Kammy
03-08-2004, 07:30 AM
From Fred Langa this a.m. It's a long read... But... a should-read. Especially Section #3.
snip
_______________________________________________
Another *&^%@* Worm
There's a malicious worm that's been around for a while, but that
exploded last week; it masquerades as a message from an ISP or web site---
Verizon, AOL, and others; even from me ("Dear user of Langa.com e-mail..."
or something similar).
The email usually arrives with a password-protected Zip file attachment
that contains executable files. The email text tells you how to open it
to "protect yourself from spam" or to "reset your email account" or some
such.
DO NOT OPEN THE FILE! It's not really from me--- or Verizon, or AOL, or
whomever. No responsible party will *ever* send you an executable file,
unasked for, out of the blue. I certainly will never, ever do so.
In this case, the file is a trojan designed to infect your system. The
worm-writers placed the payload in a password-protected file to try to
hide from some anti-virus tools. They also crafted the worm to do an
unusually good job of spoofing the formats and headers--- it can look
quite legitimate, at first glance.
At first, I was amused when I got emails addressed to me from "The
Langa.Com team." Well, the "Langa.Com team" is just me, and I knew I
didn't send the message, so I knew it was a fake and deleted it. (My
systems here never were infected by this worm; no infected mails
originated from me.)
But I then got hundreds more copies of the worm--- and many of you did,
too--- and it was no longer funny.
This particular attack seems to have started from a user at
Centurytel.net, but it's hard to say for sure. In any case, don't be
fooled: JUST DELETE THE FILE AND THE EMAIL. In fact, that's a sensible
precaution for any unasked-for attachment that shows up in your mail:
When in doubt--- any doubt at all--- toss it out.
More information (from the Symantec/Norton Antivirus people):
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.k@mm.html
If you think you've been infected, a free removal tool is available from Symantec. http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html
3) Making Sure Your Antivirus Tools Can Work Inside Zips
This excellent tip was posted on the "Bugtraq" mailing list; it helps AV
tools block the content of password-protected Zip files like the
malicious one discussed in the previous item:
With the release of Beagle.H and Beagle.I, virus writers
started enclosing the infected files within password protected
ZIP files... I've found that the A/V software does see the
file within the ZIP archive, but cannot process it because it
does not recognize the extension. When the archive is
password protected, the file enclosed receives a "+" character
at the end of the extension (i.e. test.exe becomes test.exe+).
Since the A/V software doesn't recognize that kind of
extension, it lets it pass through.
I found that by adding the "+" character to file extensions
that are blocked (.exe+, .cmd+, .vbs+ etc etc), the A/V
software can now recognize that file extension and perform the
necessary actions on it.
I've only tested this out on Norton Anti-Virus for Exchange
V2.1, but it should work on the other A/V software programs.
--Mike Maloney, Sr. System Engineer, Middlesex County College
________________________________________________
The End. :)
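The mechanism in the Bugtraq tip above, as an added Python example that is not Fred Langa's, Mike Maloney's, or Symantec's code: it reads a ZIP archive's central directory for the encryption flag, reports member names the way the tip describes the scanner seeing them (a "+" appended to the extension when the archive is password-protected), and shows that a blocklist holding only .exe lets the encrypted member pass while one that also holds .exe+ catches it. The archive, the payload bytes and the extension lists are constructed for the example; the "+" naming convention is modelled on the tip's description, not read from any real scanner.

```python
"""Illustrative defender-side check of the 'extension+' blocklist tip.

Added example; constructed data, not code from Langa.com or Symantec.
"""
import io
import struct
import zipfile

# Bit 0 of the ZIP "general purpose bit flag" marks an encrypted entry.
ENCRYPTED_FLAG = 0x1
LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"


def build_zip(entries, encrypted=False):
    """Return ZIP bytes holding the given {name: data} entries.

    Python's zipfile cannot write password-protected archives, so when
    `encrypted` is true the encryption flag bit is patched into every
    local and central-directory header afterwards.  Members are stored
    uncompressed, and the constructed payloads contain no header
    signatures, so only the real headers are touched.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # The flag field sits 6 bytes into a local file header and
        # 8 bytes into a central directory header (little-endian u16).
        for sig, offset in ((LOCAL_HEADER_SIG, 6), (CENTRAL_DIR_SIG, 8)):
            pos = raw.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", raw, pos + offset)
                struct.pack_into("<H", raw, pos + offset, flags | ENCRYPTED_FLAG)
                pos = raw.find(sig, pos + len(sig))
    return bytes(raw)


def scanner_view(zip_bytes):
    """Member names as the mail scanner in the tip is described as seeing
    them: an encrypted member gets '+' appended (test.exe -> test.exe+).
    The archive is never extracted; only the central directory is read."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            info.filename + ("+" if info.flag_bits & ENCRYPTED_FLAG else "")
            for info in zf.infolist()
        ]


def is_blocked(scanner_name, blocked_extensions):
    """Plain suffix match, the way a blocklist-driven scanner decides:
    the reported name must end with one of the configured extensions."""
    lowered = scanner_name.lower()
    return any(lowered.endswith(ext.lower()) for ext in blocked_extensions)


def blocked_members(zip_bytes, blocked_extensions):
    """Members the scanner would act on under the given blocklist."""
    return [n for n in scanner_view(zip_bytes) if is_blocked(n, blocked_extensions)]


# Constructed sample attachment: an executable-looking member plus a text file.
SAMPLE = {"test.exe": b"MZ-stand-in-for-an-executable", "readme.txt": b"hello"}

# Blocklist as commonly configured, and the same list with the tip applied.
NAIVE_LIST = [".exe", ".cmd", ".vbs"]
FIXED_LIST = NAIVE_LIST + [ext + "+" for ext in NAIVE_LIST]

if __name__ == "__main__":
    for encrypted in (False, True):
        z = build_zip(SAMPLE, encrypted=encrypted)
        print("password-protected:", encrypted, "members seen:", scanner_view(z))
        print("  blocked with naive list:", blocked_members(z, NAIVE_LIST))
        print("  blocked with fixed list:", blocked_members(z, FIXED_LIST))
```

Running the script shows the failure mode the tip describes: the unencrypted archive's `test.exe` is blocked under either list, but once the encryption flag is set the scanner sees `test.exe+`, which the naive list ignores and only the list extended with `.exe+` catches. The encryption flag is read from the central directory alone, which is all a gateway needs to classify a member it cannot decrypt.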