[ale] email virus? rehash.... with onions

Michael D. Hirsch mdhirsch at mail.com
Wed May 8 10:04:59 EDT 2002


Even worse is that KLEZ would infect some AV programs, so not only
would they not detect it, they would reinfect whenever run.  I don't
know if KLEZ did, but I could imagine a virus breaking the automatic
update system, too, leading to a very long time before detection.

--Michael

James P. Kinney III writes:
 > A true scenario, but Mallory's AV scan was still showing clear for
 > several weeks until the updates caught up with reality. 
 > 
 > Many people I have dealt with have AV software. Some even have it set up
 > to automatically check for updates on a periodic basis. The default
 > upgrade time seems to be about a week.
 > 
 > So, worst case is 7 days from infect to upgrade. On a corporate machine
 > in use by the VP of finance, this could be a serious disaster.
 > 
 > On Tue, 2002-05-07 at 20:04, Kevin Krumwiede wrote:
 > > No.  What was happening was that Mallory would send a virus-laden email
 > > to Bob, using Alice's name in the "from" field.  Bob would warn Alice
 > > that her computer was infected, but of course her AV scanner wouldn't
 > > find anything.  Meanwhile, Mallory would remain oblivious.
 > > 
 > > Krum
 > > 
 > > On Tue, 2002-05-07 at 19:48, Jeff Hubbs wrote:
 > > > Just so I understand the implications fully...
 > > > 
 > > > When Klez first spread in the wild, was it going undetected by the usual 
 > > > Windows anti-virus software, even if said software was using current 
 > > > updates of their signature files?
 > > > 
 > > > If so, then I find this VERY damning.
 > > > 
 > > > - Jeff
 > > > 
 > > > James P. Kinney III wrote:
 > > > 
 > > > > That brings up an interesting argument for the eradication of M$ on the
 > > > > corporate desktop. The viral spreading of confidential information could
 > > > > be viewed as a bigger security threat than just the headache and hassle
 > > > > of a network getting trashed by a bug going haywire.
 > > > > 
 > > > > On Tue, 2002-05-07 at 17:55, Irv Mullins wrote:
 > > > > 
 > > > >>On Tuesday 07 May 2002 05:29 pm, you wrote:
 > > > >>
 > > > >>>On Tue, 2002-05-07 at 17:07, Cade Thacker wrote:
 > > > >>>
 > > > >>>>I cleaned out my mail box the other day, so I don't have the discussion
 > > > >>>>that you all had the other day, but I just got a bounce back of an email I
 > > > >>>>did not send. Attached is a small file for which "file" returns the following:
 > > > >>>>
 > > > >>>>border.bat: MS-DOS executable (EXE), OS/2 or MS Windows
 > > > >>>>
 > > > >>>>What was the summary of this puppy? something to do with W32/Klez?
 > > > >>>>
 > > > >>>http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.htm
 > > > >>>
 > > > >>Thanks for the confirmation.
 > > > >>It's interesting to take a look at the third (random, I guess) 
 > > > >>file that is attached to those worms. Using khexedit or similar,
 > > > >>I have found html, jpg's, and a "confidential" business report 
 > > > >>so far.
 > > > >>
 > > > >>We need smarter worms, which can look for pictures of "girlfriends"
 > > > >>to send out :p
 > > > >>
 > > > >>Regards,
 > > > >>Irv
 > > > >>
 > > > >>---
 > > > >>This message has been sent through the ALE general discussion list.
 > > > >>See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
 > > > >>sent to listmaster at ale dot org.
 > > > >>
 > -- 
 > James P. Kinney III   \Changing the mobile computing world/
 > President and CEO      \          one Linux user         /
 > Local Net Solutions,LLC \           at a time.          /
 > 770-493-8244             \.___________________________./
 > 
 > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
 > <jkinney at localnetsolutions.com>
 > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 

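The thread describes two traits of the Klez-style mail worm that a receiving side can screen for: the From: header borrows a third party's identity (so Bob blames Alice while Mallory's machine is the real source), and the attachment is a Windows executable wearing a harmless-looking extension (`file` reported border.bat as an MS-DOS EXE). The following is an added example written for this page, not code from the ALE list or any poster, showing both checks in Python's standard library; the addresses, function names and the sample message are constructed for the example, and the Return-Path header stands in for the envelope sender the receiving MTA would record.

```python
"""Added example (not from the ALE thread or any poster): a small
defender-side screen for two traits the thread attributes to Klez-style
mail worms.  The sample message below is constructed for this example."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_mismatch(msg):
    """Trait 1: the From: header borrows someone else's name/address.

    Return (from_addr, return_path) when the two domains differ, else None.
    Return-Path is the envelope sender recorded by the receiving MTA, which
    a worm that forges From: does not control in the same way.
    """
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    if not from_addr or not return_path:
        return None
    if domain_of(from_addr) != domain_of(return_path):
        return (from_addr, return_path)
    return None


def executable_attachments(msg):
    """Trait 2: an attachment that is really a Windows executable.

    `file` in the thread reported border.bat as 'MS-DOS executable (EXE)';
    that verdict rests on the two-byte 'MZ' header, which is checked here
    directly instead of trusting the filename extension.
    """
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":
            hits.append(part.get_filename() or "<unnamed>")
    return hits


def scan(raw: bytes):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    mismatch = sender_mismatch(msg)
    if mismatch:
        findings.append("From/Return-Path domain mismatch: %s vs %s" % mismatch)
    for name in executable_attachments(msg):
        findings.append("MZ executable attached as %s" % name)
    return findings


def build_sample() -> bytes:
    """Constructed message mirroring the thread's scenario: Mallory sends to
    Bob using Alice's name, with a .bat that is really a PE/EXE header stub."""
    m = EmailMessage()
    m["Return-Path"] = "<mallory@example.net>"     # envelope sender (Mallory)
    m["From"] = "Alice <alice@example.com>"        # borrowed identity
    m["To"] = "bob@example.org"
    m["Subject"] = "border"
    m.set_content("see attached")
    # 'MZ' magic followed by padding; only the header bytes, not a program.
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                     maintype="application", subtype="octet-stream",
                     filename="border.bat")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in scan(build_sample()):
        print(finding)
```

Run stand-alone it prints one line per finding for the constructed message. The domain comparison is deliberately coarse: it catches the borrowed-identity case the thread describes but will also flag legitimate forwarding services, so in practice it is a triage signal rather than a blocking rule. The MZ check complements a signature-based scanner precisely in the window the thread complains about, before definitions for a new worm have arrived.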