Re: Possibly yet another MS mail worm

["John Palmer" <nanog () adns net>]

In this case, it is the IDIOIT users. You tell them time and time again DONT CLICK ON ATTACHMENTS
UNLESS SOMEONE YOU KNOW IS SENDING IT AND TELLS YOU IN ADVANCE THEY ARE
SENDING IT.

The problem is dumb users who DONT LISTEN. This is mostly the office crowd.

The real imbeciles are people operating a broadband connection without a license. Letting a
computer illeterate, typical beer guzzling, porno hunting hick have a computer with a 
DSL/cable connection should be a capital offense. Those are where most of the
zombies are located.  When you use words like "attachment" and '.exe' with them, their
eyes just sort of glaze over. "Hey, all I do is point and click and it just works". We need
to cleanse the gene pool of these kinds, or at least take away their dsl connections. 

----- Original Message ----- 
From: "Sam Stickland" <sam_ml () spacething org>
To: "Curtis Maurand" <curtis () maurand com>; "Todd Vierling" <tv () duh org>
Cc: <nanog () merit edu>
Sent: Monday, March 01, 2004 10:06
Subject: Re: Possibly yet another MS mail worm


> Curtis Maurand wrote:
> > On Mon, 1 Mar 2004, Todd Vierling wrote:
> >
> > > On Mon, 1 Mar 2004, Curtis Maurand wrote:
> > >
> > > > Sure they do....its called COM/DCOM/OLE/ActiveX or whatever they
> > > > want to call it this week.  Its on every windows system.
> > >
> > > No, my point was that the majority of newer trojan mail viruses
> > > don't depend on ActiveX exploits -- they simply wait, dormant, for a
> > > n00b to click on this mysterious-looking Zip Folder, and the
> > > mysterious-looking EXE inside.
> > >
> > > It's as if the modern e-mail viruses are closer to human infections.
> > > Only the clueful are immune.  8-)
> >
> > The latter is very true.
> >
> > My point is that the COM/DCOM/OLE/ActiveX is what allows for a script
> > in an email message that gets executed to have access to the rest of
> > the system, rather than executing within a protected sandbox.  Of
> > course scripts within email messages shouldn't execute at all.  Once
> > they do execute, they have access to the OLE objects on the machine.
> > Its a security hole big enough to drive a tank through.
>
> I don't think that defines the problem very well. The current Bagle.C virus
> does the following:
>
> "W32/Bagle-C opens up a backdoor on port 2745 and listens for connections.
> If it receives the appropriate command it attempts to download and execute a
> file. W32/Bagle-C also makes a web connection to a remote URL, thus
> reporting the location and open port of infected computers.
>
> Adds the value:
>
> gouday.exe = <SYSTEM>\readme.exe
>
> to the registry key:
>
> HKCU\Software\Microsoft\Windows\CurrentVersion\Run
>
> This means that W32/Bagle-C runs every time you logon to your computer"
>
> It also uses it's own SMTP engine to replicate itself. So effectively it's
> opening a connection to port 80 (from an unprivileged port), listening on
> port 2745 (an unprivileged port), and opening connections to port 25 (from
> an unprivileged port).
>
> Maybe I'm missing something here, but where does access to OLE objects come
> into play? Also this virus would appear to function just as well even if a
> non-adminstrator user opened it.
>
> Sam