Security Incidents mailing list archives
Re: Has anyone else seen/encountered the "VBS.Network" virus? Ijust did.
From: jcrooks () CDNX CA (James Crooks)
Date: Mon, 28 Feb 2000 16:41:18 -0800
messages to this list with subject: "Lame Windows Worm" from Chris Benton Saturday and a reply Monday from .sozmi contain the (harmless) ASCII text version of the worm Symantek/NAV call the VBS.Network virus. For some reason, the "harmless" text in the message body triggered the NAV5.0 (NT) virus response... It happend to me in my Netscape Inbox (filesize at the time was around 61megabytes - yeah I really do have to clean it up sometime) and it took a while to figure out what was triggering NAV and isolating the source. I consider the fact that NAV detected the harmless virus code in ASCII email body to be admirable, but still a bug... I even downloaded a fresher NAV virus definitions to see if they had put in a fix, but no joy... It's really quite an ingenious DOS attack! Answers to your other questions follow below... /jc Olaf Black wrote:
Hello all: Norton Antivirus just popped up an alert indicating that it had found a file: C:\Windows\TEMP\tmpB214.TMP That had been infected with the "VBS.Network" virus. Norton first asked me if I wanted to repair the file. Since this was the "recommended" procedure from Norton, I went ahead and let NAV attempt to repair the file. NAV then came back and told me that the file could not be repaired,
no doubt it couldn't be repaired, since it's normal home is as a "macro" in some kind of document file (MS Word, etc.)
and that the next "recommended" course of action would be to "quarantine" the file so I went ahead and NAV came back and said that it successfully quarantined the file. With that, I have some questions. What is the "VBS.Network" virus? What does it do exactly?
The message "Lame Windows Worm" analyzed the operation of the virus (you'll probably have to turn NAV off to look at it)
What does "quarantining" an infected file do? Does it mean a file is moved off into a "safe" directory and modified in some way?
Moved to solitary confinement, with the file name probably modified so it can't be run/read by normal programs.
Thanks, Olaf
Welcome - /jc -- James Crooks BScCS I.S.P. CISSP, Technical Consultant-Technology Canadian Venture Exchange 604-643-6568 FAX 604-643-6563 mailto:jcrooks () cdnx ca http://www.cdnx.ca ftp://ftp.cdnx.ca <HR NOSHADE> <UL> <LI>application/x-pkcs7-signature attachment: S/MIME Cryptographic Signature </UL>
Current thread:
- HackerWhacker Omachonu Ogali (Feb 25)
- Has anyone else seen/encountered the "VBS.Network" virus? I just did. Olaf Black (Feb 27)
- Re: Has anyone else seen/encountered the "VBS.Network" virus? I just did. Robert Graham (Feb 28)
- Re: Has anyone else seen/encountered the "VBS.Network" virus? Ijust did. James Crooks (Feb 28)
- Re: Has anyone else seen/encountered the "VBS.Network" virus? I just did. qui3tri0t (Feb 29)
- Re: HackerWhacker Network Operations (Feb 28)
- Has anyone else seen/encountered the "VBS.Network" virus? I just did. Olaf Black (Feb 27)