Security Incidents mailing list archives

Re: Anyone know more about this?


From: brett () LARIAT ORG (Brett Glass)
Date: Sat, 10 Jun 2000 11:38:46 -0600


Here's the latest on this incident. NETSEC's advisory at

http://www.netsec.net/advisory.html

(it wasn't posted when I sent the first message in this thread
to this list) has a number of technical errors which lessen
its credibility. (There's no such thing, for example, as a
"polymorphic" Trojan.) It also differs markedly from McAfee's
less alarmist account at

http://vil.mcafee.com/dispVirus.asp?virus_k=98681&;

NETSEC claims that the Trojan is a huge (more than 300K) self-
contained EXE while McAfee claims that it is a 3K EXE file that in
turn downloads a larger one. NETSEC claims it masquerades as an AVI
file but is in fact an EXE with an embedded AVI icon. McAfee says that
it is an EXE which uses the double extension trick popularized by the
ILOVEYOU worm (they say it has double extension .mpg.exe). They also
differ as to what icon the user sees when the newsgroup posting
containing the Trojan is viewed.

Since the Trojan was part of many public newsgroup postings which
presumably were archived and could be inspected, it's suspicious
indeed that the companies' accounts differ so dramatically.

Symantec's account also differs from NETSEC's and is closer to
McAfee's; see

http://www.symantec.com/avcenter/venc/data/serbian.trojan.html

Symantec says it has no evidence that 2000 or more machines have
been infected via this Trojan, as NETSEC claims. They suspect
that NETSEC is hyping whatever they found, perhaps mistakenly
counting many unrelated Sub7 infections as having resulted from
this Trojan.

In short, there's a big cloud of FUD and hype surrounding the
entire affair.

About the only common thread is that all agree that the victims,
however many there were, were ultimately infected by a variant of
the Sub7 Trojan. They further agree that if you use a virus scanner that
detects Sub7 on the target system, you will be able to defend against
or remove the Trojan. Other elements of the reports -- such as claims
that a horrific mass DDoS attack is being orchestrated -- are
unconfirmed and should be greeted with skepticism.

--Brett Glass
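The two delivery tricks the advisories disagree about (a double extension such as .mpg.exe versus an EXE carrying a media icon) can both be screened for without trusting the filename. The following is an added example, not code from the original post or from NETSEC, McAfee or Symantec; the extension lists, the sample filenames and the fabricated PE header bytes are constructed for illustration. It goes slightly beyond the post by also checking the file content for a DOS/PE header, which catches the icon variant where the name alone does not.

```python
import os

# Illustrative subset of extensions Windows will execute on double-click (assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions that suggest harmless media or document content (assumption).
DECOY_EXTS = {".avi", ".mpg", ".mpeg", ".jpg", ".jpeg", ".gif", ".txt", ".doc", ".mp3"}


def double_extension(filename: str):
    """Return (decoy_ext, real_ext) when the name uses the ILOVEYOU-style
    double-extension trick, e.g. 'clip.mpg.exe' -> ('.mpg', '.exe'); else None."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 3:
        return None
    real = "." + parts[-1]
    decoy = "." + parts[-2]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None


def is_pe_executable(data: bytes) -> bool:
    """True if data starts with an 'MZ' DOS stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature. Content check, not name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def classify_attachment(filename: str, data: bytes) -> str:
    """Combine the name heuristic and the content check into one verdict."""
    dbl = double_extension(filename)
    pe = is_pe_executable(data)
    ext = os.path.splitext(filename.lower())[1]
    if dbl:
        return "double-extension executable (%s hidden behind %s)" % (dbl[1], dbl[0])
    if pe and ext not in EXECUTABLE_EXTS:
        # An EXE renamed to look like media; an embedded AVI icon would fool the
        # shell view but not this header check.
        return "PE executable with non-executable extension %s" % ext
    if pe or ext in EXECUTABLE_EXTS:
        return "executable"
    return "no executable indicators"


def _fake_pe() -> bytes:
    """Constructed minimal MZ/PE header for testing; not a real program."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def _fake_avi() -> bytes:
    """Constructed RIFF/AVI header for testing."""
    return b"RIFF" + b"\x00" * 4 + b"AVI " + b"\x00" * 20


if __name__ == "__main__":
    for name, blob in [("clip.mpg.exe", _fake_pe()),
                       ("clip.avi", _fake_pe()),
                       ("clip.avi", _fake_avi())]:
        print(name, "->", classify_attachment(name, blob))
```

Note that the double-extension trick works partly because Explorer hides known extensions by default, so "clip.mpg.exe" is displayed as "clip.mpg"; a scanner that keys only on what the user sees would miss it, which is why the check above looks at the full name and at the bytes.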

