Information Security News mailing list archives
"Resume" Virus Impact Negligible, but new Threats Emerge
From: William Knowles <wk () C4I ORG>
Date: Thu, 1 Jun 2000 13:48:44 -0500
http://www.currents.net/news/00/05/31/news6.html

By: Brian Krebs, Newsbytes
May 31, 2000

Last Friday's "Resume" virus appears to have petered out over the long holiday weekend, benefiting from considerable press and heightened public awareness in the wake of other recent and similar attacks, virus experts said Tuesday.

Shawn Wolfe, public relations manager at McAfee.com, said the damage from the virus--which hides in an e-mail attachment called "Resume - Janet Simons"--was minimized due to its timing and the general public's growing wariness about overly familiar and unsolicited e-mail.

"At this point, it looks as though we've managed to head it off at the pass," Wolfe said. "I think it helped that we had the extra day for system administrators to go in and fix stuff over the holiday weekend."

The body of the e-mail is addressed to the "Director of Sales/Marketing." When the attached "resume.doc" or "Explorer.doc" is opened, it first forwards a copy of itself to everyone in the user's address book. And then when the attachment is closed, it deletes files on the user's hard drive.

Though the virus is similar to the "Melissa" and "I Love You" worms that infected computer systems in 22 countries and caused hundreds of millions of dollars in damages, the damage was not nearly as widespread.

"By the end of the day on Friday, we'd had reports from about 10 Fortune 500 companies that had some experience with the virus, but we haven't heard anything else since," Wolfe said.

The National Infrastructure Protection Center (NIPC), the FBI unit tasked with alerting federal agencies and the general public about computer security threats, said no new information was available about the virus.

While Fridays are usually the target release days for virus writers, the past few days saw an unusual level of activity, due at least in part to the extended holiday weekend, said Alan Komet, e-business security manager for Computer Associates International, Inc., which detected two other separate e-mail viruses this weekend.

"In general, Fridays are ideal (for virus release) because people start to leave the office a little earlier, and security is a little more lax than it should be," Komet said. "But because of the holiday weekend, virus writers know that a lot of network security administrators will be away on vacation as well."

Komet said Computer Associates (CA) detected two viruses--both similar in nature--albeit somewhat less destructive than the "I Love You" and "Resume" worms.

Early Monday morning, CA issued an alert on the "Cool Notepad Demo" virus, which contains an e-mail attachment that spreads itself to persons listed in an infected user's Microsoft Outlook address books. The second virus, with a subject heading called "Fireburn," performs in a similar manner.

Komet said while both viruses are far less destructive to the end-user in that they do not delete essential files, they carry the potential to overwhelm e-mail servers, which can cause disruptions similar to those wrought by the denial of service attacks in February.

Komet added that a number of viruses--including Fireburn--appear to have been written so as to disguise the ".vbs" extension, which signifies the "visual basic script" macro that executes the virus on a user's hard drive. Several of the most recent viruses contain ".txt" extensions before the ".vbs" extension. Other virus writers, he said, have included a series of blank spaces between the virus filename and ".vbs" extension, effectively creating a filename so long that programs such as Windows Explorer do not display the telltale ".vbs" extension.

CA announced earlier Tuesday that it would make its newest "solution" for fighting off such viruses available free to all home users. The two systems--Content Inspection and Mailwatcher--work in tandem to block ".vbs" scripts from running on popular e-mail systems, and watch for e-mail that generates other e-mail.

Newsbytes notes that none of the viruses listed above are "variants" of one another. By definition, variants are more or less renamed or repackaged versions of a virus using the same source code. The recent "I Love You" virus, for example, spawned a whole host of copycat viruses--including "Mother's Day" and "Joke"--all of which appear to have been cut-and-pasted into a new format or filename, experts said.

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
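
Added example (not part of the original message or the Newsbytes article): a Python check for the two filename disguises Komet describes, a decoy extension such as ".txt" before ".vbs" and a run of blanks before ".vbs". The extension sets beyond ".txt" and ".vbs", the three-blank threshold and the sample filenames are assumptions made for this example.

```python
import re
from email.message import EmailMessage

# Script extensions treated as executable. The article names only ".vbs";
# the others are assumptions added for this example.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
# Harmless-looking decoys placed before the real extension (".txt" is from
# the article, the rest are assumptions).
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif"}
PADDING = re.compile(r"\s{3,}")  # assumed threshold for "a series of blanks"


def split_ext(name):
    """Split 'a.b' into ('a', '.b'), ignoring trailing dots and spaces."""
    name = name.rstrip(" .")
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext.lower()) if dot else (name, "")


def filename_findings(name):
    """Return the disguise findings for one attachment filename."""
    stem, ext = split_ext(name)
    if ext not in SCRIPT_EXTS:
        return []
    findings = ["script-extension"]
    if split_ext(stem)[1] in DECOY_EXTS:   # e.g. "notes.txt.vbs"
        findings.append("double-extension")
    if PADDING.search(stem):               # blanks pushing ".vbs" off-screen
        findings.append("whitespace-padding")
    return findings


def scan_message(msg):
    """Map each flagged attachment filename in an e-mail to its findings."""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return {n: filename_findings(n) for n in names if filename_findings(n)}


def sample_message():
    """Constructed sample message; the filenames are made up for this example."""
    msg = EmailMessage()
    msg.set_content("see attachments")
    for name in ("notes.txt.vbs", "demo" + " " * 60 + ".vbs", "resume.doc"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```

A mail gateway would call `scan_message` on each parsed message and quarantine or rename any attachment that returns findings.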