Vulnerability Development mailing list archives

Re: Another new worm???


From: MHarmer () MVG COM (Harmer, Mike)
Date: Wed, 21 Jun 2000 07:37:14 -0400


I have to say that I strongly disagree with dear old Dan. However, as others
have covered that slant well enough, I will say something about Virus
Exchange though. This is a little bit from Sophos's Web site. I noticed it
when I was getting the latest identity. They make reference to a REVS
program. It seems that WildList Org. and Sophos have some partnership that
promotes sharing of virus samples. Perhaps you could get fragments from
them, but I have a feeling that it is only open to people that are
"trusted". For some more information see
http://www.us.sophos.com/pressoffice/pressrel/uk/20000427revs.html.

And Dan, I am a sys admin, programmer, DBA. I have no interest in spreading
viruses or creating them, but I do have an interest in the viruses
themselves. I do have copies of LoveLetter that I neutered and took apart.
Some viruses have cute tricks, others I get on how to remove them. As for
security through obscurity, come on, hasn't that been covered enough yet?
You can't stop the virus channels, so what do you gain by stopping others? A
bunch of underinformed system administrators is what you get.

Michael E. Harmer
Miller-Valentine Group
4000 Miller-Valentine Ct.
Dayton, OH 45439-1487
x804
mharmer () mvg com

----------------------------------------------
In the middle of difficulty lies opportunity.
--Albert Einstein
----------------------------------------------

-----Original Message-----
From: Blue Boar [mailto:BlueBoar () THIEVCO COM]
Sent: Tuesday, June 20, 2000 10:57 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Another new worm???

Dan Schrader wrote:

> Thank you

You're welcome.


> You have now provided the virus to 40,000 people who have nothing in common

I've got less than 10,000 subscribers.  Dunno how many people read the
archives on the SecurityFocus.com site.

> except that they are interested in security.  Go to usenet and you will find
> dozens of posts from virus writers and vx wannabes asking for viruses to
> play with - you answered their prayers.

I'm not really the best source of viruses, but I help out when I can.


> This virus has already been extensively analyzed - there was no need to
> spread it further.

Hm... now there's a sticky point.  I've tried once or twice to get a copy
of a virus from Trend Micro (and other AV vendors.)  I've been turned down
flat each time.  Seems there's a policy to not give out the code.  Now, if
I wanted to be cynical, I'd assume that was because the AV vendors have
a direct financial interest in the code not being publicly available,
thereby forcing people to buy AV software for protection.  I get the
distinct impression that they don't share with each other as well.  I'll
leave that for you to comment on if you like.

However, there are loads of us who maintain our own mail filters and IDS
signatures, and who want to understand the root issues behind the virus
spread.  We don't necessarily want to pay someone else to do that for us.
The "information" that AV companies publish about viruses is nearly useless
for these purposes.


> In the future if you wish to have a file analyzed, send to known, trusted
> experts or send to one or more of the antivirus vendors.  Trend Micro will
> analyze unsolicited files if you send them to:
>
> virus_doctor () trendmicro com


So now you've got it, let's see the analysis.  Keep in mind that the kind
of analysis that has gone on here before often includes picking through
the code and commenting on interesting bits.

                                BB

