Information Security News mailing list archives

"Resume" Virus Impact Negligible, but new Threats Emerge


From: William Knowles <wk () C4I ORG>
Date: Thu, 1 Jun 2000 13:48:44 -0500

http://www.currents.net/news/00/05/31/news6.html

By: Brian Krebs, Newsbytes
May 31, 2000

Last Friday's "Resume" virus appears to have petered out over the long
holiday weekend, benefiting from considerable press and heightened
public awareness in the wake of other recent and similar attacks,
virus experts said Tuesday.

Shawn Wolfe, public relations manager at McAfee.com, said the damage
from the virus--which hides in an e-mail attachment called "Resume -
Janet Simons"--was minimized due to its timing and the general
public's growing wariness about overly familiar and unsolicited
e-mail.

"At this point, it looks as though we've managed to head it off at the
pass," Wolfe said. "I think it helped that we had the extra day for
system administrators to go in and fix stuff over the holiday
weekend."

The body of the e-mail is addressed to the "Director of
Sales/Marketing." When the attached "resume.doc" or "Explorer.doc" is
opened, it first forwards a copy of itself to everyone in the user's
address book. And then when the attachment is closed, it deletes files
on the user's hard drive.

Though the virus is similar to the "Melissa" and "I Love You" worms
that infected computer systems in 22 countries and caused hundreds of
millions of dollars in damages, the damage was not nearly as
widespread.

"By the end of the day on Friday, we'd had reports from about 10
Fortune 500 companies that had some experience with the virus, but we
haven't heard anything else since," Wolfe said.

The National Infrastructure Protection Center (NIPC), the FBI unit
tasked with alerting federal agencies and the general public about
computer security threats, said no new information was available about
the virus.

While Fridays are usually the target release days for virus writers,
the past few days saw an unusual level of activity, due at least in
part to the extended holiday weekend, said Alan Komet, e-business
security manager for Computer Associates International, Inc., which
detected two other separate e-mail viruses this weekend.

"In general, Fridays are ideal (for virus release) because people
start to leave the office a little earlier, and security is a little
more lax than it should be," Komet said. "But because of the holiday
weekend, virus writers know that a lot of network security
administrators will be away on vacation as well."

Komet said Computer Associates (CA) detected two viruses--both similar
in nature--albeit somewhat less destructive than the "I Love You" and
"Resume" worms.

Early Monday morning, CA issued an alert on the "Cool Notepad Demo"
virus, which contains an e-mail attachment that spreads itself to
persons listed in infected users' Microsoft Outlook address books.
The second virus, with a subject heading called "Fireburn," performs
in a similar manner.

Komet said while both viruses are far less destructive to the end-user
in that they do not delete essential files, they carry the potential
to overwhelm e-mail servers, which can cause disruptions similar to
those wrought by the denial of service attacks in February.

Komet added that a number of viruses--including Fireburn--appear to
have been written so as to disguise the ".vbs" extension, which
signifies the "visual basic script" macro that executes the virus on a
user's hard drive.

Several of the most recent viruses contain ".txt" extensions before
the ".vbs" extension. Other virus writers, he said, have included a
series of blank spaces between the virus filename and ".vbs"
extension, effectively creating a filename so long that programs such
as Windows Explorer do not display the telltale ".vbs" extension.

CA announced earlier Tuesday that it would make its newest "solution"
for fighting off such viruses available free to all home users. The
two systems--Content Inspection and Mailwatcher--work in tandem to
block ".vbs" scripts from running on popular e-mail systems, and watch
for e-mail that generates other e-mail.

Newsbytes notes that none of the viruses listed above are "variants"
of one another. By definition, variants are more or less renamed or
repackaged versions of a virus using the same source code. The recent
"I Love You" virus, for example, spawned a whole host of copycat
viruses--including "Mother's Day" and "Joke"--all of which appear to
have been cut-and-pasted into a new format or filename, experts said.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
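
The two filename disguises described in the article (a ".txt" extension placed before ".vbs", and blank spaces padding the name until ".vbs" is no longer displayed) can be screened for at a mail gateway. The following is an added example, not part of the Newsbytes article or of CA's products; the sample filenames are constructed, and DISPLAY_WIDTH, MIN_BLANK_RUN and all function names are assumptions.

```python
# Screen attachment filenames for a hidden script extension (added example).
SCRIPT_EXTS = {".vbs"}   # the only script extension the article names
DECOY_EXTS = {".txt"}    # the only decoy extension the article names
DISPLAY_WIDTH = 30       # assumption: characters a file listing shows per name
MIN_BLANK_RUN = 3        # assumption: shortest run of blanks treated as padding


def shown_name(name, width=DISPLAY_WIDTH):
    """Return what a fixed-width listing would show for this filename."""
    return name if len(name) <= width else name[:width].rstrip() + "..."


def classify_filename(name, width=DISPLAY_WIDTH):
    """Return the reasons a filename looks like a disguised script."""
    reasons = []
    clean = name.rstrip()
    stem, dot, ext = clean.rpartition(".")
    real_ext = "." + ext.lower()
    if not dot or real_ext not in SCRIPT_EXTS:
        return reasons                       # final extension is not a script
    reasons.append("script-extension")
    # Disguise 1: a harmless-looking extension directly before the real one.
    _, inner_dot, inner_ext = stem.rstrip().rpartition(".")
    if inner_dot and "." + inner_ext.lower() in DECOY_EXTS:
        reasons.append("decoy-extension")
    # Disguise 2: blanks that push the real extension out of view.
    if " " * MIN_BLANK_RUN in stem:
        reasons.append("blank-padding")
    if not shown_name(clean, width).lower().endswith(real_ext):
        reasons.append("extension-not-displayed")
    return reasons


def screen(names):
    """Map each suspicious filename to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := classify_filename(n))}


# Constructed sample filenames, not taken from any real message.
SAMPLE_NAMES = [
    "report.doc",
    "readme.txt.vbs",
    "demo" + " " * 40 + ".vbs",
    "notes.txt" + " " * 40 + ".vbs",
]

if __name__ == "__main__":
    for name, reasons in screen(SAMPLE_NAMES).items():
        print(repr(shown_name(name)), "->", ", ".join(reasons))
```
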
