[ale] email virus? rehash.... with onions

Jeff Hubbs hbbs at attbi.com
Tue May 7 20:32:51 EDT 2002


Can someone point me to anything on the Web that succinctly describes the 
virus, its vector(s), and specifically that even updated AV software was 
useless to stop it?

- Jeff

James P. Kinney III wrote:

> A true scenario, but Mallory's AV scan was still showing clear for
> several weeks until the updates caught up with reality. 
> 
> Many people I have dealt with have AV software. Some even have it set up
> to automatically check for updates on a periodic basis. The default 
> upgrade time seems to be about a week.
> 
> So, worst case is 7 days from infect to upgrade. On a corporate machine
> in use by the VP of finance, this could be a serious disaster.
> 
> On Tue, 2002-05-07 at 20:04, Kevin Krumwiede wrote:
> 
>>No.  What was happening was that Mallory would send a virus-laden email
>>to Bob, using Alice's name in the "from" field.  Bob would warn Alice
>>that her computer was infected, but of course her AV scanner wouldn't
>>find anything.  Meanwhile, Mallory would remain oblivious.
>>
>>Krum
>>
>>On Tue, 2002-05-07 at 19:48, Jeff Hubbs wrote:
>>
>>>Just so I understand the implications fully...
>>>
>>>When Klez first spread in the wild, was it going undetected by the usual 
>>>Windows anti-virus software, even if said software was using current 
>>>updates of their signature files?
>>>
>>>If so, then I find this VERY damning.
>>>
>>>- Jeff
>>>
>>>James P. Kinney III wrote:
>>>
>>>
>>>>That brings up an interesting argument for the eradication of M$ on the
>>>>corporate desktop. The viral spreading of confidential information could
>>>>be viewed as a bigger security threat than just the headache and hassle
>>>>of a network getting trashed by a bug going haywire.
>>>>
>>>>On Tue, 2002-05-07 at 17:55, Irv Mullins wrote:
>>>>
>>>>
>>>>>On Tuesday 07 May 2002 05:29 pm, you wrote:
>>>>>
>>>>>
>>>>>>On Tue, 2002-05-07 at 17:07, Cade Thacker wrote:
>>>>>>
>>>>>>
>>>>>>>I cleaned out my mail box the other day, so I don't have the discussion
>>>>>>>that you all had the other day, but I just got a bounce back of an email I
>>>>>>>did not send. Attached is a small file that "file" returns the following:
>>>>>>>
>>>>>>>border.bat: MS-DOS executable (EXE), OS/2 or MS Windows
>>>>>>>
>>>>>>>What was the summary of this puppy? something to do with W32/Klez?
>>>>>>>
>>>>>>>
>>>>>>http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.htm
>>>>>>
>>>>>>
>>>>>Thanks for the confirmation.
>>>>>It's interesting to take a look at the third (random, I guess) 
>>>>>file that is attached to those worms. Using khexedit or similar,
>>>>>I have found html, jpg's, and a "confidential" business report 
>>>>>so far.
>>>>>
>>>>>We need smarter worms, which can look for pictures of "girlfriends"
>>>>>to send out :p
>>>>>
>>>>>Regards,
>>>>>Irv
>>>>>
>>>>>---
>>>>>This message has been sent through the ALE general discussion list.
>>>>>See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
>>>>>sent to listmaster at ale dot org.
>>>>>
>>>>>

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
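
Added illustration, not part of the original thread: the `file` output quoted above shows an attachment named border.bat whose content is an MS-DOS/Windows executable. The Python sketch below runs the same name-versus-content check on a constructed message at a mail gateway; the addresses, the photo.jpg attachment, the magic-byte table and all function names are assumptions made for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Leading bytes that identify a file's real type, independent of its name.
MAGIC = {
    b"MZ": "windows-executable",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"%PDF": "pdf",
}
# Extensions that honestly announce an MZ executable.
EXE_EXTS = {".exe", ".dll", ".scr", ".com", ".sys"}

def sniff(payload: bytes) -> str:
    """Classify a payload by its magic bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return "unknown"

def audit_attachments(raw: bytes):
    """Return (filename, detected_type, verdict) for every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        ext = os.path.splitext(name)[1].lower()
        if kind == "windows-executable" and ext not in EXE_EXTS:
            verdict = "quarantine: executable behind misleading extension"
        elif kind == "windows-executable":
            verdict = "quarantine: executable attachment"
        else:
            verdict = "pass to content scanner"
        findings.append((name, kind, verdict))
    return findings

def build_sample() -> bytes:
    """Constructed bounce-like message; payloads are inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "alice@example.org"  # forgeable header, not evidence of origin
    m["To"] = "bob@example.org"
    m["Subject"] = "Undeliverable mail"
    m.set_content("constructed sample body")
    m.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                     subtype="octet-stream", filename="border.bat")
    m.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                     subtype="jpeg", filename="photo.jpg")
    return m.as_bytes()
```

The check does not depend on a signature update, so it still applies in the window before AV definitions catch up.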





