Security Incidents mailing list archives
Re: Anyone know more about this?
From: brett () LARIAT ORG (Brett Glass)
Date: Sat, 10 Jun 2000 11:38:46 -0600
Here's the latest on this incident. NETSEC's advisory at http://www.netsec.net/advisory.html (it wasn't posted when I sent the first message in this thread to this list) has a number of technical errors which lessen its credibility. (There's no such thing, for example, as a "polymorphic" Trojan.) It also differs markedly from McAfee's less alarmist account at http://vil.mcafee.com/dispVirus.asp?virus_k=98681&

NETSEC claims that the Trojan is a huge (more than 300K) self-contained EXE, while McAfee claims that it is a 3K EXE file that in turn downloads a larger one. NETSEC claims it masquerades as an AVI file but is in fact an EXE with an embedded AVI icon. McAfee says that it is an EXE which uses the double extension trick popularized by the ILOVEYOU worm (they say it has the double extension .mpg.exe). They also differ as to what icon the user sees when the newsgroup posting containing the Trojan is viewed. Since the Trojan was part of many public newsgroup postings which presumably were archived and could be inspected, it's suspicious indeed that the companies' accounts differ so dramatically.

Symantec's account also differs from NETSEC's and is closer to McAfee's; see http://www.symantec.com/avcenter/venc/data/serbian.trojan.html Symantec says it has no evidence that 2000 or more machines have been infected via this Trojan, as NETSEC claims. They suspect that NETSEC is hyping whatever they found, perhaps mistakenly counting many unrelated Sub7 infections as having resulted from this Trojan.

In short, there's a big cloud of FUD and hype surrounding the entire affair. About the only common thread is that all agree that the victims, however many there were, were ultimately infected by a variant of the Sub7 Trojan. They further agree that if you use a virus scanner that detects Sub7 on the target system, you will be able to defend against or remove the Trojan.
Other elements of the reports -- such as claims that a horrific mass DDoS attack is being orchestrated -- are unconfirmed and should be greeted with skepticism. --Brett Glass
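The two masquerading techniques the vendors disagree about above (an EXE carrying a media icon under a media-looking name, and the ILOVEYOU-style double extension such as .mpg.exe) can both be caught by the same defensive check: compare what the filename claims with what the file's leading bytes say it is. The following is an added illustration written for this archive page, not code from Brett Glass, NETSEC, McAfee or Symantec; the filenames and byte strings it inspects are constructed samples, and the extension and magic-byte tables are the author's own small whitelist, not a complete one.

```python
import os

# Extensions Windows will execute when double-clicked (small, illustrative set).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# "Harmless-looking" extensions commonly placed in front of an executable one.
DECOY_EXTS = {".avi", ".mpg", ".mpeg", ".mp3", ".jpg", ".gif", ".txt"}


def deceptive_double_extension(name):
    """True for names like clip.mpg.exe: an executable extension hiding
    behind a decoy media/document extension (the ILOVEYOU trick)."""
    root, last = os.path.splitext(name.lower())
    if last not in EXECUTABLE_EXTS:
        return False
    _, inner = os.path.splitext(root)
    return inner in DECOY_EXTS


def sniff_type(data):
    """Classify content by its leading bytes rather than by its name.
    Only the formats relevant to the thread are recognised here."""
    if data[:2] == b"MZ":                       # DOS/PE executable header
        return "exe"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":  # RIFF container, AVI form
        return "avi"
    if data[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):  # MPEG-1/2 stream
        return "mpg"
    return "unknown"


def classify_attachment(name, data):
    """Return a list of findings for one file; an empty list means the name
    and the content tell a consistent, non-executable story."""
    findings = []
    if deceptive_double_extension(name):
        findings.append("double-extension")
    claimed = os.path.splitext(name.lower())[1]
    actual = sniff_type(data)
    # An executable header under a non-executable extension is the
    # "EXE with an embedded AVI icon" case from the advisories.
    if actual == "exe" and claimed not in EXECUTABLE_EXTS:
        findings.append("exe-content-under-%s-extension" % claimed.lstrip("."))
    return findings


# Constructed samples: a real AVI header, an MZ header under a .avi name,
# and an MZ header under a double extension.
SAMPLES = {
    "holiday.avi": b"RIFF\x00\x10\x00\x00AVI LIST",
    "holiday2.avi": b"MZ\x90\x00\x03\x00\x00\x00",
    "clip.mpg.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "trailer.mpg": b"\x00\x00\x01\xba\x44\x00\x04\x00",
}


def scan_samples(samples=SAMPLES):
    """Map each sample name to its findings."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print("%-14s %s" % (name, ", ".join(findings) or "ok"))
```

The double-extension check alone would miss the "real AVI icon on an EXE" variant, and the magic-byte check alone would miss nothing here but says nothing about the social-engineering angle, which is why a mail or news gateway filter is better off applying both and quarantining on either finding.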
Current thread:
- Anyone know more about this? Brett Glass (Jun 08)
- Re: Anyone know more about this? Matt Jacobi (Jun 12)
- <Possible follow-ups>
- Re: Anyone know more about this? Brett Glass (Jun 10)