Interesting People mailing list archives
IP: Re New virus information
From: Dave Farber <farber () cis upenn edu>
Date: Tue, 20 Jun 2000 05:18:26 -0400
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 19 Jun 2000 18:56:08 -0600
To: farber () cis upenn edu, ip-sub-1 () majordomo pobox com
From: Brett Glass <brett () lariat org>
Subject: Re: IP: New virus information

Dave:

Here is the notice we're sending to all of our community network's members about the "Life Stages" Trojan horse. It has a lot of useful info that others can use.

--Brett

----------

LARIAT Members and Friends:

The LARIAT server has intercepted several copies of the "Life Stages" Trojan horse.

What It Is

The "Life Stages" Trojan horse program spreads itself via e-mail, via Internet Relay Chat (IRC), via the ICQ instant messaging program, and by copying itself to the hard drives of machines which share their files in a peer-to-peer network. (Microsoft Windows' file sharing is particularly susceptible to this method of propagation.)

This Trojan horse only affects computers running Windows 95, Windows 98, Windows 2000, or Windows NT. (If you have a Mac or are running OS/2 or UNIX, your computer won't be infected.)

It's a nasty bug which mails MANY copies of itself from your machine (all under your name!) to everyone in your Outlook or Outlook Express address book. It's also difficult to remove, because it modifies a database called the Windows Registry extensively and tosses Regedit, a Windows utility that lets you undo these modifications, into the "Recycle Bin." (Until someone develops an automatic removal utility, you'll need to recover Regedit before you can get the bug out of your system.)

If you do not use Microsoft Outlook or Outlook Express, you won't spread the bug via e-mail but your computer can still be infected by it. If you use mIRC or PIRCH, two programs that do Internet Relay Chat, you can both get and spread the bug through them. The bug can also spread itself via ICQ, an instant messaging program. And if you're using Microsoft's peer-to-peer networking (that is, if you're sharing disks via the "Network Neighborhood" icon in Windows), you may be able to get and spread the bug that way too.

LARIAT's Filter: A Partial Defense

LARIAT's server has already been set up with a special, customized filter which catches suspicious attachments. (This is the same filter which sometimes puts the word "DEFANGED" into the names of e-mail attachments to protect you.) Our filter recognized the "Life Stages" Trojan horse as hostile and caught it before it reached a single one of our members.

However, if you receive mail by any other means -- say, via Juno, or Hotmail, or an account at the University -- the LARIAT server won't get a chance to filter that mail. So, watch out for e-mail with an attachment whose name begins with "LIFE_STAGES". (The booby-trapped mail can have many possible subject lines -- they're generated at random from a list of words programmed into the Trojan -- so don't rely on the subject to determine if the mail is safe.) If you see such a message, for Heaven's sake do not open the attachment.

We also cannot prevent you from receiving the Trojan horse program via IRC or an instant message, so if you receive it that way make sure not to run it.

If you inadvertently run the Trojan horse program, your computer will display a file containing a rather bad joke about dating at different ages. While the file is being displayed, your computer will be infected and will begin to send a barrage of e-mail containing copies of the Trojan horse. Every copy will have your return address on it and will look as if it is a message from you.

If You're Infected

If it's too late and you've already been bitten by this bug, take your system offline IMMEDIATELY. Go to an UNINFECTED computer and print out the removal instructions at

http://www.symantec.com/avcenter/venc/data/vbs.stages.a.html

Be warned that this Trojan horse was designed to be tricky to remove. It makes three copies of itself on the system, and if any one of them is not removed it re-creates the others. If you're not sure how to follow the removal instructions (they're a bit technical), get someone who understands how to edit the Windows Registry to help you.

Finally, as always, be wary of attachments to e-mail and keep your virus scanner up to date.

Thank you!

Brett Glass, Chairman and System Administrator

P.S. -- Special Instructions for McAfee ViruScan users

McAfee's virus scanner has special difficulty with this bug because ViruScan doesn't normally scan files in your "Recycle Bin" (the \RECYCLED\ directory). The author of the Trojan, knowing this, wrote it to store its files in that directory. So, if you use McAfee, you will need to remove this directory from the scanner's "Exclude" list as well as updating your pattern files.

I recommend selecting the "SuperDAT update" from their update page rather than clicking the "Update" button on the software's control panel, because this provides a more complete upgrade. To get the "SuperDAT update," go to

http://www.nai.com/asp_set/download/dats/find.asp

on the McAfee Web site.

After you've downloaded and run the update program, be sure to double-click on the tiny "shield icon" in the system tray, press the button marked Properties, select the tab marked Exclusion, and remove \RECYCLED\ from the list of excluded directories. (McAfee should have made this happen automatically, but they didn't.)

Finally, if you've set McAfee's scanner to scan only executable files (this speeds up the system immensely if you're doing on-the-fly scanning), add the extension SHS to the list of executable extensions. For some reason, updating McAfee's virus scanning engine does not update this list automatically, and so a lot of extensions (not just SHS) are missing from many users' machines. McAfee should really provide a comprehensive list of what needs to be here (based on their pattern files) and update it when they update their scanner; it's rather scary that they don't.