[iwar] Perception Management


From: Fred Cohen
From: fc@all.net
To: iwar@egroups.com

Mon, 8 May 2000 04:11:31 -0700 (PDT)



Date: Sun, 07 May 2000 20:51:47 -0400
From: cybercrimes@theMezz.com
Subject: Virus posing as Symantec email could be worst

Saturday May 06 12:00 PM EDT 

Virus posing as Symantec email could be worst

By Paul Festa, CNET News.com

A recent "Love" bug copycat masquerading as a Symantec cure for the
virus appears to be the most destructive variant yet. 
 
Variations on a virus

The "Love" bug and six of its variants spotted so far.

Version  Subject                                     Attachment name              Seen "in the wild"
a        I Love You                                  LOVE-LETTER-FOR-YOU.TXT.vbs  yes
b        Susitikim shi vakara kavos puodukui...*     LOVE-LETTER-FOR-YOU.TXT.vbs  yes
c        FWD: JOKE                                   VERYFUNNY.vbs                yes
d**      I Love You                                  LOVE-LETTER-FOR-YOU.TXT.vbs  yes
e        Mother's Day Order Confirmation             mothersday.vbs               no
f***     Dangerous Virus Warning                     virus_warning.jpg.vbs        yes
g****    VIRUS ALERT!!!                              protect.vbs                  yes
h*****   A killer for VBS/LoveMail and VBS/Kak worm  viruskiller.vbs              yes

* Lithuanian for "Let's meet tonight for a cup of coffee."

** underlying code changed.

*** message body reads: "There is a dangerous virus circulating.  Please
click attached picture to view it and learn to avoid it."

**** message body begins: "Dear Symantec customer," and includes
detailed explanation of the Love Letter virus.  Variant targets some
system files. 

***** message body begins: "Start the attachment to clean all you (sic)
files and hard discs (sic)."

Source: McAfee and Symantec  

The mutation comes in an email with the subject header "VIRUS ALERT!!!"
The email begins, "Dear Symantec customer," and proceeds to describe the
virus in detail.  Its attachment is called "protect.vbs."

This variant overwrites, in addition to the image and audio files
already overwritten or hidden by the original "Love" bug, system files
that lie at the heart of some crucial computing functions. 

Victims of this variant would be "in trouble," warned Vincent Weafer,
director of Symantec's antivirus research center.  "It's going to target
some system files."

Because its name is fraudulently attached to the latest, most virulent
strain, Symantec is taking extra measures to warn against it.  The
company is posting an alert to its Web site, issuing a press release,
and emailing its corporate customers. 

The files targeted by the new variant are batch files (.bat) and command
files (.com), Symantec said. 

Batch files are used for utilities or upon start-up, a common example
being the "autoexec.bat" file for the computer's start-up configuration
file.  Command files are DOS-executable files, used for simple commands
such as "edit," "format" or "disk copy."

Weafer said the use of Symantec's name in the virus email was not
surprising. 

"It's fairly common to see both viruses and hoaxes that purport to come
from Microsoft or other organizations as fixes," he said.  "This is all
about social engineering, about trying to get you to open up the file. 
Whether it's a Mother's Day greeting or a virus alert, everything is
designed to get you to lower your guard."

Antivirus firms identified at least eight variations including the
original earlier today.  Alterations in these variants are for the most
part in the packaging, with the virus coming attached to emails
variously labeled "I Love You," "FWD: JOKE," "Susitikim shi vakara kavos
puodukui..." (Lithuanian for "Let's get a cup of coffee") and "Mother's
Day Order Confirmation."

Another fraudulent fix packing the viral payload comes in an email
headed "Dangerous Virus Warning" and carries an attachment labeled
"virus_warning.jpg.vbs," said antivirus firm McAfee. 

Symantec, which counted 10 variants in all so far, warned against still
a third of this type with the attachment "VirusKiller.vbs."

Source
http://dailynews.yahoo.com/h/cn/20000506/tc/virus_posing_as_symantec_email_could_be_worst_2.html
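
Added example, not part of the original post or the quoted article: a mail-gateway style check that flags attachment names of the kind listed in the table above, a script extension that may be hidden behind a decoy such as .TXT or .jpg. Only .vbs comes from the article; the other extensions, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# .vbs is the attachment type named in the article; the other entries are an
# assumed list of extensions that Windows runs directly when double-clicked.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".com"}
# Harmless-looking extensions placed in front of the real one as a decoy.
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".pdf"}

def classify(filename):
    """Return None if the name looks harmless, else a short reason string."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = filename.strip().rstrip(". ").lower()
    suffixes = PurePosixPath(name).suffixes
    if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "script with decoy double extension"
    return "script attachment"

def scan_message(raw):
    """Return [(filename, reason)] for every risky attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        reason = classify(filename) if filename else None
        if reason:
            hits.append((filename, reason))
    return hits

def build_sample():
    """Constructed test message with inert placeholder attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Dangerous Virus Warning"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("placeholder body")
    for name in ("virus_warning.jpg.vbs", "protect.vbs", "notes.txt"):
        msg.add_attachment(b"inert placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"{name}: {reason}")
```

The check keys on the final extension, which is what Windows acts on, so a changed subject line or attachment base name does not affect the result.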
