Re: New gnutella worm found in the wild.

[Jeff Palmer <jeff () ISNI NET>]

System administrators who want to nip these types of viruses in the
bud,  can install procmail as the systems MDA.

I use procmail,  and then I added a very smart "html-trap" filter to filter
out certain file types..

such as .vbs .hta .exe .com .bat   and the like.
also filters out double extensions.


This really eliminates the "hmmm  let me click on this" moronic attitude
certain joe blow users have.

The neat thing about this particular recipe is:  you can choose to rename
the attachment to a non executable extension,  and include a note asking
the recipient to scan it first,  THEN rename and run it.  OR you could
chose to just drop all offending attachments (along with emails) to a
special file  such as /dev/null


If ISP's around the world would get together,  and FORCE recipients to .zip
executables, attached to email,    I feel viruses would stop spreading so
wildly.




At 08:49 PM 7/23/00 -0700, you wrote:
> I sure am glad I keep my virus checker updated. The file was attached (now
> quarantined, file was "Santana.vbs). Here are some links for the write-up:
> http://vil.nai.com/villib/dispVirus.asp?virus_k=98666
> http://europe.datafellows.com/v-descs/gwv.htm
> http://www.symantec.com/avcenter/venc/data/vbs.gnutella.html. What REALLY
> bothers me is that Symantec lists it like this (though not their fault):
> Number of infections: 0-49
> Number of sites: 3-9
> Geographic distribution: Medium
> Threat containment: Easy
> Removal: Easy
> Now think of it like this - How many members on this mailing list got it?
> Wanna bet the number of infections have gone up? Maybe it is just me, why
> send a KNOWN virus to a mailing list? Why not just let people know that you
> got hit with it instead of sending it to the list? Sorry for blowing up.
> But, with all the viruses running around and uneducated (or caring) users
> that will click on anything, I just don't think it was a good thing to do.
> Again, sorry for venting to the list but someone had to do it.
>
> David Bailey
> To contact me, Try one of the following:
> you have my e-mail or ICQ: 36834226/Bit4Byte
>
>
> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Matt Merhar
> Sent: Friday, July 21, 2000 10:35 PM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: New gnutella worm found in the wild.
>
>
> Hi,
>    I recently saw this file up for grabs (July 22, 1AM) on the gnutella
> filesharing network. Attached is the source of what seems to be a
> non-destructive, self-replicating 'worm' which has already spread quite
> rapidly around the gnutella network. It also appears to be semi-polymorphic,
> as it changes it's filename to the names in an array called NewFilenames.
> The contents of it are as follows:
> NewFilenames    = Array(ProgramName & ".vbs", "Jenna Jameson movie
> listing.vbs", "Pamela Anderson movie listing.vbs", "Asia Carerra movie
> listing.vbs", "xxx FTP movie listing.vbs", "ASF Compressor (No quality
> loss).vbs", "collegesex.vbs", "Gladiator.vbs", "Battlefield Earth.vbs",
> "Evangelion complete episodes scripts.vbs", "Scan Master checklist.vbs",
> "How to eat pussy.vbs", "Alicia Silverstone.vbs", "Pearl Jam.vbs", "Mp3
> compressor (Half the size but same quality).vbs", "Napster Metallica
> Crack.vbs", "Santana.vbs", "NSync.vbs", "Nirvana.mp3.vbs", "Shania
> Twain.mp3.vbs", "Jesus loves you.vbs", "Gnutella upgrade.vbs", "OFFICIAL
> Gnutella Option Pack.vbs")
>
>    -Matt
>
>
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com