[iwar] [fc:New.'anthrax'.email.worm.is.a.dud]

From: Fred Cohen (fc@all.net)
Date: 2001-10-17 21:32:56



New 'anthrax' email worm is a dud 
Robert Lemos, ZDNet News, 10/17/2001 http://news.zdnet.co.uk/story/0,,t269-s2097422,00.html

A new computer worm that attempts to ride on the coattails of the
anthrax scare emerged Tuesday, but numerous errors on the part of the
program's author seem to have scuttled any chance the worm has to
spread.

The worm is technically known as VBS.VBSWG.AF, or more colloquially as
"Antrax." It was discovered in an email with a subject line that
misspelled the name of the deadly anthrax disease as "Antrax." The email
body also contains a message written in Spanish.

An English translation of the message provided by antivirus firm
Symantec read: "If you don't know what antrax is or what the results of
it are, please see the attached picture so that you can see the results
that it has. Note: the picture might be too strong."

The worm is attached to the message as a Visual Basic Script (VBS) file,
and had been created with the VBS Worm Generator -- the same
point-and-click application that created the Anna Kournikova virus early
this year.

However, this worm doesn't seem to be destined to become an Internet
epidemic as was the Anna virus. First, most antivirus software can
already detect worms created with the VBS Worm Generator program. Both
Symantec's and NAI's antivirus software recognises the Antrax worm as a
creation of that toolkit.

The backbreaker for this particular program: The script that emails the
worm to every entry in a user's Microsoft Outlook address book has a
flaw which prevents Antrax from spreading, the Symantec advisory said.

Anthrax -- a disease caused by bacteria that can often be fatal,
especially if the spores are inhaled -- came to the public's attention
as a potential bioweapon soon after the 11 September terrorist attacks
on the World Trade Center and Pentagon. A photo editor at a newspaper in
Boca Raton, Florida, died earlier this month after inhaling a form of
anthrax, sparking concerns among many people that the sudden spread of
the disease was part of a terrorist plot.

In the past two weeks, numerous envelopes containing anthrax spores have
been delivered to NBC Nightly News and ABC News in New York, a Microsoft
office in Nevada and Senator Tom Daschle's office in Washington D.C.

As the disease has captured the public's attention and has raised safety
concerns, the author of the Antrax worm seems to have attempted to
piggyback on those fears.

At least one antivirus company has publicised the worm as a threat.
Central Command on Tuesday published incomplete details of the worm,
indicating that it could spread by both email and the Internet relay
chat (IRC) system used by people to send messages in real time.

Yet, while rival Symantec confirmed the worm could potentially spread
through IRC, the company's analysis of the broken email script led it to
assign the worm a threat of "1" -- the lowest rating.

Supporting the analysis, mail service provider MessageLabs, which
publishes data on the email attachments captured by its security
software, did not include the Antrax worm in its list of top 10 captured
files for the day, indicating that it had not spread.

In addition, antivirus firm Trend Micro, which also publishes data on
the most prevalent viruses cleaned from computer systems by its
HouseCall program, did not list the worm.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:55 PST