IP: Re New virus information

[Dave Farber <farber () cis upenn edu>]

> X-Sender: >X-Sender: brett@localhost
> X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
> Date: Mon, 19 Jun 2000 18:56:08 -0600
> To: farber () cis upenn edu, ip-sub-1 () majordomo pobox com
> From: Brett Glass <brett () lariat org>
> Subject: Re: IP: New virus information
>
> Dave:
>
> Here is the notice we're sending to all of our community network's
> members about the "Life Stages" Trojan horse. It has a lot of
> useful info that others can use.
>
> --Brett
>
> ----------
>
> LARIAT Members and Friends:
>
> The LARIAT server has intercepted several copies of the "Life Stages" Trojan
> horse.
>
> What It Is
>
> The "Life Stages" Trojan horse program spreads itself via e-mail, via Internet
> Relay Chat (IRC), via the ICQ instant messaging program, and by copying itself
> to the hard drives of machines which share their files in a peer-to-peer
> network. (Microsoft Windows' file sharing is particularly susceptible to this
> method of propagation.)
>
> This Trojan horse only affects computers running Windows 95, Windows 98,
> Windows 2000, or Windows NT. (If you have a Mac or are running OS/2 or UNIX,
> your computer won't be infected.) It's a nasty bug which mails MANY copies of
> itself from your machine (all under your name!) to everyone in your Outlook or
> Outlook Express address book.  It's also difficult to remove, because it
> modifies a database called the Windows Registry extensively and tosses
> Regedit, a Windows utility that lets you undo these modifications, into the
> "Recycle Bin.". (Until someone develops an automatic removal utility, you'll
> need to recover Regedit before you can get the bug out of your system.)
>
> If you do not use Microsoft Outlook or Outlook Express, you won't spread the
> bug via e-mail but your computer can still be infected by it.  If you use mIRC
> or PIRCH, two programs that do Internet Relay Chat, you can both get and
> spread the bug through them. The bug can also spread itself via ICQ, an
> instant messaging program. And if you're using Microsoft's peer-to-peer
> networking (that is, if you're sharing disks via the "Network Neighborhood"
> icon in Windows), you may be able to get and spread the bug that way too.
>
> LARIAT's Filter: A Partial Defense
>
> LARIAT's server has already been set up with a special, customized filter
> which catches suspicious attachments. (This is the same filter which sometimes
> puts the word "DEFANGED" into the names of e-mail attachments to protect you.)
> Our filter recognized the "Life Stages" Trojan horse as hostile and caught it
> before it reached a single one of our members.
>
> However, if you receive mail by any other means -- say, via Juno, or Hotmail,
> or an account at the University -- the LARIAT server won't get a chance to
> filter that mail. So, watch out for e-mail with an attachment whose name
> begins with "LIFE_STAGES". (The booby-trapped mail can have many possible
> subject lines -- they're generated at random from a list of words programmed
> into the Trojan -- so don't rely on the subject to determine if the mail is
> safe.) If you see such a message, for Heaven's sake do not open the
> attachment.
>
> We also cannot prevent you from receiving the Trojan horse program via IRC or
> an instant message, so if you receive it that way make sure not to run it.
>
> If you inadvertently run the Trojan horse program, your computer will display
> a file containing a rather bad joke about dating at different ages. While the
> file is being displayed, your computer will be infected and will begin to send
> a barrage of e-mail containing copies of the Trojan horse. Every copy will
> have your return address on it and will look as if it is a message from you.
>
> If You're Infected
>
> If it's too late and you've already been bitten by this bug, take your system
> offline IMMEDIATELY. Go to an UNINFECTED computer and print out the removal
> instructions at
>
> http://www.symantec.com/avcenter/venc/data/vbs.stages.a.html
>
> Be warned that this Trojan horse was designed to be tricky to remove. It makes
> three copies of itself on the system, and if any one of them is not removed it
> re-creates the others. If you're not sure how to follow the removal
> instructions (they're a bit technical), get someone who understands how to
> edit the Windows Registry to help you.
>
> Finally, as always, be wary of attachments to e-mail and keep your virus
> scanner up to date.
>
> Thank you!
>
> Brett Glass, Chairman and System Administrator
>
>
> P.S. -- Special Instructions for McAfee ViruScan users
>
> McAfee's virus scanner has special difficulty with this bug because ViruScan
> doesn't normally scan files in your "Recycle Bin" (the \RECYCLED\ directory).
> The author of the Trojan, knowing this, wrote it to store its files in that
> directory. So, if you use McAfee, you will need to remove this directory from
> the scanner's "Exclude" list as well as updating your pattern files.
>
> I recommend selecting the "SuperDAT update" from their update page rather than
> clicking the "Update" button on the software's control panel, because this
> provides a more complete upgrade. To get the "SuperDAT update," go to
>
> http://www.nai.com/asp_set/download/dats/find.asp
>
> on the McAfee Web site. After you've downloaded and run the update program, be
> sure to double-click on the tiny "shield icon" in the system tray, press the
> button marked Properties, select the tab marked Exclusion, and remove
> \RECYCLED\ from the list of excluded directories. (McAfee should have made
> this happen automatically, but they didn't.)
>
> Finally, if you've set McAfee's scanner to scan only executable files (this
> speeds up the system immensely if you're doing on-the-fly scanning), add
> the extension SHS to the list of executable extensions. For some reason,
> updating McAfee's virus scanning engine does not update this list
> automatically, and so a lot of extensions (not just SHS) are missing from
> many users' machines. McAfee should really provide a comprehensive list
> of what needs to be here (based on their pattern files) and update it
> when they update their scanner; it's rather scary that they don't.