All the more reason for you to take what steps you can to protect
> yourself. You can't do anything about the millions of MS machines attacking
> you; you can obfuscate your email address.

I can and I do do something -- I run a more secure OS, and keep an eye
on what occurs on my home network.

> You can curse the darkness or blow out your candle. (...that doesn't sound
> right... but you get the idea)

Reminds me of the old joke:

Q: How does Bill Gates change a light bulb?

A: He doesn't. He just redefines darkness as the industry standard.

JerryMouse

2004-08-15, 8:55 am

Richard wrote:
> "JerryMouse" <nospam@bisusa.com> wrote
>
>
> Your use of 'vailed' is confusing - do you mean 'veiled' or 'valid' -
> these are opposites.
>
> I will assume you meant 'valid'.

Yes. Sorry about the confusion. My spell checkeur sometimes doesn't work.

>
> I use valid email addresses for many things, the group is just one,
> and have done for many years. While these can be harvested I cannot
> change any past usage and refuse to disguise my current usage.

Okay with me. Your choice. This group is probably well below the squint's
radar.

>
> The email address does _not_ put me 'at risk'. I can deal with spam
> attacks. What does annoy me is the ignorant admins who bounce spam to
> me, but again I deal with it before it even gets into my network.

Your email address absolutely does put you at risk - a mope can't send you
malicious mail if he doesn't know, or can't guess, your email address.

>
> Others are only 'at risk' if they are using crap software that
> 'enriches the user experience' by making decisions for them and
> allowing malicious software to run.

All operating systems allow malware to run. The most catastrophic attack in
the history of the internet was propagated on Unix boxes. With the impending
lock-down of XP boxes (SP2), the degenerates will have to concentrate on
Linux, OS10, BSD, and Unix systems to get their kicks.

> A survey came to the conclusion
> that currently 60% of spam comes from MS Windows machines that have
> been 'owned' by spammers and these are pumping out the messages while
> the user is completely unaware of that happening.

Yep. That's millions of boxes trying to get into your machine. And they only
have to be successful once.

>
> It is the MS Windows machines that are putting the rest of us 'at
> risk' of spam attacks.

Whatever. All the more reason for you to take what steps you can to protect
yourself. You can't do anything about the millions of MS machines attacking
you; you can obfuscate your email address.

You can curse the darkness or blow out your candle. (...that doesn't sound
right... but you get the idea)

Donald Tees

2004-08-15, 8:55 am

JerryMouse wrote:
>
> Your email address absolutely does put you at risk - a mope can't send you
> malicious mail if he doesn't know, or can't guess, your email address.
>

Jerry, this actually made me laugh. Sure, it is absolutely true.

However, every single person in here is in the software business. It is
really hard to do business with people if you keep your contact
information secret. Tell me what the point of a secret mail address that
nobody knows is, and I may start using one, though god knows what I
would use it for.

Donald
;< )

JerryMouse

2004-08-15, 8:55 am

Donald Tees wrote:
> JerryMouse wrote:
>
> Jerry, this actually made me laugh. Sure, it is absolutely true.
>
> However, every single person in here is in the software business. It
> is really hard to do business with people if you keep your contact
> information secret. Tell me what the point of a secret mail address
> that nobody knows is, and I may start using one, though god knows
> what I
> would use it for.

Not secret - confidential.

1. For public postings, use obfuscated - but human-correctable - addresses
such as:
me-at-mydoman-dot-com.
2. For websites, use a graphic for your email address (or a form) rather
than text.
3. For sign-ups, use a name that you can deflect if the vendor ever shares,
such as citybank@mydomain.com (of course this means you have to activate a
catch-all account on your mail server). (I often use abuse@aol.com when some
service demands an address.)

Hugh Candlin

2004-08-15, 8:55 am

Donald Tees

2004-08-16, 8:55 am

Joe Zitzelberger

2004-08-17, 3:55 pm

Donald Tees

2004-08-18, 3:55 am

JerryMouse

2004-08-18, 8:55 am

Sponsored Links