Re: OT: Virus
Back with the Nimda virus, the attachment was a .exe but the MIME type was set to audio/wave. This causes WMP or another media player to automatically open the file, effectively auto-executing the program.

----- Original Message -----
From: Jeffrey [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 28, 2001 11:00 PM
Subject: Re: OT: Virus

--- Sisyphus [EMAIL PROTECTED] wrote:
> Yes - this is where a major part of the problem lies. How does one configure the system so that attachments will not open *unless* clicked on ? Afaik my configuration will not allow attachments to open until they are clicked - yet this is obviously not the case, as they did open ( or, at least, opened an IE download box ) but they were at no stage 'clicked on'.

I have heard that it helps if you configure your system such that it does not execute random script files. For example, I have my system set so that any .vbs file is opened in Notepad. If I want to execute it (unlikely in my case) I have to right click and choose 'execute'. This is merely a Windows file-type set default action, no real configuration changes made.

In addition, I'm not sure that this would stop much. I definitely don't have this setting for .exe files. But as far as I'm concerned, it doesn't hurt to have the extra precaution.

> What sort of kindergarten genius devises a system that needs a patch for something that should be easily handled by user configuration ?

Uhh, is the answer Microsoft..? ;)

=
Jeffrey Hottle
nkuvu at yahoo dot com

___
Perl-Win32-Users mailing list
[EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-users
Re: OT: Virus
I don't know of any Perl coding relating to this or if a patch for OE is available yet. I do know that you must have anti-virus software though or it will make it through. I learned that when Nimda hit our classroom subnet. Everyone had the system patched with all the patches too.

Anyways, for AV software, I personally recommend Norton, but to the best of my knowledge there is not a Linux version of it. Norton has a filter scanning ALL incoming and outgoing email. It will catch a virus before it gets to my email box. Also, I just now updated to the newest virus definitions.

----- Original Message -----
From: Sisyphus
To: [EMAIL PROTECTED]
Sent: Wednesday, November 28, 2001 6:57 PM
Subject: OT: Virus

Hi,

Yeah, as noted on this list, I've been caught a couple of times lately by virus attachments that open without being opened. ( The first was Nimda, which, afaik, did not get the chance to spread from this box.)

I believe they utilise a hole in the relationship between Outlook Express and Internet Explorer. There's a patch for that, isn't there ? Or can it also be taken care of with some proper configuration ? Looks like I'd better get it fixed.

I had updated my virus definitions 6 days ago, but it still didn't catch it. Seems I needed to update 2 days ago, as the relevant definitions are now available from my ISP. Maybe he's a bit slow at making them available, or does the virus industry now move that fast ?

CPAN has little to offer in this regard. 'AntiVirus::ForIdiots' doesn't appear to have been written yet.

Anyway, someone had better set me straight on how to close that hole, or I'll have to change my sig to 'Syphillis'.

Hope everyone managed to avoid inconvenience/damage.

Cheers,
Rob
RE: OT: Virus
Based on info from Microsoft, an Outlook registry setting could stop viruses from automatically executing when the Outlook preview pane is active. This is Kixtart script code used in our logon script. Sorry for posting a non-Perl solution, but someone can rewrite it.

    ;--
    ;Outlook Security Patch
    :OutlookSec
    ;--
    dim $key1, $key2, $RC1, $RegKey

    $key1 = "HKEY_CURRENT_USER\Software\Microsoft\Office"
    $key2 = "Outlook\Options\General"
    $KixVersion = @Kix

    ; "Security Zone" = 4 is the zone index for Restricted sites.
    if $KixVersion = "4.00"
        ; KiXtart 4.00: KeyExist() is true when the key exists.
        ; Outlook 98
        $RegKey = "$key1\8.0\$key2"
        if keyexist($RegKey)
            $RC1 = WriteValue($RegKey, "Security Zone", "4", "REG_DWORD")
        endif
        ; Outlook 2000
        $RegKey = "$key1\9.0\$key2"
        if keyexist($RegKey)
            $RC1 = WriteValue($RegKey, "Security Zone", "4", "REG_DWORD")
        endif
        ; Outlook 2002
        $RegKey = "$key1\10.0\$key2"
        if keyexist($RegKey)
            $RC1 = WriteValue($RegKey, "Security Zone", "4", "REG_DWORD")
        endif
    else
        ; Older KiXtart: ExistKey() returns 0 when the key exists.
        ; Outlook 98
        $RegKey = "$key1\8.0\$key2"
        if existkey($RegKey) = 0
            $RC1 = WriteValue($RegKey, "Security Zone", "4", "REG_DWORD")
        endif
        ; Outlook 2000
        $RegKey = "$key1\9.0\$key2"
        if existkey($RegKey) = 0
            $RC1 = WriteValue($RegKey, "Security Zone", "4", "REG_DWORD")
        endif
        ; Outlook 2002
        $RegKey = "$key1\10.0\$key2"
        if existkey($RegKey) = 0
            $RC1 = WriteValue($RegKey, "Security Zone", "4", "REG_DWORD")
        endif
    endif
    return

-----Original Message-----
From: Robert Pendell [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 28, 2001 7:36 PM
To: [EMAIL PROTECTED]
Subject: Re: OT: Virus

I don't know of any Perl coding relating to this or if a patch for OE is available yet. I do know that you must have anti-virus software though or it will make it through. I learned that when Nimda hit our classroom subnet. Everyone had the system patched with all the patches too.

Anyways, for AV software, I personally recommend Norton, but to the best of my knowledge there is not a Linux version of it. Norton has a filter scanning ALL incoming and outgoing email. It will catch a virus before it gets to my email box. Also, I just now updated to the newest virus definitions.

----- Original Message -----
From: Sisyphus
To: [EMAIL PROTECTED]
Sent: Wednesday, November 28, 2001 6:57 PM
Subject: OT: Virus

Hi,

Yeah, as noted on this list, I've been caught a couple of times lately by virus attachments that open without being opened. ( The first was Nimda, which, afaik, did not get the chance to spread from this box.)

I believe they utilise a hole in the relationship between Outlook Express and Internet Explorer. There's a patch for that, isn't there ? Or can it also be taken care of with some proper configuration ? Looks like I'd better get it fixed.

I had updated my virus definitions 6 days ago, but it still didn't catch it. Seems I needed to update 2 days ago, as the relevant definitions are now available from my ISP. Maybe he's a bit slow at making them available, or does the virus industry now move that fast ?

CPAN has little to offer in this regard. 'AntiVirus::ForIdiots' doesn't appear to have been written yet.

Anyway, someone had better set me straight on how to close that hole, or I'll have to change my sig to 'Syphillis'.

Hope everyone managed to avoid inconvenience/damage.

Cheers,
Rob
RE: OT: Virus
You may be interested in a synopsis of the current pest - BadtransB Virus. I hope this helps you.

Pete

Quick summary FYI on Badtrans.B worm - leaves backdoors, logs data

- Badtrans.B arrives in the recipient's in-box with a "Re:" subject line to an e-mail actually sent by the user
- The Badtrans.B variant is executed when a user opens an infected e-mail, and does not require a user to click on an attachment
- Badtrans.B also runs a key logger program. The data gathered by the key logger is saved in encrypted form on the system's hard drive
- The attachments included with the worm will appear to be .MP3, .DOC or .ZIP files, but are actually double extension files with .SCR or .PIF extensions. These attachments are 13,312 bytes in length, according to Network Associates.

The patch can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp.

The complete article is at ITworld.com dated 11/26/01 by Sam Costello, IDG News Service, Boston Bureau
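Added example, not part of any poster's message: a mail-gateway style check for the two attachment tricks described in this thread, an executable declared with a media MIME type (the Nimda audio/wave case) and a decoy extension in front of the real one (the Badtrans.B .MP3/.SCR case). The function names, the extension sets and the sample messages are constructed for illustration; the double-extension rule generalizes to any extension in front of an executable one.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions Windows runs directly; .exe, .scr, .pif and .vbs are named in the
# thread, .com and .bat are added here as an assumption.
EXECUTABLE = {".exe", ".scr", ".pif", ".vbs", ".com", ".bat"}
# Main types a mail client may render or play inline without asking.
INLINE_MAIN_TYPES = {"audio", "video", "image", "text"}


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) findings for every suspicious attachment."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        suffixes = [s.lower() for s in PurePosixPath(name.strip()).suffixes]
        if not suffixes or suffixes[-1] not in EXECUTABLE:
            continue
        # Nimda pattern: executable payload declared as playable media.
        if part.get_content_maintype() in INLINE_MAIN_TYPES:
            findings.append((name, "executable declared as " + part.get_content_type()))
        # Badtrans.B pattern: harmless-looking extension in front of the real one.
        if len(suffixes) >= 2:
            findings.append((name, "double extension " + "".join(suffixes[-2:])))
    return findings


def build_sample(filename: str, maintype: str, subtype: str) -> bytes:
    """Constructed test message with one attachment of harmless filler bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Re: constructed sample"
    msg.set_content("body")
    msg.add_attachment(b"not a real payload", maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in [("readme.exe", "audio", "wave"),
                 ("song.MP3.scr", "application", "octet-stream"),
                 ("notes.doc", "application", "msword")]:
        print(args[0], scan_message(build_sample(*args)))
```

The check looks only at the declared headers, so it complements rather than replaces the MS01-027 patch and content scanning by anti-virus software.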
Re: OT: Virus
Hmm... ZoneAlarm Pro catches all .pif attachments and quarantines them. Very nice personal firewall.

Mark

----- Original Message -----
From: Marracci, Peter E
To: 'Robert Pendell' ; [EMAIL PROTECTED]
Sent: 28 November, 2001 4:48 PM
Subject: RE: OT: Virus

You may be interested in a synopsis of the current pest - BadtransB Virus. I hope this helps you.

Pete

Quick summary FYI on Badtrans.B worm - leaves backdoors, logs data

- Badtrans.B arrives in the recipient's in-box with a "Re:" subject line to an e-mail actually sent by the user
- The Badtrans.B variant is executed when a user opens an infected e-mail, and does not require a user to click on an attachment
- Badtrans.B also runs a key logger program. The data gathered by the key logger is saved in encrypted form on the system's hard drive
- The attachments included with the worm will appear to be .MP3, .DOC or .ZIP files, but are actually double extension files with .SCR or .PIF extensions. These attachments are 13,312 bytes in length, according to Network Associates.

The patch can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp.

The complete article is at ITworld.com dated 11/26/01 by Sam Costello, IDG News Service, Boston Bureau
Re: OT: Virus
----- Original Message -----
From: Marracci, Peter E

> The Badtrans.B variant is executed when a user opens an infected e-mail, and does not require a user to click on an attachment

Yes - this is where a major part of the problem lies. How does one configure the system so that attachments will not open *unless* clicked on ? Afaik my configuration will not allow attachments to open until they are clicked - yet this is obviously not the case, as they did open ( or, at least, opened an IE download box ) but they were at no stage 'clicked on'.

> The patch can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp. The complete article is at ITworld.com dated 11/26/01 by Sam Costello, IDG News Service, Boston Bureau

I'll follow those links - they hopefully answer the question I raised above.

What sort of kindergarten genius devises a system that needs a patch for something that should be easily handled by user configuration ? Which brings me back to one of the questions I raised in my original post - ie can this problem of attachments opening spontaneously (in Outlook Express) be solved with configuration only ? (Or is the patch a necessity ? )

If attachments are going to open spontaneously, then you're really depending upon your virus checking system, and if its definitions are not up to date, then things start to get interesting. No matter how good the virus checker is, I'd feel much happier knowing that attachments could not open spontaneously in Outlook Express.

Anyway, before I get too carried away, I suppose I should follow those links.

Thanks Pete, and thanks also to the others who have provided advice.

Cheers,
Rob
Re: OT: Virus
--- Sisyphus [EMAIL PROTECTED] wrote:
> Yes - this is where a major part of the problem lies. How does one configure the system so that attachments will not open *unless* clicked on ? Afaik my configuration will not allow attachments to open until they are clicked - yet this is obviously not the case, as they did open ( or, at least, opened an IE download box ) but they were at no stage 'clicked on'.

I have heard that it helps if you configure your system such that it does not execute random script files. For example, I have my system set so that any .vbs file is opened in Notepad. If I want to execute it (unlikely in my case) I have to right click and choose 'execute'. This is merely a Windows file-type set default action, no real configuration changes made.

In addition, I'm not sure that this would stop much. I definitely don't have this setting for .exe files. But as far as I'm concerned, it doesn't hurt to have the extra precaution.

> What sort of kindergarten genius devises a system that needs a patch for something that should be easily handled by user configuration ?

Uhh, is the answer Microsoft..? ;)

=
Jeffrey Hottle
nkuvu at yahoo dot com