Bagle and other recent viruses (Was: warning - new trend of attempts to infect ISP users, possibly virus)
On Wed, 3 Mar 2004, Stephen J. Wilcox wrote:

Perhaps I'm only following this as it's affecting us more, but I don't recall a time previously when I've had so many viruses hitting us and getting thro our scanners with nothing we can do about it. I don't recall seeing viruses with variants as high as 'j' before, especially in the relatively short time since the previous variants were out

Seriously, drop some references if I'm off-track.. it's just my perception and I'm not an expert at all with viruses...

This might be an interesting reading on this point - http://www.pcpro.co.uk/news/news_story.php?id=54437

Rapid MyDoom, Bagle and Netsky variants do battle to control your computer

New variants of MyDoom, Bagle and Netsky arrive in quick succession as the battle to control infected computers heats up.

Sophos has issued alerts this morning for MyDoom-G and H, Bagle-J and K and Netsky F. The worms are fighting for the control of infected computers which the virus writers can use for their nefarious activities.

Bagle-J contains the text 'Hey,NetSky, [expletives removed], don't ruine our bussiness, wanna start a war?'

'You wish that they would have this slagging match on a message board or in a dark alley, rather than on the Internet,' said Graham Cluley, senior technology consultant for Sophos. 'It's like an argument where everyone wants the last word.'

So the flood of viruses doesn't look likely to end any time soon. The text in Bagle-J supports the theories of antivirus companies that virus writers are being given a financial incentive to write these worms - perhaps by spammers who can send their emails through the infected machines.

And indeed previous variants of Bagle and Netsky remove evidence of infection by their rivals ...

-- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Bagle and other recent viruses (Was: warning - new trend of attempts to infect ISP users, possibly virus)
Also the following is talking about same too: http://www.cmpnetasia.com/ViewArt.cfm?Artid=23047Catid=3subcat=50

Dueling Hackers Sparked Bagle, Netsky Worm Blitz
Gregg Keizer, TechWeb News, 3-Mar-2004

Security analysts are asking themselves whether the wave of malicious worms that began traversing the Internet Friday and continued their blitz Tuesday was a coordinated attack or mischievous coincidence.

No question it has been a deluge of worms. Seven variations of Bagle and two of Netsky surfaced in the last five days.

Was the flood just happenstance? Or was there something more devious behind the surge? The answer, said security experts, is a bit of both, with some fighting over hacker turf thrown in for good measure ...

On Thu, 4 Mar 2004, william(at)elan.net wrote:

On Wed, 3 Mar 2004, Stephen J. Wilcox wrote:

Perhaps I'm only following this as it's affecting us more, but I don't recall a time previously when I've had so many viruses hitting us and getting thro our scanners with nothing we can do about it. I don't recall seeing viruses with variants as high as 'j' before, especially in the relatively short time since the previous variants were out

Seriously, drop some references if I'm off-track.. it's just my perception and I'm not an expert at all with viruses...

This might be an interesting reading on this point - http://www.pcpro.co.uk/news/news_story.php?id=54437

Rapid MyDoom, Bagle and Netsky variants do battle to control your computer

New variants of MyDoom, Bagle and Netsky arrive in quick succession as the battle to control infected computers heats up.

Sophos has issued alerts this morning for MyDoom-G and H, Bagle-J and K and Netsky F. The worms are fighting for the control of infected computers which the virus writers can use for their nefarious activities.

Bagle-J contains the text 'Hey,NetSky, [expletives removed], don't ruine our bussiness, wanna start a war?'

'You wish that they would have this slagging match on a message board or in a dark alley, rather than on the Internet,' said Graham Cluley, senior technology consultant for Sophos. 'It's like an argument where everyone wants the last word.'

So the flood of viruses doesn't look likely to end any time soon. The text in Bagle-J supports the theories of antivirus companies that virus writers are being given a financial incentive to write these worms - perhaps by spammers who can send their emails through the infected machines.

And indeed previous variants of Bagle and Netsky remove evidence of infection by their rivals ...

-- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Warning - new trend of attempts to infect ISP users (possibly virus)
On Wed, 3 Mar 2004, Stephen J. Wilcox wrote:

Erm is it me or are the writers of Bagle and Netsky determined to keep morphing their code to outwit the virus scanners.. is this a new trend in virus writing - beat the systems by evolving your code quicker than the security firms can release updates?

new trend in that it started only a decade ago?

Steve

On Tue, 2 Mar 2004, Larry Rosenman wrote:

http://vil.nai.com/vil/content/v_101071.htm
W32/[EMAIL PROTECTED]

--On Tuesday, March 02, 2004 20:07:17 -0800 william(at)elan.net [EMAIL PROTECTED] wrote:

I have just seen emails (several different kinds) pretending to be sent from 3 of my isp domains to users of those domains warning users that their email account would be disabled and asking to open a .pif attachment. I know largest ISPs probably have experienced this but I believe what I have seen today means they are after ISPs (or possibly just after any domains with number of email addresses under them) of all sizes right at the moment.

All emails we received from the same source ip - 129.59.206.187

Please check your email base for what looks like the following (in the examples I changed everything to elan.net, actually every isp domain received different example of this, only first one is exact).

Example 1:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Email account utilization warning.

Hello user of Elan.net e-mail server,

Your e-mail account has been temporary disabled because of unauthorized access.

For further details see the attach.

Best wishes,
The Elan.net team http://www.elan.net
---

Example 2:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.

Dear user of Elan.net mailing system,

Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.

Further details can be obtained from attached file.

Cheers,
The Elan.net team http://www.elan.net
---

Example 3:
---
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.
From: [EMAIL PROTECTED]

Dear user, the management of Elan.net mailing system wants to let you know that,

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Please, read the attach for further details.

The Management,
The Elan.net team http://www.elan.net

--
-- Joel Jaeggli Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Re: Warning - new trend of attempts to infect ISP users (possibly virus)
Erm is it me or are the writers of Bagle and Netsky determined to keep morphing their code to outwit the virus scanners.. is this a new trend in virus writing - beat the systems by evolving your code quicker than the security firms can release updates?

Steve

On Tue, 2 Mar 2004, Larry Rosenman wrote:

http://vil.nai.com/vil/content/v_101071.htm
W32/[EMAIL PROTECTED]

--On Tuesday, March 02, 2004 20:07:17 -0800 william(at)elan.net [EMAIL PROTECTED] wrote:

I have just seen emails (several different kinds) pretending to be sent from 3 of my isp domains to users of those domains warning users that their email account would be disabled and asking to open a .pif attachment. I know largest ISPs probably have experienced this but I believe what I have seen today means they are after ISPs (or possibly just after any domains with number of email addresses under them) of all sizes right at the moment.

All emails we received from the same source ip - 129.59.206.187

Please check your email base for what looks like the following (in the examples I changed everything to elan.net, actually every isp domain received different example of this, only first one is exact).

Example 1:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Email account utilization warning.

Hello user of Elan.net e-mail server,

Your e-mail account has been temporary disabled because of unauthorized access.

For further details see the attach.

Best wishes,
The Elan.net team http://www.elan.net
---

Example 2:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.

Dear user of Elan.net mailing system,

Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.

Further details can be obtained from attached file.

Cheers,
The Elan.net team http://www.elan.net
---

Example 3:
---
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.
From: [EMAIL PROTECTED]

Dear user, the management of Elan.net mailing system wants to let you know that,

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Please, read the attach for further details.

The Management,
The Elan.net team http://www.elan.net
Re: Warning - new trend of attempts to infect ISP users (possibly virus)
Erm is it me or are the writers of Bagle and Netsky determined to keep morphing their code to outwit the virus scanners.. is this a new trend in virus writing - beat the systems by evolving your code quicker than the security firms can release updates?

new trend in that it started only a decade ago?

Perhaps I'm only following this as it's affecting us more, but I don't recall a time previously when I've had so many viruses hitting us and getting thro our scanners with nothing we can do about it. I don't recall seeing viruses with variants as high as 'j' before, especially in the relatively short time since the previous variants were out

Seriously, drop some references if I'm off-track.. it's just my perception and I'm not an expert at all with viruses...

Steve

On Tue, 2 Mar 2004, Larry Rosenman wrote:

http://vil.nai.com/vil/content/v_101071.htm
W32/[EMAIL PROTECTED]

--On Tuesday, March 02, 2004 20:07:17 -0800 william(at)elan.net [EMAIL PROTECTED] wrote:

I have just seen emails (several different kinds) pretending to be sent from 3 of my isp domains to users of those domains warning users that their email account would be disabled and asking to open a .pif attachment. I know largest ISPs probably have experienced this but I believe what I have seen today means they are after ISPs (or possibly just after any domains with number of email addresses under them) of all sizes right at the moment.

All emails we received from the same source ip - 129.59.206.187

Please check your email base for what looks like the following (in the examples I changed everything to elan.net, actually every isp domain received different example of this, only first one is exact).

Example 1:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Email account utilization warning.

Hello user of Elan.net e-mail server,

Your e-mail account has been temporary disabled because of unauthorized access.

For further details see the attach.

Best wishes,
The Elan.net team http://www.elan.net
---

Example 2:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.

Dear user of Elan.net mailing system,

Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.

Further details can be obtained from attached file.

Cheers,
The Elan.net team http://www.elan.net
---

Example 3:
---
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.
From: [EMAIL PROTECTED]

Dear user, the management of Elan.net mailing system wants to let you know that,

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Please, read the attach for further details.

The Management,
The Elan.net team http://www.elan.net
Re: Warning - new trend of attempts to infect ISP users (possibly virus)
It has gotten to the point for me that I am looking for a whitelisting option on my firewall/a-v gateway instead of a blacklisting one for attachments.

Stephen J. Wilcox wrote:

Erm is it me or are the writers of Bagle and Netsky determined to keep morphing their code to outwit the virus scanners.. is this a new trend in virus writing - beat the systems by evolving your code quicker than the security firms can release updates?

new trend in that it started only a decade ago?

Perhaps I'm only following this as it's affecting us more, but I don't recall a time previously when I've had so many viruses hitting us and getting thro our scanners with nothing we can do about it. I don't recall seeing viruses with variants as high as 'j' before, especially in the relatively short time since the previous variants were out

Seriously, drop some references if I'm off-track.. it's just my perception and I'm not an expert at all with viruses...

Steve

On Tue, 2 Mar 2004, Larry Rosenman wrote:

http://vil.nai.com/vil/content/v_101071.htm
W32/[EMAIL PROTECTED]

--On Tuesday, March 02, 2004 20:07:17 -0800 william(at)elan.net [EMAIL PROTECTED] wrote:

I have just seen emails (several different kinds) pretending to be sent from 3 of my isp domains to users of those domains warning users that their email account would be disabled and asking to open a .pif attachment. I know largest ISPs probably have experienced this but I believe what I have seen today means they are after ISPs (or possibly just after any domains with number of email addresses under them) of all sizes right at the moment.

All emails we received from the same source ip - 129.59.206.187

Please check your email base for what looks like the following (in the examples I changed everything to elan.net, actually every isp domain received different example of this, only first one is exact).

Example 1:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Email account utilization warning.

Hello user of Elan.net e-mail server,

Your e-mail account has been temporary disabled because of unauthorized access.

For further details see the attach.

Best wishes,
The Elan.net team http://www.elan.net
---

Example 2:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.

Dear user of Elan.net mailing system,

Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.

Further details can be obtained from attached file.

Cheers,
The Elan.net team http://www.elan.net
---

Example 3:
---
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.
From: [EMAIL PROTECTED]

Dear user, the management of Elan.net mailing system wants to let you know that,

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Please, read the attach for further details.

The Management,
The Elan.net team http://www.elan.net

--
My Foundation verse: Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
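
The attachment whitelisting asked for in the message above, applied to the kind of lure quoted in it, as an added example that is not part of the thread: a default-deny extension check plus a check for a local From: domain arriving from an outside client. The allowed extensions, the `example.net` domain, the networks and every function name are assumptions.

```python
import ipaddress
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical site policy (assumptions, not values from the thread).
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg"}
LOCAL_DOMAINS = {"example.net"}
TRUSTED_SUBMITTERS = [ipaddress.ip_network("192.0.2.0/24")]  # own mail hosts


def attachment_verdicts(msg):
    """Return [(filename, allowed)] for every attachment part (default deny)."""
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None and part.get_content_disposition() != "attachment":
            continue  # ordinary body part, not an attachment
        # Windows ignores trailing dots and spaces, so "x.pif." still runs as .pif.
        cleaned = (name or "").strip().rstrip(". ").lower()
        # Only the final extension counts: "details.txt.pif" is a .pif file.
        ext = cleaned[cleaned.rfind("."):] if "." in cleaned else ""
        verdicts.append((name, ext in ALLOWED_EXTENSIONS))
    return verdicts


def claims_local_sender(msg, client_ip):
    """True when From: uses a local domain but the SMTP client is external."""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    ip = ipaddress.ip_address(client_ip)
    external = not any(ip in net for net in TRUSTED_SUBMITTERS)
    return domain in LOCAL_DOMAINS and external


def evaluate(raw, client_ip):
    """Return ("accept" | "quarantine", [reasons]) for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = [f"attachment not on allowlist: {name!r}"
               for name, ok in attachment_verdicts(msg) if not ok]
    if claims_local_sender(msg, client_ip):
        reasons.append("local From: domain from external client")
    return ("quarantine" if reasons else "accept"), reasons


def build_sample(filename, sender):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.net"
    m["Subject"] = "Email account utilization warning."
    m.set_content("For further details see the attach.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # 198.51.100.7 is a documentation address standing in for an outside client.
    lure = build_sample("details.txt.pif", "support@example.net")
    print(evaluate(lure, "198.51.100.7"))
```

An allowlist fails closed on extensions nobody thought to block, which is the property the poster is after when scanners lag behind new variants.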
Re: Warning - new trend of attempts to infect ISP users (possibly virus)
Date: Wed, 3 Mar 2004 16:15:39 + (GMT)
From: Stephen J. Wilcox [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

Erm is it me or are the writers of Bagle and Netsky determined to keep morphing their code to outwit the virus scanners.. is this a new trend in virus writing - beat the systems by evolving your code quicker than the security firms can release updates?

new trend in that it started only a decade ago?

Perhaps I'm only following this as it's affecting us more, but I don't recall a time previously when I've had so many viruses hitting us and getting thro our scanners with nothing we can do about it. I don't recall seeing viruses with variants as high as 'j' before, especially in the relatively short time since the previous variants were out

Seriously, drop some references if I'm off-track.. it's just my perception and I'm not an expert at all with viruses...

They are getting better at it, but the WANK worm (1989) used self-modifying code so that no two replicas were the same. (Note: This worm only infected VMS systems running on the global DECNET internet, mostly DOE, NASA, and DEC corporate systems.)

-- R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED] Phone: +1 510 486-8634
Re: Warning - new trend of attempts to infect ISP users (possibly virus)
- Original Message -
From: william(at)elan.net [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 3:07 PM
Subject: Warning - new trend of attempts to infect ISP users (possibly virus)

I have just seen emails (several different kinds) pretending to be sent from 3 of my isp domains to users of those domains warning users that their email account would be disabled and asking to open a .pif attachment. I know largest ISPs probably have experienced this but I believe what I

Sorry to tell you but this has been around for some time. I was the target - not a victim - of three of these letters since last year. Naturally I didn't believe it and warned my ISP what was happening. They have, since, updated their web page to reflect this but unfortunately haven't done the right thing and emailed the users.

Greg.
Re: Warning - new trend of attempts to infect ISP users (possibly virus)
If it ain't one thing, it's... http://www.vnunet.com/News/1153081
Warning - new trend of attempts to infect ISP users (possibly virus)
I have just seen emails (several different kinds) pretending to be sent from 3 of my isp domains to users of those domains warning users that their email account would be disabled and asking to open a .pif attachment. I know largest ISPs probably have experienced this but I believe what I have seen today means they are after ISPs (or possibly just after any domains with number of email addresses under them) of all sizes right at the moment.

All emails we received from the same source ip - 129.59.206.187

Please check your email base for what looks like the following (in the examples I changed everything to elan.net, actually every isp domain received different example of this, only first one is exact).

Example 1:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Email account utilization warning.

Hello user of Elan.net e-mail server,

Your e-mail account has been temporary disabled because of unauthorized access.

For further details see the attach.

Best wishes,
The Elan.net team http://www.elan.net
---

Example 2:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.

Dear user of Elan.net mailing system,

Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.

Further details can be obtained from attached file.

Cheers,
The Elan.net team http://www.elan.net
---

Example 3:
---
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.
From: [EMAIL PROTECTED]

Dear user, the management of Elan.net mailing system wants to let you know that,

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Please, read the attach for further details.

The Management,
The Elan.net team http://www.elan.net
Re: Warning - new trend of attempts to infect ISP users (possibly virus)
http://vil.nai.com/vil/content/v_101071.htm
W32/[EMAIL PROTECTED]

--On Tuesday, March 02, 2004 20:07:17 -0800 william(at)elan.net [EMAIL PROTECTED] wrote:

I have just seen emails (several different kinds) pretending to be sent from 3 of my isp domains to users of those domains warning users that their email account would be disabled and asking to open a .pif attachment. I know largest ISPs probably have experienced this but I believe what I have seen today means they are after ISPs (or possibly just after any domains with number of email addresses under them) of all sizes right at the moment.

All emails we received from the same source ip - 129.59.206.187

Please check your email base for what looks like the following (in the examples I changed everything to elan.net, actually every isp domain received different example of this, only first one is exact).

Example 1:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Email account utilization warning.

Hello user of Elan.net e-mail server,

Your e-mail account has been temporary disabled because of unauthorized access.

For further details see the attach.

Best wishes,
The Elan.net team http://www.elan.net
---

Example 2:
---
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.

Dear user of Elan.net mailing system,

Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.

Further details can be obtained from attached file.

Cheers,
The Elan.net team http://www.elan.net
---

Example 3:
---
To: [EMAIL PROTECTED]
Subject: Warning about your e-mail account.
From: [EMAIL PROTECTED]

Dear user, the management of Elan.net mailing system wants to let you know that,

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Please, read the attach for further details.

The Management,
The Elan.net team http://www.elan.net

-- Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749