nanog mailing list archives
Re: Possibly yet another MS mail worm
From: "Sam Stickland" <sam_ml () spacething org>
Date: Mon, 1 Mar 2004 16:06:23 -0000
Curtis Maurand wrote:
> On Mon, 1 Mar 2004, Todd Vierling wrote:
>> On Mon, 1 Mar 2004, Curtis Maurand wrote:
>>> Sure they do.... it's called COM/DCOM/OLE/ActiveX or whatever they want to call it this week. It's on every Windows system.
>>
>> No, my point was that the majority of newer trojan mail viruses don't depend on ActiveX exploits -- they simply wait, dormant, for a n00b to click on this mysterious-looking Zip Folder, and the mysterious-looking EXE inside. It's as if the modern e-mail viruses are closer to human infections. Only the clueful are immune. 8-)
>
> The latter is very true. My point is that the COM/DCOM/OLE/ActiveX is what allows a script in an email message that gets executed to have access to the rest of the system, rather than executing within a protected sandbox. Of course scripts within email messages shouldn't execute at all. Once they do execute, they have access to the OLE objects on the machine. It's a security hole big enough to drive a tank through.
I don't think that defines the problem very well. The current Bagle.C virus does the following:

"W32/Bagle-C opens up a backdoor on port 2745 and listens for connections. If it receives the appropriate command it attempts to download and execute a file. W32/Bagle-C also makes a web connection to a remote URL, thus reporting the location and open port of infected computers. Adds the value: gouday.exe = <SYSTEM>\readme.exe to the registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run This means that W32/Bagle-C runs every time you logon to your computer"

It also uses its own SMTP engine to replicate itself.

So effectively it's opening a connection to port 80 (from an unprivileged port), listening on port 2745 (an unprivileged port), and opening connections to port 25 (from an unprivileged port). Maybe I'm missing something here, but where does access to OLE objects come into play? Also this virus would appear to function just as well even if a non-administrator user opened it.

Sam
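The two host indicators Sam quotes for W32/Bagle-C (a listener on TCP/2745 and the HKCU Run value `gouday.exe` pointing at `readme.exe`) can be checked from a `netstat -an` dump and an export of the Run key. The following is an added example, not code from the thread; the sample netstat lines and Run-key entries are constructed, and the function names are my own.

```python
"""Flag the W32/Bagle-C host indicators described in the post above.

Inputs are text captured from `netstat -an` (Windows layout) and a dict of
value-name -> data pairs read from HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
Neither indicator needs administrator rights to create, which is Sam's point.
"""

BAGLE_C_PORT = 2745                  # backdoor listener quoted in the advisory
BAGLE_C_RUN_VALUE = "gouday.exe"     # Run value name quoted in the advisory
BAGLE_C_RUN_DATA_SUFFIX = "\\readme.exe"  # <SYSTEM>\readme.exe, any system dir


def parse_netstat_listeners(netstat_text):
    """Return the set of local TCP ports in LISTENING state.

    Handles the Windows `netstat -an` column layout:
      Proto  Local Address  Foreign Address  State
    IPv4 (0.0.0.0:2745) and IPv6 ([::]:2745) local addresses both work
    because the port is taken after the last colon.
    """
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3].upper() == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def check_host(netstat_text, run_key_values):
    """Return a list of human-readable findings; empty list means no indicator seen."""
    findings = []
    if BAGLE_C_PORT in parse_netstat_listeners(netstat_text):
        findings.append(f"backdoor listener on TCP/{BAGLE_C_PORT}")
    for name, data in run_key_values.items():
        # Case-insensitive: the registry and NTFS paths are case-insensitive.
        if name.lower() == BAGLE_C_RUN_VALUE and data.lower().endswith(BAGLE_C_RUN_DATA_SUFFIX):
            findings.append(f"persistence: HKCU Run value {name} = {data}")
    return findings


# Constructed sample input (not a real capture) showing an infected host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        198.51.100.5:80        ESTABLISHED
"""
SAMPLE_RUN_KEY = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",      # benign entry
    "gouday.exe": r"C:\WINDOWS\system32\readme.exe",      # Bagle.C entry
}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_NETSTAT, SAMPLE_RUN_KEY):
        print(finding)
```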