Another Windows worm on the way: Mimail.q

 
 
steve
      01-27-2004
This one looks pretty bad.

Details here:

http://www.kaspersky.com/news.html?id=3614506

It uses a polymorphic encrypted key so that each time it starts up it looks
different.

This makes it hard for AV programs to detect and remove. They effectively
need to de-crypt the virus each time.




 
Lennier
      01-27-2004
On Tue, 27 Jan 2004 17:40:18 +1300, steve wrote:

> This one looks pretty bad.
>
> Details here:
>
> http://www.kaspersky.com/news.html?id=3614506
>
> It uses a polymorphic encrypted key so that each time it starts up it looks
> different.
>
> This makes it hard for AV programs to detect and remove. They effectively
> need to de-crypt the virus each time.


Before long they will have created a virus that really does live up to
its name - no antidote just like a real virus, and one can only wait
until it's completed its infection.

Perhaps they should invent Anti virus software which functions just like
the body's natural immune system - detecting, removing viruses and healing
automatically.

But wait - they'd be out of business - damn!


Lennier

--
Brian Valentine - Microsoft's SVP for Windows development: "We
really haven't done everything we could to protect our customers. Our
products just aren't engineered for security."

 
Gavin Tunney
      01-27-2004
On Tue, 27 Jan 2004 17:40:18 +1300, steve <>
wrote:

>This one looks pretty bad.
>
>Details here:
>
>http://www.kaspersky.com/news.html?id=3614506
>
>It uses a polymorphic encrypted key so that each time it starts up it looks
>different.
>
>This makes it hard for AV programs to detect and remove. They effectively
>need to de-crypt the virus each time.
>

This illustrates why the existing setup that ISPs have of scanning
viruses/worms is fallible. It got thru Xtra for some time before
updated definitions were available, and since Xtra don't scan
*outgoing* email, or at least don't inform senders they've sent a
virus, all of those infected will be passing it on without knowing
they're doing so. IMO there is an urgent need for worms also to be
blocked at the source & the sender notified, rather than just blocked
at the destination as is the present custom. You'd nip most worms in
the bud pretty quick that way.....

This one spreads as an attachment rather than exploiting any
vulnerability in Windows. In theory everyone knows by now not to run
attachments they're not sure of..... in theory. It does get
frustrating when simple worms like this get around, users just seem to
have a block when it comes to understanding file extensions & what
they mean.

Gavin
 
Lennier
      01-27-2004
On Tue, 27 Jan 2004 05:21:55 +0000, Gavin Tunney wrote:

> IMO there is an urgent need for worms also to be
> blocked at the source & the sender notified, rather than just blocked
> at the destination as is the present custom. You'd nip most worms in
> the bud pretty quick that way.....


No!

There is, however, an urgent need to develop software which simply is not
susceptible to those sorts of malicious tricks.


But wait - there are - and they're called Linux, Open Office, Mozilla and
Evolution.

Virus infection? What infection?

Not my problem! And my one remaining Windows box does not have OE
installed, and I do not read my email on it and I do not use IE for
connecting to the WWW.

Those dumb enough to use OE, IE, and Windows deserve the Virus/Worm
nightmare that they've given themselves for not having demanded better!


Lennier

--
Newsman - on CD piracy: "Entertainment meets Geekery meets Vengeance. It's
unstoppable. A match made in Heaven."

 
steve
      01-27-2004
Lennier wrote:

> But wait - there are - and they're called Linux, Open Office, Mozilla and
> Evolution.
>
> Virus infection? What infection?
>
> Not my problem! And my one remaining Windows box does not have OE
> installed, and I do not read my email on it and I do not use IE for
> connecting to the WWW.
>
> Those dumb enough to use OE, IE, and Windows deserve the Virus/Worm
> nightmare that they've given themselves for not having demanded better!


I know how you feel. I just had a panicked call from a Windows-using friend
who received one of these...and opened the attachment in the belief that if
there was a virus there, the work e-mail server would have filtered it out.

Ooops.

 
steve
      01-27-2004
Lennier wrote:

> Perhaps they should invent Anti virus software which functions just like
> the body's natural immune system - detecting, removing viruses and healing
> automatically.
>
> But wait - they'd be out of business - damn!


I've been using PCs daily since 1986.

I have never been infected by any virus. By the time the Windows "worms"
emerged, I had already dumped Windows and moved to Linux anyway.....

I've had 17 virus-free years.......and I don't even use an AV program.

On my work laptop - which has to be Windows since they started using the
Nortel Extranet client - I do use Norton AV....but have stayed on Win98SE
rather than move to the corporate standard of Win2k....again to avoid the
additional risk one is exposed to on the more recent versions of Windows.

In many ways, Win98SE was the last relatively secure Windows.
 
texan@texas..removethisbit.usa.com
      01-27-2004
So far, have received two emails containing this virus.
Both sent to this email address and both from NZ.
One from xtra, had been 'cleaned'.
The other from gobal-gateway.net.nz had not.

Cath
 
Peter
      01-27-2004
Gavin Tunney wrote:
<snip>
> It does get frustrating when simple worms like this get around, users
> just seem to have a block when it comes to understanding file
> extensions & what they mean.


Yes, and it doesn't help that Windows hides extensions by default. The
people who don't know enough to keep themselves safe are usually the same
people who don't know to unhide extensions (or even that this is possible).


Peter
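
Added example, not part of any post in this thread: a mail-gateway style check that compares each attachment's real final extension with the name a user sees when Windows hides extensions, and holds the message if anything is executable. The extension blocklist, function names, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Assumed blocklist of extensions Windows runs on double-click (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

def assess_attachment(filename: str) -> dict:
    """Compare an attachment's real type with the name a user would see."""
    path = PureWindowsPath(filename.strip())
    suffixes = [s.lower() for s in path.suffixes]
    executable = bool(suffixes) and suffixes[-1] in EXECUTABLE_EXTS
    return {
        "filename": path.name,
        # With "hide extensions for known file types" on, the last suffix is dropped.
        "shown_as": path.stem if suffixes else path.name,
        "executable": executable,
        # The visible name still ends in an extension, so it reads as a document.
        "decoy_extension": executable and len(suffixes) >= 2,
    }

def scan_message(raw: bytes) -> list:
    """Assess every named attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [assess_attachment(part.get_filename())
            for part in msg.iter_attachments() if part.get_filename()]

def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: hold the message if any attachment is executable."""
    return any(a["executable"] for a in scan_message(raw))

def build_sample() -> bytes:
    """Constructed test message; names, addresses and content are made up."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.org", "recipient@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("minutes.pdf", "holiday_photo.jpg.exe", "setup.scr"):
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
    print("quarantine:", should_quarantine(build_sample()))
```

The same check applies to outgoing mail as to incoming, since it looks only at the attachment names in the message.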


 
Lawrence D’Oliveiro
      01-27-2004
In article <pan.2004.01.27.05.45.59.715550@TRACKER>,
Lennier <> wrote:

>But wait - there are - and they're called Linux, Open Office, Mozilla and
>Evolution.
>
>Virus infection? What infection?


Remember Ramen? Or Slapper?

Yes, there have been viruses and worms that infected Linux systems. It
is possible to write them, I just think Linux hasn't been that tempting
a target up to now.
 
EMB
      01-27-2004

<> wrote in message
news:...
> So far, have received two emails containing this virus.
> Both sent to this email address and both from NZ.
> One from xtra, had been 'cleaned'.
> The other from gobal-gateway.net.nz had not.
>

Unitec's mail server is sending the things out like crazy - I've had 20 or
so from there. One of their staff (the only ones there that have my email
addy) must have opened an attachment!

EMB


 